
TF-8697: Support TLS 1.3 #297

Merged
merged 2 commits into from
Sep 14, 2023

Conversation

@sudomateo (Contributor) commented Sep 13, 2023

Closes #263

The Vault health check in Terraform Enterprise utilizes this vault-ruby library. When Terraform Enterprise is configured to communicate with a Vault server that only supports TLS v1.3, the Vault health check fails and Terraform Enterprise fails to start:

# tfe-admin health-check
checking: Archivist Health Check...
|  checks that Archivist is up and healthy
|- ✓ PASS

checking: Terraform Enterprise Health Check...
|  checks that Terraform Enterprise is up and can communicate with Redis and Postgres
|- ✗ ERROR: http://127.0.0.1:9292/_health_check?full did not return a healthy status, 500

checking: Terraform Enterprise Vault Health Check...
|  checks that Terraform Enterprise can connect to Vault and is able to encrypt and decrypt tokens
|- ✓ PASS

checking: Fluent Bit Health Check...
|  checks that the configure Fluent Bit server is healthy
|- SKIPPED

checking: RabbitMQ Health Check...
|  checks that RabbitMQ can be connected to and that we can send and consume messages
|- SKIPPED

checking: Vault Server Health Check...
|  checks that the configured Vault Server is healthy
|- ✓ PASS

1 check failed.

The underlying Atlas logs show more information about the failed Vault health check.

2023-09-13 17:04:40 [INFO] [16965a07-d6cd-42a5-b05c-3f8fa7dadac9] [dd.service=atlas dd.trace_id=3137792820384578439 dd.span_id=0] {"method":"GET","path":"/_health_check","format":"html","status":500,"allocations":77263,"duration":102.29,"view":0.69,"db":0.86,"dd":{"trace_id":"3137792820384578439","span_id":"0","env":"","service":"atlas","version":""},"ddsource":["ruby"],"uuid":"16965a07-d6cd-42a5-b05c-3f8fa7dadac9","remote_ip":"127.0.0.1","request_id":"16965a07-d6cd-42a5-b05c-3f8fa7dadac9","user_agent":"Go-http-client/1.1","user":null,"auth_source":null}
2023-09-13 17:04:42 [INFO] [640e2bed-3071-4009-8a9d-b879b2297ae6] [dd.service=atlas dd.trace_id=4180500942360885713 dd.span_id=0] health_check: Connecting to DB
2023-09-13 17:04:42 [INFO] [640e2bed-3071-4009-8a9d-b879b2297ae6] [dd.service=atlas dd.trace_id=4180500942360885713 dd.span_id=0] health_check: Connecting to Redis
2023-09-13 17:04:42 [INFO] [640e2bed-3071-4009-8a9d-b879b2297ae6] [dd.service=atlas dd.trace_id=4180500942360885713 dd.span_id=0] health_check: Connecting to Vault
2023-09-13 17:04:42 [ERROR] [640e2bed-3071-4009-8a9d-b879b2297ae6] [dd.service=atlas dd.trace_id=4180500942360885713 dd.span_id=0] Health check failure (vault): SSL_connect returned=1 errno=0 peeraddr=10.0.39.200:8200 state=error: tlsv1 alert protocol version
2023-09-13 17:04:42 [INFO] [640e2bed-3071-4009-8a9d-b879b2297ae6] [dd.service=atlas dd.trace_id=4180500942360885713 dd.span_id=0] health_check: Sending 500 response

This pull request replaces the deprecated ssl_version with min_version in order to support TLS v1.3. Previously, the code statically defined the TLS version to TLS v1.2, meaning that this vault-ruby library could not connect to Vault servers that only supported TLS v1.3.

With these changes, the Vault health check passes and Terraform Enterprise can start and perform runs.

root@ip-10-0-58-110:~# tfe-admin health-check
checking: Archivist Health Check...
|  checks that Archivist is up and healthy
|- ✓ PASS

checking: Terraform Enterprise Health Check...
|  checks that Terraform Enterprise is up and can communicate with Redis and Postgres
|- ✓ PASS

checking: Terraform Enterprise Vault Health Check...
|  checks that Terraform Enterprise can connect to Vault and is able to encrypt and decrypt tokens
|- ✓ PASS

checking: Fluent Bit Health Check...
|  checks that the configure Fluent Bit server is healthy
|- SKIPPED

checking: RabbitMQ Health Check...
|  checks that RabbitMQ can be connected to and that we can send and consume messages
|- SKIPPED

checking: Vault Server Health Check...
|  checks that the configured Vault Server is healthy
|- ✓ PASS

  All checks passed.
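As an added illustration of the change this PR describes (example code written here, not vault-ruby's own implementation): Net::HTTP's ssl_version= and min_version= both feed an OpenSSL::SSL::SSLContext, so the two settings are applied directly to a client context and tried against an in-process server that accepts TLS 1.3 only, as the Vault server in the issue did. The self-signed certificate and the socket-pair server are constructed for this example.

```ruby
require "openssl"
require "socket"

# Constructed self-signed certificate for the in-process server (not a real Vault cert).
def build_test_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end
# Server context that, like the Vault server in the issue, accepts TLS 1.3 only.
def tls13_only_server_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.key, ctx.cert = build_test_cert
  ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_3_VERSION
  ctx
end
# Pre-fix client: ssl_version pins both the minimum and the maximum to TLS 1.2.
def legacy_client_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ssl_version = :TLSv1_2
  ctx
end
# Post-fix client: min_version is only a floor, so TLS 1.3 can still be negotiated.
def fixed_client_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx
end
# Handshake over a local socket pair; returns [:ok, protocol] or [:error, message].
def handshake_result(client_ctx)
  client_sock, server_sock = UNIXSocket.pair
  server = Thread.new do
    OpenSSL::SSL::SSLSocket.new(server_sock, tls13_only_server_context).accept
  rescue StandardError  # a failed handshake is the expected outcome for the pre-fix client
  ensure
    server_sock.close   # never leave the client blocked on a dead server
  end
  ssl = OpenSSL::SSL::SSLSocket.new(client_sock, client_ctx).connect
  [:ok, ssl.ssl_version]
rescue OpenSSL::SSL::SSLError => e
  [:error, e.message]
ensure
  client_sock&.close
  server&.join
end
```

With the legacy context the client reports the same "tlsv1 alert protocol version" failure seen in the Atlas log above, while the min_version context negotiates TLSv1.3.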

@sudomateo sudomateo requested a review from a team as a code owner September 13, 2023 18:56

@averche averche left a comment


This makes sense to me, though I don't have much experience with Ruby.

@evanphx (Contributor) left a comment


ship

@sudomateo sudomateo merged commit 4744644 into master Sep 14, 2023
14 checks passed
Successfully merging this pull request may close these issues.

Failure to connect with TLS v1.3