Automatic cert renewal policy and self-signed CA creation (#20842)
* Automatic cert renewal policy and self-signed CA creation * Datanode CSR rate limited, added IT * selfsigned_startup property name for automatic cert renewal and selfsigned CA configuration * Add warning to the insecure configuration * default for relaxedHTTPSValidation in RestOperationParameters * add changelog * code cleanup * Simplify rate limiting in DataNodeCertRenewalPeriodical --------- Co-authored-by: Matthias Oesterheld <33032967+moesterheld@users.noreply.github.com>
1 parent
60e1ca3
commit 671eacc
Showing
15 changed files
with
353 additions
and
22 deletions.
@@ -0,0 +1,5 @@ | ||
type = "c" | ||
message = "Replace datanode insecure_startup configuration with selfsigned_startup, providing full selfsigned SSL setup" | ||
|
||
issues = ["18911"] | ||
pulls = ["20842"] |
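--- a/full-backend-tests/src/test/java/org/graylog/datanode/DatanodeSelfsignedStartupIT.java
+++ b/full-backend-tests/src/test/java/org/graylog/datanode/DatanodeSelfsignedStartupIT.java
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog.datanode;
+
+import com.github.joschi.jadconfig.util.Duration;
+import com.github.rholder.retry.RetryException;
+import io.restassured.response.ValidatableResponse;
+import org.graylog.testing.completebackend.ContainerizedGraylogBackend;
+import org.graylog.testing.completebackend.Lifecycle;
+import org.graylog.testing.completebackend.apis.GraylogApis;
+import org.graylog.testing.containermatrix.SearchServer;
+import org.graylog.testing.containermatrix.annotations.ContainerMatrixTest;
+import org.graylog.testing.containermatrix.annotations.ContainerMatrixTestsConfiguration;
+import org.graylog.testing.restoperations.DatanodeOpensearchWait;
+import org.graylog.testing.restoperations.RestOperationParameters;
+import org.graylog2.security.IndexerJwtAuthTokenProvider;
+import org.graylog2.security.JwtSecret;
+import org.hamcrest.Matchers;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.util.concurrent.ExecutionException;
+
+@ContainerMatrixTestsConfiguration(serverLifecycle = Lifecycle.CLASS, searchVersions = SearchServer.DATANODE_DEV,
+additionalConfigurationParameters = {
+@ContainerMatrixTestsConfiguration.ConfigurationParameter(key = "GRAYLOG_DATANODE_INSECURE_STARTUP", value = "false"),
+@ContainerMatrixTestsConfiguration.ConfigurationParameter(key = "GRAYLOG_SELFSIGNED_STARTUP", value = "true"),
+@ContainerMatrixTestsConfiguration.ConfigurationParameter(key = "GRAYLOG_ELASTICSEARCH_HOSTS", value = ""),
+})
+public class DatanodeSelfsignedStartupIT {
+
+
+private final Logger log = LoggerFactory.getLogger(DatanodeProvisioningIT.class);
+
+private final GraylogApis apis;
+
+public DatanodeSelfsignedStartupIT(GraylogApis apis) {
+this.apis = apis;
+}
+
+@ContainerMatrixTest
+public void testSelfsignedStartup() throws ExecutionException, RetryException {
+testEncryptedConnectionToOpensearch();
+}
+
+
+private int getOpensearchPort() {
+final String indexerHostAddress = apis.backend().searchServerInstance().getHttpHostAddress();
+return Integer.parseInt(indexerHostAddress.split(":")[1]);
+}
+
+private void testEncryptedConnectionToOpensearch() throws ExecutionException, RetryException {
+try {
+final ValidatableResponse response = new DatanodeOpensearchWait(RestOperationParameters.builder()
+.port(getOpensearchPort())
+.relaxedHTTPSValidation(true)
+.jwtTokenProvider(new IndexerJwtAuthTokenProvider(new JwtSecret(ContainerizedGraylogBackend.PASSWORD_SECRET), Duration.seconds(120), Duration.seconds(60)))
+.build())
+.waitForNodesCount(1);
+
+response.assertThat().body("status", Matchers.equalTo("green"));
+} catch (Exception e) {
+log.error("Could not connect to Opensearch\n" + apis.backend().getSearchLogs());
+throw e;
+}
+}
+}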
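Review bot: `testEncryptedConnectionToOpensearch` builds its client with `.relaxedHTTPSValidation(true)`, so the assertion only proves that a TLS listener answers on the datanode port, not that the chain issued by the new self-signed CA is verifiable; any certificate, including one from a different issuer, would satisfy this test. If the harness can obtain the generated CA certificate, a stronger check would load it into a trust store and call the endpoint with validation enabled, keeping relaxed validation only for the initial readiness wait. Separately, the logger is created for the wrong class, `LoggerFactory.getLogger(DatanodeProvisioningIT.class)` should be `LoggerFactory.getLogger(DatanodeSelfsignedStartupIT.class)`, and the catch block should hand the exception to the logger instead of concatenating, e.g. `log.error("Could not connect to Opensearch\n{}", apis.backend().getSearchLogs(), e);`. The configuration also still sets `GRAYLOG_DATANODE_INSECURE_STARTUP=false` although the changelog in this commit says `insecure_startup` was replaced by `selfsigned_startup`; if that key no longer exists the parameter is dead and should be removed so the test documents the real contract.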
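--- a/graylog2-server/src/main/java/org/graylog2/configuration/IndexerDiscoveryCertProvisioning.java
+++ b/graylog2-server/src/main/java/org/graylog2/configuration/IndexerDiscoveryCertProvisioning.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog2.configuration;
+
+import jakarta.inject.Inject;
+import org.graylog2.bootstrap.preflight.GraylogCertificateProvisioner;
+
+public class IndexerDiscoveryCertProvisioning implements IndexerDiscoveryListener {
+
+private final GraylogCertificateProvisioner graylogCertificateProvisioner;
+
+@Inject
+public IndexerDiscoveryCertProvisioning(GraylogCertificateProvisioner graylogCertificateProvisioner) {
+this.graylogCertificateProvisioner = graylogCertificateProvisioner;
+}
+
+@Override
+public void beforeIndexerDiscovery() {
+
+}
+
+@Override
+public void onDiscoveryRetry() {
+// let's try to provision certificates, maybe there are datanodes waiting for these
+graylogCertificateProvisioner.runProvisioning();
+}
+}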
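Review bot: `onDiscoveryRetry` calls `graylogCertificateProvisioner.runProvisioning()` unguarded, so an exception from provisioning (a transient store or CA error, for instance) would propagate out of the listener into the indexer discovery retry loop; unless the discovery code already catches listener exceptions, which is not visible here, a provisioning hiccup becomes a discovery failure. Catching and logging inside the callback keeps the retry loop alive, and provisioning is re-attempted on the next retry anyway; the sketch below needs the slf4j `Logger`/`LoggerFactory` imports. The class and both overrides also lack Javadoc; a class comment such as `Discovery listener that re-runs certificate provisioning after each failed discovery attempt, so datanodes waiting for a signed certificate can be served before the next lookup.` would make the intent clear, and the empty `beforeIndexerDiscovery` should say it is intentionally a no-op rather than leaving a blank body.
```java
private static final Logger LOG = LoggerFactory.getLogger(IndexerDiscoveryCertProvisioning.class);

// … unchanged: field, constructor and beforeIndexerDiscovery …

@Override
public void onDiscoveryRetry() {
    // let's try to provision certificates, maybe there are datanodes waiting for these
    try {
        graylogCertificateProvisioner.runProvisioning();
    } catch (RuntimeException e) {
        // keep the discovery retry loop alive; provisioning runs again on the next retry
        LOG.warn("Certificate provisioning during indexer discovery retry failed", e);
    }
}
```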
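--- a/graylog2-server/src/main/java/org/graylog2/configuration/IndexerDiscoveryListener.java
+++ b/graylog2-server/src/main/java/org/graylog2/configuration/IndexerDiscoveryListener.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog2.configuration;
+
+public interface IndexerDiscoveryListener {
+/**
+* Triggered before we start with indexer discovery. Won't be triggered if there are any indexers
+* explicitly defined in the configuration.
+*/
+void beforeIndexerDiscovery();
+
+/**
+* Triggered after each unsuccessful retry during indexer discovery
+*/
+void onDiscoveryRetry();
+}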
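Review bot: The Javadoc on `beforeIndexerDiscovery` says the hook is skipped when indexers are explicitly configured, but `onDiscoveryRetry` does not say whether the same applies, nor whether "after each unsuccessful retry" means the callback runs before the next attempt is made; the implementation added in this commit runs certificate provisioning from that hook, so implementors need the calling context. Suggest extending the second Javadoc along the lines of `Triggered after each failed discovery attempt, before the next attempt is made. Like {@link #beforeIndexerDiscovery()}, not invoked when indexers are explicitly configured.`, adjusted to what the discovery code actually does. It would also help to state on the interface whether an exception thrown by a listener aborts discovery or is swallowed, since that decides how defensively implementations must be written.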