Add insecure property for NutanixDatacenterConfig
#4171
Conversation
|
Hi @thunderboltsid. Thanks for your PR. I'm waiting for a aws member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
eks-distro-bot
added
the
size/M
Codecov Report
@@ Coverage Diff @@
## main #4171 +/- ##
=======================================
Coverage 68.27% 68.28%
=======================================
Files 404 404
Lines 32656 32664 +8
=======================================
+ Hits 22295 22303 +8
Misses 8926 8926
Partials 1435 1435
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
thunderboltsid
force-pushed
the
nutanix-insecure
branch
2 times, most recently
from
e62ca41 to
2bd3ea0
Compare
|
@deepakm-ntnx: changing LGTM is restricted to collaborators In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
just for completeness, noting that this was added thru https://github.com/aws/eks-anywhere/pull/2229/files#diff-f06dc4da7f8574dbb4b599dc7e0fe78fd2c6698991b7659dd23a730d43ba5435R29 but was removed later thru https://github.com/aws/eks-anywhere/pull/3116/files#diff-f06dc4da7f8574dbb4b599dc7e0fe78fd2c6698991b7659dd23a730d43ba5435 due to concerns from EKS-A Team but since this is a supported way in other providers as well, adding it back to be consistent |
This was not raised by EKS-A team as a concern but was removed for following better engineering practices by us. However, following the discussion with our product team, and relaying feedback from @abhinavmpandey08 to support both insecure as well as additional trust bundle, we intend on providing support for skipping TLS verification as outlined in the PR description. |
thunderboltsid
force-pushed
the
nutanix-insecure
branch
2 times, most recently
from
2edac19 to
2caaafb
Compare
|
/assign @abhay-krishna @pokearu |
thunderboltsid
force-pushed
the
nutanix-insecure
branch
from
2caaafb to
900b3ee
Compare
|
/ok-to-test |
| @@ -26,6 +26,14 @@ type NutanixDatacenterConfigSpec struct { | |||
| // AdditionalTrustBundle is the optional PEM-encoded certificate bundle for users that | |||
| // configured their Prism Central with certificates from non-publicly trusted CAs | |||
| AdditionalTrustBundle string `json:"additionalTrustBundle,omitempty"` | |||
|
|
|||
| // Insecure is the optional flag to skip TLS verification. Nutanix Prism Central installation by default ships | |||
There was a problem hiding this comment.
Could we break these comment lines consistently with the other comment lines.
There was a problem hiding this comment.
@chrisdoherty4 updated the comments. thanks
There was a problem hiding this comment.
lgtm with a small comment. Try to limit/have a consistent line length for the reasons outlined in https://github.com/aws/eks-anywhere/blob/main/docs/developer/best-practice.md#line-length.
Insecure is the optional property to skip TLS verification. Nutanix Prism installs by default ship with a self-signed certificate that will fail TLS verification because of two reasons: 1. The certificate is not issued by a public CA 2. The certificate does not have the IP SANs for the Prism Central endpoint To accommodate for the scenario where the user has not changed the default Certificate that ships with Prism Central, we allow the user to skip TLS verification. This is not recommended for production use as skipping TLS verification opens up the user to potential MITM attacks.
deepakm-ntnx
force-pushed
the
nutanix-insecure
branch
from
97ab715 to
5002a55
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavmpandey08 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This reverts commit bba5709.
* Add `insecure` property for NutanixDatacenterConfig Insecure is the optional property to skip TLS verification. Nutanix Prism installs by default ship with a self-signed certificate that will fail TLS verification because of two reasons: 1. The certificate is not issued by a public CA 2. The certificate does not have the IP SANs for the Prism Central endpoint To accommodate for the scenario where the user has not changed the default Certificate that ships with Prism Central, we allow the user to skip TLS verification. This is not recommended for production use as skipping TLS verification opens up the user to potential MITM attacks. * Updated the insecure property description based on review feedback * Add a unit test for validating insecure property * updated comment to fit the standard length Co-authored-by: deepakm-ntnx <deepak.muley@nutanix.com>
To accommodate for the scenario where the user has not replaced the default Certificate that ships with Prism Central, we allow the user to skip TLS verification. Insecure is the optional property to skip TLS verification.
Nutanix Prism Central installation by default ships with a self-signed certificate that will fail TLS verification because of two reasons:
As such, in order for these services to establish a connection with Prism Central, client has three options:
We intend on supporting all three options until Prism Central starts shipping with valid self-signed certificates.
The recommended order from a customer guidance perspective should be:
From an application evaluation perspective, the order will be:
How was this tested?
Created a EKS-A cluster on a Nutanix setup (@vnephologist lab) with self-signed certificates using the insecure flag set to true.