
api: fix TLS when redirecting the request #1740

Merged
merged 6 commits into from
Sep 17, 2019

@rleungx rleungx commented Sep 9, 2019

What problem does this PR solve?

Start 2 PDs:
pd1: client-urls: 127.0.0.1:2379, peer-urls: 127.0.0.1:2380
pd2: client-urls: 127.0.0.1:2479, peer-urls: 127.0.0.1:2480

From PD log:
Before:
pd1:

[2019/09/09 13:54:31.332 +08:00] [ERROR] [redirector.go:97] ["request failed"] [error="Get https://127.0.0.1:2379/pd/ping: x509: certificate signed by unknown authority"]
[2019/09/09 13:55:31.332 +08:00] [ERROR] [redirector.go:97] ["request failed"] [error="Get https://127.0.0.1:2379/pd/ping: x509: certificate signed by unknown authority"]

pd2:

[2019/09/09 14:30:00.098 +08:00] [WARN] [config_logging.go:258] ["rejected connection"] [remote-addr=127.0.0.1:53098] [server-name=] [error="remote error: tls: bad certificate"]
[2019/09/09 14:30:01.366 +08:00] [WARN] [config_logging.go:258] ["rejected connection"] [remote-addr=127.0.0.1:53106] [server-name=] [error="remote error: tls: bad certificate"]

After: no such error

From curl:
Before:

curl --cacert /path/to/ca.pem --cert /path/to/pd-server.pem --key /path/to/pd-server-key.pem https://127.0.0.1:2479/pd/ping
redirect failed

After: no such error

What is changed and how it works?

This PR fixes the TLS problem when redirecting the request.

Check List

Tests

  • Manual test

Related changes

  • Need to cherry-pick to the release branch
  • Need to be included in the release notes

@rleungx rleungx added component/api HTTP API. needs-cherry-pick-release-2.1 The PR needs to cherry pick to release-2.1 branch. needs-cherry-pick-release-3.0 The PR needs to cherry pick to release-3.0 branch. labels Sep 9, 2019
@rleungx rleungx requested review from Connor1996, AstroProfundis, disksing, lhy1024 and nolouch and removed request for AstroProfundis September 9, 2019 06:56
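
The client-side error in the PD log above, reproduced as an added Go example (not the PR's code): an HTTP client with no TLS configuration fails against a peer whose certificate chains to a private CA, and succeeds once the CA is supplied. The names `newForwardClient`, `ping` and `demo` are hypothetical, and `httptest`'s built-in self-signed certificate stands in for the cluster CA.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newForwardClient (hypothetical name) builds the client used to forward an
// API request to a peer. A nil roots pool reproduces the failing setup: Go
// falls back to the system trust store, which lacks the private cluster CA.
func newForwardClient(roots *x509.CertPool, certs ...tls.Certificate) *http.Client {
	if roots == nil {
		return &http.Client{}
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:      roots, // CA that signed the peer's server certificate
		Certificates: certs, // client certificate, if the peer asks for one
		MinVersion:   tls.VersionTLS12,
	}}}
}

// ping requests <base>/pd/ping and returns the HTTP status code.
func ping(c *http.Client, base string) (int, error) {
	resp, err := c.Get(base + "/pd/ping")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// demo starts a constructed TLS peer and pings it with both clients.
func demo() (before error, afterStatus int, after error) {
	peer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer peer.Close()
	_, before = ping(newForwardClient(nil), peer.URL)
	roots := x509.NewCertPool()
	roots.AddCert(peer.Certificate()) // constructed stand-in for ca.pem
	afterStatus, after = ping(newForwardClient(roots), peer.URL)
	return
}

func main() {
	before, status, after := demo()
	fmt.Println("default client:   ", before)
	fmt.Println("configured client:", status, after)
}
```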

codecov-io commented Sep 9, 2019

Codecov Report

Merging #1740 into master will decrease coverage by 0.05%.
The diff coverage is 75%.

@@            Coverage Diff             @@
##           master    #1740      +/-   ##
==========================================
- Coverage   76.83%   76.77%   -0.06%     
==========================================
  Files         162      162              
  Lines       15832    15844      +12     
==========================================
  Hits        12165    12165              
- Misses       2650     2654       +4     
- Partials     1017     1025       +8
Impacted Files Coverage Δ
server/api/redirector.go 76.81% <75%> (-0.39%) ⬇️
pkg/etcdutil/etcdutil.go 76.81% <0%> (-11.6%) ⬇️
server/tso/tso.go 78.89% <0%> (-4.59%) ⬇️
server/server.go 81.83% <0%> (-1.92%) ⬇️
server/core/storage.go 76.08% <0%> (-1.45%) ⬇️
server/member/leader.go 74.48% <0%> (-1.03%) ⬇️
server/config/option.go 91.85% <0%> (-0.75%) ⬇️
server/grpc_service.go 57.91% <0%> (+0.43%) ⬆️
server/handler.go 50.13% <0%> (+0.52%) ⬆️
client/client.go 69.89% <0%> (+1.29%) ⬆️
... and 2 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@rleungx rleungx requested a review from Connor1996 September 9, 2019 09:03

@Connor1996 Connor1996 left a comment

LGTM

Signed-off-by: Ryan Leung <rleungx@gmail.com>
@nolouch nolouch added needs-cherry-pick-release-3.1 The PR needs to cherry pick to release-3.1 branch. and removed needs-cherry-pick-release-3.1 The PR needs to cherry pick to release-3.1 branch. labels Sep 11, 2019

@shafreeck shafreeck left a comment

LGTM

@rleungx rleungx added status/can-merge Indicates a PR has been approved by a committer. and removed needs-cherry-pick-release-2.1 The PR needs to cherry pick to release-2.1 branch. needs-cherry-pick-release-3.0 The PR needs to cherry pick to release-3.0 branch. labels Sep 17, 2019

sre-bot commented Sep 17, 2019

/run-all-tests

@sre-bot sre-bot merged commit cfa5706 into tikv:master Sep 17, 2019

sre-bot commented Sep 17, 2019

cherry pick to release-3.0 failed


sre-bot commented Sep 17, 2019

cherry pick to release-2.1 failed


sre-bot commented Sep 17, 2019

cherry pick to release-3.1 failed

rleungx added a commit to rleungx/pd that referenced this pull request Sep 27, 2019
Signed-off-by: Ryan Leung <rleungx@gmail.com>
rleungx added a commit to rleungx/pd that referenced this pull request Sep 30, 2019
Signed-off-by: Ryan Leung <rleungx@gmail.com>
sre-bot pushed a commit that referenced this pull request Oct 9, 2019
Signed-off-by: Ryan Leung <rleungx@gmail.com>

onitake commented Oct 17, 2019

When will this land in a PD release?
I discovered that version 3.0.4 is not usable for me because I'm running into the certificate validation issue. Will there be a 3.1 or 4.0 soon?


rleungx commented Oct 18, 2019

@onitake This fix will land in 3.0.5 soon.


onitake commented Oct 21, 2019

@rleungx Thanks!

nolouch pushed a commit to nolouch/pd that referenced this pull request Nov 12, 2019
Signed-off-by: Ryan Leung <rleungx@gmail.com>