
Cant enable TLS, clientToServer seems to be ignored

Open augcollet opened this issue 2 years ago • 2 comments

Hello,

I am trying to enable TLS by using the following conf.yaml file:

[...]
tls:
  # Set to true to enable the TLS.
  enabled: true
  nodeToNode: true
  clientToServer: true
  # Set to false to disallow any service with unencrypted communication from joining this cluster
  insecure: false
  # Set enabled to true to use cert-manager instead of providing your own rootCA
  certManager:
    enabled: false
    # Will create own ca certificate and issuer when set to true
    bootstrapSelfsigned: true
    # Use ClusterIssuer when set to true, otherwise use Issuer
    useClusterIssuer: false
    # Name of ClusterIssuer to use when useClusterIssuer is true
    clusterIssuer: cluster-ca
    # Name of Issuer to use when useClusterIssuer is false
    issuer: yugabyte-ca
    certificates:
      # The lifetime before cert-manager will issue a new certificate.
      # The re-issued certificates will not be automatically reloaded by the service.
      # It is necessary to provide some external means of restarting the pods.
      duration: 2160h # 90d
      renewBefore: 360h # 15d
      algorithm: ECDSA # ECDSA or RSA
      # Can be 2048, 4096 or 8192 for RSA
      # Or 256, 384 or 521 for ECDSA
      keySize: 521

  ## When certManager.enabled=false, rootCA.cert and rootCA.key are used to generate TLS certs.
  ## When certManager.enabled=true and bootstrapSelfsigned=true, rootCA is ignored.
  ## When certManager.enabled=true and bootstrapSelfsigned=false, only rootCA.cert is used
  ## to verify TLS certs generated and signed by the external provider.
  rootCA:
    cert: "..."
    key: "..."
  ## When tls.certManager.enabled=false
  ## nodeCert and clientCert will be used only when rootCA.key is empty.
  ## Will be ignored and genSignedCert will be used to generate
  ## node and client certs if rootCA.key is provided.
  ## cert and key are base64 encoded content of certificate and key.
  nodeCert:
    cert: ""
    key: ""
  clientCert:
    cert: ""
    key: ""
[...]

Everything is starting fine, but TLS encryption doesn't seem to be enabled. I see the following information in the web UI: [image]

If I look at TLS Settings in the web UI, I notice that client-to-server encryption is not enabled (is it the same information as in the previous screenshot?): [image]

So, the clientToServer parameter in yaml seems to be ignored.

Maybe I misunderstand something...

Thank you for reading, any help would be appreciated!

augcollet avatar Dec 14 '22 16:12 augcollet

@bhavin192 @baba230896

iSignal avatar Dec 15 '22 00:12 iSignal

Hello @augcollet, thank you for the bug report. I tried to replicate your setup and observed the same web UI as you have shown. Here are my findings:

  1. The Encryption Status: Never enabled (unlocked icon) is for the encryption-at-rest feature and is not related to TLS. I see it is definitely confusing; probably we should name it better in the web UI.

  2. The UI we are looking at is the YB-Master UI, and DB clients don't directly connect to Master, so I think client to node encryption doesn't apply there. Again, I feel this needs to be better represented in the TLS utility of the web UI. We shouldn't show the client to node line there for Master.

  3. If you go to any of the YB-TServer web UIs, you will be able to see the correct information.

    kubectl port-forward yb-tserver-0 -n default 9000
    

    Go to http://localhost:9000, and you will be able to see the TLS client to node being enabled.

    [image: YB-TServer web UI]

bhavin192 avatar Dec 21 '22 07:12 bhavin192
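As an added example (not code from this issue or from the charts project), here is a small Python check that compares the `tls` section the reporter posted with the flags a YB-TServer reports, so the comparison does not rely on reading the web UI by eye. The flag names `use_node_to_node_encryption`, `use_client_to_server_encryption` and `allow_insecure_connections` are yb-tserver's documented flags; that the chart maps exactly these keys to exactly these flags, the `--flag=value` line format of the dumps, and the dump contents themselves are assumptions constructed for this example.

```python
"""Compare the Helm chart's tls.* values with the flags a YB-TServer actually runs with."""
import re

# Chart key -> yb-tserver flag. The flag names are documented yb-tserver flags;
# that the chart derives them from exactly these keys is an assumption here.
CHART_TO_FLAG = {
    "nodeToNode": "use_node_to_node_encryption",
    "clientToServer": "use_client_to_server_encryption",
}

# One '--name=value' per line is the dump format assumed for this example.
FLAG_LINE = re.compile(r"^--(?P<name>[A-Za-z0-9_]+)=(?P<value>.*)$")


def parse_flags(text):
    """Return {flag_name: value} from '--name=value' lines; other lines are ignored."""
    flags = {}
    for line in text.splitlines():
        m = FLAG_LINE.match(line.strip())
        if m:
            flags[m.group("name")] = m.group("value")
    return flags


def expected_flags(tls):
    """Translate the chart's tls.* section into the flag values a server should show."""
    enabled = bool(tls.get("enabled", False))
    want = {}
    for key, flag in CHART_TO_FLAG.items():
        want[flag] = "true" if enabled and tls.get(key, False) else "false"
    # tls.insecure=false means "do not admit unencrypted peers"; assumed to map
    # to allow_insecure_connections. With TLS off the flag is expected to stay true.
    allow_insecure = (not enabled) or bool(tls.get("insecure", True))
    want["allow_insecure_connections"] = "true" if allow_insecure else "false"
    return want


def check_tls(tls, flags_text):
    """Return a list of (flag, expected, observed) mismatches; empty means the server matches."""
    observed = parse_flags(flags_text)
    mismatches = []
    for flag, want in expected_flags(tls).items():
        got = observed.get(flag, "<missing>")
        if got.lower() != want:
            mismatches.append((flag, want, got))
    return mismatches


# The tls section from the reporter's conf.yaml, reduced to the keys checked here.
ISSUE_TLS = {"enabled": True, "nodeToNode": True, "clientToServer": True, "insecure": False}

# Constructed sample dumps (not captured from a real cluster).
TSERVER_DUMP_OK = """\
--use_node_to_node_encryption=true
--use_client_to_server_encryption=true
--allow_insecure_connections=false
--certs_dir=/opt/certs/yugabyte
"""

TSERVER_DUMP_CLIENT_OFF = """\
--use_node_to_node_encryption=true
--use_client_to_server_encryption=false
--allow_insecure_connections=false
"""

if __name__ == "__main__":
    for name, dump in (("ok", TSERVER_DUMP_OK), ("client-off", TSERVER_DUMP_CLIENT_OFF)):
        problems = check_tls(ISSUE_TLS, dump)
        print(name, "->", "matches chart values" if not problems else problems)
```

To use it against a live pod, capture the flag list from a YB-TServer reached through the `kubectl port-forward` shown in the reply (not from a YB-Master, which serves no database clients and so has nothing to report for client-to-server encryption) and pass that text as `flags_text`.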