Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Can't apply managementApiAuth to existing datacenter #588

Open
vsoloviov opened this issue Oct 20, 2023 · 4 comments
Open

Can't apply managementApiAuth to existing datacenter #588

vsoloviov opened this issue Oct 20, 2023 · 4 comments
Labels
bug Something isn't working product-backlog Issues in the state 'product-backlog'

Comments

@vsoloviov
Copy link

vsoloviov commented Oct 20, 2023

What happened?

When I added

    managementApiAuth:
      manual:
        clientSecretName: cass-management-api-client
        serverSecretName: cass-management-api-server

to existing datacenter it failed to update sts because API is still running on http, but operator sends https requests:

2023-10-20T06:52:06.234Z	ERROR	controllers.CassandraDatacenter	calculateReconciliationActions returned an error	{"cassandradatacenter": "cass-db/dc2", "requestNamespace": "cass-db", "requestName": "dc2", "loopID": "14a47b0d-9f66-45c4-a330-9ef440c8754a", "error": "Post \"https://10.1.3.11:8080/api/v0/ops/seeds/reload\": http: server gave HTTP response to HTTPS client"}
github.com/k8ssandra/cass-operator/internal/controllers/cassandra.(*CassandraDatacenterReconciler).Reconcile
	/workspace/internal/controllers/cassandra/cassandradatacenter_controller.go:149
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:122
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:323
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:274
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:235

What did you expect to happen?

I expected operator to communicate with pods and update configuration to enable mTLS on both operator and mgmt api sides.

How can we reproduce it (as minimally and precisely as possible)?

  • Bring up a basic datacenter with
    managementApiAuth:
      insecure: {}
  • Once datacenter is up and running create certificates chain
### MGMT API Auth
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cass-management-api-ca
spec:
  isCA: true
  commonName: cass-management-api
  secretName: cass-management-api-ca
  duration: 87600h0m0s # 10y
  privateKey:
    encoding: PKCS8
  issuerRef:
    name: cassandra-ca-issuer
    kind: Issuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cass-management-api-issuer
spec:
  ca:
    secretName: cass-management-api-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cass-management-api-server
spec:
  secretName: cass-management-api-server
  duration: 8760h0m0s # 1y
  issuerRef:
    name: cass-management-api-issuer
  dnsNames:
    - cass-management-api-server
  commonName: cass-management-api
  privateKey:
    encoding: PKCS8
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cass-management-api-client
spec:
  secretName: cass-management-api-client
  duration: 720h0m0s # 30d
  issuerRef:
    name: cass-management-api-issuer
  commonName: cass-management-api-user
  privateKey:
    encoding: PKCS8

Update datacenter configuration:

    managementApiAuth:
      manual:
        clientSecretName: cass-management-api-client
        serverSecretName: cass-management-api-server

cass-operator version

1.17.2

Kubernetes version

1.27.4

Method of installation

Argo

Anything else we need to know?

No response

┆Issue is synchronized with this Jira Story by Unito
┆Issue Number: CASS-16

@vsoloviov vsoloviov added the bug Something isn't working label Oct 20, 2023
@vsoloviov
Copy link
Author

Similar issue happens if I build a datacenter with manual managementApiAuth and then disable it: it sends an http request to the https api endpoint

@adejanovski adejanovski moved this to Ready in K8ssandra Nov 14, 2023
@adejanovski adejanovski added the ready Issues in the state 'ready' label Nov 14, 2023
@burmanm
Copy link
Contributor

burmanm commented Nov 15, 2023

Actions to take here:

  • Instead of checking CassandraDatacenter's status of the HTTPS, we need to check if ObservedGeneration < Generation of CassandraDatacenter and if the target Pod has HTTPS enabled or not and build the client security based on that information.
  • The above can be checked from running configs by inspecting the Pod and/or if the target server secret is mounted there. Can be found from Pod's ENV variables: MGMT_API_TLS_CERT_FILE is set (or a volume called "management-api-server-certs-volume" is mounted to the pod)

@Miles-Garnsey
Copy link
Member

@burmanm is this ticket still current? It is from last year so I'm confirming before I start work on it.

Also, can you clarify what you mean by check if ObservedGeneration < Generation of CassandraDatacenter? What ObserverGeneration are we checking? Why would the ObservedGeneration and "Generation" be different if you're referring to the CassandraDatacenter in both cases?

@burmanm
Copy link
Contributor

burmanm commented Mar 25, 2024

| @burmanm is this ticket still current? It is from last year so I'm confirming before I start work on it.

Yes, it is.

| Also, can you clarify what you mean by check if ObservedGeneration < Generation of CassandraDatacenter? What ObserverGeneration are we checking? Why would the ObservedGeneration and "Generation" be different if you're referring to the CassandraDatacenter in both cases?

Whenever you update the CassandraDatacenter, the ObservedGeneration is less than Generation until the reconciliation has finished. In this case, it wouldn't since it fails midway. However, I think you can just skip that check for now and simply verify if the target pod has https enabled or not for mgmt-api.

Currently, the syntax is func BuildManagementApiSecurityProvider(dc *api.CassandraDatacenter), yet this isn't sufficient. On the other hand, be careful that the SecurityProvider is the HTTPS one when constructing the PodTemplateSpec and other required modifications as enabling auth would require the https one to provide those curl commands and other properties. So it's not just the httphelper client.

@adejanovski adejanovski moved this from Ready to Product Backlog in K8ssandra Aug 22, 2024
@adejanovski adejanovski added product-backlog Issues in the state 'product-backlog' and removed ready Issues in the state 'ready' labels Aug 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working product-backlog Issues in the state 'product-backlog'
Projects
No open projects
Status: Product Backlog
Development

No branches or pull requests

4 participants