Support insecure TLS and only CA cert for Elasticsearch #1918

Merged
merged 4 commits into from
Nov 14, 2019


pavolloffay
Member

Signed-off-by: Pavol Loffay <ploffay@redhat.com>
@@ -301,15 +301,16 @@ func (c *Configuration) getConfigOptions(logger *zap.Logger) ([]elastic.ClientOp
}
} else {
httpTransport := &http.Transport{
Proxy: http.ProxyFromEnvironment,
Proxy: http.ProxyFromEnvironment,
TLSClientConfig: &tls.Config{InsecureSkipVerify: c.TLS.SkipHostVerify},
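
Review bot: `InsecureSkipVerify: c.TLS.SkipHostVerify` on the `TLSClientConfig` line turns off certificate-chain validation as well as the host-name check, which is more than the `SkipHostVerify` name suggests. Consider documenting that on the option and logging a warning through the `logger` argument of `getConfigOptions` whenever it is set, so that an unverified Elasticsearch connection is visible in the startup logs.
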
Member

When no TLS is involved at all, would a non-nil TLSClientConfig cause issues?

Member Author

It should not. Godoc from http.Transport.TLSClientConfig:

	// TLSClientConfig specifies the TLS configuration to use with
	// tls.Client.
	// If nil, the default configuration is used.
	// If non-nil, HTTP/2 support may not be enabled by default.

Member

this godoc doesn't seem to clarify what happens to tls / no-tls. Perhaps it's just driven off the http scheme

Signed-off-by: Pavol Loffay <ploffay@redhat.com>
Signed-off-by: Pavol Loffay <ploffay@redhat.com>
session = requests.Session()
if skipHostVerify:
session.verify = False
if ca is not None:
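
Review bot: the independent `if ca is not None:` after `if skipHostVerify:` leaves the result order-dependent when both a CA and the skip flag are supplied. Make the precedence explicit (for example an `elif`, with the CA branch first) so that passing a CA can never end with `session.verify = False`, and document that `verify = False` disables all certificate checks, not only host-name matching.
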
Contributor

nit: should this be elif?

Member Author

Good point, I think they are mutually exclusive.

Member Author

I have changed it a bit. If a CA is provided, it will use that in precedence over skip verify. I want to avoid accidentally using insecure connections.
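
Added example, not code from this pull request or from Jaeger: a Go program covering the two points discussed in this thread, namely that a non-nil `TLSClientConfig` is ignored for plain-HTTP URLs and that a supplied CA takes precedence over the skip-verify flag. `newTLSConfig`, `fetch` and `probe` are hypothetical names, and the servers are local `httptest` instances constructed for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newTLSConfig (hypothetical helper): a CA bundle, when given, wins over
// skipVerify, so verification is disabled only when no CA was supplied.
func newTLSConfig(caPEM []byte, skipVerify bool) (*tls.Config, error) {
	if len(caPEM) == 0 {
		return &tls.Config{InsecureSkipVerify: skipVerify}, nil
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("CA bundle contains no usable certificate")
	}
	return &tls.Config{RootCAs: pool}, nil
}

// fetch sends a GET through a transport whose TLSClientConfig is always non-nil.
func fetch(url string, cfg *tls.Config) error {
	tr := &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// probe runs each case against local test servers constructed for this example.
func probe() (plain, withCA, noCA, skipped error, caWins bool) {
	h := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})
	ps, ts := httptest.NewServer(h), httptest.NewTLSServer(h)
	defer func() { ps.Close(); ts.Close() }()
	ca := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ts.Certificate().Raw})
	both, _ := newTLSConfig(ca, true) // CA and skip flag set together
	strict, _ := newTLSConfig(nil, false)
	loose, _ := newTLSConfig(nil, true)
	return fetch(ps.URL, strict), fetch(ts.URL, both), fetch(ts.URL, strict),
		fetch(ts.URL, loose), !both.InsecureSkipVerify
}

func main() { fmt.Println(probe()) }
```

An unparsable CA bundle returns an error from `newTLSConfig` instead of falling back to an unverified connection.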

Signed-off-by: Pavol Loffay <ploffay@redhat.com>
@codecov

codecov bot commented Nov 14, 2019

Codecov Report

Merging #1918 into master will decrease coverage by 0.02%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #1918      +/-   ##
==========================================
- Coverage   98.48%   98.45%   -0.03%     
==========================================
  Files         198      198              
  Lines        9740     9740              
==========================================
- Hits         9592     9590       -2     
- Misses        113      114       +1     
- Partials       35       36       +1
Impacted Files Coverage Δ
cmd/query/app/static_handler.go 86.84% <0%> (-1.76%) ⬇️


@pavolloffay
Member Author

Merging without waiting for fuzzing to pass. This PR does not modify anything the fuzzer tests.

@pavolloffay pavolloffay merged commit 47d2029 into jaegertracing:master Nov 14, 2019
@pavolloffay pavolloffay changed the title Support insecure TLS and only CA cert in Elasticsearch scripts Support insecure TLS and only CA cert for Elasticsearch Dec 13, 2019
@pavolloffay pavolloffay added this to the Release 1.16 milestone Dec 13, 2019
3 participants