New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RGW bucket health check fails with SSL hostname error #8663
Comments
@logan2211 : are suggesting using an insecure path for a bucket health check. Please note Buckethealthchecker itself is an s3 client for ceph object store or RGW lying in the Rook codebase.So it is expected to fail IMO it is right to fix the test failure. |
Agreed with @thotz, the healthcheck is really the internal representation of "is the endpoint alive and can I interact with it?". I guess I have a question @logan2211, is this gateway only accessible externally? That's why you "don't care" about the internal check? Thanks! |
Sorry for any confusion.. the rgw is internal to the rook cluster and all resources are managed by rook, but the rgw apis are consumed by external clients via a loadbalancer service. I'm interested Rook's internal representation of whether the RGW instances that it creates and manages are alive and functioning well, and I don't think whether the clients consuming the storage are internal or external has any bearing on the utility of this health check. Mainly the issue with the health check is the configuration is not yet flexible enough to accommodate situations where the RGW SSL cert does not include the internal cluster DNS endpoint (requiring that the health check support a custom URL, insecure flag, or both), or where the RGW might be using a self-signed cert, in which case it would be useful to have an insecure flag. In either of these situations I laid out, the health check reports failures despite a well functioning object store, and currently the only way to fix it is by disabling the check. |
@logan2211 thanks for the clarification, I think it makes sense. I concur that having to accommodate the signed certs with the internal cluster DNS endpoint can be an issue. Is it not feasible on your end? A simple fix would be to use insecure TLS by not validating the certificate when performing the internal check. IMO it's not a security concern, connections are still encrypted and the check is local to the cluster. At least, this connectivity check's goal remains untouched. |
We have seen case where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessary have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Closes: rook#8663 Signed-off-by: Sébastien Han <seb@redhat.com>
We have seen case where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessary have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Closes: rook#8663 Signed-off-by: Sébastien Han <seb@redhat.com>
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Closes: rook#8663 Signed-off-by: Sébastien Han <seb@redhat.com>
I've opened #8712 but would like other maintainers to chime in. @BlaineEXE when you have time PTAL. Thanks! |
Maybe -- I'm not sure if RGW supports SNI so I could provide both certs.
Yes I think the insecure flag would not be a bad idea. An additional option to set the endpoint URI would be an even more useful flag for me since I could have the added benefit of relying on the health check to fail if the cert expires or some other cert-related issue occurs. |
I don't think this is something we are looking at supporting at the moment. |
Hi,
To mitigate the issue we will apply this "workaround patch" on our internal rook operator forks criteo-forks#6 as we are not able to generate appropriate certificate (internal limitation) |
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Closes: rook#8663 Signed-off-by: Sébastien Han <seb@redhat.com>
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Also, this is fixing the tls code in newS3Agent and adds unit tests. Closes: rook#8663 Signed-off-by: Sébastien Han <seb@redhat.com>
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Also, this is fixing the tls code in newS3Agent and adds unit tests. Closes: rook#8663 Signed-off-by: Sébastien Han <seb@redhat.com>
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Also, this is fixing the tls code in newS3Agent and adds unit tests. Closes: rook#8663 Signed-off-by: Sébastien Han <seb@redhat.com>
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Also, this is fixing the tls code in newS3Agent and adds unit tests. Closes: rook#8663 Signed-off-by: Sébastien Han <seb@redhat.com>
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Also, this is fixing the tls code in newS3Agent and adds unit tests. Closes: rook#8663 Signed-off-by: Sébastien Han <seb@redhat.com>
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Also, this is fixing the tls code in newS3Agent and adds unit tests. Closes: rook#8663 Signed-off-by: Sébastien Han <seb@redhat.com>
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Also, this is fixing the tls code in newS3Agent and adds unit tests. Closes: rook#8663 Signed-off-by: Sébastien Han <seb@redhat.com>
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Also, this is fixing the tls code in newS3Agent and adds unit tests. Closes: rook#8663 Signed-off-by: Sébastien Han <seb@redhat.com>
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Also, this is fixing the tls code in newS3Agent and adds unit tests. Closes: rook#8663 Signed-off-by: Sébastien Han <seb@redhat.com>
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Also, this is fixing the tls code in newS3Agent and adds unit tests. Closes: rook#8663 Signed-off-by: Sébastien Han <seb@redhat.com>
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Also, this is fixing the tls code in newS3Agent and adds unit tests. Closes: rook#8663 Signed-off-by: Sébastien Han <seb@redhat.com>
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Also, this is fixing the tls code in newS3Agent and adds unit tests. Closes: #8663 Signed-off-by: Sébastien Han <seb@redhat.com> (cherry picked from commit cda5dad) # Conflicts: # tests/integration/ceph_object_test.go
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Also, this is fixing the tls code in newS3Agent and adds unit tests. Closes: #8663 Manual cherry-pick from 0ff9fd3 Signed-off-by: Sébastien Han <seb@redhat.com>
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Also, this is fixing the tls code in newS3Agent and adds unit tests. Closes: #8663 Signed-off-by: Sébastien Han <seb@redhat.com> (cherry picked from commit cda5dad)
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Also, this is fixing the tls code in newS3Agent and adds unit tests. Closes: #8663 Signed-off-by: Sébastien Han <seb@redhat.com> (cherry picked from commit cda5dad)
We have seen cases where the signed certificate used for the RGW does not contain the internal DNS endpoint, resulting in the health check to fail since the certificate is not valid for this domain. People consuming the gateways by external clients and for specific domains do not necessarily have the internal DNS configured in the certificate. So let's be a bit more flexible and simply ensure a connectivity check and bypass the certificate validation. Also, this is fixing the tls code in newS3Agent and adds unit tests. Closes: rook#8663 Signed-off-by: Sébastien Han <seb@redhat.com> (cherry picked from commit cda5dad)
Is this a bug report or feature request?
Deviation from expected behavior:
Bucket health check fails with:
This seems to be a follow on issue from the other bugs related to this feature that were discussed in #7288. Now that Rook has been fixed to use the correct port for SSL enabled rgw in #7331, it seems like this is the next issue SSL enabled rgw deployments will hit with this check.
Expected behavior:
Bucket test success. It seems like there should be one or two more configuration switches for this feature:
How to reproduce it (minimal and precise):
Create a Rook cluster + SSL enabled object store, make sure the cert does not name the k8s .svc endpoint in its hostnames, and watch the bucket test fail.
Environment:
rook version
inside of a Rook Pod): v1.5.12ceph -v
):ceph version 15.2.11 (e3523634d9c2227df9af89a4eac33d16738c49cb) octopus (stable)
kubectl version
): v1.17The text was updated successfully, but these errors were encountered: