Merge pull request #1210 from SUSE/gen-ssl

Improve SSL certificate handling when deploying through Helm
cloudfoundry · Sep 18, 2017 · e402466 · e402466
2 parents bfa532e + c161cea
commit e402466
Show file tree

Hide file tree

Showing 20 changed files with 144 additions and 83 deletions.
diff --git a/components/app-core/backend/main.go b/components/app-core/backend/main.go
@@ -260,7 +260,7 @@ func initConnPool(dc datastore.DatabaseConfig) (*sql.DB, error) {
 
 		// If our timeout boundary has been exceeded, bail out
 		if timeout.Sub(time.Now()) < 0 {
-			return nil, fmt.Errorf("Timeout boundary of %d minutes has been exceeded. Exiting.", TimeoutBoundary)
+			return nil, fmt.Errorf("timeout boundary of %d minutes has been exceeded. Exiting", TimeoutBoundary)
 		}
 
 		// Circle back and try again
@@ -340,8 +340,8 @@ func loadDatabaseConfig(dc datastore.DatabaseConfig) (datastore.DatabaseConfig,
 	return dc, nil
 }
 
-func createTempCertFiles(pc interfaces.PortalConfig) (string, string, error) {
-	log.Debug("createTempCertFiles")
+func detectTLSCert(pc interfaces.PortalConfig) (string, string, error) {
+	log.Debug("detectTLSCert")
 	certFilename := "pproxy.crt"
 	certKeyFilename := "pproxy.key"
 
@@ -355,6 +355,17 @@ func createTempCertFiles(pc interfaces.PortalConfig) (string, string, error) {
 		return devCertsDir + certFilename, devCertsDir + certKeyFilename, nil
 	}
 
+	// Check if certificate have been provided as files (as is the case in kubernetes)
+	if pc.TLSCertPath != "" && pc.TLSCertKeyPath != "" {
+		log.Infof("Using TLS cert: %s, %s", pc.TLSCertPath, pc.TLSCertKeyPath)
+		_, errCertMissing := os.Stat(pc.TLSCertPath)
+		_, errCertKeyMissing := os.Stat(pc.TLSCertKeyPath)
+		if errCertMissing != nil || errCertKeyMissing != nil {
+			return "", "", fmt.Errorf("unable to find certificate %s or certificate key %s", pc.TLSCertPath, pc.TLSCertKeyPath)
+		}
+		return pc.TLSCertPath, pc.TLSCertKeyPath, nil
+	}
+
 	err := ioutil.WriteFile(certFilename, []byte(pc.TLSCert), 0600)
 	if err != nil {
 		return "", "", err
@@ -436,7 +447,7 @@ func start(config interfaces.PortalConfig, p *portalProxy, addSetupMiddleware *s
 	}
 
 	if config.HTTPS {
-		certFile, certKeyFile, err := createTempCertFiles(config)
+		certFile, certKeyFile, err := detectTLSCert(config)
 		if err != nil {
 			return err
 		}

diff --git a/components/app-core/backend/repository/interfaces/structs.go b/components/app-core/backend/repository/interfaces/structs.go
@@ -86,6 +86,8 @@ type PortalConfig struct {
 	TLSAddress                  string   `configName:"CONSOLE_PROXY_TLS_ADDRESS"`
 	TLSCert                     string   `configName:"CONSOLE_PROXY_CERT"`
 	TLSCertKey                  string   `configName:"CONSOLE_PROXY_CERT_KEY"`
+	TLSCertPath                 string   `configName:"CONSOLE_PROXY_CERT_PATH"`
+	TLSCertKeyPath              string   `configName:"CONSOLE_PROXY_CERT_KEY_PATH"`
 	CFClient                    string   `configName:"CF_CLIENT"`
 	CFClientSecret              string   `configName:"CF_CLIENT_SECRET"`
 	AllowedOrigins              []string `configName:"ALLOWED_ORIGINS"`

diff --git a/deploy/Dockerfile.all-in-one b/deploy/Dockerfile.all-in-one
@@ -4,7 +4,7 @@ COPY *.json ./
 COPY gulpfile.js ./
 COPY components ./components
 COPY build ./build/
-COPY deploy/ci/scripts/generate_cert.sh generate_cert.sh
+COPY deploy/tools/generate_cert.sh generate_cert.sh
 COPY deploy/db deploy/db
 COPY deploy/all-in-one/config.all-in-one.properties config.properties
 
@@ -16,7 +16,7 @@ RUN npm install -g gulp bower \
     && npm run build-cf
 
 # Generate dev-certs
-RUN DEV_CERTS_PATH=/go/dev-certs ./generate_cert.sh \
+RUN CERTS_PATH=/go/dev-certs ./generate_cert.sh \
     && chmod +x portal-proxy
 
 EXPOSE 443

diff --git a/deploy/Dockerfile.bk-preflight.dev b/deploy/Dockerfile.bk-preflight.dev
@@ -7,7 +7,7 @@ RUN apk update && \
 WORKDIR /srv
 COPY outputs/* /srv/
 COPY /deploy/db/scripts/run-preflight-job.sh /run-preflight-job.sh
-COPY dev-certs dev-certs
+COPY /deploy/tools/generate_cert.sh /generate_cert.sh
 RUN chmod +x portal-proxy
 EXPOSE 443
 CMD ["sh", "-c", "/run-preflight-job.sh; /srv/portal-proxy"]
diff --git a/deploy/Dockerfile.bk.k8s b/deploy/Dockerfile.bk.k8s
@@ -0,0 +1,11 @@
+FROM alpine:latest
+
+RUN apk update && \
+    apk add ca-certificates git &&\
+    mkdir -p /srv
+
+WORKDIR /srv
+COPY outputs/* /srv/
+RUN chmod +x portal-proxy
+EXPOSE 443
+ENTRYPOINT ["/srv/portal-proxy"]
diff --git a/deploy/ci/tasks/build-images/generate-certs.yml b/deploy/ci/tasks/build-images/generate-certs.yml
@@ -17,5 +17,5 @@ run:
   - |
     apk update
     apk add openssl
-    export DEV_CERTS_PATH=dev-certs-output/dev-certs
-    ./stratos-ui/deploy/ci/scripts/generate_cert.sh
+    export CERTS_PATH=dev-certs-output/dev-certs
+    ./stratos-ui/deploy/tools/generate_cert.sh
diff --git a/deploy/ci/tasks/stratos-ui/prep-proxy-image.yml b/deploy/ci/tasks/stratos-ui/prep-proxy-image.yml
@@ -21,4 +21,4 @@ run:
     npm run build-backend
     cd -
     cp -r ./stratos-ui/outputs ./portal-proxy-output
-    sh ./stratos-ui/deploy/ci/scripts/generate_cert.sh
+    sh ./stratos-ui/deploy/tools/generate_cert.sh
diff --git a/deploy/containers/nginx/Dockerfile.k8s b/deploy/containers/nginx/Dockerfile.k8s
@@ -4,5 +4,6 @@ RUN mkdir -p /usr/share/doc/suse
 COPY ./LICENSE.txt /usr/share/doc/suse/LICENSE.txt
 COPY ./conf/nginx.k8s.conf /etc/nginx/nginx.conf
 COPY ./dist/ /usr/share/nginx/html
+COPY ./run-nginx.sh/ /run-nginx.sh
 EXPOSE 80 443
-CMD [ "nginx", "-g", "daemon off;" ]
+CMD [ "/run-nginx.sh" ]
diff --git a/deploy/containers/nginx/conf/nginx.k8s.conf b/deploy/containers/nginx/conf/nginx.k8s.conf
@@ -47,8 +47,8 @@ http {
     server {
         listen                      443 ssl;
 
-        ssl_certificate             /etc/secrets/console-cert;
-        ssl_certificate_key         /etc/secrets/console-cert-key;
+        ssl_certificate             /ENCRYPTION_KEY_VOLUME/console.crt;
+        ssl_certificate_key         /ENCRYPTION_KEY_VOLUME/console.key;
         ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
         ssl_ciphers                 HIGH:!aNULL:!MD5;
 

diff --git a/deploy/containers/nginx/run-nginx.sh b/deploy/containers/nginx/run-nginx.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+sed -i -e 's@ENCRYPTION_KEY_VOLUME@'"${ENCRYPTION_KEY_VOLUME}"'@g' /etc/nginx/nginx.conf
+echo "Checking if certificate has been written to the encryption volume!"
+while : 
+do 
+    if [ -f /${ENCRYPTION_KEY_VOLUME}/console.crt ]; then
+        break;
+    fi
+    sleep 1; 
+done
+echo "TLS certificate detected continuing, starting nginx."
+nginx -g "daemon off;"
diff --git a/deploy/db/Dockerfile.preflight-job b/deploy/db/Dockerfile.preflight-job
@@ -1,4 +1,5 @@
 FROM debian:jessie
 RUN export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y openssl
 COPY /deploy/db/scripts/run-preflight-job.sh /run-preflight-job.sh
+COPY /deploy/tools/generate_cert.sh /generate_cert.sh
 CMD ["/run-preflight-job.sh"]
diff --git a/deploy/db/scripts/run-preflight-job.sh b/deploy/db/scripts/run-preflight-job.sh
@@ -19,4 +19,18 @@ if [ ! -e /$ENCRYPTION_KEY_VOLUME/$ENCRYPTION_KEY_FILENAME ]; then
   echo "-- Done."
 fi
 
+# Step 3 - Write out or generate SSL certificate data
+if [ "${CONSOLE_CERT:-not-set}" = "not-set" -a "${CONSOLE_CERT_KEY:-not-set}" = "not-set" ]; then
+  echo "CONSOLE_CERT and CONSOLE_CERT_KEY not set, generating..."
+  export CERTS_PATH=/$ENCRYPTION_KEY_VOLUME
+  export DEV_CERTS_DOMAIN=console
+  /generate_cert.sh
+  echo "Certificates generated."
+else
+  echo "CONSOLE_CERT and CONSOLE_CERT_KEY have been provided, writing them to the Encryption volume"
+  echo "$CONSOLE_CERT" > /$ENCRYPTION_KEY_VOLUME/console.crt 
+  echo "$CONSOLE_CERT_KEY" > /$ENCRYPTION_KEY_VOLUME/console.key 
+  echo "Wrote out certificates."
+fi
+
 exit 0
diff --git a/deploy/kubernetes/README.md b/deploy/kubernetes/README.md
@@ -192,3 +192,24 @@ kubectl create -f storageclass.yaml
 ```
 
 See [Storage Class documentation] ( https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/) for more insformation.
+
+## Deploying Stratos UI with your own TLS certificates
+
+By default the console will generate self-signed certificates for demo purposes. To configure Stratos UI to use your provided TLS certificates set the `consoleCert` and `consoleCertKey` overrides.
+
+```
+consoleCert: |
+    -----BEGIN CERTIFICATE-----
+    MIIDXTCCAkWgAwIBAgIJAJooOiQWl1v1MA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+    ...
+    -----END CERTIFICATE-----
+consoleCertKey: |
+    -----BEGIN PRIVATE KEY-----
+    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDV9+ySh0xZzM41
+    ....
+    -----END PRIVATE KEY-----
+``` 
+Assuming the above is stored in a file called `override-ssl.yaml`, install the chart with the override specified.
+```
+helm install -f override-ssl.yaml stratos-ui/console --namespace console
+```
diff --git a/deploy/kubernetes/build.sh b/deploy/kubernetes/build.sh
@@ -191,7 +191,7 @@ function buildProxy {
   # publish the container image for the portal proxy
   echo
   echo "-- Build & publish the runtime container image for the Console Proxy"
-  buildAndPublishImage stratos-proxy deploy/Dockerfile.bk.dev ${STRATOS_UI_PATH}
+  buildAndPublishImage stratos-proxy deploy/Dockerfile.bk.k8s ${STRATOS_UI_PATH}
   # Build merged preflight & proxy image, used when deploying into multi-node k8s cluster without a shared storage backend
   buildAndPublishImage stratos-proxy-noshared deploy/Dockerfile.bk-preflight.dev ${STRATOS_UI_PATH}
 }

diff --git a/deploy/kubernetes/console/ssl/console.crt b/deploy/kubernetes/console/ssl/console.crt
diff --git a/deploy/kubernetes/console/ssl/console.key b/deploy/kubernetes/console/ssl/console.key
diff --git a/deploy/kubernetes/console/templates/deployment.yaml b/deploy/kubernetes/console/templates/deployment.yaml
@@ -9,9 +9,6 @@ metadata:
 data:
   stolon: {{ .Values.dbPassword | b64enc }}
   db-password: {{  .Values.mariadb.mariadbPassword | b64enc }}
-  console-cert-key: {{ .Files.Get "ssl/console.key" | b64enc }}
-  console-cert: {{ .Files.Get "ssl/console.crt" | b64enc }}
-
 ---
 apiVersion: apps/v1beta1
 kind: StatefulSet
@@ -29,10 +26,16 @@ spec:
       containers:
       - image: {{.Values.dockerRegistry}}/{{.Values.dockerOrg}}/{{.Values.images.console}}:{{.Values.consoleVersion}}
         name: ui
+        env:
+        - name: ENCRYPTION_KEY_VOLUME
+          value: "{{ .Release.Name }}-encryption-key-volume"
         volumeMounts:
         - mountPath: /etc/secrets/
           name: "{{ .Release.Name }}-secret"
           readOnly: true
+        - mountPath: "/{{ .Release.Name }}-encryption-key-volume"
+          name: "{{ .Release.Name }}-encryption-key-volume"
+          readOnly: true
         ports:
         - containerPort: 80
           name: http
@@ -136,6 +139,22 @@ spec:
           value: "{{ .Release.Name }}-encryption-key-volume"
         - name: ENCRYPTION_KEY_FILENAME
           value: key
+        {{- if .Values.noShared }}
+        {{- if .Values.consoleCert }}
+        - name: CONSOLE_CERT
+          value: | 
+{{ .Values.consoleCert | indent 12 }}
+        {{- end }}
+        {{- if .Values.consoleCertKey }}
+        - name: CONSOLE_CERT_KEY
+          value: |
+{{ .Values.consoleCertKey | indent 12 }}
+        {{- end }}
+        {{- end }}
+        - name: CONSOLE_PROXY_CERT_PATH
+          value: "/{{ .Release.Name }}-encryption-key-volume/console.crt" 
+        - name: CONSOLE_PROXY_CERT_KEY_PATH
+          value: "/{{ .Release.Name }}-encryption-key-volume/console.key" 
         - name: HTTP_PROXY
         {{- if .Values.httpProxy }}
           value: {{.Values.httpProxy}}
@@ -178,3 +197,9 @@ spec:
       - name: "{{ .Release.Name }}-secret"
         secret:
           secretName: "{{ .Release.Name }}-secret"
+      - name: "{{ .Release.Name }}-encryption-key-volume"
+        persistentVolumeClaim:
+          claimName: "{{ .Release.Name }}-encryption-key-volume"
+      - name: "{{ .Release.Name }}-secret"
+        secret:
+          secretName: "{{ .Release.Name }}-secret"
diff --git a/deploy/kubernetes/console/templates/pre-install.yaml b/deploy/kubernetes/console/templates/pre-install.yaml
@@ -67,8 +67,20 @@ spec:
              value: upgrade.lock
            - name: ENCRYPTION_KEY_VOLUME
              value: "{{ .Release.Name }}-encryption-key-volume"
+           - name: CERTS_PATH
+             value: "{{ .Release.Name }}-encryption-key-volume"
            - name: ENCRYPTION_KEY_FILENAME
              value: key
+           {{- if .Values.consoleCert }}
+           - name: CONSOLE_CERT
+             value: | 
+{{ .Values.consoleCert | indent 12 }}
+           {{- end }}
+           {{- if .Values.consoleCertKey }}
+           - name: CONSOLE_CERT_KEY
+             value: |
+{{ .Values.consoleCertKey | indent 12 }}
+           {{- end }}
            image: {{.Values.dockerRegistry}}/{{.Values.dockerOrg}}/{{.Values.images.preflight}}:{{.Values.consoleVersion}}
            name: "{{ .Release.Name }}-preflight-job"
            volumeMounts:

diff --git a/deploy/kubernetes/console/values.yaml b/deploy/kubernetes/console/values.yaml
@@ -23,6 +23,16 @@ images:
   postflight: stratos-postflight-job
 # Specify which storage class should be used for PVCs
 #storageClass: default
+#consoleCert: |
+#    -----BEGIN CERTIFICATE-----
+#   MIIDXTCCAkWgAwIBAgIJAJooOiQWl1v1MA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+#   ...
+#    -----END CERTIFICATE-----
+#consoleCertKey: |
+#    -----BEGIN PRIVATE KEY-----
+#    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkdgEAAoIBAQDV9+ySh0xZzM41
+#    ...
+#    -----END PRIVATE KEYE-----
 # MariaDB chart configuration
 mariadb:
   # Only required for creating the databases

diff --git a/deploy/ci/scripts/generate_cert.sh → deploy/tools/generate_cert.sh b/deploy/ci/scripts/generate_cert.sh → deploy/tools/generate_cert.sh
@@ -1,14 +1,14 @@
 #!/bin/sh
 
 # Settings
-devcerts_path=${DEV_CERTS_PATH:-portal-proxy-output/dev-certs}
-domain=pproxy
-commonname=192.168.99.100
-country=US
-state=Washington
-locality=Seattle
+devcerts_path=${CERTS_PATH:-portal-proxy-output/dev-certs}
+domain=${DEV_CERTS_DOMAIN:-pproxy}
+commonname=127.0.0.1
+country=UK
+state=Bristol
+locality=Bristol
 organization=SUSE
-organizationalunit=HDP
+organizationalunit=CAP
 email=SUSE
 
 # Generate a key and cert