feat: TLS support #55
Conversation
rust/operator-binary/src/controller/build/role_group_builder.rs
- The documentation is missing.
- A changelog entry is missing.
- If it should be possible to disable TLS on the HTTP port, then an integration test is required for this case.
| @@ -0,0 +1,55 @@ | |||
| = Security | |||
| :description: Configure TLS encryption, authentication, and Open Policy Agent (OPA) authorization for Kafka with the Stackable Operator. | |||
This is OpenSearch, not Kafka.
| The internal and client communication at the REST API can be encrypted with TLS. This requires the xref:secret-operator:index.adoc[Secret Operator] to be running in the Kubernetes cluster providing certificates. | ||
| The used certificates can be changed in a cluster-wide config. TLS encryption on the REST API may be disabled, while it is always enabled for the internal communication between nodes using the `transport` port. |
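Review bot: the sentence "TLS encryption on the REST API may be disabled" states the option without its consequence; on a plaintext REST port every client request, including whatever credentials it carries, crosses the network unencrypted and the client cannot authenticate the server. Suggest one added sentence, in the same single-sentence-per-line style, that spells this out and says the setting is intended for environments where a TLS-terminating proxy or network boundary already provides that protection, so readers weigh the trade-off before changing it.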
Write a single sentence per line.
see https://docs.stackable.tech/home/stable/contributor/docs/style-guide/#_highlights
Please adapt the whole document.
| <3> The lifetime for autoTls certificates generated by the secret operator. | ||
| Only a lifetime up to the `maxCertificateLifetime` setting in the SecretClass is applied. | ||
| The `tls` secret is deployed from the xref:secret-operator:index.adoc[Secret Operator] and looks like this: |
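Review bot: callout <3> is ambiguous about what happens when the requested lifetime exceeds `maxCertificateLifetime` in the SecretClass; "Only a lifetime up to ... is applied" can be read either as "the value is capped to the class maximum" or as "the request is rejected". State which behaviour applies, and whether the cap is reported anywhere, so an operator who sets a long `requestedSecretLifetime` against a class with a shorter maximum knows what certificate lifetime to expect.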
| The `tls` secret is deployed from the xref:secret-operator:index.adoc[Secret Operator] and looks like this: | |
| The `tls` secret is deployed by the xref:secret-operator:index.adoc[Secret Operator] and looks like this: |
| maxCertificateLifetime: 15d | ||
| ---- | ||
| You can create your own secrets and reference them e.g. in the `spec.clusterConfig.tls.serverSecretClass` or `spec.clusterConfig.tls.internalSecretClass` to use different certificates. |
You cannot just reference the secrets. You have to create a SecretClass which references them and then use the SecretClass in the clusterConfig.
It is important to mention that the operator sets plugins.security.nodes_dn to ["CN=generated certificate for pod"]. That means that the authentication between the nodes is weak. If a user wants to increase the security and use certificates which really identify the OpenSearch nodes, they also must adapt the mentioned setting.
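An added illustration of the point made in this comment (example code, not part of the PR or the operator): a `nodes_dn` allowlist that contains only the generic autoTls subject accepts every pod holding a certificate from the cluster CA, while a per-node allowlist rejects the generic certificate, which is why switching to identifying certificates and adapting `plugins.security.nodes_dn` have to happen together. The matching rule is modelled on the security plugin's documented semantics (a literal DN, or a regular expression when the entry is wrapped in slashes); the node names, organisation and the Kafka DN are constructed for the example.

```python
import re

# Subject DN the Stackable secret-operator writes into the autoTls
# certificates it issues to pods, as quoted in the review comment above.
GENERATED_POD_DN = "CN=generated certificate for pod"


def dn_allowed(subject_dn: str, nodes_dn: list[str]) -> bool:
    """Return True if subject_dn is accepted by the nodes_dn allowlist.

    Modelled on how the OpenSearch security plugin evaluates
    plugins.security.nodes_dn: an entry is compared as a literal DN unless
    it is wrapped in slashes, in which case it is a regular expression that
    must match the whole DN.  This is an illustration of the policy, not the
    plugin's own code.
    """
    for entry in nodes_dn:
        if len(entry) > 2 and entry[0] == entry[-1] == "/":
            if re.fullmatch(entry[1:-1], subject_dn):
                return True
        elif entry == subject_dn:
            return True
    return False


# Policy the operator writes today (see the comment above): every pod that
# holds an autoTls certificate from the same CA presents this DN, so any such
# pod is accepted as a cluster node at the transport port.
OPERATOR_NODES_DN = [GENERATED_POD_DN]

# Hypothetical hardened policy for a deployment that issues per-node
# certificates from its own SecretClass: one literal entry per node, plus a
# regex that admits further nodes of the same role group and nothing else.
# Names and organisation are constructed for this example.
STRICT_NODES_DN = [
    "CN=opensearch-nodes-default-0.opensearch.svc.cluster.local,O=Example",
    "CN=opensearch-nodes-default-1.opensearch.svc.cluster.local,O=Example",
    r"/CN=opensearch-nodes-default-\d+\.opensearch\.svc\.cluster\.local,O=Example/",
]

# Constructed subject DNs of peers connecting to the transport port.
PEERS = {
    # an OpenSearch node still running with an operator-generated certificate
    "opensearch_autotls": GENERATED_POD_DN,
    # an OpenSearch node with a certificate that actually names it
    "opensearch_named": "CN=opensearch-nodes-default-2.opensearch.svc.cluster.local,O=Example",
    # any unrelated pod that also received an autoTls certificate from the CA;
    # its DN is indistinguishable from the OpenSearch node above
    "unrelated_pod": GENERATED_POD_DN,
    # a named certificate for a different service, issued by the same CA
    "unrelated_named": "CN=kafka-broker-default-0.kafka.svc.cluster.local,O=Example",
}


def evaluate(nodes_dn: list[str]) -> dict[str, bool]:
    """Evaluate every constructed peer against one nodes_dn policy."""
    return {name: dn_allowed(dn, nodes_dn) for name, dn in PEERS.items()}


if __name__ == "__main__":
    for label, policy in (("operator default", OPERATOR_NODES_DN), ("strict", STRICT_NODES_DN)):
        print(label, evaluate(policy))
```

With the operator default, `opensearch_autotls` and `unrelated_pod` are both admitted because they present the same DN; with the strict list both are rejected and only the named OpenSearch node passes, so a cluster whose nodes still hold autoTls certificates would stop forming if only `nodes_dn` were tightened.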
| pullPolicy: IfNotPresent | ||
| {% if lookup('env', 'VECTOR_AGGREGATOR') %} | ||
| clusterConfig: | ||
| {% if test_scenario['values']['server-use-tls'] == 'false' %} |
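Review bot: `clusterConfig:` begins directly under `{% if lookup('env', 'VECTOR_AGGREGATOR') %}`, so the whole clusterConfig section, including the nested `server-use-tls` branch, is only rendered when that environment variable is set. The VECTOR_AGGREGATOR block should be closed with its `{% endif %}` before `clusterConfig:` starts, so that the TLS settings are emitted in every scenario and the manifest does not end up with the section duplicated or missing depending on the environment.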
The metrics test does not depend on server-use-tls (and it also should not).
This file seems to be destroyed by automatic merges. There are two config sections and the integration test does not pass.
| apiVersion: kuttl.dev/v1beta1 | ||
| kind: TestAssert | ||
| timeout: 600 | ||
| timeout: 120 |
I also reduce this timeout when testing locally. But when executed on Jenkins, the deployment can take a while and I fear that we introduce test flakiness with this timeout.
| use_ssl = True, | ||
| verify_certs = True, | ||
| use_ssl = http_use_tls, | ||
| verify_certs = http_use_tls, |
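Review bot: `verify_certs = http_use_tls` couples certificate verification to the TLS toggle for no benefit; when `use_ssl` is False there is nothing to verify, and when it is True verification must be on, so the expression never produces a different useful outcome than `verify_certs = True`. Keep the constant so the test cannot later be copied into a setup where verification is silently off while TLS is on.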
verify_certs can stay True.
| verify_certs = http_use_tls, | |
| verify_certs = True, |
| - Add the role group as a node attribute ([#63]). | ||
| - Allow the configuration of TLS for the HTTP and TRANSPORT ports with the operator ([#55]). | ||
| [#63]: https://github.com/stackabletech/opensearch-operator/pull/63 |
| [#63]: https://github.com/stackabletech/opensearch-operator/pull/63 | |
| [#55]: https://github.com/stackabletech/opensearch-operator/pull/55 | |
| [#63]: https://github.com/stackabletech/opensearch-operator/pull/63 |
This file is not referenced in nav.adoc.
Description
Part of #61
Definition of Done Checklist
- `requestedSecretLifetime` was already decided in decision: Make autoTls certificate lifetime configurable issues#673.
- SecretClasses: Decision: TLS Support #69