Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport of Verify TLS certificate on endpoints that are used between agents only into release/1.2.x #12624

Conversation

hc-github-team-nomad-core
Copy link
Contributor

Backport

This PR is auto-generated from #11956 to be assessed for backporting due to the inclusion of the label backport/1.2.x.

WARNING automatic cherry-pick of commits failed. Commits will require human attention.

The below text is copied from the body of the original PR.


There are different types of endpoints in Nomad, and different types use different mechanism to validate and authenticate requests.

The most common endpoints are called by end-users via the HTTP API and get translated to an RPC request. They are authenticated using ACL tokens.

Another type of endpoint is used by Raft and are called between servers. This process doesn't have ACL tokens involved, so requests are validated by checking the mTLS certificates, when available.

Finally, there are endpoints that are called by agents directly via RPC, either client -> server or server -> server. These also don't use ACL tokens, so there was no explicit validation.

This PRs adds a check to these agent to agent endpoints similar to Raft's, using the mTLS certificate, if available.

@hashicorp-cla
Copy link

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes


temp seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.

Have you signed the CLA already but the status is still pending? Recheck it.

@lgfa29
Copy link
Contributor

lgfa29 commented Apr 19, 2022

Manually backported

@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 19, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants