Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update VCH inspect API to output TLS friendly addresses for VCH docker and admin portal endpoint #7321

Closed
2 tasks
AngieCris opened this issue Feb 13, 2018 · 2 comments
Closed
2 tasks

Update VCH inspect API to output TLS friendly addresses for VCH docker and admin portal endpoint #7321

AngieCris opened this issue Feb 13, 2018 · 2 comments
Assignees
@AngieCris
Labels
area/api The Vritual Container Host management API kind/defect Behavior that is inconsistent with what's intended priority/p1 team/lifecycle
Milestone
Sprint 28 Lifecycle

Comments

@AngieCris
Copy link
Contributor

AngieCris commented Feb 13, 2018
edited
Loading

Problem Statement
The VCH inspect API outputs IP address for docker endpoint and admin portal, and this IP address is the client network IP that user specifies.
However this client IP might fail docker TLS verification (if tls verify is on for this VCH) for some certificate configuration. For example, client could use FQDN resolved from /etc/hosts, and it's possible that it doesn't match what's in the host certificate if there's no alt name matched for it.

Possible Solution
The CLI gets around it by grabbing all candidate IPs from the allowed common host names and alternative names according to the configured certificate, and checking one by one to find an IP/FQDN that passes the tls verification. Once we find such IP, we turn it into FQDN and output this as docker endpoint.

(The PR that added this process: https://github.com/vmware/vic/pull/2744/files#diff-ab6c58c594b80369f767fa321a81c06e)

API code should be updated to determine appropriate IP address for the VCH according to the configured certificate, instead of just using client network IP address.

Acceptance Criteria

  • Update VCH inspect API code to output tls friendly IP
  • Update VCH inspect API integration test to check if the output matches with CLI's output

Cc: @hickeng @zjs
@AngieCris AngieCris added kind/defect Behavior that is inconsistent with what's intended area/api The Vritual Container Host management API priority/p2 team/lifecycle triage/proposed-1.4 status/needs-estimation The issue needs to be estimated by the team labels Feb 13, 2018
@AngieCris AngieCris mentioned this issue Feb 13, 2018
Merged
@AngieCris AngieCris self-assigned this Feb 13, 2018
@AngieCris
Copy link
Contributor Author

AngieCris commented Feb 13, 2018
edited
Loading

The API inspect isn't used in wizard/UI or anywhere, so setting priority/p2 for now. The priority might bump once the UI switches to use API inspect to render VCH inventory list.

@AngieCris
Copy link
Contributor Author

setting priority p1 because it blocks inspect API test

@andrewtchin andrewtchin added this to the Sprint 26 Lifecycle milestone Feb 13, 2018
@andrewtchin andrewtchin removed the status/needs-estimation The issue needs to be estimated by the team label Feb 13, 2018
@AngieCris AngieCris mentioned this issue Mar 16, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@AngieCris AngieCris

Labels
area/api The Vritual Container Host management API kind/defect Behavior that is inconsistent with what's intended priority/p1 team/lifecycle
Projects
None yet
Milestone
Sprint 28 Lifecycle
Development

No branches or pull requests
3 participants
@zjs @andrewtchin @AngieCris