Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Initial work to allow password protected PEM files #174

Merged
merged 1 commit into from
Mar 22, 2016
Merged

Initial work to allow password protected PEM files #174

merged 1 commit into from
Mar 22, 2016

Conversation

grierj
Copy link
Contributor

@grierj grierj commented Mar 7, 2016

Handle multiple password prompts
Had to put this before go-routines so we could hang on to STDIN
Adding gopass to vendoring
Tests for new ssl library stuff

This should solve #157

Initial work to allow password protected PEM files
eb8083e 
Handle multiple password prompts
Had to put this before go-routines so we could hang on to STDIN
Adding gopass to vendoring
Tests for new ssl library stuff
grierj
grierj reviewed Mar 8, 2016
View reviewed changes
go/app/http.go
@@ -112,7 +131,7 @@ func standardHttp(discovery bool) {
log.Fatale(err)
}
tlsConfig.InsecureSkipVerify = config.Config.SSLSkipVerify
if err = ssl.AppendKeyPair(tlsConfig, config.Config.SSLCertFile, config.Config.SSLPrivateKeyFile); err != nil {
if err = ssl.AppendKeyPairWithPassword(tlsConfig, config.Config.SSLCertFile, config.Config.SSLPrivateKeyFile, sslPEMPassword); err != nil {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can wrap this in an 'if' that checks to see if we have a password, or leave it as is. The function doesn't try to decrypt a non-encrypted cert, so it's mostly a no-op, but the naming is somewhat misleading. Interested in other opinions here.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm good with this. @djuntgen, any concerns?

@djuntgen
Copy link

@grierj Does sslPEMPassword come from stdin? Meaning, on start does Orchestrator prompt the users for the PEM Password?

@shlomi-noach
Copy link
Contributor

I'm not sure I'm keen on orchestrator prompting for password upon execution. It is being built for automation. In my environments it is used within cronjobs and chatops. @djuntgen what are the alternatives to prompting?

@grierj
Copy link
Contributor Author

grierj commented Mar 11, 2016

It only prompts if your private keys are password protected, keys without passwords won't prompt. And then it does this at start-up time only (before all the go routines are spawned).

Alternatives could be password files, but they have similar issues to not having the key password protected.

@grierj
Copy link
Contributor Author

grierj commented Mar 11, 2016

@djuntgen Yes, it looks at the configured SSH keys (orchestrator and orchestrator-agent) and if they are found to be encrypted, there will be a stdin style password prompt to ask for them.

Note: This doesn't work with the mutual TLS certificates for orchestrator to mysql communication, but it could if there was a desire to.

@shlomi-noach
Copy link
Contributor

@grierj shall I merge at this time?

@djuntgen
Copy link

@grierj @shlomi-noach - i'm good!

@grierj
Copy link
Contributor Author

grierj commented Mar 22, 2016

@shlomi-noach as long as you're fine with the initial prompting, it's good to merge.

@shlomi-noach shlomi-noach merged commit 9e1bb18 into outbrain-inc:master Mar 22, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@grierj @djuntgen @shlomi-noach