
rgw: read tls secret hint for insecure tls #9020

Merged: leseb merged 2 commits into rook:master from fix-8993 on Oct 28, 2021

Conversation

leseb (Member) commented Oct 21, 2021

Description of your changes:

If the admin wants to use insecure TLS to validate connections to rgw
internally, the TLS secret can have another entry "insecureSkipVerify"
and set it to "true".

Signed-off-by: Sébastien Han seb@redhat.com

Which issue is resolved by this Pull Request:
Resolves #8993

Checklist:

  • Commit Message Formatting: Commit titles and messages follow guidelines in the developer guide.
  • Skip Tests for Docs: Add the flag for skipping the build if this is only a documentation change. See here for the flag.
  • Skip Unrelated Tests: Add a flag to run tests for a specific storage provider. See test options.
  • Reviewed the developer guide on Submitting a Pull Request
  • Documentation has been updated, if necessary.
  • Unit tests have been added, if necessary.
  • Integration tests have been added, if necessary.
  • Pending release notes updated with breaking and/or notable changes, if necessary.
  • Upgrade from previous release is tested and upgrade user guide is updated, if necessary.
  • Code generation (make codegen) has been run to update object specifications, if necessary.
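As an added worked example (not code from this PR, from Rook, or from its rgw.go), the Go program below shows what honouring such a secret hint looks like on the operator side and why it has to be an explicit opt-in. A Kubernetes TLS secret is modelled as its data map; the optional insecureSkipVerify entry is read and only the value "true" (trimmed, compared case-insensitively, which is this example's reading of the PR's "true") turns certificate validation off, while an absent, empty or misspelled value fails closed. The secure path pins the secret's own tls.crt as the sole trusted root; that choice, the helper names (InsecureSkipVerifyRequested, TLSConfigFromSecret, Probe, MustServerCert, StartFakeRGW), and the self-signed in-memory HTTPS server standing in for RGW are assumptions of this example, not Rook's implementation. Running it probes the fake RGW with a stale pinned certificate under three hint values, so only the "true" case completes the handshake.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

const (
	keyCert     = "tls.crt"            // standard kubernetes.io/tls key
	keyInsecure = "insecureSkipVerify" // optional hint added to the same secret by this PR
)

// InsecureSkipVerifyRequested opts in only for "true" (trimmed, case-insensitive); anything else fails closed.
func InsecureSkipVerifyRequested(data map[string][]byte) bool {
	raw, ok := data[keyInsecure]
	return ok && strings.EqualFold(strings.TrimSpace(string(raw)), "true")
}

// TLSConfigFromSecret builds the client config for the operator's internal probes of RGW. Assumption of
// this example: without the hint, the secret's own tls.crt is pinned as the only trusted root.
func TLSConfigFromSecret(data map[string][]byte) (*tls.Config, error) {
	if InsecureSkipVerifyRequested(data) {
		// Skips chain and hostname checks entirely: an on-path attacker's certificate is accepted.
		return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}, nil
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data[keyCert]) {
		return nil, fmt.Errorf("tls secret has no parseable certificate under %q", keyCert)
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// Probe does one GET with cfg and returns the handshake or HTTP error, nil on success.
func Probe(url string, cfg *tls.Config) error {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// MustServerCert makes a throwaway self-signed Ed25519 certificate valid for ip, returned as a
// tls.Certificate for the server and as the PEM an admin would store under tls.crt (fixture; panics on failure).
func MustServerCert(ip net.IP) (tls.Certificate, []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{ip},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv},
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// StartFakeRGW starts a local HTTPS server standing in for RGW (constructed for this example) with its cert PEM.
func StartFakeRGW() (*httptest.Server, []byte) {
	cert, certPEM := MustServerCert(net.IPv4(127, 0, 0, 1))
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv, certPEM
}

func main() {
	srv, _ := StartFakeRGW()
	defer srv.Close()
	_, stalePEM := MustServerCert(net.IPv4(127, 0, 0, 1)) // a cert RGW no longer presents, e.g. after rotation
	for _, hint := range []string{"", "true", "yes"} { // constructed secrets: only "true" may skip verification
		cfg, err := TLSConfigFromSecret(map[string][]byte{keyCert: stalePEM, keyInsecure: []byte(hint)})
		if err != nil {
			panic(err)
		}
		fmt.Printf("hint=%-6q skipVerify=%-5v probe=%v\n", hint, cfg.InsecureSkipVerify, Probe(srv.URL, cfg))
	}
}
```

The strict comparison is deliberate: a hint that is misspelled or set to "yes" keeps validation on, so a typo can never silently disable it. The opposite failure is the one to watch in review: once InsecureSkipVerify is true, Go's client performs no chain and no hostname check at all, which is why the option belongs in documentation as a last resort rather than as a default.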

leseb (Member Author) commented Oct 21, 2021

If we agree on the proposal I'll add unit tests.

thotz (Contributor) left a comment

How about adding the option to CephObjectStore rather than in the secret of the cert, useInsecureInternal or something, and specifying in the doc that it is only applicable to the Rook operator. The main limitation with the cert is that RGW does support TLS k8s secrets for setting the certs, in which adding this option is difficult, and the same applies for the service serving cert.

leseb (Member Author) commented Oct 25, 2021
I'm actually trying to not use a CR setting since I don't want to advocate for this option. I'd like to keep it hidden but still accommodate some users... But I agree it's arguable. I guess it's fine if this does not work with k8s secrets for cert and service serving cert too since it should not be insecure anyways.
What do you think?

travisn (Member) commented Oct 25, 2021

Seems like it should be a CR setting, and just document that it's not recommended. Otherwise, how will the few users that require it even discover the setting?

leseb (Member Author) commented Oct 25, 2021

I was thinking of adding a comment in our documentation.

travisn (Member) commented Oct 25, 2021

Ok, so anyone reading docs about the secret should at least see the option. It seems reasonable to keep it simple in the secret.

leseb (Member Author) commented Oct 25, 2021

Indeed.

leseb (Member Author) commented Oct 26, 2021

@Mergifyio rebase

mergify bot commented Oct 26, 2021

rebase

✅ Branch has been successfully rebased

thotz (Contributor) commented Oct 26, 2021

@leseb: Okay then, let's add the required documentation holding all the above information.

leseb (Member Author) commented Oct 26, 2021

@travisn @thotz unit tests added PTAL.

Review threads (resolved):
  • design/common/object-bucket.md (3 threads)
  • pkg/operator/ceph/object/rgw.go (2 threads)

Commit:

The clusterInfo has the parent Context so let's use it.

Signed-off-by: Sébastien Han <seb@redhat.com>

Review threads (resolved):
  • pkg/operator/ceph/object/rgw_test.go (3 threads)

Commit:

If the admin wants to use insecure TLS to validate connections to rgw
internally, the TLS secret can have another entry "insecureSkipVerify"
and set it to "true".

Signed-off-by: Sébastien Han <seb@redhat.com>
@leseb leseb merged commit ecd01bb into rook:master Oct 28, 2021
@leseb leseb deleted the fix-8993 branch October 28, 2021 13:15
mergify bot added a commit that referenced this pull request Oct 28, 2021
rgw: read tls secret hint for insecure tls (backport #9020)
Labels: None yet
Projects: None yet
4 participants