Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add the transport service DNS name to the CSR #2687

Merged
merged 2 commits into from
Mar 12, 2020

Conversation

pebrc
Copy link
Collaborator

@pebrc pebrc commented Mar 10, 2020

We initially connect through the transport service to the remote
cluster. This should ensure that the transport service is one of the trusted
DNS names.

I ran into errors like this one when testing remote cluster connection setup

[elasticsearch.server][WARN] failed to establish trust with server at [remote-src-es-transport.default.svc]; the server provided a certificate with subject name [CN=remote-src-es-default-2.node.remote-src.default.es.local,OU=remote-src] and fingerprint [effb883baf24e32229edbe17361034c23c6c1a61]; the certificate has subject alternative names [DNS:remote-src-es-default-2.node.remote-src.default.es.local,IP:10.73.0.8,IP:127.0.0.1]; the certificate is issued by [CN=remote-src-transport,OU=remote-src]; the certificate is signed by (subject [CN=remote-src-transport,OU=remote-src] fingerprint [1743d054ed76a38e7a212781318bacfdc3ea0748] {trusted issuer}) which is self-issued; the [CN=remote-src-transport,OU=remote-src] certificate is trusted in this ssl context ([xpack.security.transport.ssl])   

We initially connect through the transport service to the remote
cluster. This should  ensure that the transport service is one of the trusted
DNS names.
@@ -87,6 +87,8 @@ func buildGeneralNames(
generalNames := []certificates.GeneralName{
{OtherName: *commonNameOtherName},
{DNSName: commonName},
// add the transport service name for remote cluster connections initially connecting through the service
{DNSName: fmt.Sprintf("%s.%s.svc", esv1.TransportService(cluster.Name), cluster.Namespace)},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have GetServiceDNSName() in pkg/util/k8s which might be better to use here, and also includes the name without .svc (which also works)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It will not work unless we also change the seed hosts

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, would a comment be helpful here to explain why we're not? It seems like a gotcha since the name resolves. Though to be fair, the fully qualified domain name with the default domain suffix (e.g. cluster.local) also resolves but would fail.

Copy link
Contributor

@barkbay barkbay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, it is a side effect of #2659 and clearly shows that we need some e2e tests here (#2647). I will work on them as soon as I have completed my current tasks.

@@ -87,6 +87,8 @@ func buildGeneralNames(
generalNames := []certificates.GeneralName{
{OtherName: *commonNameOtherName},
{DNSName: commonName},
// add the transport service name for remote cluster connections initially connecting through the service
{DNSName: fmt.Sprintf("%s.%s.svc", esv1.TransportService(cluster.Name), cluster.Namespace)},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It will not work unless we also change the seed hosts

@pebrc pebrc merged commit 18b8936 into elastic:master Mar 12, 2020
@pebrc pebrc added >enhancement Enhancement of existing functionality v1.1.0 labels Mar 17, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
>enhancement Enhancement of existing functionality v1.1.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants