Allow for private CA on the Agent side #3494
Conversation
|
I'm taking this out of draft mode, because it's probably worth moving forward, even though I'm also not entirely satisfied. For convenience, here's the text of my second commit:
|
Odd that unit tests didn't see this. It's possible this is due to the new pquisby 0.0.9, which I believe was published to fix Varshini's comparison problems ... except I'm not finding the relevant code in the GitHub project to compare. 😦 |
We're now up to pquisby 0.0.11, which appears to fix the problem. |
There was a problem hiding this comment.
I'm requesting changes mostly because of the placeholder in the pbench-agent.cfg file, and partly for the fallback verify= value (and slightly for the readlink usage). However, I have some concerns about this change in general and I would like to offer a different approach.
One of the thrusts of the contrib/containerized-pbench/pbench script is that it provides for a "no-install" invocation of the Agent: you can download a single file, and run it without doing an RPM install or creating a Git checkout. Entangling it with the CA file doubles the complication.
Moreover, my/our expectation is that access to the Pbench Server will not require the Pbench private CA once we have TLS deployed in production, so an external user will not require the CA file. Nevertheless, it's quite true that access to the Staging server or to a development server will require the private CA, and only the user will know which of those they are targeting with the pbench script, so there does need to be some sort of "knob" which the user can employ to tell the script which configuration it is running in.
But, that knob does not necessarily have to be PB_AGENT_CA as presented, and there is an alternative to mapping a user-provided CA into the container (which is, I think, the root of my concerns): we can build the CA into the container (it is very small, relative to the size of the container, so the impact of doing so will be imperceptible). Then all we need is for the script to set REQUESTS_CA_BUNDLE inside the container, if the user requests it.
FWIW, rather than extending the code in the pbench script which tries to use or generate a local config file, I would prefer to see it torn out! The principal purpose of that was to allow the user to specify the Pbench Server "on the fly", but, with the wonderful --server switch that you added, we no longer need a config file to accomplish that. So, I recommend removing all that code -- if the user needs to use a custom Agent config file, s/he can use PB_AGENT_PODMAN_OPTIONS to map one over the default config file inside the container.
There was a problem hiding this comment.
But, that knob does not necessarily have to be PB_AGENT_CA as presented, and there is an alternative to mapping a user-provided CA into the container (which is, I think, the root of my concerns): we can build the CA into the container (it is very small, relative to the size of the container, so the impact of doing so will be imperceptible). Then all we need is for the script to set REQUESTS_CA_BUNDLE inside the container, if the user requests it.
I really don't like the idea of building our hack development CA into the real agent container. Frankly a "product deployed" agent shouldn't be able to trust our staging server. And while we could add another layer to the "real" agent container for development, that's a difference and complication I'd rather avoid.
FWIW, rather than extending the code in the pbench script which tries to use or generate a local config file, I would prefer to see it torn out!
I very nearly did that along the way, but I felt reluctant to tear out all your hard work so I struggled to retain it. 😆
Why? Simply including it is not a security hazard, and it will increase the size of the image by about 0.00006%.
Again, why? I'm guessing that using our CA will not be the default (because the default should be to target the production Server or to require the user to explicitly select a Server to target), and so this would just be an unused option in that case.
I agree -- and it's not worth adding a layer for just 1.2Kb.
Thank you -- I very much appreciate that sentiment -- but, while the config file is an excellent solution on the Server side, I don't feel like it is a good one on the client/Agent side, and, now that we have |
There was a problem hiding this comment.
I really don't like the idea of building our hack development CA into the real agent container.
Why? Simply including it is not a security hazard, and it will increase the size of the image by about 0.00006%.
It feels very much like including testing code in the product: it's impure, and exposes what should be internal. It opens the risk that REQUESTS_CA_BUNDLE=/etc/pki/tls/certs will trust something that shouldn't be trusted. The idea makes me extremely uncomfortable, and I can't convince myself that it's "innocuous".
I very nearly did that along the way, but I felt reluctant to tear out all your hard work so I struggled to retain it. 😆
Thank you -- I very much appreciate that sentiment -- but, while the config file is an excellent solution on the Server side, I don't feel like it is a good one on the client/Agent side, and, now that we have
--server, I would like to see the Agent config file disappear...so feel free to excise it from here! 😀
Yeah: done. That closes out the discussion about virtual tabbing and HERE files, too. (I have GitHub set to 4 space tabs just like vscode, by the way, so it looks fine to me: and I don't see any advantage in a different setting since it still doesn't ensure a wayward tab is evident.)
Final thought before I leave to hike... it occurs to me that this would bother me a bit less if we packaged it in our own file tree rather than in a standard system location, like |
There was a problem hiding this comment.
I really don't like the idea of building our hack development CA into the real agent container.
It feels very much like including testing code in the product: it's impure, and exposes what should be internal.
I'll grant that. But, it's a very small impurity (of which it is far from the first...), and it enables substantial simplifications for the user. So, I think it is a good trade-off.
It opens the risk that REQUESTS_CA_BUNDLE=/etc/pki/tls/certs will trust something that shouldn't be trusted.
That's a fair point. (See below.)
now that we have
--server, I would like to see the Agent config file disappear...so feel free to excise it from here! 😀
Yeah: done.
🎉
That closes out the discussion about virtual tabbing and HERE files, too.
🎊
(I have GitHub set to 4 space tabs just like
vscode, by the way, so it looks fine to me: and I don't see any advantage in a different setting since it still doesn't ensure a wayward tab is evident.)
I was unaware of that setting. (However, I'm not sure I would like that better.)
it occurs to me that this would bother me a bit less if we packaged it in our own file tree rather than in a standard system location, like
/opt/pbench-agent/config/develop/pbench-devel-CA.crtwhere it's highly improbable that it could be referenced accidentally and where the path and name makes the purpose more obvious.
I would be happy with that solution. I only put it in /etc/pki/tls/certs because I needed to put it somewhere and that seemed like a conventional location. (I was thinking that we would actually trust it in test configurations, but never carried through on that; but, IIUC, trusting it requires having it in there.)
As for what to name the CA cert file, we could go with pbench-devel-CA.crt or pbench-private-CA.crt, but I don't see much advantage to those over the current pbench_CA.crt.
Note that currently, we use the private CA:
- in func-test to connect between the Server and Keycloak and between the client and the "inner" Nginx proxy; and,
- in Staging to connect between the client and the "inner" proxy.
Once we move the Staging server behind the IntLab "outer" proxy, we won't use the CA in staging at all (just as we won't in production) -- instead, we'll use a cert signed by the IntLab "intermediate CA" -- so access to the private CA will only be an issue for func-test and development.
| if server: | ||
| path = config.get("results", "rest_endpoint") | ||
| uri = f"{server}/{path}" | ||
| self.ca = None | ||
| else: | ||
| uri = config.get("results", "server_rest_url") | ||
|
|
||
| # If the "server_ca" config variable isn't defined, we expect to verify | ||
| # using a registered CA. | ||
| self.ca = config.get("results", "server_ca", fallback=None) |
There was a problem hiding this comment.
Is this code up-to-date with our current thinking?
As the code now stands (AFAICT), if we specify server, then we ignore the server_ca option in the config file, and we'll depend on REQUESTS_CA_BUNDLE if an override is needed; if, instead, we pull the uri from the config file, then we'll honor server_ca if it is provided...why the bifurcation? Why not use the config file CA value in both cases if it is provided? Or, why have the server_ca option at all when the user can use REQUESTS_CA_BUNDLE?
There was a problem hiding this comment.
The config file defines a server and optionally a CA to go with that server. If you don't create a custom config file and use --server, there's not going to be a server_ca anyway. But if you have a config file, even with a server_ca, we can't necessarily assume that the --server target cert uses that CA.
So basically, config file server goes with config file CA; while --server goes with REQUESTS_CA_BUNDLE.
There was a problem hiding this comment.
I'm unclear why we need this change and why it's better than just relying on REQUESTS_CA_BUNDLE for both cases. 🤷
There was a problem hiding this comment.
So your idea is that if someone installs the Agent RPM and relies on a server configured in pbench-agent.cfg so they can just pbench-results-move (e.g., the passthrough server) we should still require them to put a customized REQUESTS_CA_BUNDLE in the environment?
Granted, in the long run, we don't want to force users to rely on private CA certs at all, but this still seems worth doing.
There was a problem hiding this comment.
My thinking is that, in production, access to the Pbench Server will require only publicly-available and trusted CAs (for some definition of "public"...e.g., "Red Hat internal", perhaps...), and so no specific action (e.g., defining REQUESTS_CA_BUNDLE) on the part of the user would be required.
For Staging, we should be operating in a similar environment (i.e., behind the IntLab proxies and using IntLab-signed or RH-IT-signed certs).
So, it's only for func-test and development that we would need to be using our private CA. "Normal users" wouldn't need it, unless they are working with bits that are too hot for Staging.
And, I think we have func-test already covered. So, it all really boils down to how do we support our developers. And, for that, I think we can rely on defining REQUESTS_CA_BUNDLE (and, we can probably do it implicitly inside a wrapper script or two, so it doesn't have to be reflected at all in the actual Agent or Server code).
PBENCH-1209 The staging server and local development servers now use HTTPS with certs signed by a private pbench CA. An HTTPS connection can't be validated without a reference to this CA. The primary change here is in the `contrib/containerized-pbench/pbench` script which now looks for a private CA definition, maps the CA bundle file into the container, and defines `REQUESTS_CA_BUNDLE` within the container. In an attempt to handle RPM installs, there's also logic to support a new `[results]` section `pbench_ca` configuration variable to define a CA path that will be used to verify the `PUT` to a server. Note, this isn't being used for the `--relay` path, as that's currently not using `https` and we'll need to figure out how we want to configure this in the future.
I'm not entirely sure how far I want to take this. What I have so far allows a user to use the `pbench` script to run a Pbench Agent command with a specified CA bundle against a "runlocal" or the staging server by specifying the CA file with `export PB_AGENT_CA=server/pbenchinacan/etc/pki/tls/certs/pbench_CA.crt` before using `./contrib/containerized-pbench/pbench pbench-results-move`. If you use `--server` or `--relay` you don't need to worry about having a `~/.config/pbench/pbench-agent.cfg` file. The remaining "problem" is that if you don't want to use `--server` and expect to get your configuration from `~/.config/pbench/pbench-agent.cfg`, even if it has the new `server_ca` configuration value set, there's no logic to cause the CA to be mapped into the container so it won't actually work. (That is, you still need the `PB_AGENT_CA` environment variable.) I find this unsatisfying; but any solution I can see (e.g., unconditionally mapping in the private CA if we can find it, or building a mechanism to look for `[results] server_ca` in the config file, given there's no standard config-parser CLI available outside the container) at least equally unsatisfying. So for now, this is at least a hack allowing us to use the `pbench` container script against staging and runlocal servers. Maybe that's enough.
Drop the attempt to create and manage a pbench-agent.cfg file.
Might as well default `verify=None` everywhere.
| if server: | ||
| path = config.get("results", "rest_endpoint") | ||
| uri = f"{server}/{path}" | ||
| self.ca = None | ||
| else: | ||
| uri = config.get("results", "server_rest_url") | ||
|
|
||
| # If the "server_ca" config variable isn't defined, we expect to verify | ||
| # using a registered CA. | ||
| self.ca = config.get("results", "server_ca", fallback=None) |
There was a problem hiding this comment.
I'm unclear why we need this change and why it's better than just relying on REQUESTS_CA_BUNDLE for both cases. 🤷
|
I am just curious, can we use --server option to get rid of pbench-agent.conf file? May be out of context on this PR |
I had the very same thought, but, when I started to look at it, it became clear that the answer is "no". If/when we get to using conventional packaging (a la the Fedora rules), we get much closer, but even then the answer might well be "no".
Definitely. 😀 But, we probably should be considering how we specify the access schema for the Pbench Server -- having that in |
PBENCH-1209
The staging server and local development servers now use HTTPS with certs signed by a private pbench CA. An HTTPS connection can't be validated without a reference to this CA.
The primary change here is in the
contrib/containerized-pbench/pbenchscript which now looks for a private CA definition, maps the CA bundle file into the container, and definesREQUESTS_CA_BUNDLEwithin the container.In an attempt to handle RPM installs, there's also logic to support a new
[results]sectionpbench_caconfiguration variable to define a CA path that will be used to verify thePUTto a server.Note, this isn't being used for the
--relaypath, as that's currently not usinghttpsand we'll need to figure out how we want to configure this in the future.