
[Platform] Add ability to take custom certificates in platform for client to server connections. #8632

Open
Arnav15 opened this issue May 26, 2021 · 0 comments
Arnav15 commented May 26, 2021

We need to add support for specifying custom server certs for client connection so that connections can be made securely over a loadbalancer endpoint.

@Arnav15 Arnav15 added the area/platform Yugabyte Platform label May 26, 2021
@ymahajan ymahajan added this to the 2.7.x milestone Jun 18, 2021
iamarshsingh pushed a commit that referenced this issue Jun 25, 2021
… for client to server connections.

Summary:
These changes would add support for specifying custom server certs for client connection so that connections can be made securely over a loadbalancer endpoint.
We are extending the upload certificate API endpoint to also include a third cert type called CustomServerCert. This endpoint is not currently visible in the frontend as this change is meant to be used by Yugabyte Cloud.

To add a new Cert of CustomServerCert Type, a POST request can be made in the following format:

```
curl --location --request POST 'http://localhost:9000/api/v1/customers/f33e3c9b-75ab-4c30-80ad-cba85646ea39/certificates' \
--header 'X-AUTH-TOKEN: *******' \
--header 'Content-Type: application/json' \
--data-raw '{
    "label": "custom-test-2",
    "certStart": 1603143817965,
    "certExpiry": 1634495400000,
    "certContent": "-----BEGIN CERTIFICATE-----XXXXXXXXXXX-----END CERTIFICATE-----",
    "certType": "CustomServerCert",
    "customServerCertData": {
        "serverCertContent": "-----BEGIN CERTIFICATE-----XXXXXXXXXXXXXX-----END CERTIFICATE-----",
        "serverKeyContent": "-----BEGIN RSA PRIVATE KEY-----XXXXXXXXXXXXXXX-----END RSA PRIVATE KEY-----"
    }
}'
```

The API returns the cert ID on success, which can be plugged into the clientRootCA during Universe Creation. For Universe Creation, an API call with the following params can be made:

```
curl --location --request POST 'http://localhost:9000/api/v1/customers/f33e3c9b-75ab-4c30-80ad-cba85646ea39/universes' \
--header 'X-AUTH-TOKEN: 7bd13a61-71c4-4d24-bd00-d8ca1ad94777' \
--header 'Content-Type: application/json' \
--data-raw '{
    "errorString": null,
    "nodeExporterUser": "prometheus",
    "deviceInfo": null,
    "universeUUID": "5f5ded61-caca-47aa-94e1-e74fc666a507",
    "expectedUniverseVersion": -1,
    "cmkArn": null,
    "encryptionAtRestConfig": {
        "encryptionAtRestEnabled": false,
        "kmsConfigUUID": null,
        "opType": "UNDEFINED",
        "type": "DATA_KEY"
    },
    "nodeDetailsSet": [ XXXX ],
    "communicationPorts": {
        "masterHttpPort": 7000,
        "masterRpcPort": 7100,
        "tserverHttpPort": 9000,
        "tserverRpcPort": 9100,
        "redisServerHttpPort": 11000,
        "redisServerRpcPort": 6379,
        "yqlServerHttpPort": 12000,
        "yqlServerRpcPort": 9042,
        "ysqlServerHttpPort": 13000,
        "ysqlServerRpcPort": 5433,
        "nodeExporterPort": 9300
    },
    "extraDependencies": {
        "installNodeExporter": true
    },
    "firstTry": true,
    "clusters": [ XXXXX ],
    "nodePrefix": "yb-prefix",
    "rootCA": null,
    "clientRootCA": "cert ID inserted HERE",
    "rootAndClientRootCASame": false,
    "userAZSelected": false,
    "resetAZConfig": false,
    "updateInProgress": false,
    "backupInProgress": false,
    "updateSucceeded": true,
    "universePaused": false,
    "nextClusterIndex": 1,
    "allowInsecure": true,
    "setTxnTableWaitCountFlag": false,
    "itestS3PackagePath": "",
    "remotePackagePath": "",
    "importedState": "NONE",
    "capability": "EDITS_ALLOWED"
}'
```

In the above API request, enableClientToNodeEncrypt should be set to true in the clusters fields (this is currently hidden in the above request but can be seen by inspecting the Universe Creation page on the Platform webpage).

Test Plan:
1. Add appropriate unit tests in NodeManager and CertificateController.
2. Tested the API endpoint by uploading a new CustomServerCert type certificate on the upload API endpoint. The curl command is as follows:

```
curl --location --request POST 'http://localhost:9000/api/v1/customers/f33e3c9b-75ab-4c30-80ad-cba85646ea39/certificates' \
--header 'X-AUTH-TOKEN: *******' \
--header 'Content-Type: application/json' \
--data-raw '{
    "label": "custom-test-2",
    "certStart": 1603143817965,
    "certExpiry": 1634495400000,
    "certContent": "-----BEGIN CERTIFICATE-----XXXXXXXXXXX-----END CERTIFICATE-----",
    "certType": "CustomServerCert",
    "customServerCertData": {
        "serverCertContent": "-----BEGIN CERTIFICATE-----XXXXXXXXXXXXXX-----END CERTIFICATE-----",
        "serverKeyContent": "-----BEGIN RSA PRIVATE KEY-----XXXXXXXXXXXXXXX-----END RSA PRIVATE KEY-----"
    }
}'
```
3. Tested Universe Creation with the above certificate being used as the clientRootCA. Performed the creation with a POST request as currently platform has no support for different rootCA and clientRootCA in the frontend.
4. Verified the certificates are saved in the correct locations as expected.
5. Verified connecting to the database by using the uploaded certificate as the verification cert.

Reviewers: sanketh, arnav, hkandala

Reviewed By: arnav, hkandala

Subscribers: jenkins-bot

Differential Revision: https://phabricator.dev.yugabyte.com/D11959
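The two-step flow the commit message describes (upload a CustomServerCert, then wire the returned ID into universe creation), as an added example that is not Platform's own code. It assumes the certificates endpoint returns the cert ID as a JSON string, that each cluster carries its flags under a `userIntent` object, and it takes an injectable `post` transport so the flow runs offline against a constructed stand-in; the PEM strings are constructed placeholders.

```python
import json
import re

# Assumptions (not from the page): PEM markers checked by shape only, and the
# certificates endpoint answers with the new cert ID as a bare JSON string.
PEM_CERT = re.compile(r"^-----BEGIN CERTIFICATE-----.+-----END CERTIFICATE-----$", re.S)
PEM_KEY = re.compile(r"^-----BEGIN (RSA )?PRIVATE KEY-----.+-----END (RSA )?PRIVATE KEY-----$", re.S)

# Constructed placeholder material, standing in for real PEM blobs.
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIICca...\n-----END CERTIFICATE-----"
SERVER_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIICsrv...\n-----END CERTIFICATE-----"
SERVER_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIEkey...\n-----END RSA PRIVATE KEY-----"
CERT_ID = "11111111-2222-3333-4444-555555555555"  # constructed ID the fake server returns
BASE_PARAMS = {"nodePrefix": "yb-prefix", "rootCA": None, "clientRootCA": None,
               "rootAndClientRootCASame": True, "clusters": [{"userIntent": {}}]}


def build_cert_upload(label, ca_pem, server_cert_pem, server_key_pem, start_ms, expiry_ms):
    """Body for POST .../certificates with certType CustomServerCert; timestamps are
    epoch milliseconds as in the page's request. Rejects malformed PEM and a
    validity window that ends before it starts, before anything is sent."""
    if not (PEM_CERT.match(ca_pem.strip()) and PEM_CERT.match(server_cert_pem.strip())):
        raise ValueError("certContent and serverCertContent must be PEM certificates")
    if not PEM_KEY.match(server_key_pem.strip()):
        raise ValueError("serverKeyContent must be a PEM private key")
    if expiry_ms <= start_ms:
        raise ValueError("certExpiry must be after certStart")
    return {"label": label, "certStart": start_ms, "certExpiry": expiry_ms,
            "certContent": ca_pem, "certType": "CustomServerCert",
            "customServerCertData": {"serverCertContent": server_cert_pem,
                                     "serverKeyContent": server_key_pem}}


def build_universe_params(base_params, cert_id):
    """Set clientRootCA to the uploaded ID, keep rootCA separate, and force
    enableClientToNodeEncrypt on every cluster (the flag the page says is hidden
    in its sample request). `userIntent` placement is an assumption."""
    params = json.loads(json.dumps(base_params))  # deep copy, leave caller's dict alone
    params["clientRootCA"] = cert_id
    params["rootAndClientRootCASame"] = False
    for cluster in params["clusters"]:
        cluster.setdefault("userIntent", {})["enableClientToNodeEncrypt"] = True
    return params


def provision(post, customer_uuid, auth_token, cert_body, base_params):
    """post(path, headers, body_str) -> response_str. Returns the universe params sent."""
    headers = {"X-AUTH-TOKEN": auth_token, "Content-Type": "application/json"}
    cert_id = json.loads(post(f"/api/v1/customers/{customer_uuid}/certificates",
                              headers, json.dumps(cert_body)))
    params = build_universe_params(base_params, cert_id)
    post(f"/api/v1/customers/{customer_uuid}/universes", headers, json.dumps(params))
    return params


def fake_post(path, headers, body):
    """Constructed stand-in for Platform: hands back CERT_ID for uploads, echoes the rest."""
    assert headers["X-AUTH-TOKEN"], "every Platform call needs an auth token"
    return json.dumps(CERT_ID) if path.endswith("/certificates") else body
```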