
Fix for LP1921557 sni in Juju login. #12854

Merged (1 commit, Apr 8, 2021)

Conversation

tlm (Member) commented Apr 8, 2021

Juju login has been failing with recent changes to Juju's certificate
management. Specifically there are two problems that have come up.

The first is the Juju controller selecting the right certificate when IP
connections are being initiated that don't have an SNI name set. This
has been fixed by returning Juju's IP certificate with empty SNI names.

The second is Juju returning the CA cert in its certificate chain.
Normally it's not considered valid to return a root CA in a chain but
for the way Juju works when logging in it needs to in order to trust the
CA and add it to the config file.

Checklist

  • Requires a pylibjuju change
  • Added integration tests for the PR
  • Added or updated doc.go related to packages changed
  • Comments answer the question of why design decisions were made

QA steps

Follow the steps outlined in the bug report below. Also perform the below check with openssl.

```
openssl s_client -connect <controller-ip>:17070 -servername <controller-ip>
```

You need to confirm here that a certificate is returned covering the IP SANs of the controller and that the CA cert is returned in the chain.

Bug reference

https://bugs.launchpad.net/juju/+bug/1921557
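As an added illustration of the two behaviours the PR description covers (this is example code, not Juju's own): a `tls.Config.GetCertificate` callback that serves the IP-SAN certificate when the ClientHello carries no SNI, and builds every served chain as `[leaf, root CA]` so a client can take the root from the handshake. The CA, the address `10.0.0.1` and the hostname are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue signs tmpl under parent/signer and parses the result. Constructed test PKI, not Juju's real certificates.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// NewSelector builds a root CA plus an IP-SAN cert and a DNS cert and returns a tls.Config.GetCertificate
// callback. Each served chain is [leaf, root CA]: the root is included deliberately (the PR's second point).
func NewSelector(ip, host string) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	base := x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	caTmpl := base
	caTmpl.Subject, caTmpl.IsCA, caTmpl.BasicConstraintsValid = pkix.Name{CommonName: "test-ca"}, true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := issue(&caTmpl, &caTmpl, &caKey.PublicKey, caKey)
	leaf := func(t x509.Certificate) *tls.Certificate {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		c := issue(&t, ca, &k.PublicKey, caKey)
		return &tls.Certificate{Certificate: [][]byte{c.Raw, ca.Raw}, PrivateKey: k, Leaf: c}
	}
	ipTmpl, dnsTmpl := base, base
	ipTmpl.IPAddresses, dnsTmpl.DNSNames = []net.IP{net.ParseIP(ip)}, []string{host}
	ipCert, dnsCert := leaf(ipTmpl), leaf(dnsTmpl)
	// No SNI (what a client dialling a bare IP sends, the case in the bug report) selects the IP cert.
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if hello.ServerName == "" {
			return ipCert, nil
		}
		return dnsCert, nil
	}
}
```

Pointing `tls.Config{GetCertificate: NewSelector("10.0.0.1", "controller.example")}` at a listener reproduces the check in the QA steps: the chain printed by `openssl s_client` ends with `test-ca`, and the leaf covers the IP SAN.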

wallyworld (Member) left a comment

LGTM so long as the logic allows older juju clients to still work against this controller

@tlm tlm force-pushed the lp-1921557-ipsans-2.8 branch from 47fd6ba to e5a5268 Compare April 8, 2021 04:03
@tlm tlm force-pushed the lp-1921557-ipsans-2.8 branch from e5a5268 to aa7520e Compare April 8, 2021 04:52
tlm (Member, Author) commented Apr 8, 2021

$$merge$$


@jujubot jujubot merged commit adc914c into juju:2.8 Apr 8, 2021
@ycliuhw ycliuhw mentioned this pull request Apr 14, 2021
jujubot added a commit that referenced this pull request Apr 14, 2021
#12868

Merge 2.8 to 2.9:

- Fix for LP1921557 sni in Juju login. #12854
- Ensure assess-upgrade-series does not report started prematurely #12858
- Fix/lp 1923051 #12862
- Fix/lp 1923561 #12867
no conflicts
@wallyworld wallyworld mentioned this pull request Apr 21, 2021
jujubot added a commit that referenced this pull request Apr 21, 2021
#12909

Merge 2.9

#12827 Unsubscribe from hub when closing state pool
#12829 Correct default bootstrap-timeout value displayed in help.
#12840 Constraint tags can be used for pod affinity
#12842 Fix upgrade series agent version handling
#12794 Add disk provisioning customization
#12845 Restore space support for manual machines
#12839 Support merging of netplan configs
#12853 Add display type for network-get results
#12854 Fix for LP1921557 sni in Juju login.
#12850 Use Base in Charmhub package and its response structures.
#12858 Ensure assess-upgrade-series does not report started prematurely
#12860 Removed logging from core annotations.
#12861 Fixes bug where empty error can happen in storage
#12865 Update Pebble version to include new files API
#12866 Workaround for k8s dashboard URL with k8s client proxy
#12862 Fix/lp 1923051
#12867 Fix/lp 1923561
#12870 Use channel logic in charm library
#12873 Add support for setting pod affinity topology key
#12874 Use Patch instead of Update for ensuring ingress resources
#12831 Integration fixes
#12879 Ensure refresh uses version
#12864 bug: fix for bootstrap fail on vsphere 7 + multi network
#12883 Initial work to allow juju trust for sidecar charms
#12884 Fix ssh with sidecar charms and containers.
#12886 Charmhub bases
#12881 Use charm pkg updates
#12889 Ignore projected volume mounts when looking up juju storage
#12890 Fix passing empty string container name to unit params
#12893 Add CLA checker GH action and remove codecov push action
#12897 Use production charmhub endpoint
#12887 Resource validation error
#12888 Ensure we validate the model target
#12898 Remove usage of systems package from CAAS application provisioner
#12899 CAAS bundle deployments
#12900 Bump up Pebble version to include user/group in list-files
#12901 charm Format helper
#12902 charm Iskubernetes helper
#12903 Display ... for really long k8s app versions in status
#12904 Filter out more full registry paths for app version in status
#12905 Fix k8s bundle deploys with v2 charms
#12906 Register resource-get for containeragent binary

Conflicts mostly due to charm v8 vs v9 imports.
The other one was due to changes to dashboard CLI.
```
# Conflicts:
# api/common/charms/common.go
# api/common/charms/common_test.go
# apiserver/facades/client/application/application.go
# apiserver/facades/client/application/charmstore.go
# apiserver/facades/client/application/update_series_mocks_test.go
# apiserver/facades/client/charms/client.go
# apiserver/facades/client/charms/convertions.go
# apiserver/facades/client/machinemanager/types_mock_test.go
# apiserver/facades/controller/caasoperatorprovisioner/provisioner.go
# cmd/juju/application/deployer/bundlehandler_test.go
# cmd/juju/application/refresh_test.go
# cmd/juju/application/refresher/refresher_mock_test.go
# cmd/juju/dashboard/dashboard.go
# core/charm/strategies_mock_test.go
# core/model/model.go
# core/model/model_test.go
# go.mod
# go.sum
# resource/resourceadapters/charmhub.go
# scripts/win-installer/setup.iss
# service/agentconf_test.go
# snap/snapcraft.yaml
# state/charm.go
# state/migration_export.go
# state/state.go
# version/version.go
# worker/caasfirewallerembedded/applicationworker.go
# worker/caasfirewallerembedded/applicationworker_test.go
```

## QA steps

See PRs