[RFC] Fix https-only config #286

Draft: wants to merge 1 commit into base: main

Conversation

koct9i (Collaborator) commented Jun 19, 2024

This option forces internal clients to use secure connections and
validates that the related servers are ready to handle TLS.

It also forces TLS-only mode for the native bus transport and
HTTPS-only mode for the default role of HTTP proxies.

I.e. if it is enabled, only non-default HTTP proxies and
any RPC proxies need not be strictly TLS-only.

@koct9i koct9i changed the title Fix https-only config [RFC] Fix https-only config Jun 19, 2024
@koct9i koct9i marked this pull request as ready for review June 19, 2024 14:57
koct9i (Collaborator, Author) commented Jun 19, 2024

Should be something like this, but it does not work yet.

"YT_PROXY=https://fqdn" is still broken somewhere.
Also, the CA bundle isn't passed properly to the yt CLI/SDK.
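The two failure modes named in the comment above (a proxy URL that must carry the https:// scheme, and a CA bundle that has to reach the client) are shown below in a stand-alone Go snippet. This is an added example, not code from the ytsaurus operator, the yt CLI or the Go SDK: `ProxyClient`, `ErrPlaintextProxy` and the `httpsOnly` flag are names assumed for illustration, and the CA certificate is generated in-process as constructed data so that the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/url"
	"time"
)

// ErrPlaintextProxy is returned when https-only mode is on but the proxy URL
// is not https://. Name assumed for this example.
var ErrPlaintextProxy = errors.New("https-only mode: proxy URL must use the https:// scheme")

// ProxyClient builds an http.Client for a cluster proxy URL such as
// https://fqdn (the value one would put in YT_PROXY). With httpsOnly set, a
// plaintext http:// URL is refused instead of silently falling back.
// caBundlePEM, when non-empty, replaces the system roots so a private CA is
// trusted explicitly rather than by disabling verification.
func ProxyClient(proxyURL string, caBundlePEM []byte, httpsOnly bool) (*http.Client, error) {
	u, err := url.Parse(proxyURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		if httpsOnly {
			return nil, ErrPlaintextProxy
		}
		return &http.Client{}, nil // plain HTTP is allowed only when not https-only
	}
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(caBundlePEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caBundlePEM) {
			return nil, errors.New("ca bundle contains no parsable certificates")
		}
		tlsCfg.RootCAs = pool
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}, nil
}

// selfSignedCA generates a throwaway CA certificate in PEM form. It stands in
// for a real CA bundle so the example runs offline; it is constructed data.
func selfSignedCA() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-internal-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	ca, err := selfSignedCA()
	if err != nil {
		panic(err)
	}
	for _, p := range []string{"https://fqdn", "http://fqdn"} {
		_, err := ProxyClient(p, ca, true)
		fmt.Printf("YT_PROXY=%s in https-only mode -> error: %v\n", p, err)
	}
}
```

The point of refusing `http://` outright rather than rewriting it is that a client which quietly downgrades hides exactly the misconfiguration the https-only option is meant to surface; the CA pool is applied to `RootCAs` so verification stays on.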

sgburtsev (Contributor) commented

> Should be something like this, but this does not work yet.
>
> "YT_PROXY=https://fqdn" is still broken somewhere. Also ca-bundle isn't passed properly to yt cli/sdk.

JFYI: the ability to pass your own CA in the Go SDK was added quite a while ago: ytsaurus/ytsaurus@16a5beb

sgburtsev (Contributor) commented

How will this new option useHttps coexist with disableHttp?
There would be some corner cases:

  1. useHttps and disableHttp will not work without httpsSecret;
  2. with disableHttp, useHttps is mandatory.

It might make more sense to use only disableHttp, as it almost duplicates useHttps.
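The two corner cases listed in the comment above, together with the proposed simplification (treat disableHttp as implying useHttps), can be written down as a validation step. The snippet below is an added example, not the operator's actual CRD types or webhook: the struct `HTTPProxySpec`, the functions `Validate` and `Normalize` and the error names are assumed for illustration, and only the three fields named in the comment are modelled.

```go
package main

import (
	"errors"
	"fmt"
)

// HTTPProxySpec models only the three fields discussed in the review comment
// (useHttps, disableHttp, httpsSecret). Field shapes are assumed for this
// example and are not the operator's real types.
type HTTPProxySpec struct {
	UseHTTPS    bool
	DisableHTTP bool
	HTTPSSecret string // name of the Secret holding the TLS cert/key; empty means none
}

var (
	ErrNoSecret       = errors.New("useHttps or disableHttp is set but httpsSecret is empty")
	ErrDisableNoHTTPS = errors.New("disableHttp requires useHttps, otherwise the proxy would serve nothing")
)

// Validate rejects the two inconsistent combinations from the comment:
//  1. useHttps or disableHttp without an httpsSecret;
//  2. disableHttp without useHttps.
func Validate(s HTTPProxySpec) error {
	if s.DisableHTTP && !s.UseHTTPS {
		return ErrDisableNoHTTPS
	}
	if (s.UseHTTPS || s.DisableHTTP) && s.HTTPSSecret == "" {
		return ErrNoSecret
	}
	return nil
}

// Normalize implements the alternative suggested in the comment: make
// disableHttp the single knob and derive useHttps from it, so corner case 2
// cannot arise. Corner case 1 (missing secret) still has to be validated.
func Normalize(s HTTPProxySpec) HTTPProxySpec {
	if s.DisableHTTP {
		s.UseHTTPS = true
	}
	return s
}

func main() {
	cases := []HTTPProxySpec{
		{UseHTTPS: true, HTTPSSecret: "yt-https"},                     // valid
		{UseHTTPS: true},                                              // missing secret
		{DisableHTTP: true, HTTPSSecret: "yt-https"},                  // valid only after Normalize
		{DisableHTTP: true},                                           // still invalid after Normalize
		{UseHTTPS: true, DisableHTTP: true, HTTPSSecret: "yt-https"}, // valid
	}
	for _, c := range cases {
		fmt.Printf("%+v\n  raw: %v\n  normalized: %v\n", c, Validate(c), Validate(Normalize(c)))
	}
}
```

Running the cases shows why the comment calls the two options near-duplicates: after `Normalize`, the only remaining failure is the missing `httpsSecret`, which a single `disableHttp` flag would need to check anyway.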

koct9i (Collaborator, Author) commented Oct 18, 2024

It would be nice to have ytsaurus/ytsaurus#898
to simplify switching to HTTPS just by passing the "https://" scheme in the cluster URL.

Issue: ytsaurus#285
@koct9i koct9i marked this pull request as draft November 4, 2024 13:34