Adds Operator support for TLS enabled observatorium-api #273
Conversation
nmagnezi
force-pushed
the
api-tls
branch
4 times, most recently
from
4ccd142
to
be679f2
Compare
nmagnezi
force-pushed
the
api-tls
branch
23 times, most recently
from
b005ba9
to
493af8a
Compare
nmagnezi
force-pushed
the
api-tls
branch
2 times, most recently
from
1f294e9
to
72792ef
Compare
environments/dev/main.jsonnet
Outdated
| namespace: obs.config.namespace, | ||
| }, | ||
| data: { | ||
| 'ca.pem': importstr '../../tmp/certs/up_client/ca.pem', |
There was a problem hiding this comment.
The reason that mTLS is failing is that you have generated two different sets of client certs each with a different CA. The client certs for the up binary were generated using this certificate, so using this CA as the client-ca means up will work. But the client certs for the healthchecks were generated using the observatorium/ca.pem cert, so when the API checks the client certificates against the up_client/ca.pem cert, the validation will fail
There was a problem hiding this comment.
I have tested this as well, and Done per your request. Yet I still get theTLS handshake error
|
Looks like this needs a rebase and CI is failing. Once green we can have another look. |
|
This should not fail for the same reason since the healthchecks no longer use mTLS. e.g. these flags no longer exist: https://github.com/observatorium/deployments/pull/273/files#diff-600fb07f5f3b3600a9a1111605f807ceR48 |
|
let me know if you need help :) |
| TLSSecret TLSSecret `json:"secret"` | ||
| } | ||
|
|
||
| type MTLSConfigMap struct { |
There was a problem hiding this comment.
We don't have any Observatorium-wide mTLS settings (anymore), so we should remove this struct
| CertFile string `json:"certFile"` | ||
| Name string `json:"name"` | ||
| PrivateKeyFile string `json:"privateKeyFile"` | ||
| ReloadInterval string `json:"reloadInterval"` |
There was a problem hiding this comment.
We will need an optional field to load the CA that signed the certificate. This is optional because the healthchecker needs to know that the certificate is valid and if the CA is not in the system certs then it needs to be specified. Note, this is different from an mTLS CA used to check clients of the API; this is for clients to validate the server's cert
| @@ -38,6 +38,9 @@ local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet'; | |||
| '--latency=10s', | |||
| '--initial-query-delay=5s', | |||
| '--threshold=0.90', | |||
| '--tls-ca-file=' + up.config.withTLS.clientCAFile, | |||
There was a problem hiding this comment.
This should really be called serverCAFile because it's the CA that signed the server's certificate that matters here, not the client's
| @@ -34,14 +34,41 @@ local dex = (import '../../components/dex.libsonnet') + { | |||
| }; | |||
|
|
|||
| local obs = (import '../base/observatorium.jsonnet') + { | |||
| tls_secret: { | |||
There was a problem hiding this comment.
Let's keep everything here camelCase for consistency
| }, | ||
|
|
||
| withMTLS: { | ||
| local apiWithMTLS = self, |
There was a problem hiding this comment.
We should remove this because the API doesn't support any process-wide mTLS
| config+:: obs.config.withTLS, | ||
| }, | ||
|
|
||
| withMTLS+:: { |
There was a problem hiding this comment.
Same here: there is no longer any API-wide mTLS settings
| - --web.healthchecks.url=https://127.0.0.1:8080 | ||
| - --tls.server.cert-file=/mnt/certs/server.pem | ||
| - --tls.server.key-file=/mnt/certs/server.key | ||
| - --tls.healthchecks.cert-file=/mnt/certs/client.pem |
There was a problem hiding this comment.
Several of these flags no longer exist.
| - --tls.server.cert-file=/mnt/certs/server.pem | ||
| - --tls.server.key-file=/mnt/certs/server.key | ||
| - --tls.healthchecks.cert-file=/mnt/certs/client.pem | ||
| - --tls.healthchecks.key-file=/mnt/certs/client.key |
| - --tls.healthchecks.key-file=/mnt/certs/client.key | ||
| - --tls.healthchecks.server-ca-file=/mnt/certs/ca.pem | ||
| - --tls.reload-interval=1m | ||
| - --tls.server.client-ca-file=/mnt/clientca/ca.pem |
|
ping @nmagnezi will you be able to take a look at the issues/comments I added a few weeks ago? |
|
|
||
| CONTROLLER_GEN ?= $(BIN_DIR)/controller-gen | ||
| JB ?= $(BIN_DIR)/jb | ||
| GENERATE_TLS_CERT ?= $(BIN_DIR)/generate-tls-cert |
| mkdir -p $(CERT_DIR) | ||
|
|
||
| # Generate TLS certificates for local development. | ||
| generate-cert: $(GENERATE_TLS_CERT) $(CERT_DIR) |
There was a problem hiding this comment.
We should make the dependency on the cert dir target order-only
| generate-cert: $(GENERATE_TLS_CERT) $(CERT_DIR) | |
| generate-cert: $(GENERATE_TLS_CERT) | $(CERT_DIR) |
| mkdir -p $(CERT_DIR) | ||
|
|
||
| # Generate TLS certificates for local development. | ||
| generate-cert: $(GENERATE_TLS_CERT) $(CERT_DIR) |
|
Closed in #329 |
Issue: #272
Depends on: