[v2] Add SSL support to RabbitMQ Scaler #1073
Conversation
Signed-off-by: Anson Au <[email protected]>
zroubalik
changed the title
|
Could you please update docs: kedacore/keda-docs#231 And add an entry to the Changelog please: https://github.com/kedacore/keda/blob/v2/CHANGELOG.md#v200 |
pkg/scalers/rabbitmq_scaler.go
Outdated
| if val, ok := authParams["ca"]; ok { | ||
| meta.ca = val | ||
| } else { | ||
| return nil, fmt.Errorf("no ca given") | ||
| } | ||
| if val, ok := authParams["cert"]; ok { | ||
| meta.cert = val | ||
| } else { | ||
| return nil, fmt.Errorf("no cert given") | ||
| } | ||
| if val, ok := authParams["key"]; ok { | ||
| meta.key = val | ||
| } else { | ||
| return nil, fmt.Errorf("no key given") |
There was a problem hiding this comment.
from the usage below, I'm assuming those are expected to have file paths, not actual certificate values, right? I think you would want to use metadata map instead of the authParams map, as the latter contains values resolved from a TriggerAuthentication CRD if present for a particular trigger.
There was a problem hiding this comment.
also a bit of nitpicking, but perhaps rabbitmq host is using amqps://, but no key/cert/ca provided would be a bit more descriptive error message.
There was a problem hiding this comment.
also a bit of nitpicking, but perhaps
rabbitmq host is using amqps://, but no key/cert/ca providedwould be a bit more descriptive error message.
Done
|
No,not from a file. One has to upload the certificates content to the K8S
secrets. I wonder how a file path works , as scaledObject is living in a
keda namespace. In a enterprise environment, it's not flexible to have file
contains secret stored in a shared namespace.
…On Fri, Sep 4, 2020 at 2:55 AM Ahmed ElSayed ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In pkg/scalers/rabbitmq_scaler.go
<#1073 (comment)>:
> + if val, ok := authParams["ca"]; ok {
+ meta.ca = val
+ } else {
+ return nil, fmt.Errorf("no ca given")
+ }
+ if val, ok := authParams["cert"]; ok {
+ meta.cert = val
+ } else {
+ return nil, fmt.Errorf("no cert given")
+ }
+ if val, ok := authParams["key"]; ok {
+ meta.key = val
+ } else {
+ return nil, fmt.Errorf("no key given")
from the usage below, I'm assuming those are expected to have file paths,
not actual certificate values, right? I think you would want to use
metadata map instead of the authParams map, as the latter contains values
resolved from a TriggerAuthentication CRD if present for a particular
trigger.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#1073 (review)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACC7PP67QF6DXYXNPX22E7DSD7RA7ANCNFSM4QU25HWA>
.
|
Signed-off-by: Anson Au <[email protected]>
Signed-off-by: Anson Au <[email protected]>
Update change log for kedacore#1073 Signed-off-by: Anson Au [email protected]
Added, please review |
all done |
other scaler that use a cert take a In this PR it seems that you're reading the value from so usually you'd have a secret defined in Kubernetes as kind: Secret
apiVersion: v1
metadata:
name: test-secret-name
data:
key.pem: <base64 of key.pem file>Other scalers assume that KEDA users will add something like this on the KEDA pod volumeMounts:
- name: certs
mountPath: "/etc/certs"
readOnly: true
volumes:
- name: certs
secret:
secretName: test-secret-namethis will create a file under metadata:
keyPath: /etc/certs/key.pemHowever, with this PR if the user is using TriggerAuthentication with RabbitMQ, then so doing this in if val, ok := authParams["key"]; ok {
meta.key = val
}then In if ca, err := ioutil.ReadFile(caFile); err == nil {
cfg.RootCAs.AppendCertsFromPEM(ca)
}
if cert, err := tls.LoadX509KeyPair(certFile, keyFile); err == nil {
cfg.Certificates = append(cfg.Certificates, cert)
}which assumes that That's based on just reading the code of the PR but I could be wrong. Have you been able to test this change on your cluster? |
|
Yes, it’s fully tested and working on our cluster.
I understand the concept of mounting k8s secret as volume, but it only
works if you are creating a pod - keda pod as you mentioned.
This is a problem in an enterprise environment or any multi talented
environment-
Imagine on a Kubernetes cluster, we would install one Keda , under one keda
namespace , as a shared service.
Each team has their own namespace where their applications and secrets
belong to.
In this case, it's impossible to have one shared KEDA operator pod,but it
has access to all cert/ca/key files from each application. - They won't
share it to keda namespace.
RabbitMQ Scaler is a scaledobject, which likely will be created by
application in their own namespace.
That's why, it's more realistic that the scalar loads the content of the
cert/ca/key from secrets.
I can add support for loading from file, on top of what we have so far. So
we can support more use cases.
…On Thu, 10 Sep 2020 at 7:38 AM, Ahmed ElSayed ***@***.***> wrote:
No,not from a file. One has to upload the certificates content to the K8S
secrets. I wonder how a file path works , as scaledObject is living in a
keda namespace. In a enterprise environment, it's not flexible to have file
contains secret stored in a shared namespace.
other scaler that use a cert take a certPath parameter in the metadata,
and then KEDA users mount the cert as a file using kubernetes secret file
volume.
In this PR it seems that you're reading the value from authParams.
authParams is constructed here
<https://github.com/kedacore/keda/blob/41e9978b4683d3bbc0e39860308e645f7513e243/pkg/scaling/resolver/scale_resolvers.go#L208-L227>.
However, authParams is a map[string]string.
so usually you'd have a secret defined in Kubernetes as
kind: Secret
apiVersion: v1
metadata:
name: test-secret-name
data:
key.pem: <base64 of key.pem file>
Other scalers assume that KEDA users will add something like this on the
KEDA pod
volumeMounts:
- name: certs
mountPath: "/etc/certs"
readOnly: true
volumes:
- name: certs
secret:
secretName: test-secret-name
this will create a file under /etc/certs/key.pem that contains the key.
Then the metadata of the scaler just contains:
metadata:
keyPath: /etc/certs/key.pem
However, with this PR if the user is using TriggerAuthentication with
RabbitMQ, then authParam will be a map[string]string
so doing this in parseRabbitMQMetadata()
if val, ok := authParams["key"]; ok {
meta.key = val
}
then meta.key will contain an invalid string encoding of the key file
content
In getConnectionAndChannel() however, it's calling
if ca, err := ioutil.ReadFile(caFile); err == nil {
cfg.RootCAs.AppendCertsFromPEM(ca)
}
if cert, err := tls.LoadX509KeyPair(certFile, keyFile); err == nil {
cfg.Certificates = append(cfg.Certificates, cert)
}
which assumes that meta.key and meta.ca are file paths mounted on the
KEDA pod itself as mentioned above for the other scalers.
That's based on just reading the code of the PR but I could be wrong. Have
you been able to test this change on your cluster?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#1073 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACC7PPZ7456BI23EQWP4G2TSFAGYVANCNFSM4QU25HWA>
.
|
|
Hi, Are you happy to accept this PR? Thanks, |
|
@ansonauhk there's a conflict that prevents a merge of this PR. |
| @@ -130,8 +155,27 @@ func parseRabbitMQMetadata(resolvedEnv, metadata, authParams map[string]string) | |||
| return &meta, nil | |||
| } | |||
|
|
|||
| func getConnectionAndChannel(host string) (*amqp.Connection, *amqp.Channel, error) { | |||
| conn, err := amqp.Dial(host) | |||
| func getConnectionAndChannel(host string, caFile string, certFile string, keyFile string) (*amqp.Connection, *amqp.Channel, error) { | |||
There was a problem hiding this comment.
With the recent change, we have added tls_config.go in pkg/util. That is supposed to be one-stop destination to enable tls encryption. Can you please move this to tls_config.go
| cfg.RootCAs.AppendCertsFromPEM(ca) | ||
| } | ||
|
|
||
| if cert, err := tls.LoadX509KeyPair(certFile, keyFile); err == nil { |
There was a problem hiding this comment.
In my opinion, this should not be the required parameter. client cert and the key are only required when client authentication at the server is set to REQUIREANDVERIFY. In other cases, it could be empty.
Until and unless I am missing something completely in regards to rabbitmq tls.
| if cert, err := tls.LoadX509KeyPair(certFile, keyFile); err == nil { | ||
| cfg.Certificates = append(cfg.Certificates, cert) | ||
| } | ||
| conn, err = amqp.DialTLS(host, cfg) |
There was a problem hiding this comment.
This could fail in some cases. So DialTLS has this defined:
if config.TLSClientConfig.ServerName == "" { config.TLSClientConfig.ServerName = uri.Host }
Either specify InsecureSkipVerify or take servername as parameter. @ahmelsayed this is same what I have mentioned in this #1263
|
Hi, is this PR still being worked on? It seems to be stalled for a few months now. We have a need for it and would appreciate any update on whether this is now abandoned or still in progress. |
|
Looks like some open feedback / issues, as well as now some conflicts around the base that would need to be resolved. Thanks a ton for your help @ansonauhk and this looks pretty close to me. Any interest on clearing out the conflicts so we can ship some of this? Let us know if you have any questions or we can help |
|
Sorry for late response. I will take a look at this weekend.
「Jeff Hollan <[email protected]>」在 2021年2月23日週二,下午1:55 寫道:
… Looks like some open feedback / issues, as well as now some conflicts
around the base that would need to be resolved. Thanks a ton for your help
@ansonauhk <https://github.com/ansonauhk> and this looks pretty close to
me. Any interest on clearing out the conflicts so we can ship some of this?
Let us know if you have any questions or we can help
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1073 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACC7PP6MWGVGDEIKYUF5XS3TAM7M5ANCNFSM4QU25HWA>
.
|
|
@ansonauhk, thanks for picking this up. We are in the process of developing and testing Azure AKS scaling based on RabbitMQ queue. Our setup has TLS mandatory (actuallt mTLS), so this is blocking us from proceeding. |
|
@ansonauhk have you had any time to progress this? |
|
@ansonauhk any update on this PR please? |
|
Any updates on this PR? |
|
This PR is stale, I am closing this. If anybody wants to follow up with this feature, please open another PR. |
|
This might have just killed our keda deployment. Surprised that this is not a feature already and that this PR died. |
|
@mcmcghee a PR with this feature is more then welcome :) |
Signed-off-by: Anson Au [email protected]
Provide a description of what has been changed
Checklist
Fixes #967