Run and Hook sockets over TLS with token authorization for CAAS #10606

hpidcock · 2019-09-05T06:03:30Z

Run and Hook sockets over TLS with token authorization for CAAS

Adds encryption and authentication to CAAS juju-run and jujuc connections.

juju-run multiplex server listens on TCP+TLS
juju-run local listener per uniter on unix socket
jujuc listener per hook context either over TCP+TLS or unix socket
x509 certificates generated by apiserver on request from
caasoperatorprovisioner and injected into operator config map
juju-run auth token generated per unit and store in operator.yaml alongside
ca.crt file (controller's CA cert)
jujuc listner pass token via hook env vars & ca cert filename passed
by env var
caasoperatorprovisioner updates existing operators with certificates
increase rsa key size to 3072 bits to future proof past 2030

QA steps

make microk8s-operator-update
export JUJU_DEV_FEATURE_FLAGS=developer-mode
juju bootstrap microk8s
juju deploy cs:~juju/redis-k8s-1

$ juju exec --unit redis-k8s/0 hostname
redis-k8s-645fdf557-hrkcm
$ juju exec --unit redis-k8s/0 status-set active "hello from unit"
$ juju status | grep redis-k8s/0
redis-k8s/0*  active    idle   10.1.1.20  6379/TCP  hello from unit
$ microk8s.kubectl --namespace controller-microk8s-localhost exec redis-k8s-645fdf557-hrkcm -- juju-run redis-k8s/0 "status-set active 'hello from unit via juju-run on the unit'"
$ juju status | grep redis-k8s/0
redis-k8s/0*  active    idle   10.1.1.20  6379/TCP  hello from unit via juju-run on the unit

$ juju exec --unit redis-k8s/0 --operator hostname
redis-k8s-operator-0
$ juju exec --unit redis-k8s/0 --operator status-set active "hello from operator"
$ juju status | grep redis-k8s/0
redis-k8s/0*  active    idle   10.1.1.20  6379/TCP  hello from operator
$ microk8s.kubectl --namespace controller-microk8s-localhost exec redis-k8s-operator-0 -- juju-run redis-k8s/0 "status-set active 'hello from unit via juju-run on the operator'"
$ juju status | grep redis-k8s/0
redis-k8s/0*  active    idle   10.1.1.20  6379/TCP  hello from unit via juju-run on the operator

Documentation changes

N/A

Bug reference

https://bugs.launchpad.net/juju/+bug/1837841

apiserver/params/params.go

caas/kubernetes/provider/exec/exec.go

caas/kubernetes/provider/k8s.go

cmd/jujud/main.go

worker/caasoperator/action.go

wallyworld

Looks good, thanks!

agent/agent.go

api/caasoperatorprovisioner/client.go

api/caasoperatorprovisioner/client_test.go

caas/kubernetes/provider/k8s.go

cmd/jujud/main.go

worker/meterstatus/runner.go

worker/uniter/paths.go

worker/caasoperatorprovisioner/worker.go

agent/agent.go

hpidcock · 2019-09-12T07:01:48Z

$$merge$$

- juju-run multiplex server listens on TCP+TLS - juju-run local listener per uniter on unix socket - jujuc listener per hook context either over TCP+TLS or unix socket - x509 certificates generated by apiserver on request from caasoperatorprovisioner and injected into operator config map - juju-run auth token generated per unit and store in operator.yaml alongside ca.crt file (controller's CA cert) - jujuc listner pass token via hook env vars & ca cert filename passed by env var - caasoperatorprovisioner updates existing operators with certificates - increase rsa key size to 3072 bits to future proof past 2030

hpidcock · 2019-09-13T03:32:38Z

$$merge$$

wallyworld reviewed Sep 6, 2019

View reviewed changes

apiserver/params/params.go Show resolved Hide resolved

wallyworld reviewed Sep 6, 2019

View reviewed changes

caas/kubernetes/provider/exec/exec.go Outdated Show resolved Hide resolved

caas/kubernetes/provider/k8s.go Show resolved Hide resolved

cmd/jujud/main.go Outdated Show resolved Hide resolved

worker/caasoperator/action.go Outdated Show resolved Hide resolved

hpidcock force-pushed the tls branch 5 times, most recently from 81c090b to 8e4c766 Compare September 11, 2019 07:37

hpidcock marked this pull request as ready for review September 11, 2019 07:37

wallyworld approved these changes Sep 12, 2019

View reviewed changes

hpidcock force-pushed the tls branch 6 times, most recently from 9a1ef76 to cb3df43 Compare September 12, 2019 06:32

hpidcock force-pushed the tls branch 2 times, most recently from 1189dd3 to a50da75 Compare September 13, 2019 02:32

hpidcock force-pushed the tls branch from a50da75 to 38a9b3b Compare September 13, 2019 02:58

jujubot merged commit f367b53 into juju:develop Sep 13, 2019

hpidcock deleted the tls branch November 15, 2019 01:51

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Run and Hook sockets over TLS with token authorization for CAAS #10606

Run and Hook sockets over TLS with token authorization for CAAS #10606

hpidcock commented Sep 5, 2019 •

edited

wallyworld left a comment

hpidcock commented Sep 12, 2019

hpidcock commented Sep 13, 2019

Run and Hook sockets over TLS with token authorization for CAAS #10606

Run and Hook sockets over TLS with token authorization for CAAS #10606

Conversation

hpidcock commented Sep 5, 2019 • edited