Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use tls for nginx connection implementation #120

Merged
merged 14 commits into from
Nov 27, 2023

Conversation

ciroque
Copy link
Collaborator

@ciroque ciroque commented Sep 29, 2023

Proposed changes

Implementation of TLS communication between NLK and NGINX Plus hosts.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING document
  • If applicable, I have added tests that prove my fix is effective or that my feature works
  • If applicable, I have checked that any relevant tests pass after adding my changes
  • I have updated any relevant documentation (README.md and CHANGELOG.md)

@ciroque ciroque changed the title Use tls for nginx connection impl Use tls for nginx connection implementation Sep 29, 2023
@ciroque ciroque force-pushed the use-tls-for-nginx-connection-impl branch from d7931e1 to 9f2f8f3 Compare October 23, 2023 19:48
internal/communication/factory.go Dismissed Show resolved Hide resolved
@ciroque ciroque force-pushed the use-tls-for-nginx-connection-impl branch from 9f2f8f3 to 52d65e8 Compare October 23, 2023 21:17
@ciroque ciroque force-pushed the use-tls-for-nginx-connection-impl branch from e1927ca to d8ab736 Compare October 24, 2023 18:40
ciroque

This comment was marked as resolved.

@ciroque ciroque force-pushed the use-tls-for-nginx-connection-impl branch from d8ab736 to 3a037c6 Compare October 24, 2023 19:03
Copy link
Collaborator Author

@ciroque ciroque left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here it is. Large I know. Apologies for that. I have annotated most every file for reference.

internal/communication/factory.go Show resolved Hide resolved
@ciroque ciroque force-pushed the use-tls-for-nginx-connection-impl branch from 3a037c6 to 3b4913b Compare October 24, 2023 19:33
Copy link
Collaborator Author

@ciroque ciroque left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

More color for changed files.

client-secret.yaml Outdated Show resolved Hide resolved
cmd/certificates-test-harness/doc.go Outdated Show resolved Hide resolved
cmd/certificates-test-harness/main.go Outdated Show resolved Hide resolved
cmd/configuration-test-harness/doc.go Outdated Show resolved Hide resolved
cmd/configuration-test-harness/main.go Outdated Show resolved Hide resolved
internal/synchronization/synchronizer.go Outdated Show resolved Hide resolved
server-secret.yaml Outdated Show resolved Hide resolved
.github/workflows/build-and-sign-image.yml Outdated Show resolved Hide resolved
.github/workflows/scorecard.yml Outdated Show resolved Hide resolved
ca-secret.yaml Outdated Show resolved Hide resolved
@ciroque ciroque requested a review from 4141done October 24, 2023 20:38
@ciroque ciroque marked this pull request as ready for review October 24, 2023 20:38
@ciroque ciroque requested a review from chrisakker as a code owner October 24, 2023 20:38
Copy link
Collaborator

@4141done 4141done left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this looks good as far as how the configuration is being provided and the TLS is being set up.

However I have two concerns that I think should be addressed before merging, or, if you deem it acceptable given the early stages of the project, fixed quickly afterwards.

  1. (As we discussed offline) I think if a tls-mode is given in the ConfigMap, the library should fail to start rather than reverting to a no-tls mode of operation. The user clearly intended to enable some TLS mode and with the current operation they could think it succeeded when it did not.

  2. Now that we are handling certificates I think we should be quite careful to make sure that any sensitive values don't wind up in logs or error reports. I saw a few debug statements where that could be the case.

I should also caveat that given the size of this PR I focused mostly on understanding the actual code rather than exhaustively going through all the documentation. I will learn to use the feature once we merge and work with you on any docs tweaks that need to happen.

deployments/rbac/clusterrole.yaml Show resolved Hide resolved
internal/authentication/factory.go Show resolved Hide resolved
.gitignore Show resolved Hide resolved
cmd/nginx-loadbalancer-kubernetes/main.go Show resolved Hide resolved
cmd/tls-config-factory-test-harness/main.go Show resolved Hide resolved
internal/configuration/settings.go Outdated Show resolved Hide resolved
internal/authentication/factory.go Outdated Show resolved Hide resolved
internal/certification/certificates.go Outdated Show resolved Hide resolved
internal/certification/certificates.go Show resolved Hide resolved
internal/configuration/settings.go Show resolved Hide resolved
Copy link
Collaborator

@4141done 4141done left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change along with the follow up issues look good. 👍 🐳 👍

ciroque and others added 10 commits November 27, 2023 14:39
- tweaks
- Add Under Development notice
- prefer References section over inline links to external documentation
- address PR feedback

- correct use of [!WARNING]
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.21.4 to 2.21.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@a09933a...00e563e)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.1 to 3.1.2.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@6e04d22...11086d2)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
- Checkpoint
- DEMO
- DEMO
- Implements Certificates
- Certificates fleshed out and tests underway
- Refactoring of authorization tests required due to changes in the shape of the Certificates module.
- FRT (Fix Red Tests)
- minor cleanup
- Base implementation of Certificate and informer
- authentication factory implemented
- rename, and doc start
- CHECKPOINT: File creation
- Putting a bow on it
- Final corrections and enhancements
- Let the configuration settings determine log level
@ciroque ciroque force-pushed the use-tls-for-nginx-connection-impl branch from 0bdc8e6 to 29148b2 Compare November 27, 2023 22:41
@ciroque ciroque merged commit 4c03217 into main Nov 27, 2023
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants