Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rgw: use insecure TLS for bucket health check #8712

Merged
merged 1 commit into from Sep 28, 2021
Merged

rgw: use insecure TLS for bucket health check #8712

merged 1 commit into from Sep 28, 2021

Conversation

leseb
Copy link
Member

@leseb leseb commented Sep 14, 2021

Description of your changes:

We have seen cases where the signed certificate used for the RGW does not
contain the internal DNS endpoint, resulting in the health check to fail
since the certificate is not valid for this domain.
People consuming the gateways by external clients and for specific
domains do not necessarily have the internal DNS configured in the
certificate.
So let's be a bit more flexible and simply ensure a connectivity check
and bypass the certificate validation.

Closes: #8663
Signed-off-by: Sébastien Han seb@redhat.com

Which issue is resolved by this Pull Request:
Resolves #

Checklist:

  • Commit Message Formatting: Commit titles and messages follow guidelines in the developer guide.
  • Skip Tests for Docs: Add the flag for skipping the build if this is only a documentation change. See here for the flag.
  • Skip Unrelated Tests: Add a flag to run tests for a specific storage provider. See test options.
  • Reviewed the developer guide on Submitting a Pull Request
  • Documentation has been updated, if necessary.
  • Unit tests have been added, if necessary.
  • Integration tests have been added, if necessary.
  • Pending release notes updated with breaking and/or notable changes, if necessary.
  • Upgrade from previous release is tested and upgrade user guide is updated, if necessary.
  • Code generation (make codegen) has been run to update object specifications, if necessary.

@leseb leseb added the ceph-rgw label Sep 14, 2021
@leseb leseb mentioned this pull request Sep 14, 2021
Closed
@BlaineEXE
Copy link
Member

I think this change makes sense in the context, and I think it makes sense that we should be able to verify the health in cases where the cert understandably doesn't have the endpoint we need for the health check.

I don't know how to evaluate this change in terms of possible security concerns, however. Perhaps @yuvalif might have more ability to comment on that aspect.

BlaineEXE
BlaineEXE requested changes Sep 14, 2021
View reviewed changes
Copy link
Member

@BlaineEXE BlaineEXE left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am going to request changes for now. I messaged Yuval to see if he would mind checking out the security concerns of this change. If the security aspect sounds okay to him, I think we can merge this.

ashangit pushed a commit to ashangit/rook that referenced this pull request Sep 22, 2021
CRITEO - rgw: use insecure TLS
948e9b3 
Backport rook#8712
And also apply the patch on user creation
ashangit pushed a commit to ashangit/rook that referenced this pull request Sep 22, 2021
CRITEO - rgw: use insecure TLS
5cfa58d 
Backport rook#8712
And also apply the patch on user creation
@ashangit ashangit mentioned this pull request Sep 22, 2021
Merged
ashangit pushed a commit to criteo-forks/rook that referenced this pull request Sep 22, 2021
@ashangit
CRITEO - rgw: use insecure TLS
6b34f7b 
Backport rook#8712
And also apply the patch on user creation
@BlaineEXE
Copy link
Member

I wonder if we could modify the TLS integration test to catch this case. It seems like maybe we could just remove the RGW service from the certificate.

thotz
thotz approved these changes Sep 27, 2021
View reviewed changes
Copy link
Contributor

@thotz thotz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@leseb leseb force-pushed the fix-8663 branch 2 times, most recently from 0188dc1 to 33d5d28 Compare September 27, 2021 14:04
@leseb leseb requested a review from thotz September 27, 2021 14:04
@leseb
Copy link
Member Author

leseb commented Sep 27, 2021

@BlaineEXE @thotz I've fixed the TLS behavior for insecure and added unit tests. PTAL.

@leseb leseb force-pushed the fix-8663 branch 2 times, most recently from 88c9080 to 8e6fb5c Compare September 27, 2021 14:17
travisn
travisn requested changes Sep 27, 2021
View reviewed changes
Copy link
Member

@travisn travisn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The TestCephObjectSuite/TestWithBrokenTLS/verify_object_store_status test is failing consistently

@mergify
Copy link

mergify bot commented Sep 28, 2021

This pull request has merge conflicts that must be resolved before it can be merged. @leseb please rebase it. https://rook.io/docs/rook/latest/development-flow.html#updating-your-fork

@leseb leseb force-pushed the fix-8663 branch 5 times, most recently from 5b5e5e7 to abb7b14 Compare September 28, 2021 12:14
@leseb
rgw: use insecure TLS for bucket health check
cda5dad 
We have seen cases where the signed certificate used for the RGW does not
contain the internal DNS endpoint, resulting in the health check to fail
since the certificate is not valid for this domain.
People consuming the gateways by external clients and for specific
domains do not necessarily have the internal DNS configured in the
certificate.
So let's be a bit more flexible and simply ensure a connectivity check
and bypass the certificate validation.

Also, this is fixing the tls code in newS3Agent and adds unit tests.

Closes: rook#8663
Signed-off-by: Sébastien Han <seb@redhat.com>
@travisn travisn merged commit 2bedb53 into rook:master Sep 28, 2021
@mergify mergify bot mentioned this pull request Sep 28, 2021
Merged
@leseb leseb deleted the fix-8663 branch September 28, 2021 13:55
leseb added a commit that referenced this pull request Sep 29, 2021
@leseb
Merge pull request #8855 from rook/mergify/bp/release-1.7/pr-8712
89990f7 
rgw: use insecure TLS for bucket health check (backport #8712)
ashangit pushed a commit to ashangit/rook that referenced this pull request Oct 18, 2021
Authorize unsecure connection for s3 user reconcile
f7b0873 
 rgw: use insecure TLS for bucket health check rook#8712 only solved bucket health check
This was referenced Oct 18, 2021
Merged
Closed
ashangit pushed a commit to criteo-forks/rook that referenced this pull request Oct 18, 2021
@ashangit
Authorize unsecure connection for s3 user reconcile
e83579b 
 rgw: use insecure TLS for bucket health check rook#8712 only solved bucket health check
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thotz thotz thotz approved these changes

@travisn travisn travisn approved these changes

@BlaineEXE BlaineEXE Awaiting requested review from BlaineEXE

Assignees
No one assigned
Labels
ceph-rgw
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

RGW bucket health check fails with SSL hostname error
4 participants
@leseb @BlaineEXE @travisn @thotz