
feat: TLS communication between the operator and the instance manager #4442

Merged
merged 18 commits into from
Jun 7, 2024

Conversation

mnencia
Member

@mnencia mnencia commented May 6, 2024

Closes #4441

@github-actions github-actions bot added backport-requested ◀️ This pull request should be backported to all supported releases release-1.21 release-1.22 release-1.23 labels May 6, 2024
Contributor

github-actions bot commented May 6, 2024

❗ By default, the pull request is configured to backport to all release branches.

  • To stop backporting this pr, remove the label: backport-requested ◀️ or add the label 'do not backport'
  • To stop backporting this pr to a certain release branch, remove the specific branch label: release-x.y

Contributor

github-actions bot commented May 6, 2024

Build Error! No Linked Issue found. Please link an issue or mention it in the body using #<issue_id>


@mnencia
Member Author

mnencia commented May 22, 2024

@mnencia mnencia marked this pull request as ready for review May 22, 2024 15:23
@mnencia mnencia requested a review from a team as a code owner May 22, 2024 15:23
@mnencia
Member Author

mnencia commented May 22, 2024

/ok-to-merge E2E tests are green

@cnpg-bot cnpg-bot added the ok to merge 👌 This PR can be merged label May 22, 2024
pkg/specs/pods.go (outdated, resolved)
Collaborator

@jsilvela jsilvela left a comment


It seems we're always going to try to use HTTPS.
See

podSpec := CreateClusterPodSpec(podName, cluster, envConfig, gracePeriod, true)

I thought this was supposed to be an option, and possibly an opt-in type of thing?

pkg/specs/pods.go (outdated, resolved)
@mnencia
Member Author

mnencia commented May 23, 2024

It seems we're always going to try to use HTTPS.

That's correct. The conditional part is only for supporting Online Upgrades.

docs/src/security.md (outdated, resolved)
@mnencia mnencia removed the do not merge 🙅 This PR cannot be merged (yet) label Jun 5, 2024
@mnencia
Member Author

mnencia commented Jun 5, 2024

In today's team meeting, we agreed not to backport this feature. It will be part of 1.24

@mnencia
Member Author

mnencia commented Jun 5, 2024

/test tl=4 d=push

Contributor

github-actions bot commented Jun 5, 2024

@mnencia, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/9386233356

@mnencia
Member Author

mnencia commented Jun 5, 2024

Running another round of tests after the rebase with conflicts

mnencia and others added 18 commits June 6, 2024 17:57
Closes #4441

Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
@mnencia mnencia added the do not backport This PR must not be backported - it will be in the next minor release label Jun 7, 2024
@mnencia mnencia merged commit d7bed97 into main Jun 7, 2024
31 checks passed
@mnencia mnencia deleted the dev/4441 branch June 7, 2024 09:18
dougkirkley pushed a commit to dougkirkley/cloudnative-pg that referenced this pull request Jun 11, 2024
…oudnative-pg#4442)

This patch enhances security by enabling TLS communication between the
operator and the instance manager. Key changes include:

- Supporting TLS on the instance status port
- Ensuring a graceful upgrade without losing communication with non-upgraded pods
- Waiting to update the protocol until the instance pod is recreated for other reasons when online upgrades are enabled

Closes cloudnative-pg#4441

Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Signed-off-by: Jaime Silvela <jaime.silvela@enterprisedb.com>
Co-authored-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Co-authored-by: Jaime Silvela <jaime.silvela@enterprisedb.com>
Signed-off-by: Douglass Kirkley <dkirkley@eitccorp.com>
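An added Go sketch (not the project's own code) of the two pieces the commit message describes: per-pod scheme selection, so that pods not yet recreated keep plaintext while recreated pods are only ever contacted over TLS, and a status client that verifies the instance manager's certificate against the cluster CA. Pod, StatusPort, StatusURL and NewStatusClient are assumed names; the operator's real types and port bookkeeping differ.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"time"
)

// Pod is a constructed stand-in; assumption: TLSReady is set only once the
// pod was (re)created from a TLS-enabled spec, never by probing the port.
type Pod struct {
	Name     string
	IP       string
	TLSReady bool
}

const StatusPort = 8000 // constructed value for the instance status port

// StatusURL picks the scheme per pod: recreated pods are queried over https,
// not-yet-upgraded pods keep http until they are recreated, so an online
// upgrade never loses contact with them and never downgrades a TLS pod.
func StatusURL(p Pod, path string) string {
	scheme := "http"
	if p.TLSReady {
		scheme = "https"
	}
	return fmt.Sprintf("%s://%s:%d%s", scheme, p.IP, StatusPort, path)
}

// NewStatusClient verifies instance-manager certificates against the cluster
// CA bundle; it deliberately never sets InsecureSkipVerify.
func NewStatusClient(caPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("cluster CA bundle contains no certificates")
	}
	tlsCfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: tlsCfg},
	}, nil
}

func main() {
	fmt.Println(StatusURL(Pod{Name: "db-1", IP: "10.0.0.2"}, "/pg/status"))
	fmt.Println(StatusURL(Pod{Name: "db-2", IP: "10.0.0.3", TLSReady: true}, "/pg/status"))
}
```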
Successfully merging this pull request may close these issues.

[Feature]: The communication between the operator and the instance manager should be encrypted
5 participants