Story #13446

[keepstore] secure keepstore traffic with TLS

Added by Tom Clegg over 2 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: Keep
Target version:
Start date: 05/09/2018
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Story points: 1.0
Release:
Release relationship: Auto

Description

Background: Clients (including keepproxy) already have TLS support -- otherwise, they wouldn't be able to connect to keepproxy in a typical setup. However, keepstore itself does not have built-in support for TLS, and setting up Nginx alongside each keepstore is a burden.

Load certificate and key from configured location (e.g., /var/lib/acme/live/...) at startup
  • If cert+key cannot be loaded, error out
Reload cert+key if they change on disk, when SIGHUP is received (acmetool or something similar will be refreshing certs)
  • If cert+key cannot be loaded, log a warning and continue using old cert+key

If cert+key locations are not configured, just serve plain http as before.

https://blog.gopheracademy.com/advent-2016/exposing-go-on-the-internet/

The job of obtaining and renewing certificates and copying them to the appropriate locations is left to the operator. The easiest solution is probably to allow traffic on port 80 to keepstore nodes and use acmetool's "redirector" validation strategy. One could also obtain a certificate on a different node using split-horizon DNS or DNS validation, then copy it to the keepstore node.


Subtasks

Task #13462: Review 13446-keepstore-tls - Resolved - Peter Amstutz

Associated revisions

Revision f4aa4dbb
Added by Tom Clegg over 2 years ago

Merge branch '13446-keepstore-tls'

refs #13446

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <>

History

#1 Updated by Tom Morris over 2 years ago

  • Target version set to 2018-05-23 Sprint
  • Story points set to 1.0

#2 Updated by Tom Clegg over 2 years ago

  • Assigned To set to Tom Clegg

#3 Updated by Tom Clegg over 2 years ago

  • Status changed from New to In Progress

#4 Updated by Tom Clegg over 2 years ago

  • Description updated (diff)

13446-keepstore-tls @ b4a283a9f142209b22fabda98ea2573cf0dbe281

New config parameters added:

TLSCertificateFile:

    Path to server certificate file in X509 format. Enables TLS mode.

    Example: /var/lib/acme/live/keep0.example.com/fullchain

TLSKeyFile:

    Path to server key file in X509 format. Enables TLS mode.

    The key pair is read from disk during startup, and whenever SIGHUP
    is received.

    Example: /var/lib/acme/live/keep0.example.com/privkey

#5 Updated by Tom Clegg over 2 years ago

  • Description updated (diff)

#6 Updated by Tom Clegg over 2 years ago

  • Description updated (diff)

#8 Updated by Tom Clegg over 2 years ago

checked with ops about config/docs in note-4 → "sounds reasonable"

#9 Updated by Peter Amstutz over 2 years ago

This business of circulating the current certificate through a buffered channel seems excessively clever compared to a plain old mutex, but it seems to be sound.

LGTM.

#10 Updated by Ward Vandewege over 2 years ago

  • Status changed from In Progress to Resolved

#11 Updated by Tom Morris over 2 years ago

  • Release set to 13
