MySQL communication failure when using TLS1.1


Issue

An organization may see failures when Spinnaker services connect to a MySQL database over TLS 1.1 on newer versions of Spinnaker.
The problem can surface in different ways, because the underlying TLS error is not always shown explicitly: a service may simply fail to start or lose its database connection once it is upgraded to a newer Java version.

The root cause is a change in the JVM's default TLS configuration, following announced deprecations, rather than a defect in Armory or Spinnaker.

Sample error:

spin-orca-56cbc4f4d-zg6tk orca Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
spin-orca-56cbc4f4d-zg6tk orca 	at java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:170)
spin-orca-56cbc4f4d-zg6tk orca 	at java.base/sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:103)
spin-orca-56cbc4f4d-zg6tk orca 	at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:222)
spin-orca-56cbc4f4d-zg6tk orca 	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:449)
spin-orca-56cbc4f4d-zg6tk orca 	at com.mysql.cj.protocol.ExportControlled.performTlsHandshake(ExportControlled.java:336)
spin-orca-56cbc4f4d-zg6tk orca 	at com.mysql.cj.protocol.StandardSocketFactory.performTlsHandshake(StandardSocketFactory.java:188)
spin-orca-56cbc4f4d-zg6tk orca 	at com.mysql.cj.protocol.a.NativeSocketConnection.performTlsHandshake(NativeSocketConnection.java:99)
spin-orca-56cbc4f4d-zg6tk orca 	at com.mysql.cj.protocol.a.NativeProtocol.negotiateSSLConnection(NativeProtocol.java:329)
spin-orca-56cbc4f4d-zg6tk orca 	... 168 common frames omitted

Cause

TLS 1.0 and TLS 1.1 are formally deprecated (RFC 8996), and Java 11.0.11 (like 8u291) disables both protocol versions by default by adding TLSv1 and TLSv1.1 to the jdk.tls.disabledAlgorithms security property in java.security. It is the protocol versions that are refused, not individual cipher suites, which is why the handshake fails with "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)".

As a result, any component that still negotiates TLS 1.1 fails by default. In testing, the connection also did not fall back to TLS 1.2 on its own, even though the MySQL Connector/J versions tested (8.0.19+) support it, so the client must be told explicitly which protocol to use.

Solution

To stay ahead of these JVM changes as they land in Spinnaker releases, customers are strongly encouraged to make the changes below now and move off TLS 1.1. Before changing the client side, confirm that the MySQL server itself accepts TLS 1.2 (for example with openssl s_client -starttls mysql -connect <host>:3306 -tls1_2); if it does not, pinning the client to TLS 1.2 will simply fail in a different way.

JDBC URIs

For every MySQL JDBC URL in the configuration, append the following parameter. If the URL already has a query string, join it with & instead of a second ? (Connector/J 8.0.28 and later also accept the name tlsVersions for this property):

?enabledTLSProtocols=TLSv1.2

For example, connectionPools.default.jdbcUrl should be adjusted from:

jdbc:mysql://tsesql01rds-57.cddfke67dweh.us-east-2.rds.amazonaws.com:3306/front50_test

to:

jdbc:mysql://tsesql01rds-57.cddfke67dweh.us-east-2.rds.amazonaws.com:3306/front50_test?enabledTLSProtocols=TLSv1.2

Cipher Declaration

Enable or disable protocols and cipher suites as appropriate. The JVM's list lives in the jdk.tls.disabledAlgorithms property of $JAVA_HOME/conf/security/java.security; removing TLSv1.1 from it would restore the old behaviour, but that re-enables a deprecated protocol for every connection the JVM makes and is not recommended. Any change here affects other Spinnaker services as well, so the recommended path is to use TLS 1.2 everywhere.

See the following KB articles for more details:


The following is a sample configuration for Orca; the same change applies to Orca, Clouddriver, and Fiat, depending on the Java version each service runs, when the Spinnaker version is 2.28.x.

orca:
  sql:
    connectionPool:
      connectionTimeout: 5000
      jdbcUrl: jdbc:mysql://DB_INSTANCE:3306/orca?enabledTLSProtocols=TLSv1.2
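
To apply the change consistently across configuration files, the helper below (an added example for this article, not Spinnaker or Armory code) rewrites every MySQL Connector/J URL it finds to pin enabledTLSProtocols=TLSv1.2. It handles the two cases that are easy to get wrong by hand: a URL that already carries a query string needs & rather than a second ?, and a URL that already sets enabledTLSProtocols (for example to TLSv1.1) needs its value replaced rather than duplicated. The sample config text is constructed for illustration; DB_INSTANCE and REDIS_HOST are placeholders, not real hosts.

```python
"""Pin MySQL Connector/J JDBC URLs to TLSv1.2 across a configuration file.

Added example for this KB article; not part of Spinnaker or Armory.
Assumes the Connector/J property name used on this page, enabledTLSProtocols
(Connector/J 8.0.28+ also accepts the newer name tlsVersions).
"""
import re
from urllib.parse import parse_qsl, urlencode

PROP = "enabledTLSProtocols"
TLS12 = "TLSv1.2"

# Connector/J URL schemes: plain, DNS SRV, load-balancing and replication.
# The match stops at whitespace or quotes so YAML/JSON-quoted values work.
JDBC_MYSQL_RE = re.compile(
    r"jdbc:mysql(?:\+srv)?:(?:loadbalance:|replication:)?//[^\s\"']+"
)


def pin_tls12(jdbc_url: str, protocols: str = TLS12) -> str:
    """Return jdbc_url with enabledTLSProtocols set to `protocols`.

    - Non-MySQL JDBC URLs are returned unchanged.
    - An existing query string is preserved and joined with '&'.
    - An existing enabledTLSProtocols value is replaced, so the call is
      idempotent and never produces duplicate parameters.
    """
    if not jdbc_url.startswith("jdbc:mysql"):
        return jdbc_url
    base, sep, query = jdbc_url.partition("?")
    params = parse_qsl(query, keep_blank_values=True) if sep else []
    params = [(k, v) for k, v in params if k != PROP]
    params.append((PROP, protocols))
    # ',' kept literal so a list such as "TLSv1.2,TLSv1.3" stays readable
    return f"{base}?{urlencode(params, safe=',')}"


def pin_tls12_in_text(text: str) -> str:
    """Rewrite every MySQL JDBC URL found in a config file's text."""
    return JDBC_MYSQL_RE.sub(lambda m: pin_tls12(m.group(0)), text)


# Constructed sample resembling an Orca SQL config (hypothetical values).
SAMPLE_CONFIG = """\
orca:
  sql:
    connectionPool:
      connectionTimeout: 5000
      jdbcUrl: jdbc:mysql://DB_INSTANCE:3306/orca
    migration:
      jdbcUrl: "jdbc:mysql://DB_INSTANCE:3306/orca?useSSL=true&enabledTLSProtocols=TLSv1.1"
redis:
  connection: redis://REDIS_HOST:6379
"""


if __name__ == "__main__":
    print(pin_tls12_in_text(SAMPLE_CONFIG))
```

Run it over each service's configuration and review the resulting diff before committing it; the helper only touches MySQL JDBC URLs, so Redis connection strings or other JDBC drivers in the same file are left alone.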


As Tested On Version

2.26, 2.28.x