Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add TLS support for backup-restore server #196

Merged
merged 1 commit into from
Oct 22, 2019

Conversation

shreyas-s-rao
Copy link
Collaborator

@shreyas-s-rao shreyas-s-rao commented Sep 3, 2019

Signed-off-by: Shreyas Rao [email protected]

What this PR does / why we need it:
This PR introduces TLS support for the etcd-backup-restore server. TLS can be enabled by passing the paths to both TLS cert and key PEM-format files via --server-cert and --server-key flags. This PR also introduces security headers HTTP-Strict-Transport-Security and Content-Security-Policy for the HTTP responses when TLS is enabled.

Which issue(s) this PR fixes:
Fixes #189 #187

Special notes for your reviewer:
Renamed tls section to etcdTLS in helm values file, to differentiate between etcd tls config and etcdbr server tls config. Bootstrap script updated to use apk's wget instead of busybox wget in the case where backup-restore TLS is enabled.

Release note:

Added TLS support for backup-restore server. TLS can be enabled by passing the paths to both TLS cert and key PEM-format files via `--server-cert` and `--server-key` flags.

@shreyas-s-rao shreyas-s-rao added kind/enhancement Enhancement, improvement, extension area/security Security related needs/review Needs review component/etcd-backup-restore ETCD Backup & Restore platform/all needs/lgtm Needs approval for merging area/backup Backup related needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Sep 3, 2019
@shreyas-s-rao shreyas-s-rao added this to the 0.8.0 milestone Sep 3, 2019
@gardener-robot-ci-1 gardener-robot-ci-1 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Sep 3, 2019
Copy link
Contributor

@swapnilgm swapnilgm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM. Some minor changes. I've test it out yet.

cmd/server.go Outdated
// Check for existence of server cert and key files before proceeding
if serverTLSCertFile == "" || serverTLSKeyFile == "" {
return nil, fmt.Errorf("TLS enabled but server TLS cert/key file not provided. Will not start HTTPS server")
} else if _, err := os.Stat(serverTLSCertFile); os.IsNotExist(err) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Unnecessary else.
  • Please Return err other than os.IsNotExist

cmd/server.go Outdated
return nil, fmt.Errorf("TLS enabled but server TLS cert/key file not provided. Will not start HTTPS server")
} else if _, err := os.Stat(serverTLSCertFile); os.IsNotExist(err) {
return nil, fmt.Errorf("TLS enabled but server TLS cert file is invalid. Will not start HTTPS server")
} else if _, err := os.Stat(serverTLSKeyFile); os.IsNotExist(err) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above.

Copy link
Contributor

@swapnilgm swapnilgm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had tested it out. But wget request was failing for me with ca verification issue. @georgekuruvillak will you please review and test this PR.

pullPolicy: IfNotPresent
# etcd-backup-restore image to use
etcdBackupRestore:
repository: eu.gcr.io/gardener-project/gardener/etcdbrctl
tag: 0.7.0
repository: eu.gcr.io/gardener-project/gardener/etcdbrctl
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
repository: eu.gcr.io/gardener-project/gardener/etcdbrctl
repository: eu.gcr.io/gardener-project/gardener/etcdbrctl

STATUS=`cat status`;
case $STATUS in
"New")
wget "http://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/start?mode=$1{{- if .Values.backup.failBelowRevision }}&failbelowrevision={{ int $.Values.backup.failBelowRevision }}{{- end }}" -S -O - ;;
wget {{ if .Values.backupRestoreTls }}--ca-certificate /var/etcdbr/tls/ca/ca.crt "https{{ else }}"http{{ end }}://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/start?mode=$1{{- if .Values.backup.failBelowRevision }}&failbelowrevision={{ int $.Values.backup.failBelowRevision }}{{- end }}" -S -O - ;;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Won't you require to pass client certificate and key here?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If not authenticating client then client certificate and key neednt be passed.

STATUS=`cat status`;
case $STATUS in
"New")
wget "http://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/start?mode=$1{{- if .Values.backup.failBelowRevision }}&failbelowrevision={{ int $.Values.backup.failBelowRevision }}{{- end }}" -S -O - ;;
wget {{ if .Values.backupRestoreTls }}--ca-certificate /var/etcdbr/tls/ca/ca.crt "https{{ else }}"http{{ end }}://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/start?mode=$1{{- if .Values.backup.failBelowRevision }}&failbelowrevision={{ int $.Values.backup.failBelowRevision }}{{- end }}" -S -O - ;;
Copy link
Contributor

@georgekuruvillak georgekuruvillak Sep 16, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess the naming convention requires that you change backupRestoreTls to backupRestoreTLS to pass linting.

@@ -91,19 +98,19 @@ data:
{{- end }}

# List of comma separated URLs to listen on for client traffic.
listen-client-urls: {{ if .Values.tls }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.client }}
listen-client-urls: {{ if .Values.etcdTls }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.client }}
Copy link
Contributor

@georgekuruvillak georgekuruvillak Sep 16, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

etcdTLS instead of etcdTls. Similar change needed everywhere else too.

Copy link
Contributor

@georgekuruvillak georgekuruvillak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please document the steps to create the certificate, csr and key using some cert generation tool such as openssl.

@gardener-robot-ci-2 gardener-robot-ci-2 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Oct 16, 2019
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Oct 16, 2019
@shreyas-s-rao
Copy link
Collaborator Author

@swapnilgm @georgekuruvillak thanks for your reviews. I have addressed your comments and updated the PR accordingly. PTAL.

@gardener-robot-ci-2 gardener-robot-ci-2 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Oct 16, 2019
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Oct 16, 2019
@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Oct 16, 2019
Copy link
Contributor

@swapnilgm swapnilgm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for adding documentation. Overall LGTM. Some minor changes suggested. PTAL.

cmd/server.go Outdated Show resolved Hide resolved
cmd/server.go Outdated Show resolved Hide resolved
doc/usage/generating_ssl_certificates.md Outdated Show resolved Hide resolved
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Oct 22, 2019
@gardener-robot-ci-1 gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Oct 22, 2019
@shreyas-s-rao
Copy link
Collaborator Author

@swapnilgm Thanks for your review. I have addressed the comments. @georgekuruvillak PTAL. Thanks.

Copy link
Contributor

@swapnilgm swapnilgm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Contributor

@georgekuruvillak georgekuruvillak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well written PR.

@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Oct 22, 2019
@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Oct 22, 2019
@swapnilgm swapnilgm merged commit dd26b65 into gardener:master Oct 22, 2019
@swapnilgm swapnilgm mentioned this pull request Oct 22, 2019
@shreyas-s-rao shreyas-s-rao deleted the add-tls-support branch October 23, 2019 04:38
@swapnilgm swapnilgm mentioned this pull request Dec 20, 2019
@gardener-robot gardener-robot added priority/3 Priority (lower number equals higher priority) and removed priority/3 Priority (lower number equals higher priority) labels Mar 8, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/backup Backup related area/security Security related component/etcd-backup-restore ETCD Backup & Restore kind/enhancement Enhancement, improvement, extension needs/lgtm Needs approval for merging needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) needs/review Needs review platform/all
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Feature] Enable SSL for the http server
7 participants