Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

S3 tls cert #87

Merged
merged 18 commits into from
Oct 2, 2024
Merged

S3 tls cert #87

merged 18 commits into from
Oct 2, 2024

Conversation

PietroPasotti
Copy link
Contributor

Issue

sthe s3 interface may give to the coordinator a "tls-ca-chain" that the worker is expected to use when using the provisioned storage bucket.
At the moment we are not doing anything with it, which means Worker charms can't use storage that is behind tls

Also there is a bad assumption within the coordinator's s3 config, that the "endpoint" we receive via the s3 integration has a scheme prefix. We use that to determine whether insecure=True.
Not only insecure=False will not work given we don't give the worker a tls cert for the storage configuration, but also it turns out the s3 interface doesn't always give us a full url, but could also give us a fqdn (i.e. no scheme).

Solution

add a field to the cluster schema
coordinator puts there the cert if present in s3 databag, worker picks it up and puts it to filesystem
coordinator uses the cert's presence to determine if insecure=true instead of the endpoint scheme.

Context

too much to tell

Testing Instructions

added some unittests
we should try to deploy tempo HA with this lib, configure s3 to use a certificate, relate and see if it works.

@PietroPasotti PietroPasotti requested a review from a team as a code owner September 27, 2024 12:32
@sed-i
Copy link
Contributor

sed-i commented Sep 27, 2024

Need to remember to release and bump coordinators' cos-lib.

mmkay
mmkay approved these changes Oct 1, 2024
View reviewed changes
src/cosl/coordinated_workers/coordinator.py Outdated Show resolved Hide resolved
src/cosl/coordinated_workers/worker.py Show resolved Hide resolved
@PietroPasotti PietroPasotti merged commit e395157 into main Oct 2, 2024
6 of 7 checks passed
@PietroPasotti PietroPasotti deleted the s3-tls-cert branch October 2, 2024 07:02
@Abuelodelanada Abuelodelanada mentioned this pull request Oct 8, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mmkay mmkay mmkay approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@PietroPasotti @sed-i @mmkay