Add TLS support for backup-restore server #196
Overall LGTM. Some minor changes. I have yet to test it out.
cmd/server.go
Outdated
// Check for existence of server cert and key files before proceeding | ||
if serverTLSCertFile == "" || serverTLSKeyFile == "" { | ||
return nil, fmt.Errorf("TLS enabled but server TLS cert/key file not provided. Will not start HTTPS server") | ||
} else if _, err := os.Stat(serverTLSCertFile); os.IsNotExist(err) { |
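Review bot: the `os.IsNotExist(err)` branch swallows every other `os.Stat` failure (permission denied, a directory at that path, an I/O error), so startup continues with an unusable `serverTLSCertFile` and only fails later at the first TLS handshake; return `err` whenever it is non-nil. Since existence alone proves little, consider replacing the two `os.Stat` calls with `tls.LoadX509KeyPair(serverTLSCertFile, serverTLSKeyFile)`, which also rejects a corrupt PEM file or a key that does not match the certificate, with the underlying error in the message.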
- Unnecessary `else`.
- Please return `err` for errors other than `os.IsNotExist`.
cmd/server.go
Outdated
return nil, fmt.Errorf("TLS enabled but server TLS cert/key file not provided. Will not start HTTPS server") | ||
} else if _, err := os.Stat(serverTLSCertFile); os.IsNotExist(err) { | ||
return nil, fmt.Errorf("TLS enabled but server TLS cert file is invalid. Will not start HTTPS server") | ||
} else if _, err := os.Stat(serverTLSKeyFile); os.IsNotExist(err) { |
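Review bot: the message "server TLS cert file is invalid" overstates what this branch checks, since `os.Stat` only establishes that the path exists; either word it as "not found" or actually parse the file. In both branches the returned error also discards `err` itself, so the operator cannot see which path or what failure was hit; format it in with `%v` (or `%w`).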
Same as above.
I had tested it out, but the wget request was failing for me with a CA verification issue. @georgekuruvillak, will you please review and test this PR?
pullPolicy: IfNotPresent | ||
# etcd-backup-restore image to use | ||
etcdBackupRestore: | ||
repository: eu.gcr.io/gardener-project/gardener/etcdbrctl | ||
tag: 0.7.0 | ||
repository: eu.gcr.io/gardener-project/gardener/etcdbrctl |
repository: eu.gcr.io/gardener-project/gardener/etcdbrctl | |
repository: eu.gcr.io/gardener-project/gardener/etcdbrctl |
STATUS=`cat status`; | ||
case $STATUS in | ||
"New") | ||
wget "http://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/start?mode=$1{{- if .Values.backup.failBelowRevision }}&failbelowrevision={{ int $.Values.backup.failBelowRevision }}{{- end }}" -S -O - ;; | ||
wget {{ if .Values.backupRestoreTls }}--ca-certificate /var/etcdbr/tls/ca/ca.crt "https{{ else }}"http{{ end }}://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/start?mode=$1{{- if .Values.backup.failBelowRevision }}&failbelowrevision={{ int $.Values.backup.failBelowRevision }}{{- end }}" -S -O - ;; |
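Review bot: with `backupRestoreTls` set this dials `https://localhost:...` and verifies against `/var/etcdbr/tls/ca/ca.crt`, so the server certificate must be issued by that CA and carry `localhost` as a SAN, otherwise wget fails with the CA verification error reported earlier in this thread; the chart should guarantee the CA file is mounted at that path whenever the flag is on, and the certificate-generation docs should state the SAN requirement. The line is also hard to read because the opening double quote sits inside the `{{ if }}`/`{{ else }}` branches; moving the quote outside the template and emitting only the scheme from the branches would render the same command.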
Won't you need to pass the client certificate and key here?
If not authenticating the client, then the client certificate and key needn't be passed.
STATUS=`cat status`; | ||
case $STATUS in | ||
"New") | ||
wget "http://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/start?mode=$1{{- if .Values.backup.failBelowRevision }}&failbelowrevision={{ int $.Values.backup.failBelowRevision }}{{- end }}" -S -O - ;; | ||
wget {{ if .Values.backupRestoreTls }}--ca-certificate /var/etcdbr/tls/ca/ca.crt "https{{ else }}"http{{ end }}://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/start?mode=$1{{- if .Values.backup.failBelowRevision }}&failbelowrevision={{ int $.Values.backup.failBelowRevision }}{{- end }}" -S -O - ;; |
I guess the naming convention requires that you change `backupRestoreTls` to `backupRestoreTLS` to pass linting.
@@ -91,19 +98,19 @@ data: | |||
{{- end }} | |||
|
|||
# List of comma separated URLs to listen on for client traffic. | |||
listen-client-urls: {{ if .Values.tls }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.client }} | |||
listen-client-urls: {{ if .Values.etcdTls }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.client }} |
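Review bot: renaming `.Values.tls` to `.Values.etcdTls` is a silent breaking change for existing values files: one that still sets `tls:` now renders `listen-client-urls` with plain `http://`, because the new key is unset and the template falls through to the `else` branch. Call the rename out in the release note, and if the chart has a values schema or a `fail` guard, reject the old `tls` key explicitly rather than ignoring it.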
`etcdTLS` instead of `etcdTls`. Similar change needed everywhere else too.
Please document the steps to create the certificate, csr and key using some cert generation tool such as openssl.
@swapnilgm @georgekuruvillak thanks for your reviews. I have addressed your comments and updated the PR accordingly. PTAL.
Thanks for adding documentation. Overall LGTM. Some minor changes suggested. PTAL.
@swapnilgm Thanks for your review. I have addressed the comments. @georgekuruvillak PTAL. Thanks.
LGTM
Well written PR.
Signed-off-by: Shreyas Rao <[email protected]>
Signed-off-by: Shreyas Rao [email protected]
What this PR does / why we need it:
This PR introduces TLS support for the etcd-backup-restore server. TLS can be enabled by passing the paths to both TLS cert and key PEM-format files via the `--server-cert` and `--server-key` flags. This PR also introduces the security headers `HTTP-Strict-Transport-Security` and `Content-Security-Policy` for the HTTP responses when TLS is enabled.
Which issue(s) this PR fixes:
Fixes #189 #187
Special notes for your reviewer:
Renamed the `tls` section to `etcdTLS` in the helm values file, to differentiate between the etcd TLS config and the etcdbr server TLS config. Bootstrap script updated to use apk's wget instead of busybox wget in the case where backup-restore TLS is enabled.
Release note:
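As an added example (not code from this PR or the etcd-backup-restore project), this Go snippet shows how the startup validation discussed in the review and the two response headers named in the description could be implemented: `loadServerTLS`, `securityHeaders`, the header values and the file paths are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
)

// loadServerTLS is a hypothetical helper. Instead of an os.Stat existence check it
// parses both PEM files, confirms the key matches the certificate and checks that
// the certificate is valid for the host name clients dial (the bootstrap script
// here uses "localhost"), so a bad pair fails at startup with the real error.
func loadServerTLS(certFile, keyFile, dialHost string) (*tls.Config, error) {
	if certFile == "" || keyFile == "" {
		return nil, fmt.Errorf("TLS enabled but server TLS cert/key file not provided")
	}
	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		// Propagate every failure: missing file, permissions, bad PEM, key mismatch.
		return nil, fmt.Errorf("loading server TLS cert/key: %w", err)
	}
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return nil, fmt.Errorf("parsing server certificate: %w", err)
	}
	if err := leaf.VerifyHostname(dialHost); err != nil {
		return nil, fmt.Errorf("server certificate not valid for %q: %w", dialHost, err)
	}
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}, nil
}

// securityHeaders sets the two headers named in the PR description, only when TLS
// is enabled (browsers ignore HSTS over plain HTTP). Header values are assumed.
func securityHeaders(next http.Handler, tlsEnabled bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if tlsEnabled {
			w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
			w.Header().Set("Content-Security-Policy", "default-src 'self'")
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Placeholder paths; real flags would supply --server-cert and --server-key.
	if _, err := loadServerTLS("/path/to/server.crt", "/path/to/server.key", "localhost"); err != nil {
		fmt.Println("startup TLS check failed:", err)
	}
}
```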