Secure the invoker with ssl.#3968
Conversation
Codecov Report
@@ Coverage Diff @@
## master #3968 +/- ##
==========================================
- Coverage 85.84% 81.25% -4.59%
==========================================
Files 147 147
Lines 7114 7113 -1
Branches 419 431 +12
==========================================
- Hits 6107 5780 -327
- Misses 1007 1333 +326
Continue to review full report at Codecov.
|
|
PG2#3514 🔵 |
vvraskin
left a comment
There was a problem hiding this comment.
Thanks for cleaning up the previous https configuration, neatly done. Just some minor comments
| keyPrefix: "{{ __controller_ssl_keyPrefix }}" | ||
| storeFlavor: PKCS12 | ||
| clientAuth: "{{ controller_client_auth | default('true') }}" | ||
| cert: "controller-openwhisk-server-cert.pem" |
There was a problem hiding this comment.
Should we use this var __controller_ssl_keyPrefix for both cert and key variables?
| keyPrefix: "{{ __invoker_ssl_keyPrefix }}" | ||
| storeFlavor: "PKCS12" | ||
| clientAuth: "{{ invoker_client_auth | default('true') }}" | ||
| cert: "invoker-openwhisk-server-cert.pem" |
There was a problem hiding this comment.
the same as above, __invoker_ssl_keyPrefix
| val ts: KeyStore = getCertStore(truststorePassword, httpsConfig.truststoreFlavor, httpsConfig.keystorePath) | ||
| val trustManagerFactory: TrustManagerFactory = TrustManagerFactory.getInstance(keyFactoryType) | ||
| trustManagerFactory.init(ts) | ||
| trustManagerFactory.init(keyStore) |
There was a problem hiding this comment.
As discussed in person, should we add a comment saying that we use keystore as a truststore here or leave truststore configurable from the outside?
| * Starts an HTTPS route handler on given port and registers a shutdown hook. | ||
| */ | ||
| def startHttpsService(route: Route, port: Int, config: WhiskConfig)(implicit actorSystem: ActorSystem, | ||
| def startHttpsService(route: Route, port: Int, config: HttpsConfig)(implicit actorSystem: ActorSystem, |
There was a problem hiding this comment.
This method is pretty similar to startHttpService, should we perhaps merge them to something like:
def startHttpService(route: Route, port: Int, config: Option[HttpsConfig] = None)(
implicit actorSystem: ActorSystem,
materializer: ActorMaterializer): Unit = {
implicit val executionContext = actorSystem.dispatcher
val context = config.map(c => Https.connectionContext(c)).getOrElse(Http().defaultServerHttpContext)
Http().bindAndHandle(route, "0.0.0.0", port, connectionContext = context)
}
3d492ca to
008153e
Compare
f257c0c to
7b37df3
Compare
* Secure the invoker with ssl. * Tidy up controller ssl. * Review.
Description
This PR adds SSL to the invoker to secure the ping-endpoint. In addition it tidies up some controller-ssl-settings.
Related issue and scope
My changes affect the following components
Types of changes
Checklist: