9daf1fd378
- Add comprehensive database migrations (001-024) for schema evolution - Enhance API schema with expanded type definitions and resolvers - Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth - Implement new services: AI optimization, billing, blockchain, compliance, marketplace - Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage) - Update Crossplane provider with enhanced VM management capabilities - Add comprehensive test suite for API endpoints and services - Update frontend components with improved GraphQL subscriptions and real-time updates - Enhance security configurations and headers (CSP, CORS, etc.) - Update documentation and configuration files - Add new CI/CD workflows and validation scripts - Implement design system improvements and UI enhancements
5.7 KiB
5.7 KiB
TLS Configuration Guide
Overview
This document describes the TLS configuration for Proxmox API connections in the Crossplane provider. Proper TLS configuration is critical for security and compliance.
Current Configuration
ProviderConfig Settings
The ProviderConfig resource supports TLS configuration per site:
apiVersion: proxmox.sankofa.nexus/v1alpha1
kind: ProviderConfig
metadata:
name: proxmox-provider-config
spec:
sites:
- name: us-sfvalley
endpoint: https://ml110-01.sankofa.nexus:8006
insecureSkipTLSVerify: false # ✅ TLS verification enabled
- name: eu-west-1
endpoint: https://r630-01.sankofa.nexus:8006
insecureSkipTLSVerify: false # ✅ TLS verification enabled
insecureSkipTLSVerify: false # ✅ TLS verification enabled
TLS Verification
Current Status
- Default:
insecureSkipTLSVerify: false(TLS verification enabled) - Location:
crossplane-provider-proxmox/examples/provider-config.yaml - Implementation:
pkg/proxmox/http_client.go
Implementation Details
The HTTP client uses Go's crypto/tls package:
transport := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: insecureSkipTLSVerify,
},
}
Security Best Practices
✅ Recommended: Enable TLS Verification
insecureSkipTLSVerify: false
Benefits:
- Prevents man-in-the-middle attacks
- Validates certificate authenticity
- Ensures connection to intended server
- Required for compliance (SOC 2, ISO 27001)
⚠️ Development Only: Disable TLS Verification
insecureSkipTLSVerify: true
Use Cases:
- Development environments with self-signed certificates
- Testing with local Proxmox instances
- Temporary workarounds (should be fixed)
Risks:
- Vulnerable to MITM attacks
- No certificate validation
- Not suitable for production
Certificate Management
Proxmox Certificate Setup
-
Obtain Valid Certificates
- Use Let's Encrypt (recommended)
- Use internal CA for private networks
- Purchase commercial certificates
-
Install Certificates on Proxmox
# On Proxmox node pvecm updatecerts -f # Or manually install certificates -
Verify Certificate
openssl s_client -connect ml110-01.sankofa.nexus:8006 -showcerts
Certificate Validation
The provider validates:
- Certificate chain
- Certificate expiration
- Hostname matching
- Certificate authority trust
Troubleshooting
Error: "x509: certificate signed by unknown authority"
Cause: Certificate not trusted by system CA bundle
Solutions:
-
Add CA certificate to system trust store
# On Kubernetes node cp ca-cert.pem /usr/local/share/ca-certificates/ update-ca-certificates -
Use custom CA bundle in provider
- Mount CA certificate as secret
- Configure provider to use custom CA bundle
- Update HTTP client to use custom CA
-
Temporary: Set
insecureSkipTLSVerify: true(development only)
Error: "x509: certificate is valid for X, not Y"
Cause: Certificate hostname mismatch
Solutions:
- Update certificate to include correct hostname
- Use correct hostname in endpoint configuration
- Request new certificate with correct SANs
Error: "x509: certificate has expired"
Cause: Certificate expired
Solutions:
- Renew certificate
- Install new certificate on Proxmox
- Update certificate rotation procedures
Certificate Rotation
Automated Rotation
-
Use Let's Encrypt with auto-renewal
certbot renew --dry-run -
Monitor certificate expiration
- Set up alerts for certificates expiring in < 30 days
- Automate renewal process
-
Update Proxmox certificates
# After renewal systemctl reload pveproxy
Manual Rotation
- Obtain new certificate
- Install on Proxmox node
- Verify certificate works
- Update provider configuration if needed
- Restart provider pods
Compliance Considerations
SOC 2 Requirements
- ✅ TLS 1.2+ required
- ✅ Certificate validation enabled
- ✅ Certificate rotation procedures documented
- ✅ Certificate expiration monitoring
ISO 27001 Requirements
- ✅ Encryption in transit
- ✅ Certificate management procedures
- ✅ Access control for certificate management
- ✅ Audit logging of certificate changes
Configuration Examples
Production Configuration
sites:
- name: us-east-1
endpoint: https://pve1.sankofa.nexus:8006
insecureSkipTLSVerify: false # Production: always false
Development Configuration
sites:
- name: dev
endpoint: https://pve-dev.local:8006
insecureSkipTLSVerify: true # Dev only: self-signed certs
Staging Configuration
sites:
- name: staging
endpoint: https://pve-staging.sankofa.nexus:8006
insecureSkipTLSVerify: false # Staging: use real certs
Monitoring
Certificate Expiration Alerts
Set up Prometheus alerts:
groups:
- name: tls_certificates
rules:
- alert: ProxmoxCertificateExpiring
expr: probe_ssl_earliest_cert_expiry - time() < 86400 * 30
for: 1h
annotations:
summary: "Proxmox certificate expiring soon"
TLS Connection Monitoring
Monitor TLS handshake failures:
- Failed TLS connections
- Certificate validation errors
- Connection timeouts
Related Documentation
Last Updated
- Date: 2024-12-19
- Status: TLS verification enabled by default
- Next Review: 2025-01-19