feat(snap)!: Remove secrets-config proxy snap options #4511
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
BREAKING CHANGE: Removing the support for the apps.secrets-config.proxy.* snap options Signed-off-by: Farshid Tavakolizadeh <farshid.tavakolizadeh@canonical.com>
|
Kudos, SonarCloud Quality Gate passed!
|
MonicaisHer
approved these changes
Apr 13, 2023
There was a problem hiding this comment.
I have tested setting up TLS with snap built from this PR:
$ snap install ./edgexfoundry_3.0.0-dev.128_amd64.snap --dangerous
edgexfoundry 3.0.0-dev.128 installed
$ sudo ./script.sh
+ SERVER_CERT_FILE=server.crt
+ SERVER_KEY_FILE=server.key
+ SERVER_CSR_FILE=server.csr
+ CA_CERT_FILE=ca.crt
+ CA_KEY_FILE=ca.key
+ TEMP_DIR=/var/snap/edgexfoundry/common
+ openssl ecparam -name prime256v1 -genkey -noout -out ca.key
+ openssl req -new -x509 -sha256 -key ca.key -out ca.crt -subj /CN=local-ca
+ openssl ecparam -name prime256v1 -genkey -noout -out server.key
+ openssl req -new -sha256 -key server.key -out server.csr -subj /CN=localhost
+ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000 -sha256
Certificate request self-signature ok
subject=CN = localhost
+ sudo cp server.crt server.key /var/snap/edgexfoundry/common/
+ sudo edgexfoundry.secrets-config proxy tls --inCert /var/snap/edgexfoundry/common/server.crt --inKey /var/snap/edgexfoundry/common/server.key --targetFolder /var/snap/edgexfoundry/current/nginx
+ sudo rm server.crt server.key
+ sudo snap restart --reload edgexfoundry.nginx
Restarted.
+ sleep 1
+ curl --cacert ca.crt -v https://localhost:8443/core-data/api/v2/ping
* Trying 127.0.0.1:8443...
* Connected to localhost (127.0.0.1) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: ca.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=localhost
* start date: Apr 13 14:46:21 2023 GMT
* expire date: Jan 7 14:46:21 2026 GMT
* common name: localhost (matched)
* issuer: CN=local-ca
* SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /core-data/api/v2/ping HTTP/1.1
> Host: localhost:8443
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Server: nginx
< Date: Thu, 13 Apr 2023 14:46:23 GMT
< Content-Type: text/html
< Content-Length: 172
< Connection: keep-alive
<
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host localhost left intact
bnevis-i
approved these changes
Apr 13, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This feature allowed using snap options to:
The ability to add users by public key has been removed in secrets-config v3. The remaining parts which are to replace default TLS certificate, is possible via other, more secure means. As a result, this feature along with all its complexity is being removed.
For more details, refer to canonical/edgex-snap-hooks#81 (comment)
PR Checklist
Please check if your PR fulfills the following requirements:
BREAKING CHANGE:describing the break)Testing Instructions
New Dependency Instructions (If applicable)