Object store user create/update reconcile failed due to invalid certificate #8993
Comments
The healthchecker uses insecure TLS because the execution is really contained: we know it's our own internal check, so there is no real security implication. Using insecure TLS is not recommended as it can lead to man-in-the-middle types of attacks. I doubt we want to go as far as using insecure TLS for the object store create/update by default. We could have another key in the secret's data to pass HTTP client options, like using insecure TLS. @thotz thoughts?
That works for
Proposal here #9020
Thanks for explaining. How about passing two certs to the secret; is it possible to work around it that way for the time being?
I'm struggling with the usability of the workaround implemented in #9020. I use cert-manager Certificate resources to issue RGW SSL certs. How can I make a Certificate resource that generates a TLS secret containing the
Currently I'm struggling with the following error that is preventing OBCs from working.
@logan2211: If you are using the k8s secret type TLS for storing RGW certs, then this flag cannot be added. But if you are using a normal k8s Opaque-type secret, then you can add this value in the data field of the secret.
How can I configure radosgw to serve using a cert-manager-issued certificate while still allowing Rook to reconcile?
Yes it does, but AFAICT it's impossible to instruct cert-manager to inject the extra key into the secret.
To elaborate: if you want, say, Let's Encrypt-verified certificates, you'll need another process that post-processes the generated secret every time the certificate is updated. In general, I'd argue that using a certificate signed by a public CA is, or ought to be, common. In that case it's impossible to get a signed certificate for the service name.
If I understand correctly the
Of course that works, but it has to be done every time the certificate gets rotated, which is quite often with ACME-issued certificates (Let's Encrypt).
Oh, I see, now I understand your issue completely. @travisn @BlaineEXE currently we have an option to skip the SSL check if the k8s secret is an Opaque type. It won't work if the k8s secret type is TLS. Do we move this option to objectstoreSpec?
What's the proposal? We need an option for the k8s secret type to be TLS? Please open a new issue with the issue summarized and the potential proposal.
Another option is to use the insecure port for in-cluster communication.
It works if both ports are opened; otherwise we end up in the same situation.
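To make the trade-off in this thread concrete (the maintainers' reluctance to default to insecure TLS for the object store client, and the point that a publicly issued certificate will never carry the in-cluster Service name), here is an added Go example. It is not Rook code and not part of the original discussion. It constructs a certificate valid only for a hypothetical public name `s3.example.com`, serves it from a local TLS server, and compares three client configurations: verifying against a hypothetical Service name `rook-ceph-rgw-my-store.rook-ceph.svc`, which reproduces the "certificate is not valid for" failure; `InsecureSkipVerify`, which connects but authenticates nothing; and keeping the in-cluster address while setting `tls.Config.ServerName` to the public name the certificate was issued for, which connects with chain and hostname verification still on. All names, the certificate and the server are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Constructed names for the demonstration. The certificate is issued for
// publicName only, as an ACME/Let's Encrypt certificate would be. clusterName is
// a hypothetical in-cluster Service hostname that no public CA will put on a cert.
const (
	publicName  = "s3.example.com"
	clusterName = "rook-ceph-rgw-my-store.rook-ceph.svc"
)

// Outcome records what happened for one client configuration.
type Outcome struct {
	Connected        bool // TLS handshake and HTTP request succeeded
	HostnameMismatch bool // the failure was a SAN/hostname mismatch, not another error
}

// newRGWServer starts a TLS server whose self-signed certificate carries only
// publicName, standing in for an RGW behind a cert-manager issued certificate.
// The returned pool holds that certificate and plays the role of the CA bundle
// the client is configured to trust.
func newRGWServer() (*httptest.Server, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: publicName},
		DNSNames:              []string{publicName}, // clusterName is deliberately absent
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}}}
	srv.StartTLS()
	return srv, pool, nil
}

// probe issues one HTTPS GET to url with the given client TLS settings.
func probe(url string, cfg *tls.Config) Outcome {
	client := &http.Client{
		Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true},
		Timeout:   5 * time.Second,
	}
	resp, err := client.Get(url)
	if err != nil {
		var he x509.HostnameError
		return Outcome{Connected: false, HostnameMismatch: errors.As(err, &he)}
	}
	resp.Body.Close()
	return Outcome{Connected: true}
}

// runScenarios compares the three ways a controller could talk to the endpoint.
func runScenarios() (map[string]Outcome, error) {
	srv, pool, err := newRGWServer()
	if err != nil {
		return nil, err
	}
	defer srv.Close()
	return map[string]Outcome{
		// 1. Verify the chain and check the in-cluster name: fails, the cert has
		//    no SAN for the Service name. This is the reconcile failure mode.
		"verify-cluster-name": probe(srv.URL, &tls.Config{RootCAs: pool, ServerName: clusterName}),
		// 2. Skip verification: connects, but any endpoint in the middle would be
		//    accepted too. This is what an "insecure TLS" option amounts to.
		"insecure-skip-verify": probe(srv.URL, &tls.Config{InsecureSkipVerify: true}),
		// 3. Keep dialling the in-cluster address but verify the certificate under
		//    the public name it was issued for: connects, chain still checked.
		"verify-public-name": probe(srv.URL, &tls.Config{RootCAs: pool, ServerName: publicName}),
	}, nil
}

func main() {
	res, err := runScenarios()
	if err != nil {
		panic(err)
	}
	for name, o := range res {
		fmt.Printf("%-22s connected=%-5t hostnameMismatch=%t\n", name, o.Connected, o.HostnameMismatch)
	}
}
```

The third configuration is the one a practitioner would want when the controller already knows the public hostname: chain verification against the trusted CA bundle stays on and only the name the peer is checked against changes, so a rotated ACME certificate keeps working without anyone editing the secret. Whether and how Rook exposes such a setting is for the project to decide; the example only shows what the Go TLS client supports.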
Hi, I'm having a similar issue: when trying to create a bucket it fails with an error saying the certificate is not valid for
Same issue here, the 2 problems: a) bucket provisioning
@logan2211 I was able to work around this with a Cert Manager certificate that is signed by a publicly trusted CA using the
in the YAML manifest for your Cert Manager
EDIT: Never mind, I still have the same issue after the cluster deploys. The cluster was able to deploy and reconcile, but now I can't provision any new buckets.
Deviation from expected behavior:
Using an invalid certificate for the S3 RGW leads to the object store user create/update reconcile failing.
Since #8712 the bucket health check does not check the certificate, but the check is still done for the user reconcile.
I'm wondering whether there is a security concern that led to setting insecure to false in rgw.go: https://github.com/rook/rook/pull/8712/files#diff-00d4604932102df57560a4811e89064acd51ec541a5ef439b3f14cbf0a54d791R364 or whether it is fine to just set it to true.
Environment:
rook version (inside of a Rook Pod): 1.7.5