jstaf opened a new issue, #717:
URL: https://github.com/apache/solr-operator/issues/717

   Tried setting up solr-operator with TLS between Solr and Zookeeper. 
(Zookeeper is setup with TLS, and Solr must connect to Zookeeper's TLS port.) 
It doesn't work or appear to have ever been tested.
   
   Summary of problems I found before giving up:
   
   * Solr cannot connect to Zookeepers using TLSv1.3 (will fail with `alert: 
protocol_version` until you downgrade).
   * Contrary to the documentation, Solr's initContainers ignore 
`spec.solrZkOpts` completely... spec.solrZkOpts sets SOLR_OPTS, but the `solr 
zk` and `zkCli.sh` commands ignore SOLR_OPTS.
     * `solr zk` uses `SOLR_TOOL_OPTS` not `SOLR_OPTS` (and this is specific to 
Solr 9... Solr 8 uses a different env var) 
https://github.com/apache/solr/blob/main/solr/bin/solr#L601-L610
     * `zkcli.sh` uses `ZKCLI_JVM_FLAGS` not `SOLR_OPTS`
   * The Solr TLS keystores/truststores don't even get mounted into the 
initContainers (and there is no way to do so), so even if you were able to 
specify the right combination of flags to `solr zk` and `zkcli.sh` in the 
initContainers, you can't add the certificates to set up TLS to Zookeeper 
anyways.
   * The environment variables for the location of the 
truststore/keystore/passwords/etc. are not mounted in the initContainer
   * There's no documentation on how to set up TLS between Solr and Zookeeper
   
   To reproduce the issue:
   
   Set up Zookeeper with TLS using the [Bitnami Helm 
chart](https://github.com/bitnami/charts/tree/main/bitnami/zookeeper): `helm 
install zookeeper bitnami/zookeeper -f zookeeper.yml`. Example `zookeeper.yml` 
(uses TLS for encryption, but not for authentication):
   
   ```yml
   # note: solr flat-out cannot connect to zookeepers that use TLSv1.3,
   # so we downgrade to TLSv1.2 here
   jvmFlags: -Dzookeeper.ssl.protocol=TLSv1.2
   
   # disabled for simplicity here
   auth:
     client:
       enabled: false
     quorum:
       enabled: false
   
   networkPolicy:
     extraIngress:
       - ports:
           - port: 3181
   service:
     # zookeeper healthchecks and stuff are broken without this
     disableBaseClientPort: true
     headless:
       publishNotReadyAddresses: false
   tls:
     client:
       # clients encrypt connections with TLS,
       # but do not use mTLS authentication
       enabled: true
       autoGenerated: true
       auth: "none"
     quorum:
       # use full mTLS auth+encryption between servers
       enabled: true
       autoGenerated: true
       auth: "need"
   ```
   
   Then install solr-operator, and create a SolrCloud CRD. In this case I've 
generated some Certificate resources via cert-manager that the SolrCloud is 
using... 
   
   ```yml
   apiVersion: solr.apache.org/v1beta1
   kind: SolrCloud
   metadata:
     name: solr
   spec:
     replicas: 3
     solrImage:
       tag: 9.6.1
     dataStorage:
       persistent:
         reclaimPolicy: Delete
         pvcTemplate:
           spec:
             resources:
               requests:
                 storage: "20Gi"
     solrTLS:
       # can't supply just a trustStore on its own, which is annoying
       # (maybe users want to get Solr -> Zookeeper TLS set up first before doing TLS for Solr itself?)
       pkcs12Secret:
         name: solr-tls
         key: keystore.p12
       keyStorePasswordSecret:
         name: solr-tls-password
         key: password
       # doesn't even get mounted into the initcontainer
       trustStoreSecret:
         name: solr-tls-password
         key: truststore.p12
       trustStorePasswordSecret:
         name: solr-tls-password
         key: password
     solrZkOpts: >
       -Dzookeeper.client.secure=true
       -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
       -Dzookeeper.ssl.hostnameVerification=false
       -Dzookeeper.ssl.trustStore.location=/var/solr/tls/truststore.p12
       -Dzookeeper.ssl.trustStore.password=some-password
     zookeeperRef:
       connectionInfo:
         externalConnectionString: "zookeeper-0.zookeeper-headless.solr:3181,zookeeper-1.zookeeper-headless.solr:3181,zookeeper-2.zookeeper-headless.solr:3181"
         chroot: /solr
   ```
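Added example (not from the issue or the solr-operator project): a shell helper that assembles the ZooKeeper TLS system properties listed in the issue's `solrZkOpts` and exports them under the variable names the issue says the init-container tools actually read (`SOLR_TOOL_OPTS` for `solr zk` on Solr 9, `ZKCLI_JVM_FLAGS` for `zkcli.sh`), since both ignore `SOLR_OPTS`. It assumes the truststore has been made available inside the container, and leaves `zookeeper.ssl.hostnameVerification` at its default instead of disabling it as the issue's manifest does.

```bash
#!/usr/bin/env bash
# Added example, not the operator's own code. Builds the -D flags for a
# TLS-encrypted (non-mTLS) client connection to ZooKeeper and exports them
# for the two tools run in the operator's init containers.
set -u

# Arguments: truststore path, truststore password.
# Returns non-zero when the truststore is not readable, which is the
# situation the issue describes (secret never mounted into the initContainer).
build_zk_tls_opts() {
  local truststore="$1" password="$2"
  if [ ! -r "$truststore" ]; then
    echo "truststore not readable: $truststore" >&2
    return 1
  fi
  printf '%s' \
    "-Dzookeeper.client.secure=true" \
    " -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty" \
    " -Dzookeeper.ssl.trustStore.location=$truststore" \
    " -Dzookeeper.ssl.trustStore.password=$password"
}

# Export the flags for both tools: `solr zk` (SOLR_TOOL_OPTS on Solr 9) and
# zkcli.sh (ZKCLI_JVM_FLAGS). Existing values are preserved and appended to.
export_zk_tls_env() {
  local opts
  opts="$(build_zk_tls_opts "$1" "$2")" || return 1
  export SOLR_TOOL_OPTS="${SOLR_TOOL_OPTS:-} $opts"
  export ZKCLI_JVM_FLAGS="${ZKCLI_JVM_FLAGS:-} $opts"
}

# Usage with the paths from the issue's manifest (password read from the
# mounted secret file rather than hard-coded in the manifest):
# export_zk_tls_env /var/solr/tls/truststore.p12 "$(cat /var/solr/tls/password)"
```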


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
