Don't store generated one-shot client certificates #18587

Closed
kroepke opened this issue Mar 12, 2024 · 1 comment · Fixed by #19180

kroepke commented Mar 12, 2024

As discussed in #18522 (comment), we currently store generated client certificates in a secure location on the local file system with other CA/PKI-related files.

As that is node-local, that file is not necessarily available for requests to be read in a cluster.
In this case, we only intend for a user to download this certificate with third-party clients, e.g., curl, dashboards like Grafana, or other custom applications requiring direct OpenSearch access.
Arguably, we don't need to store this particular certificate at all.

todvora commented Apr 30, 2024

The actual file was needed just for the certificate signing process. We were able to replace it with an in-memory implementation that doesn't store anything in the FS while keeping the very same functionality.
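
An added illustration of the approach described in the last comment, not code from this thread or from the project: the client key and certificate are generated, signed and PEM-encoded entirely in memory with the Go standard library, so the issuing node has nothing to store or clean up. The names `mint` and `issueClientCert`, the subjects `example-ca` and `grafana-reader`, and the throwaway self-signed CA are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// mint (hypothetical helper) makes a key and DER certificate in memory, signed by ca.
func mint(cn string, ttl time.Duration, ca *x509.Certificate, caKey ed25519.PrivateKey) ([]byte, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, SerialNumber: new(big.Int).SetBytes(pub[:16]), // serial: 16 bytes of the fresh public key
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca == nil { // no issuer: self-signed root, constructed only so the example has a CA
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		ca, caKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, pub, caKey)
	return der, key, err
}

// issueClientCert returns certificate and key as PEM for the download; no file is written.
func issueClientCert(ca *x509.Certificate, caKey ed25519.PrivateKey, cn string, ttl time.Duration) ([]byte, []byte, error) {
	if ca == nil || !ca.IsCA {
		return nil, nil, fmt.Errorf("issuer must be a CA certificate")
	}
	der, key, err := mint(cn, ttl, ca, caKey)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), err
}

func main() {
	caDER, caKey, _ := mint("example-ca", time.Hour, nil, nil)
	ca, _ := x509.ParseCertificate(caDER)
	certPEM, _, err := issueClientCert(ca, caKey, "grafana-reader", time.Hour)
	fmt.Printf("%s(err=%v)\n", certPEM, err)
}
```

Because the private key is never persisted, a lost download cannot be recovered and the client simply requests a new certificate; the short `ttl` bounds how long any issued key stays usable.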
