[platform] Add support to use chained certificates in platform. #8789

Open
Arnav15 opened this issue Jun 7, 2021 · 0 comments
Arnav15 commented Jun 7, 2021

Currently, the platform code works under the assumption that the certificate entries in the input will be single certificates, which is not extensible, since most of the time a cert chain will be provided.

Arnav15 added the area/platform Yugabyte Platform label Jun 7, 2021
Arnav15 self-assigned this Jun 7, 2021
Arnav15 added a commit that referenced this issue Jun 9, 2021
Summary:
The platform worked under the assumption that each certificate input will be a single
certificate object, which is an incorrect assumption in most situations, since this will not be the
case in most situations. We will almost always have a certificate chain with an intermediate and a
root. This diff ensures we respect all certificates being sent as input while uploading the
certificate content, as well as it ensures that the yb-client uses all certs present in the file for
the trust store.

Test Plan:
yb-client: Added a unit test.
platform:
1) Added a unit test.
2) Verified via the cloud workflow. Sent a chain of self-signed certificates to use for generating
the server certificates, and verified the universe creation worked as expected.

Reviewers: hkandala, sanketh

Reviewed By: sanketh

Subscribers: jenkins-bot, asingh, yugaware

Differential Revision: https://phabricator.dev.yugabyte.com/D11839
hsu880 added this to To do in Platform Jun 15, 2021
hsu880 moved this from To do to Needs QA/Docs in Platform Jun 15, 2021
hsu880 modified the milestones: 2.7, 2.7.x Jun 15, 2021
hkandala pushed a commit that referenced this issue Jul 27, 2021
…m/yb-client.

Summary:
The platform worked under the assumption that each certificate input will be a single
certificate object, which is an incorrect assumption in most situations, since this will not be the
case in most situations. We will almost always have a certificate chain with an intermediate and a
root. This diff ensures we respect all certificates being sent as input while uploading the
certificate content, as well as it ensures that the yb-client uses all certs present in the file for
the trust store.

Original diff: https://phabricator.dev.yugabyte.com/D11839
Original commit: 930d103

Test Plan:
Jenkins: rebase: 2.6

yb-client: Added a unit test.
platform:
1) Added a unit test.
2) Verified via the cloud workflow. Sent a chain of self-signed certificates to use for generating
the server certificates, and verified the universe creation worked as expected.

Reviewers: sanketh, arnav

Reviewed By: arnav

Subscribers: yugaware, asingh, jenkins-bot

Differential Revision: https://phabricator.dev.yugabyte.com/D12384
hkandala pushed a commit that referenced this issue Jul 29, 2021
…m/yb-client.

Summary:
The platform worked under the assumption that each certificate input will be a single
certificate object, which is an incorrect assumption in most situations, since this will not be the
case in most situations. We will almost always have a certificate chain with an intermediate and a
root. This diff ensures we respect all certificates being sent as input while uploading the
certificate content, as well as it ensures that the yb-client uses all certs present in the file for
the trust store.

Original diff: https://phabricator.dev.yugabyte.com/D11839
Original commit: 930d103
A few dependencies from this commit (37cf988) are also included.

Test Plan:
Jenkins: rebase: 2.4

yb-client: Added a unit test.
platform:
1) Added a unit test.
2) Verified via the cloud workflow. Sent a chain of self-signed certificates to use for generating
the server certificates, and verified the universe creation worked as expected.

Reviewers: arnav, sanketh

Reviewed By: arnav

Subscribers: hsu, yugaware, asingh, jenkins-bot

Differential Revision: https://phabricator.dev.yugabyte.com/D12412
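
The behaviour the commits above describe, as an added Python example (not code from the platform or yb-client): read every CERTIFICATE block in a PEM input rather than only the first, reject a truncated chain, and register each distinct certificate in a trust-store-like map. The function names, the `ca-N` aliases and the sample chain are assumptions; the sample payloads are constructed placeholders, and only the PEM framing is parsed, not the X.509 contents.

```python
import base64
import hashlib
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# Matches one PEM certificate block; DOTALL lets the base64 body span lines.
_PEM_CERT = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.DOTALL)


def split_pem_chain(pem_text):
    """Return the DER bytes of every CERTIFICATE block in pem_text, in order."""
    begins, ends = pem_text.count(BEGIN), pem_text.count(END)
    bodies = _PEM_CERT.findall(pem_text)
    if begins == 0:
        raise ValueError("no certificate found in input")
    if begins != ends or begins != len(bodies):
        raise ValueError("unbalanced BEGIN/END markers, chain may be truncated")
    ders = []
    for body in bodies:
        # validate=True rejects stray non-base64 characters instead of skipping them
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # an X.509 certificate is a DER SEQUENCE
            raise ValueError("block does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders


def trust_entries(pem_text):
    """Map alias -> SHA-256 fingerprint for every distinct certificate in the chain."""
    entries = {}
    for der in split_pem_chain(pem_text):
        fingerprint = hashlib.sha256(der).hexdigest()
        if fingerprint not in entries.values():  # skip certificates repeated in the file
            entries[f"ca-{len(entries)}"] = fingerprint
    return entries


def pem_block(der):
    """Wrap DER bytes in PEM certificate armour (used to build the sample)."""
    return BEGIN + "\n" + base64.encodebytes(der).decode() + END + "\n"


# Constructed sample: placeholder DER SEQUENCEs standing in for an intermediate
# and a root certificate. These are not real certificates.
SAMPLE_CHAIN = "".join(
    pem_block(bytes([0x30, len(name)]) + name)
    for name in (b"intermediate", b"root-ca-0001")
)

if __name__ == "__main__":
    print("single-cert assumption keeps:", len(split_pem_chain(SAMPLE_CHAIN)[:1]))
    print("chain-aware trust store:", trust_entries(SAMPLE_CHAIN))
```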