Verify TLS certificate on endpoints that are used between agents only #11956
Conversation
LGTM; just some quick thoughts
Looks great! Feel free to ship as-is.
…> server or client -> server communication
My merge to fix conflicts with
PR #11956 implemented a new mTLS RPC check to validate the role of the certificate used in the request, but further testing revealed two flaws:
1. client-only endpoints did not accept server certificates, so the request would fail when forwarded from one server to another.
2. the certificate was being checked after the request was forwarded, so the check would happen over the server certificate, not the actual source.
This commit checks for the desired mTLS level, where the client level accepts both a server and a client certificate. It also validates the certificate before the request is forwarded.
There are different types of endpoints in Nomad, and different types use different mechanisms to validate and authenticate requests.
The most common endpoints are called by end-users via the HTTP API and get translated to an RPC request. They are authenticated using ACL tokens.
Another type of endpoint is used by Raft and is called between servers. This process doesn't have ACL tokens involved, so requests are validated by checking the mTLS certificates, when available.
Finally, there are endpoints that are called by agents directly via RPC, either client -> server or server -> server. These also don't use ACL tokens, so there was no explicit validation. This PR adds a check to these agent-to-agent endpoints similar to Raft's, using the mTLS certificate, if available.
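The role check that the commit message and the PR description describe, as an added Go example (not Nomad's own code): a per-endpoint mTLS level where the client level accepts either a client or a server certificate, so server -> server forwarding still passes, and the check runs on the originating connection before any forwarding happens. The level and role names, the `connInfo` struct and the `handleRPC` shape are assumptions made for this example; the certificate role is derived from the SAN convention `server.<region>.nomad` / `client.<region>.nomad`, which is also assumed here. The certificates are self-signed throwaways constructed inline so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// mTLSLevel is the certificate role an RPC endpoint demands.
// Names are assumptions for this example, not Nomad's identifiers.
type mTLSLevel int

const (
	levelNone   mTLSLevel = iota // no role check (e.g. ACL-token endpoints)
	levelClient                  // client OR server certificate accepted
	levelServer                  // server certificate only
)

type certRole int

const (
	roleUnknown certRole = iota
	roleClient
	roleServer
)

func (r certRole) String() string { return [...]string{"unknown", "client", "server"}[r] }

// connInfo is a stand-in (assumed for this example) for the inbound connection state.
type connInfo struct {
	tlsEnabled bool
	peerCert   *x509.Certificate // nil when the peer presented no certificate
}

// certRoleFor derives the role from the SAN DNS names, assuming the
// "server.<region>.nomad" / "client.<region>.nomad" naming convention.
func certRoleFor(cert *x509.Certificate, region string) certRole {
	for _, name := range cert.DNSNames {
		switch strings.ToLower(name) {
		case "server." + region + ".nomad":
			return roleServer
		case "client." + region + ".nomad":
			return roleClient
		}
	}
	return roleUnknown
}

// checkMTLS enforces the level. The client level must also accept server
// certificates, otherwise a request forwarded server -> server is rejected
// (flaw 1). With TLS disabled there is no certificate, so the check is skipped.
func checkMTLS(level mTLSLevel, conn connInfo, region string) error {
	if level == levelNone || !conn.tlsEnabled {
		return nil
	}
	if conn.peerCert == nil {
		return errors.New("mTLS check: peer presented no certificate")
	}
	role := certRoleFor(conn.peerCert, region)
	if level == levelServer && role != roleServer {
		return fmt.Errorf("mTLS check: need server certificate, got %s", role)
	}
	if level == levelClient && role != roleClient && role != roleServer {
		return fmt.Errorf("mTLS check: need client or server certificate, got %s", role)
	}
	return nil
}

// handleRPC checks the ORIGINAL caller's connection before forwarding.
// Checking after forward() would inspect the forwarding server's
// certificate rather than the real source (flaw 2).
func handleRPC(level mTLSLevel, conn connInfo, region string, isLeader bool, forward func() error) (string, error) {
	if err := checkMTLS(level, conn, region); err != nil {
		return "", err
	}
	if !isLeader {
		if err := forward(); err != nil {
			return "", err
		}
		return "forwarded", nil
	}
	return "handled", nil
}

// selfSignedCert builds a throwaway certificate with one SAN so the example
// runs offline; real agents use CA-issued certificates.
func selfSignedCert(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	server, _ := selfSignedCert("server.global.nomad")
	conn := connInfo{tlsEnabled: true, peerCert: server}
	fmt.Println("server cert on client-level endpoint:", checkMTLS(levelClient, conn, "global"))
	fmt.Println("server cert on server-level endpoint:", checkMTLS(levelServer, conn, "global"))
}
```

The ordering in `handleRPC` is the part worth copying: once a non-leader server forwards, the leader's inbound connection carries the forwarding server's certificate, so any role check placed after forwarding only ever sees a server certificate and can neither reject an unknown caller nor tell a client from a server.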