Skip to content

Use tls for nginx connection implementation #120

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Merged
merged 14 commits into from
Nov 27, 2023
Merged

Use tls for nginx connection implementation #120

merged 14 commits into from
Nov 27, 2023

Conversation

ciroque
Copy link
Collaborator

@ciroque ciroque commented Sep 29, 2023

Proposed changes

Implementation of TLS communication between NLK and NGINX Plus hosts.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING document
  • If applicable, I have added tests that prove my fix is effective or that my feature works
  • If applicable, I have checked that any relevant tests pass after adding my changes
  • I have updated any relevant documentation (README.md and CHANGELOG.md)

@ciroque ciroque changed the title Use tls for nginx connection impl Use tls for nginx connection implementation Sep 29, 2023
@ciroque ciroque force-pushed the use-tls-for-nginx-connection-impl branch from d7931e1 to 9f2f8f3 Compare October 23, 2023 19:48
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 23, 2023
View reviewed changes
@ciroque ciroque force-pushed the use-tls-for-nginx-connection-impl branch from 9f2f8f3 to 52d65e8 Compare October 23, 2023 21:17
@ciroque ciroque mentioned this pull request Oct 24, 2023
Closed
4 tasks
@ciroque ciroque force-pushed the use-tls-for-nginx-connection-impl branch from e1927ca to d8ab736 Compare October 24, 2023 18:40
ciroque

This comment was marked as resolved.

# to view

@ciroque ciroque force-pushed the use-tls-for-nginx-connection-impl branch from d8ab736 to 3a037c6 Compare October 24, 2023 19:03
ciroque
ciroque commented Oct 24, 2023
View reviewed changes
Copy link
Collaborator Author

@ciroque ciroque left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here it is. Large I know. Apologies for that. I have annotated most every file for reference.

@ciroque ciroque force-pushed the use-tls-for-nginx-connection-impl branch from 3a037c6 to 3b4913b Compare October 24, 2023 19:33
ciroque
ciroque commented Oct 24, 2023
View reviewed changes
Copy link
Collaborator Author

@ciroque ciroque left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

More color for changed files.

@ciroque ciroque requested a review from 4141done October 24, 2023 20:38
@ciroque ciroque marked this pull request as ready for review October 24, 2023 20:38
@ciroque ciroque requested a review from chrisakker as a code owner October 24, 2023 20:38
ciroque
ciroque commented Oct 31, 2023
View reviewed changes
ciroque
ciroque commented Oct 31, 2023
View reviewed changes
ciroque
ciroque commented Oct 31, 2023
View reviewed changes
4141done
4141done reviewed Nov 21, 2023
View reviewed changes
Copy link
Collaborator

@4141done 4141done left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this looks good as far as how the configuration is being provided and the TLS is being set up.

However I have two concerns that I think should be addressed before merging, or, if you deem it acceptable given the early stages of the project, fixed quickly afterwards.

  1. (As we discussed offline) I think if a tls-mode is given in the ConfigMap, the library should fail to start rather than reverting to a no-tls mode of operation. The user clearly intended to enable some TLS mode and with the current operation they could think it succeeded when it did not.

  2. Now that we are handling certificates I think we should be quite careful to make sure that any sensitive values don't wind up in logs or error reports. I saw a few debug statements where that could be the case.

I should also caveat that given the size of this PR I focused mostly on understanding the actual code rather than exhaustively going through all the documentation. I will learn to use the feature once we merge and work with you on any docs tweaks that need to happen.

@ciroque ciroque mentioned this pull request Nov 27, 2023
Closed
4141done
4141done approved these changes Nov 27, 2023
View reviewed changes
Copy link
Collaborator

@4141done 4141done left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change along with the follow up issues look good. 👍 🐳 👍

ciroque and others added 10 commits November 27, 2023 14:39
@ciroque
Add documentation for TLS configuration of NLK- better titles
5e1669d 
- tweaks
- Add Under Development notice
- prefer References section over inline links to external documentation
- address PR feedback

- correct use of [!WARNING]
@ciroque
- mode to tlsMode
44ab150
@dependabot @ciroque
Bump github/codeql-action from 2.21.4 to 2.21.5
a39a904 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.21.4 to 2.21.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@a09933a...00e563e)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @ciroque
Bump sigstore/cosign-installer from 3.1.1 to 3.1.2
2e1a8c4 
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.1 to 3.1.2.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@6e04d22...11086d2)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@ciroque
- renames for consistency
1c31884 
- Checkpoint
- DEMO
- DEMO
- Implements Certificates
- Certificates fleshed out and tests underway
- Refactoring of authorization tests required due to changes in the shape of the Certificates module.
- FRT (Fix Red Tests)
- minor cleanup
- Base implementation of Certificate and informer
- authentication factory implemented
- rename, and doc start
- CHECKPOINT: File creation
@ciroque
- Putting the cherry on top
05dd66b 
- Putting a bow on it
- Final corrections and enhancements
- Let the configuration settings determine log level
@ciroque
- Bug fix
bda3429
@ciroque
- remove dead code
641f0f6
@ciroque
Do not need an error here.
9eb4e84
@ciroque
Stop leaking certificates!!
6d7b421
@ciroque ciroque force-pushed the use-tls-for-nginx-connection-impl branch from 0bdc8e6 to 29148b2 Compare November 27, 2023 22:41
@ciroque ciroque merged commit 4c03217 into main Nov 27, 2023
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@4141done 4141done 4141done approved these changes

@chrisakker chrisakker Awaiting requested review from chrisakker chrisakker is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ciroque @4141done