Extend SSL/TLS support to st2stream and st2api - plus move common API code into common library #6204
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pull-request-size
bot
added
the
size/XL
jk464
changed the title
jk464
force-pushed
the
feature/st2api-stream-tls
branch
from
0c311d7
to
217a90b
Compare
jk464
force-pushed
the
feature/st2api-stream-tls
branch
from
217a90b
to
58fdc7e
Compare
jk464
force-pushed
the
feature/st2api-stream-tls
branch
from
58fdc7e
to
53d2e92
Compare
|
can you please fix the lint checks. |
guzzijones
approved these changes
Sep 13, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In StackStorm/stackstorm-k8s#401, I'm adding support for SSL/TLS between internal components of StackStorm.
st2authhas out-of-the-box support for SSL/TLS. Meanwhilest2streamandst2apidid not and required placing a TLS proxy layer infront of thestream/apicontainers.@cognifloyd pointed out in the
st2core code where it should be fairly straightforward to copy the SSL/TLS support fromst2authtost2streamandst2api. This PR does that.The PR containers two parts as two commits:
Extend SSL/TLS support to st2stream and st2api
This is the primary commit of the PR, it is a basic implementation of SSL/TLS support as suggested by @cognifloyd - and works perfectly fine, nothing fancy beyond that.
Move common API code into shared library
While implementing support for SSL/TLS I notice between the 3 components
api,authandstreamthat the following set of 3 files for each component:st2auth:
st2auth/st2auth/config.py
st2auth/st2auth/app.py
st2auth/st2auth/cmd/api.py
st2api:
st2api/st2api/config.py
st2api/st2api/app.py
st2api/st2api/cmd/api.py
st2stream:
st2stream/st2stream/config.py
st2stream/st2stream/app.py
st2stream/st2stream/cmd/api.py
Are all very similar in function, with only minor functional differences between each one. However there was also some inconsistency in convention between the 3 due to the functionally between separately implement for each (for example
authbeing the only one with SSL/TLS support).Therefore in an attempt to "streamline" the code base, I've moved this code into a new separate
st2commonlibraryopenapi(name open to suggestions since this isn't maybe the best description of its function, I just went for this as a "working" name), the library contains 3 filesst2common/st2common/openapi/api.pyst2common/st2common/openapi/app.pyst2common/st2common/openapi/config.pyWhich moves the common code from the respectively named files in
st2api,st2auth, andst2streamcomponents and updates those libraries to pull in this new library.This will hopefully simplify support/maintenance going forward - and ensure any new features/fixes that would apply to all 3 components gets implement to all 3 (for example if we had this originally, would we have gotten SSL/TLS support for all 3 components at the same time, instead of just for
auth- until this PR?)As an immediate piece of self-feedback there's a few places in the
st2common/openapilibrary I've done something along the lines of:I don't particularly like that, but these where minor differences between services of an otherwise identical function and I was unsure how to handle it otherwise without having to needlessly replicate code. So any suggestion on how to handle this without having to bake edgecases in the common library would be appreciated.