Add mTLS settings to ApiClient #1415
Conversation
d72a78c to e2d1998
4c7dd8b to 8cb25f6
Changed base and rebased.
Overall I think this looks good. Needs tests though, can we add some?
src/server/src/main/java/io/cassandrareaper/ReaperApplicationConfiguration.java
...server/src/main/java/io/cassandrareaper/management/http/HttpManagementConnectionFactory.java
For some reason the tests aren't running here by the way, hopefully just a GHA glitch and once you add a test for the new functionality they'll run.
Tests didn't run because the target branch wasn't
…store Add two new config options to http, keystore and truststore. They must be mounted as jks keystore files. If the keystore is set, Reaper tries to build HttpManagementProxy with mTLS enabled.
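The commit message above describes loading a JKS keystore and truststore and enabling mTLS only when the keystore is configured. The following is an added illustration of that pattern, not Reaper's own code: the class name, method signature and parameters are hypothetical, and the resulting `SSLContext` is what an HTTP client (for example `java.net.http.HttpClient.newBuilder().sslContext(ctx)`) would be given.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper (not Reaper's code): builds an SSLContext from JKS files. */
public final class MtlsContextBuilder {

  private MtlsContextBuilder() {}

  /**
   * @param keystorePath   JKS holding the client certificate and private key, or null to stay one-way TLS
   * @param keystorePass   password protecting the keystore and its private key
   * @param truststorePath JKS holding the CA that signed the management API server certificate
   * @param truststorePass password protecting the truststore
   */
  public static SSLContext build(String keystorePath, char[] keystorePass,
                                 String truststorePath, char[] truststorePass) throws Exception {
    // The truststore is always required: without it the server certificate cannot be validated.
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(loadJks(truststorePath, truststorePass));

    // The keystore is optional: presenting a client certificate is what turns this into mTLS.
    KeyManagerFactory kmf = null;
    if (keystorePath != null && !keystorePath.isEmpty()) {
      kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
      kmf.init(loadJks(keystorePath, keystorePass), keystorePass);
    }

    SSLContext ctx = SSLContext.getInstance("TLS");
    // A null KeyManager[] means no client certificate is offered during the handshake.
    ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    return ctx;
  }

  private static KeyStore loadJks(String path, char[] password) throws Exception {
    KeyStore ks = KeyStore.getInstance("JKS");
    try (InputStream in = new FileInputStream(path)) {
      ks.load(in, password); // throws if the password or file format is wrong
    }
    return ks;
  }
}
```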
@burmanm, as discussed here's the path forward with this PR: Modify the http-api integration test suite to use TLS all the time. That'll require adding the encryption related files in tree and modifying these lines to start the mgmt api server with TLS enabled.
8cb25f6 to fd44fe0
@Miles-Garnsey this is ready for another review.
I've taken a cursory look; this is quite big.
Looks like there's a test failing. I've re-run, let's see if it is just a flake.
@@ -0,0 +1,105 @@ | |||
# Copyright 2017-2017 Spotify AB |
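Review bot: the header of this newly added file reads `# Copyright 2017-2017 Spotify AB`, a year range that starts and ends in the same year; if the file was copied from an existing one, consider updating the header to match the rest of the project before merging.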
Suggestion: Looks like cassandra-reaper-http-at.yaml is no longer used anywhere but still exists. Should we remove it?
@@ -0,0 +1,41 @@ | |||
#!/usr/bin/env bash |
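Review bot: since this new script generates the encryption materials the test suite depends on, consider adding `set -euo pipefail` directly after the shebang so that a failing generation step aborts the script instead of leaving partially written files behind.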
Question: looks like we commit in encryption materials above, but generate them here. Any reason for having both approaches?
This is to regenerate the provided encryption materials.
Right, why do we want to regenerate them? This is probably fine, just making sure I understand what you're doing.
Hopefully we wouldn't (or we could modify it later to regenerate on every CI run), but I like to have generators of the stuff we use in the repository, in case someone would for example run into an issue in their refactoring and wonder why something doesn't work. Having the script gives a clear indication of how the certs were generated and is easier to debug, instead of having a bunch of encrypted things that were done "somehow". In the same way, if this works but integration from somewhere else doesn't, this could give a clue.
We still have a failing test on this one.
This can't yet hot reload existing connections, as that requires the connection parameter modifications to be merged first (to use caching). As such, no such code makes sense before that's done, as it would be rewritten.
Fixes #1449