piraeusdatastore / piraeus-operator

The Piraeus Operator manages LINSTOR clusters in Kubernetes.
https://piraeus.io/
Apache License 2.0

Feature request: TLS secret injection for remotes #331

Open blampe opened 2 years ago

blampe commented 2 years ago

https://github.com/piraeusdatastore/piraeus-operator/pull/262 greatly simplified secret management within a cluster, but if the cluster needs to ship snapshots to a remote with its own TLS secret there's no easy way to load that into the keystore. The absence of the remote's secret will cause the following when trying to create it:

ERROR:
Description:
    The remote could not be reached with the given parameters and therefore wasn't created.
    Please check for spelling errors and that you have the correct access-key and secret-key.
    For more information on the error, please check the error-report.
Cause:
    Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

A solution might look like (a) expanding the helm chart to accept a list of additional TLS secrets, and (b) injecting those secrets via a generalization of https://github.com/piraeusdatastore/piraeus/pull/97.

WanzenBug commented 2 years ago

Looks like a custom certificate for the remote endpoint is currently not implemented in LINSTOR. There might be a way this can be done by overriding the java cert store in the container, but that is something for upstream to answer: https://github.com/LINBIT/linstor-server/issues

blampe commented 2 years ago

There might be a way this can be done by overriding the java cert store in the container, but that is something for upstream to answer: https://github.com/LINBIT/linstor-server/issues

Indeed, the remote can be reached successfully after adding the certificate to the keystore. So, technically speaking, not an upstream issue, but more around Piraeus' configuration of that keystore.

The entrypoint actually already has everything we need -- a ConfigMap can be mounted as an executable script to /usr/bin/pre-start.sh, and that can import any certs we need. However AFAICT that pre-start.sh hook isn't exposed anywhere. The closest I could find was extraVolumes on the CRD, but that doesn't actually mount anything into the controller's container -- maybe it should?
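The mechanism described in the last comment, a ConfigMap mounted as an executable /usr/bin/pre-start.sh that imports the remote's CA certificate into the JVM trust store, as an added example that is not part of this issue, the Piraeus Operator or LINSTOR. The ConfigMap and Secret names, the mount path /etc/linstor/remote-ca, the controller image, the cacerts location under JAVA_HOME and the default keystore password are all assumptions; the second document is only a hypothetical pod fragment showing which mounts the controller container would need, which is exactly what the comment says the operator does not yet expose.

```yaml
# Added example (not the project's code): a ConfigMap providing the pre-start.sh
# hook that imports a remote's CA certificate into the JVM trust store before
# LINSTOR starts. All names and paths below are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: linstor-pre-start            # hypothetical name
data:
  pre-start.sh: |
    #!/bin/sh
    # Stop on the first failure so the controller never starts with a trust
    # store that differs from what the operator intended.
    set -eu

    # Directory where the remote's CA certificate(s) are mounted from a Secret
    # (assumed path; one *.crt file per CA, PEM or DER).
    CERT_DIR="${REMOTE_CA_DIR:-/etc/linstor/remote-ca}"

    # Locate the JDK: prefer JAVA_HOME, otherwise resolve it from the java binary
    # (assumption: the image has java on PATH).
    JAVA_HOME="${JAVA_HOME:-$(dirname "$(dirname "$(readlink -f "$(command -v java)")")")}"
    # Default JDK trust store and password (assumed defaults; adjust to the image).
    KEYSTORE="$JAVA_HOME/lib/security/cacerts"
    STOREPASS="${KEYSTORE_PASS:-changeit}"

    for cert in "$CERT_DIR"/*.crt; do
      # With no matches the glob stays literal; skip it.
      [ -f "$cert" ] || continue
      alias="remote-$(basename "$cert" .crt)"

      # Skip aliases already present so container restarts stay idempotent
      # (keytool -list exits non-zero when the alias does not exist).
      if keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" \
           -alias "$alias" >/dev/null 2>&1; then
        echo "pre-start: alias $alias already trusted, skipping"
        continue
      fi

      # Import the CA as a trusted entry only; certificate validation itself
      # stays enabled, so only this CA's issued endpoints are accepted.
      keytool -importcert -noprompt -trustcacerts \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$alias" -file "$cert"
      echo "pre-start: imported $cert as $alias"
    done
---
# Hypothetical pod fragment: the two mounts the controller container would need.
apiVersion: v1
kind: Pod
metadata:
  name: linstor-controller-example   # hypothetical
spec:
  containers:
    - name: linstor-controller
      image: REPLACE_WITH_CONTROLLER_IMAGE   # placeholder, not a real image
      volumeMounts:
        - name: pre-start
          mountPath: /usr/bin/pre-start.sh   # path the entrypoint looks for
          subPath: pre-start.sh
        - name: remote-ca
          mountPath: /etc/linstor/remote-ca  # assumed path, matches CERT_DIR
          readOnly: true
  volumes:
    - name: pre-start
      configMap:
        name: linstor-pre-start
        defaultMode: 0755                    # the hook must be executable
    - name: remote-ca
      secret:
        secretName: remote-ca                # hypothetical Secret holding *.crt
```

Two points worth checking when adapting this: the certificate itself belongs in a Secret rather than in the ConfigMap with the script, and a subPath mount is not updated when the ConfigMap changes, so a modified hook only takes effect after the pod is recreated. The script also requires the image's cacerts file to be writable by the user the entrypoint runs as; if it is not, the import fails loudly because of set -e rather than silently leaving the remote untrusted.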