CB-28061: Reenable HTTPS for saltboot and ensure cert files are present #1097

Open: wants to merge 1 commit into master

Conversation

szabolcs-horvath (Contributor)

Previously, salt-bootstrap wouldn't work with HTTPS enabled on non-gateway instances, since we did not generate, on these instances, the cert files that salt-bootstrap was relying on.

Added logic for always generating the necessary certs (given that saltboot HTTPS is enabled):

  • On gateway instances, we generate them using the same CA cert used to generate the certs for nginx and jumpgate
  • On all other instances, we generate a CA cert and use that to generate the necessary certs

Note: The host values in the generated certs still don't matter, as there is still neither client- nor host-side verification. We only use TLS to have the channel encrypted.

@szabolcs-horvath szabolcs-horvath marked this pull request as ready for review December 9, 2024 12:36
@szabolcs-horvath szabolcs-horvath requested a review from a team as a code owner December 9, 2024 12:36
TheTinkerDad (Contributor)

Please add information about the tests performed. I can see a few test builds only, but without any validation (the SKIP_VALIDATION parameter is set for these!).

Also, are you sure that these changes will be compatible with the following?

  • FreeIPA images
  • 7.2.16, 7.2.17, 7.2.18 - especially on CentOS 7
  • YCloud images
  • Graviton / arm64

If any of these are not required - e.g. you don't plan to support this on CentOS 7 or older runtimes - please use the appropriate "if"s in the code to branch the logic based on the target OS, arch, runtime, image type, etc.
