Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable TLS protocol when cert is provided and port number is 443 #113

Merged
merged 3 commits into from
Mar 15, 2024
Merged

Enable TLS protocol when cert is provided and port number is 443 #113

merged 3 commits into from
Mar 15, 2024

Conversation

gaiksaya
Copy link
Member

Description

Enables TLS protocol when certificateArn is provided and port number is 443 for both OS and OSD.
Bumps version to 1.2.1

Issues Resolved

resolves #112

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@codecov Codecov
Copy link

codecov bot commented Mar 14, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 91.66667% with 1 lines in your changes are missing coverage. Please review.

Project coverage is 82.55%. Comparing base (0051dc0) to head (bb8b02b).

Files Patch % Lines
lib/infra/infra-stack.ts 91.66% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #113      +/-   ##
==========================================
- Coverage   82.58%   82.55%   -0.03%     
==========================================
  Files           6        6              
  Lines         465      470       +5     
  Branches      176      179       +3     
==========================================
+ Hits          384      388       +4     
- Misses         81       82       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@gaiksaya
Format
326bc98 
Signed-off-by: Sayali Gaikawad <[email protected]>
@rishabh6788
Copy link
Collaborator

DO we have logic and test that verifies if the port mapping parameter passed for OS and OSD is not the same?
Like if 443 port is passed by mistake for both OS and OSD we should just error it out upfront.

@gaiksaya
Add error
bb8b02b 
Signed-off-by: Sayali Gaikawad <[email protected]>
@gaiksaya
Copy link
Member Author

DO we have logic and test that verifies if the port mapping parameter passed for OS and OSD is not the same? Like if 443 port is passed by mistake for both OS and OSD we should just error it out upfront.

Good catch! Added this check and associated test including defaults.

peterzhuamazon
peterzhuamazon reviewed Mar 14, 2024
View reviewed changes
lib/infra/infra-stack.ts
+ ` Current mapping is OpenSearch:${this.opensearchPortMapping} OpenSearch-Dashboards:${this.opensearchDashboardsPortMapping}`);
}

if (!this.securityDisabled && !this.minDistribution && this.opensearchPortMapping === 443 && certificateArn !== 'undefined') {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So it is possible for either os or osd to bind to 443, but not both?

In that case what if someone wants to get TLS on both os and osd?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For now we have enforced that TLS can only be enabled for 443 port. It can be any OS or OSD and certificate ARN is compulsory.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For now we decided to go with HTTPS port with TLS. Can surely be extended in future for all ports.

@gaiksaya gaiksaya merged commit 2a3968b into opensearch-project:main Mar 15, 2024
5 checks passed
@gaiksaya gaiksaya deleted the fix-cert branch March 15, 2024 00:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@peterzhuamazon peterzhuamazon peterzhuamazon left review comments

@rishabh6788 rishabh6788 rishabh6788 approved these changes

@bbarani bbarani Awaiting requested review from bbarani

@zelinh zelinh Awaiting requested review from zelinh zelinh is a code owner

@jordarlu jordarlu Awaiting requested review from jordarlu

@prudhvigodithi prudhvigodithi Awaiting requested review from prudhvigodithi prudhvigodithi is a code owner

@Divyaasm Divyaasm Awaiting requested review from Divyaasm Divyaasm is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[BUG] Error: A certificate cannot be specified for TCP listeners
3 participants
@gaiksaya @rishabh6788 @peterzhuamazon