Add handling in agent cache for server leaf certs #14556
Conversation
freddygv
requested review from
a team and
boxofrad
and removed request for
a team
github-actions
bot
added
theme/certificates
|
Hmm will take a look at these failures on Monday |
There was a problem hiding this comment.
This looks great, nice job! 👏🏻 I really enjoyed getting this review request because it nudged me to read the RFC and learn about this feature.
I've left a bunch of mostly non-blocking comments. The only one I think needs to be addressed is how we're hanging onto stale state stores.
|
Err the TLS configurator side needs more thinking. I've been trying to fix the test failures but there is a legitimate issue here: When an autoTLS cert is present we ALWAYS use it as the outbound cert. However, for WANFed via mesh gateways the secondary DCs can't validate the autoTLS server certificates from servers in the primary because the secondaries don't have the Connect CA roots until federation succeeds. This wasn't an issue before because servers never had an autoTLS cert configured. For server agents we shouldn't use the autoTLS certs for any outbound connections other than peering. But the configurator currently isn't aware of whether it's attached to a server or client agent. Defaulting to using the manually configured certs for outbound connections would work, but it's a breaking change. To be honest I don't know why we default to autoTLS when a manual cert exists. Seems kind of odd. Also the auto_config docs say Thoughts @boxofrad ? |
|
Ah yes, I remember staring at this for a long while when we switched to a per-listener TLS configuration. 😅 I'm not 100%, but maybe @i0rek remembers? why we always prefer the auto-encrypt/config certificate in outgoing connections. If I had to hazard a guess, I'd say it's because if you're using one of those features, only their automatically provisioned client certificates (signed by the Connect CA) are accepted by the server, not certificates created by I think it'd be ok to break backwards compatibility here just for the gRPC port, as long as we leave the server/multiplexed port alone. Only peering makes outgoing connections on that port, and we've told folks using auto-{encrypt,config} not to upgrade to 1.13 yet, so I don't think it'd impact anyone. |
This commit introduces a new ACL token used for internal server management purposes. It has a few key properties: - It has unlimited permissions. - It is persisted through Raft as System Metadata rather than in the ACL tokens table. This is to avoid users seeing or modifying it. - It is re-generated on leadership establishment.
When the TLS-enabled gRPC port receives a request for the expected it must use the auto-tls certificates.
This certificate manager will request a leaf certificate for server agents and then keep them up to date.
- Pulls in CLI test fix from main - Updates psutils to fix TestAgent_Host on M1 Mac
Preivously the TLS configurator would default to presenting auto TLS certificates as client certificates. Server agents should not have this behavior and should instead present the manually configured certs. The autoTLS certs for servers are exclusively used for peering and should not be used as the default for outbound communication.
freddygv
force-pushed
the
NET-818-server-cert-v2
branch
from
c49426a to
1248912
Compare
Description
Adds a new internally generated and locally managed ACL token for servers to use for management actions. This new ACL token has a corresponding ACL identity and unlimited permissions given that it is generated for server agents.
Adds a new server certificate manager for requesting a certificate for servers and updating the TLS configurator as needed.
Testing & Reproduction steps
Links
https://go.hashi.co/csl-204-server-cert
PR Checklist