Project

General

Profile

Actions
Copy link

Idea #13446

closed

[keepstore] secure keepstore traffic with TLS

Added by Tom Clegg over 6 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Tom Clegg
Category:
Keep
Target version:
2018-05-23 Sprint
Start date:
05/09/2018
Due date:
Story points:
1.0
Release:
Arvados 1.2
Release relationship:
Auto

Description

Background: Clients (including keepproxy) already have TLS support -- otherwise, they wouldn't be able to connect to keepproxy in a typical setup. However, keepstore itself does not have built-in support for TLS, and setting up Nginx alongside each keepstore is a burden.

Load certificate and key from configured location (e.g., /var/lib/acme/live/...) at startup
  • If cert+key cannot be loaded, error out
Reload cert+key if they change on disk SIGHUP is received (acmetool or something similar will be refreshing certs)
  • If cert+key cannot be loaded, log a warning and continue using old cert+key

If cert+key locations are not configured, just serve plain http as before.

https://blog.gopheracademy.com/advent-2016/exposing-go-on-the-internet/

The job of obtaining and renewing certificates and copying them to the appropriate locations is left to the operator. The easiest solution is probably to allow traffic on port 80 to keepstore nodes and use acmetool's "redirector" validation strategy. One could also obtain a certificate on a different node using split-horizon DNS or DNS validation, then copy it to the keepstore node.

Subtasks 1 (0 open1 closed)

Task #13462: Review 13446-keepstore-tlsResolvedPeter Amstutz05/09/2018Actions
Actions
Copy link

Also available in: Atom PDF