Validate server TLS certificate between federators #1662
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jschaul
changed the title
Member
Author
|
Interestingly, the end2end tests show weirdly-encoded errors as a 500 server error with just the first commit of this PR: |
jschaul
changed the title
jschaul
force-pushed
the
certificates-improvements
branch
from
17288d9 to
81c03e8
Compare
The `catchError` middleware was running over gzipped responses, and this caused the wrapping logic to fail, and to display a gzip-encoded error message.
This prevents the response body to being preemptively converted to Text when wrapping an error response inside a JSON object.
There is no need to use STM in `lazyResponseBody`, since it is not interacting with any other STM action, and just using TVars inside `atomically` blocks.
10 tasks
This should fix the error reporting and show what the actual problem is.
pcapriotti
changed the title
The HTTP manager should only be used to perform requests to internal services, so we do not need to set up SSL for it.
- Add configuration option to use system CA store - Propagate error when the custom CA store path cannot be loaded - Add ability to use both a custom and a system CA store
jschaul
commented
Jul 19, 2021
jschaul
commented
Jul 19, 2021
pcapriotti
force-pushed
the
certificates-improvements
branch
from
f5d21c5 to
8c0890c
Compare
Comment on lines
+1
to
+14
| apiVersion: v1 | ||
| kind: Secret | ||
| metadata: | ||
| name: "federator-ca" | ||
| labels: | ||
| wireService: federator | ||
| chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} | ||
| release: {{ .Release.Name }} | ||
| heritage: {{ .Release.Service }} | ||
| data: | ||
| # TODO: add validation and fail early during templating: either contents should be provided; or explicitly system trust store enabled | ||
| {{- if .Values.remoteCAContents }} | ||
| remote-ca.pem: {{ .Values.remoteCAContents | b64enc | quote }} | ||
| {{- end }} |
jschaul
commented
Jul 26, 2021
Member
Author
jschaul
left a comment
jschaul
left a comment
There was a problem hiding this comment.
Generally looks good now, though there seem some CI failures still? We'll need to tweak the federation environments when this is merged; and see whether useSystemCAStore will work (I think it won't, since currently the grpc-ingress doesn't have let's encrypt properly configured)
| requests: {} | ||
| imagePullPolicy: Always | ||
| config: | ||
| optSettings: |
Member
Author
There was a problem hiding this comment.
for CI, shouldn't this set useSystemCAStore to false?
Contributor
There was a problem hiding this comment.
Yes, I think you're right. Also, should the default assignment useSystemCAStore: true reside in values.yaml or in the template?
| 1. `remoteCAStore`: Maybe Filepath. This config option can be used to specify | ||
| multiple certificates from either a single file (multiple PEM formatted | ||
| certificates concatenated) or directory (one certificate per file, file names | ||
| are hashes from certificate). |
Member
Author
There was a problem hiding this comment.
It would be good to provide an example yaml documentation block with the exact syntax and spelling. And ti would be good to list the default.
Contributor
There was a problem hiding this comment.
I've added some examples in the followup PR #1682 (commit 011e83a2fa55e10554a825b70e2f9325487b57c2), since that also contains new options.
| {{- if $.Values.remoteCAContents }} | ||
| remoteCAStore: "/etc/wire/federator/ca/remote-ca.pem" | ||
| {{- end }} | ||
| federationStrategy: |
Member
Author
There was a problem hiding this comment.
Note: Remember to update the values in the federation anta/bella/chala environments when this PR gets merged.
Contributor
There was a problem hiding this comment.
This part should be fine in anta/bella/chala, as by default we use the system CA, and those certificates are supposed to be Let's Encrypt. However, it seems the Let's Encrypt certificates are not actually being used, so I guess there is a problem somewhere in the ingress configuration.
The script to be used to generate certificates for end2end tests is selfsigned-kubernetes.sh.
pcapriotti
approved these changes
Jul 27, 2021
pcapriotti
added a commit
that referenced
this pull request
Jul 28, 2021
pcapriotti
added a commit
that referenced
this pull request
Aug 4, 2021
It is currently not so easy to distinguish this particular error from a generic TLS error (see #1662 for more context). Since `InvalidCertificate` is never thrown, this PR simply removes it. Note that this is a breaking change in the federation protobuf.
pcapriotti
added a commit
that referenced
this pull request
Sep 9, 2021
It is currently not so easy to distinguish this particular error from a generic TLS error (see #1662 for more context). Since `InvalidCertificate` is never thrown, this PR simply removes it. Note that this is a breaking change in the federation protobuf.
pcapriotti
added a commit
that referenced
this pull request
Sep 9, 2021
* Document federation errors Co-authored-by: Marko Dimjašević <[email protected]> * Remove `InvalidCertificate` federation error It is currently not so easy to distinguish this particular error from a generic TLS error (see #1662 for more context). Since `InvalidCertificate` is never thrown, this PR simply removes it. Note that this is a breaking change in the federation protobuf. * Remove labels from protobuf errors * Improve federation error descriptions Also suggest client behaviour in some cases. Co-authored-by: Marko Dimjašević <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR sets a reasonably secure TLS configuration for the GRPC client that federator uses to connect to other federators (or rather, nginx ingresses, assuming a wire-server instance on the other side).
Summary of changes
docs/reference/config-options.md)Remaining questions
Checklist
make git-add-cassandra-schemato update the cassandra schema documentation.