Enable useClientAuth on console breaks status checks from the operator #1036

Open
doxsch opened this issue Oct 18, 2024 · 1 comment
Labels
bug Something isn't working

doxsch commented Oct 18, 2024

We would like to protect the console using client certificates. To do this, we have enabled useClientAuth in the console configuration.

Configuration:

...
console:
  expose: true
  exposeMode: ingress
  name: console
  sslEnabled: true
  sslSecret: my-mapping-ssl-cert
  trustSecret: my-mapping-ssl-cert
  useClientAuth: true
...

This has worked so far. The JAAS TextFileCertificateLoginModule maps the certificate provided by the client to a user and group.

However, once this is activated, the following errors appear in the status field of the ActiveMQArtemis resource:

...
- lastTransitionTime: "2024-10-17T10:48:03Z"
  message: 'Get "https://aQ0IvDAb:***@my-broker-ss-0.my-broker-hdls-svc.my-namespace.svc.cluster.local:8161/console/jolokia/read/org.apache.activemq.artemis:broker=%22amq-broker%22/Status": remote error: tls: bad certificate'
  reason: UnableToRetrieveStatus
  status: Unknown
  type: BrokerPropertiesApplied
- lastTransitionTime: "2024-10-17T10:48:32Z"
  message: 'Get "https://aQ0IvDAb:***@my-broker-ss-0.my-broker-hdls-svc.my-namespace.svc.cluster.local:8161/console/jolokia/read/org.apache.activemq.artemis:broker=%22amq-broker%22/Status": remote error: tls: bad certificate'
  reason: UnableToRetrieveStatus
  status: Unknown
  type: BrokerVersionAligned
- lastTransitionTime: "2024-10-16T06:30:50Z"
  message: 'Get "https://aQ0IvDAb:***@my-broker-ss-0.my-broker-hdls-svc.my-namespace.svc.cluster.local:8161/console/jolokia/read/org.apache.activemq.artemis:broker=%22amq-broker%22/Status": remote error: tls: bad certificate'
  reason: UnableToRetrieveStatus
  status: Unknown
  type: JaasPropertiesApplied
...

I think the Jolokia client itself should also provide a client certificate. At the moment, there seems to be no way to do this?

gtully commented Oct 25, 2024

We need a little test that demonstrates the problem; we can then rework the .restricted mode use of the operator cert and trust bundle to use them when they are present rather than when .restricted = true. Jolokia may not need a restricted flag at all.

gtully self-assigned this Oct 25, 2024
gtully added a commit to gtully/activemq-artemis-operator that referenced this issue Oct 25, 2024
…use them on calls to jolokia, fix console.useClientAuth PEM support
gtully added a commit that referenced this issue Oct 29, 2024
…calls to jolokia, fix console.useClientAuth PEM support
gtully added a commit to gtully/activemq-artemis-operator that referenced this issue Oct 29, 2024
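
The failure mode discussed in this thread, reproduced as an added Go example (not the operator's code and not the test from the referenced commits): a stand-in HTTPS server requires client certificates the way the console does with useClientAuth: true, so a status request without one fails the handshake while the same request presenting a trusted certificate goes through. The names newMTLSServer, statusCheck and console.test, the generated certificate and the TLS 1.2 pin are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newMTLSServer stands in for the console; one constructed cert acts as sslSecret and trustSecret.
func newMTLSServer() (*httptest.Server, tls.Certificate, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed"}, DNSNames: []string{"console.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	// Assumption: TLS 1.2 is pinned so the rejection reaches the client as a handshake alert.
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MaxVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv, cert, pool
}

// statusCheck performs one GET; a client certificate is presented only if one is passed in.
func statusCheck(url string, roots *x509.CertPool, clientCerts ...tls.Certificate) error {
	cfg := &tls.Config{RootCAs: roots, ServerName: "console.test", Certificates: clientCerts}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

func main() {
	srv, cert, pool := newMTLSServer()
	fmt.Println("no cert:", statusCheck(srv.URL, pool), "| with cert:", statusCheck(srv.URL, pool, cert))
}
```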