Skip to content

release-21.2: server: add basic TLS support to tenant HTTP server #70056

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 13, 2021
Merged

release-21.2: server: add basic TLS support to tenant HTTP server #70056

merged 1 commit into from
Sep 13, 2021

Conversation

blathers-crl[bot]
Copy link

@blathers-crl blathers-crl bot commented Sep 10, 2021
edited by dhartunian
Loading

Backport 1/1 commits from #69723 on behalf of @dhartunian.

/cc @cockroachdb/release

Previously, the tenant HTTP server only served non-TLS connections by
default. This change will use the TLS config when it's present and serve
the HTTP server over TLS on the tenant. As on dedicated nodes, the
configuration will pick up the optional UI cert or the node cert as a
fallback.

This change also adds TLS to all other HTTP servers on the tenant server
including the _status/vars endpoint and pprof endpoints.

Resolves #69927

Release justification: fixing high-priority bug in existing
functionality.

Release note (security update): sql tenant servers will now use a TLS
certificate for their HTTP server when it's present. Previously this
server never used TLS.

Release justification: This change is necessary to support TLS for HTTP on tenant instances. It will only be enabled for tenants running in secure mode. No changes to kv nodes are made in this PR.

@dhartunian
server: add basic TLS support to tenant HTTP server
55c160d 
Previously, the tenant HTTP server only served non-TLS connections by
default. This change will use the TLS config when it's present and serve
the HTTP server over TLS on the tenant. As on dedicated nodes, the
configuration will pick up the optional UI cert or the node cert as a
fallback.

This change also adds TLS to all other HTTP servers on the tenant server
including the `_status/vars` endpoint and `pprof` endpoints.

Resolves #69927

Release justification: fixing high-priority bug in existing
functionality.

Release note (security update): sql tenant servers will now use a TLS
certificate for their HTTP server when it's present. Previously this
server never used TLS.
@blathers-crl
Copy link
Author

blathers-crl bot commented Sep 10, 2021
edited by dhartunian
Loading

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Patches should only be created for serious issues.
  • Patches should not break backwards-compatibility.
  • Patches should change as little code as possible.
  • Patches should not change on-disk formats or node communication protocols.
  • Patches should not add new functionality.
  • Patches must not add, edit, or otherwise modify cluster versions; or add version gates.
If some of the basic criteria cannot be satisfied, ensure that the exceptional criteria are satisfied within.
  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters.
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.

Add a brief release justification to the body of your PR to justify this backport.

Some other things to consider:

  • What did we do to ensure that a user that doesn’t know & care about this backport, has no idea that it happened?
  • Will this work in a cluster of mixed patch versions? Did we test that?
  • If a user upgrades a patch version, uses this feature, and then downgrades, what happens?

@blathers-crl blathers-crl bot requested review from chrisseto, dhartunian, knz and a team September 10, 2021 21:05
@cockroach-teamcity
Copy link
Member

This change is Reviewable

chrisseto
chrisseto approved these changes Sep 13, 2021
View reviewed changes
Copy link
Contributor

@chrisseto chrisseto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:lgtm:

Reviewable status: :shipit: complete! 1 of 0 LGTMs obtained (waiting on @dhartunian and @knz)

@dhartunian dhartunian merged commit 94d369d into release-21.2 Sep 13, 2021
@dhartunian dhartunian deleted the blathers/backport-release-21.2-69723 branch September 13, 2021 15:04
@cockroach-teamcity cockroach-teamcity mentioned this pull request Sep 13, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chrisseto chrisseto chrisseto approved these changes

@dhartunian dhartunian Awaiting requested review from dhartunian

@knz knz Awaiting requested review from knz

Assignees

@dhartunian dhartunian

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cockroach-teamcity @chrisseto @dhartunian