Add TLS options for http server
This is a first attempt at adding TLS options to freno.
I've looked at the way SSL is initialized in Orchestrator here https://github.com/github/orchestrator/blob/master/go/app/http.go#L149-L161 and tried to follow that example but also do a bit of simplification as well.
I've added a second sample config file in conf to enable the tls options for testing so you can invoke freno with: ./freno -http -config conf/freno.conf.ssl.json -verbose
That also requires some self-signed certificates to be generated, which is straightforward with:
openssl req -x509 -nodes -newkey rsa:2048 -keyout server.rsa.key -out server.rsa.crt -days 3650
ln -sf server.rsa.key server.key
ln -sf server.rsa.crt server.crt
There are a few questions I had about this change.
- I didn't include an option to set a certificate authority as part of the configuration -- what's the use case in Orchestrator and do you think it's necessary to include that option here?
- The code in Orchestrator takes some extra manual steps to load, parse and verify some of the certificate files, but I don't see many examples of other TLS configuration setups that take these extra steps. Are they needed here?
Also I think this PR isn't complete until it has additional documentation to explain how to configure the server for SSL operation as well.
/cc @shlomi-noach /cc https://github.com/github/freno/issues/112
Apologies for the late review. This was submitted just as I was taking off for the Holidays and then just got buried below other notifications.
For simplified TLS code, I think gh-ost would be a good example. orchestrator's code is somewhat more complex. The reasoning is its wide usage in the community, with everyone pulling to make it work on their own setup. The vast majority of TLS code in orchestrator was contributed by the community. I did refactor it here and there.
For now, I think we don't need an authority. We meanwhile use unsigned certificates. I do realize we will move to only allow signed certificates in MySQL, so entirely at your discretion whether to do everything now or take a simpler first step.
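On the two questions raised in the description (manual certificate checks, and an optional certificate authority), here is an added Go example that is not code from this PR, freno, orchestrator or gh-ost. The names `buildTLSConfig` and `selfSigned` are hypothetical, the certificates are constructed in memory, and the CA is assumed to be used for verifying client certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// selfSigned returns a throwaway self-signed certificate and key as PEM (constructed sample input).
func selfSigned() (certPEM, keyPEM []byte, err error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), err
}

// buildTLSConfig (hypothetical helper) builds a server config; caPEM may be empty.
func buildTLSConfig(certPEM, keyPEM, caPEM []byte) (*tls.Config, error) {
	// X509KeyPair parses both PEM inputs and rejects a key that does not match the certificate.
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{pair}, MinVersion: tls.VersionTLS12}
	if len(caPEM) > 0 { // assumed use of a CA: require client certificates signed by it
		cfg.ClientCAs, cfg.ClientAuth = x509.NewCertPool(), tls.RequireAndVerifyClientCert
		if !cfg.ClientCAs.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("CA input contains no PEM certificates")
		}
	}
	return cfg, nil
}

func main() {
	cert, key, _ := selfSigned()
	if _, err := buildTLSConfig(cert, key, nil); err != nil {
		panic(err)
	}
}
```

The standard library's key-pair loader already fails on unparsable PEM and on a mismatched key, so a separate manual check of those two conditions adds nothing; the CA branch only takes effect when a CA is supplied.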