Adds Operator support for TLS enabled observatorium-api #273
If I see this correctly this is still missing the part of actually wiring up the files mounted from the secret, right (presumably that's why it's WIP :) )?
Nir, the mTLS failures look like a configuration issue in this PR rather than a problem with the API code. Please take a look at the comments. Otherwise, this generally looks very good :)
environments/dev/main.jsonnet
namespace: obs.config.namespace, | ||
}, | ||
data: { | ||
'ca.pem': importstr '../../tmp/certs/up_client/ca.pem', |
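Review bot: `data` is being filled with raw PEM via `importstr`; if this object is a Secret (its `kind` is outside the visible lines) Kubernetes requires the values under `data` to be base64-encoded, so either put the PEM under `stringData` or wrap it as `std.base64(importstr '../../tmp/certs/up_client/ca.pem')`; if it is a ConfigMap, raw PEM is fine. Also worth a comment next to the field saying which side of the handshake this CA is for, since a CA that did not issue the client certs the API will see makes every client handshake fail verification.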
The reason that mTLS is failing is that you have generated two different sets of client certs each with a different CA. The client certs for the up binary were generated using this certificate, so using this CA as the client-ca means up will work. But the client certs for the healthchecks were generated using the observatorium/ca.pem cert, so when the API checks the client certificates against the up_client/ca.pem cert, the validation will fail
I have tested this as well, and done per your request. Yet I still get the TLS handshake error
Looks like this needs a rebase and CI is failing. Once green we can have another look.
This should not fail for the same reason since the healthchecks no longer use mTLS. e.g. these flags no longer exist: https://github.com/observatorium/deployments/pull/273/files#diff-600fb07f5f3b3600a9a1111605f807ceR48
let me know if you need help :)
TLSSecret TLSSecret `json:"secret"` | ||
} | ||
|
||
type MTLSConfigMap struct { |
We don't have any Observatorium-wide mTLS settings (anymore), so we should remove this struct
CertFile string `json:"certFile"` | ||
Name string `json:"name"` | ||
PrivateKeyFile string `json:"privateKeyFile"` | ||
ReloadInterval string `json:"reloadInterval"` |
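Review bot: `ReloadInterval` is a free-form `string`, so a malformed value such as `1min` is only caught when the API process parses its flags at start-up, after the Operator has already rolled out the Deployment; typing it as `metav1.Duration`, or at least adding a validation marker on the field, rejects it at admission instead. The same struct has no place for the CA that issued the certificate, which clients of the API need in order to verify the server cert when that CA is not in the system trust store.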
We will need an optional field to load the CA that signed the certificate. This is optional because the healthchecker needs to know that the certificate is valid and if the CA is not in the system certs then it needs to be specified. Note, this is different from an mTLS CA used to check clients of the API; this is for clients to validate the server's cert
@@ -38,6 +38,9 @@ local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet'; | |||
'--latency=10s', | |||
'--initial-query-delay=5s', | |||
'--threshold=0.90', | |||
'--tls-ca-file=' + up.config.withTLS.clientCAFile, |
This should really be called serverCAFile
because it's the CA that signed the server's certificate that matters here, not the client's
@@ -34,14 +34,41 @@ local dex = (import '../../components/dex.libsonnet') + { | |||
}; | |||
|
|||
local obs = (import '../base/observatorium.jsonnet') + { | |||
tls_secret: { |
Let's keep everything here camelCase for consistency
}, | ||
|
||
withMTLS: { | ||
local apiWithMTLS = self, |
We should remove this because the API doesn't support any process-wide mTLS
config+:: obs.config.withTLS, | ||
}, | ||
|
||
withMTLS+:: { |
Same here: there is no longer any API-wide mTLS settings
- --web.healthchecks.url=https://127.0.0.1:8080 | ||
- --tls.server.cert-file=/mnt/certs/server.pem | ||
- --tls.server.key-file=/mnt/certs/server.key | ||
- --tls.healthchecks.cert-file=/mnt/certs/client.pem |
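Review bot: `--web.healthchecks.url=https://127.0.0.1:8080` makes the healthchecker verify the server certificate against a literal IP, so the certificate in `/mnt/certs/server.pem` must carry `127.0.0.1` as an IP SAN (a DNS SAN for the service hostname is not enough), or the check fails even with the correct CA in `--tls.healthchecks.server-ca-file`. Either issue the cert with that SAN in the `generate-cert` target or point the check at a hostname the cert covers.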
Several of these flags no longer exist.
- --tls.server.cert-file=/mnt/certs/server.pem | ||
- --tls.server.key-file=/mnt/certs/server.key | ||
- --tls.healthchecks.cert-file=/mnt/certs/client.pem | ||
- --tls.healthchecks.key-file=/mnt/certs/client.key |
This one too
- --tls.healthchecks.key-file=/mnt/certs/client.key | ||
- --tls.healthchecks.server-ca-file=/mnt/certs/ca.pem | ||
- --tls.reload-interval=1m | ||
- --tls.server.client-ca-file=/mnt/clientca/ca.pem |
And this one
ping @nmagnezi will you be able to take a look at the issues/comments I added a few weeks ago?
|
||
CONTROLLER_GEN ?= $(BIN_DIR)/controller-gen | ||
JB ?= $(BIN_DIR)/jb | ||
GENERATE_TLS_CERT ?= $(BIN_DIR)/generate-tls-cert |
nit: extra space here
mkdir -p $(CERT_DIR) | ||
|
||
# Generate TLS certificates for local development. | ||
generate-cert: $(GENERATE_TLS_CERT) $(CERT_DIR) |
We should make the dependency on the cert dir target order-only
generate-cert: $(GENERATE_TLS_CERT) $(CERT_DIR) | |
generate-cert: $(GENERATE_TLS_CERT) | $(CERT_DIR) |
mkdir -p $(CERT_DIR) | ||
|
||
# Generate TLS certificates for local development. | ||
generate-cert: $(GENERATE_TLS_CERT) $(CERT_DIR) |
This should be a phony target
Closed in #329
Issue: #272
Depends on: