CORE-5589 Add config to select minimum TLS version #21372
Conversation
/dt
skipped ducktape retry in https://buildkite.com/redpanda/redpanda/builds/51444#0190a8ff-f282-4962-9130-cdae90c56395
skipped ducktape retry in https://buildkite.com/redpanda/redpanda/builds/51444#0190a8ff-f283-4374-b05f-c8f3ace0da97
skipped ducktape retry in https://buildkite.com/redpanda/redpanda/builds/51444#0190a900-3c9c-4c3d-bb30-f7515b63be79
skipped ducktape retry in https://buildkite.com/redpanda/redpanda/builds/51444#0190a900-3c9a-47f4-a945-b7234c7c4231
skipped ducktape retry in https://buildkite.com/redpanda/redpanda/builds/51444#0190a900-3c9e-4f7b-99bc-0f992927e9c8
ab89c76 to 015bf39
/dt
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/51544#0190b861-ef5a-44a6-9745-c5d733a65b9d
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/51585#0190bc60-8720-4496-92aa-093c7a1664fb
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/51585#0190bc61-afa7-4c95-ab0e-76c7e1a9aceb
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/51585#0190bc61-afa5-4650-8c17-53a7948dc346
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/51722#0190c614-6cde-4282-8ace-4a0b0c2ac07b
Force push: 040d7e4 to 9620dba
What specific string do we want our users using in this property?
src/v/config/configuration.cc
Outdated
, tls_min_version( | ||
*this, | ||
"tls_min_version", | ||
"The minimum version of TLS that Redpanda will support.", |
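Review bot: the description string at the end of this hunk names neither the accepted spellings nor the default, so a user reading the property help cannot tell whether to write "v1.2" or "1.2"; consider appending the accepted values (v1.0, v1.1, v1.2, v1.3) and the default to the description text.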
"The minimum version of TLS that Redpanda will support.", | |
"The minimum TLS version that Redpanda supports.", |
Nit, for economy / alignment with docs style guide
"v1.3" |
Looks good. I need to go over the dt tests in a bit more detail, but I wanted to flag the legacy_default thing before bed.
src/v/config/types.h
Outdated
.match(to_string_view(tls_version::v1_0), tls_version::v1_0) | ||
.match(to_string_view(tls_version::v1_1), tls_version::v1_1) | ||
.match(to_string_view(tls_version::v1_2), tls_version::v1_2) | ||
.match(to_string_view(tls_version::v1_3), tls_version::v1_3); |
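Review bot: the string_switch chain ends without a default_match, so a value outside the four listed strings throws from the switch instead of being reported as a validation failure; add .default_match(...) (or return std::optional<tls_version>, as suggested later in this review) so that an unknown string fails cleanly at config-validation time.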
suggestion: a default match to avoid throwing?
> suggestion: a default match to avoid throwing?
Yeah, and I think this can be reused in the next commit.
src/v/config/configuration.cc
Outdated
tls_version::v1_1, | ||
tls_version::v1_2, | ||
tls_version::v1_3}, | ||
legacy_default<tls_version>(tls_version::v1_0, legacy_version{12})) {} |
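Review bot: legacy_default<tls_version>(tls_version::v1_0, legacy_version{12}) makes v1.0 the effective default for clusters created at logical version 12 or earlier; the thread reports that an explicit v1.2 is reset to v1.0 after a broker restart on that upgrade path, so a ducktape test that pins down a user-set value surviving restart is needed before deciding whether this helper stays or goes.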
So this is the issue from late last year that @dotnwat was referring to. I think we're subject to this weird behavior here as well. You might try:
- upgrade from <= logical 12 to HEAD
- set the min tls version to 1.2
- restart the broker
- see whether the min tls version is set back to 1.0
In this case I think the escape hatch would be to set something other than the current version non-legacy default (e.g. 1.1 or 1.3), but it's worth being aware of, esp. if this is a compliance concern.
Thanks for flagging. I'll write up a DT test for this specifically
Yeah thanks for flagging that is an issue. Setting to v1.2 and then restarting resets it back to v1.0....
src/v/config/convert.h
Outdated
if ( | ||
std::find(acceptable_values.begin(), acceptable_values.end(), value) | ||
== acceptable_values.end()) { | ||
return false; | ||
} | ||
|
||
rhs = string_switch<type>(std::string_view{value}) | ||
.match(to_string_view(type::v1_0), type::v1_0) | ||
.match(to_string_view(type::v1_1), type::v1_1) | ||
.match(to_string_view(type::v1_2), type::v1_2) | ||
.match(to_string_view(type::v1_3), type::v1_3); | ||
|
||
return true; |
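Review bot: the acceptable_values lookup and the string_switch chain in this hunk encode the same four strings twice, and the switch still has no default match, so the two lists can drift and a string present in one but not the other is either thrown on or silently rejected; one std::optional-returning switch with .default_match(std::nullopt), as in the suggestion below, removes the duplication and the throw.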
is acceptable_values used anywhere else?
perhaps:
if ( | |
std::find(acceptable_values.begin(), acceptable_values.end(), value) | |
== acceptable_values.end()) { | |
return false; | |
} | |
rhs = string_switch<type>(std::string_view{value}) | |
.match(to_string_view(type::v1_0), type::v1_0) | |
.match(to_string_view(type::v1_1), type::v1_1) | |
.match(to_string_view(type::v1_2), type::v1_2) | |
.match(to_string_view(type::v1_3), type::v1_3); | |
return true; | |
auto out = string_switch<std::optional<type>>(std::string_view{value}) | |
.match(to_string_view(type::v1_0), type::v1_0) | |
.match(to_string_view(type::v1_1), type::v1_1) | |
.match(to_string_view(type::v1_2), type::v1_2) | |
.match(to_string_view(type::v1_3), type::v1_3) | |
.default_match(std::nullopt); | |
if(out.has_value()) { | |
rhs = out.value(); | |
} | |
return out.has_value(); |
couple nits, not blocking. Looks clear to me what's going on. nice work, good tests.
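As an added example (not Redpanda's code, and not the string_switch helper the diff uses), this is the non-throwing parse the review is asking for, in self-contained C++: an assumed tls_version enum with the four spellings seen in the diff, a parse_tls_version that returns std::optional instead of throwing on an unknown string, a decode_tls_version in the shape of the convert.h function under review (writes rhs only on success, reports success as a bool), and a meets_minimum check a listener can apply to a negotiated version. All of these names are assumptions of this example.

```cpp
// Added example, not Redpanda's code. Demonstrates a config-string parser
// that reports an unknown TLS version to the caller rather than throwing.
#include <optional>
#include <string>
#include <string_view>

// Hypothetical enum mirroring the version set named in the diff (v1.0..v1.3).
// Declaration order is version order, so >= compares versions.
enum class tls_version { v1_0, v1_1, v1_2, v1_3 };

// Canonical spelling of each version; these are the only strings accepted.
constexpr std::string_view to_string_view(tls_version v) {
    switch (v) {
    case tls_version::v1_0: return "v1.0";
    case tls_version::v1_1: return "v1.1";
    case tls_version::v1_2: return "v1.2";
    case tls_version::v1_3: return "v1.3";
    }
    return "unknown";
}

// Returns nullopt for anything that is not an exact accepted string, so the
// config layer can reject the value instead of crashing on it. "1.2" or
// "TLSv1.2" are deliberately not accepted: one spelling, no guessing.
std::optional<tls_version> parse_tls_version(std::string_view value) {
    static constexpr tls_version all[] = {
      tls_version::v1_0, tls_version::v1_1, tls_version::v1_2, tls_version::v1_3};
    for (tls_version v : all) {
        if (value == to_string_view(v)) {
            return v;
        }
    }
    return std::nullopt;
}

// Decode-style helper in the shape of the convert.h function under review:
// rhs is written only on success, and the bool tells the caller whether the
// string was valid. No exception escapes on bad input.
bool decode_tls_version(const std::string& value, tls_version& rhs) {
    auto out = parse_tls_version(value);
    if (out.has_value()) {
        rhs = *out;
    }
    return out.has_value();
}

// Defender-side check: does a negotiated protocol version satisfy the
// configured minimum? Anything below the minimum should be refused.
bool meets_minimum(tls_version negotiated, tls_version minimum) {
    return negotiated >= minimum;
}
```

The point of returning std::optional is that validation failure becomes a value the config layer can turn into a clear error message, while a switch with no default turns a typo in a cluster property into an exception at startup.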
Signed-off-by: Michael Boquard <michael@redpanda.com>
Force push: eb8fcb9 to 1cb3b6d
lgtm.
curious why legacy_default was removed? it's not that i think it should or should not be used, but rather, if it was thought to have been needed before, it's surprising that the need disappeared given it solves such a specific problem.
@@ -33,6 +33,8 @@ build_tls_credentials( | |||
cred_builder.set_ciphersuites( | |||
{config::tlsv1_3_ciphersuites.data(), | |||
config::tlsv1_3_ciphersuites.size()}); | |||
cred_builder.set_minimum_tls_version( |
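Review bot: set_minimum_tls_version is applied in build_tls_credentials only, while the TLS 1.3 ciphersuite list just above it is set unconditionally; the thread already notes that the oidc and cloud_roles clients build their credentials elsewhere and miss this setting, so routing every credentials builder through this one function (or adding a test that each client honours tls_min_version) would keep the cluster-wide minimum from being bypassed by a client code path.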
I'm intrigued, why is it set here, but not, for example, for the oidc client or the cloud_roles client?
Which also begs the question, should it be possible to configure this per client, or listener?
> I'm intrigued, why is it set here, but not, for example, for the oidc client or the cloud_roles client?
Thanks for pointing that out, definitely a miss. I'll make the changes, but it's probably not as big a deal as ensuring our services can be selective of what TLS version they support.
> Which also begs the question, should it be possible to configure this per client, or listener?
Maybe in a future update. For now, getting something done to help our customers meant providing a single cluster config.
Force push: 1cb3b6d to c3a61b3
Signed-off-by: Michael Boquard <michael@redpanda.com>
Force push: c3a61b3 to 8bf2e75
The feature being broken doesn't eliminate a problem that exists, right?
I guess these are the reasons why altered upgrade behavior is no longer needed?
Correct but....
yes this eliminated the need.
CI Failure:
Backports Required
Release Notes
Features
- tls_min_version, a cluster config that allows users of Redpanda to specify the minimum version of TLS Redpanda will support. By default, the value is TLS v1.2.