feature(tls-certs): add pcssibiity to generate certs/keys for each test

SCT uses a set of certificates created in 2016, for which newer TLS versions with certification checks cannot be used (particularly these old certificates don't use Subject Alternative Name extension, which would include DNS name/IP of a node for hostname verification). The change reworks how the TLS certificates/keys are created and used in SCT: - certificates/keys are created for each test run - certificates are individual for each node - SAN extension of the certificate contains DNS name and IP of that node only - added possibility to enable mutual TLS - 'stress_thread' modules are updated to build properly the c-s, s-b and latte stress commands, depending on what is enabled - tls in general, hostname validation, mtls - old certificates are deleted from SCT The related task: scylladb/qa-tasks#1605
dimakr · Jun 18, 2024 · e8ad1ef · e8ad1ef
1 parent b7f05f7
commit e8ad1ef
Show file tree

Hide file tree

Showing 34 changed files with 459 additions and 382 deletions.
diff --git a/.gitignore b/.gitignore
@@ -65,3 +65,6 @@ fabric.properties
 
 # Linux swap files range from .saa to .swp (used by vim and some other apps)
 *.s[a-w][a-p]
+
+# SSL artifacts
+data_dir/ssl_conf/
diff --git a/artifacts_test.py b/artifacts_test.py
@@ -22,6 +22,7 @@
 
 from sdcm.sct_events import Severity
 from sdcm.sct_events.database import ScyllaHousekeepingServiceEvent
+from sdcm.provision.helpers.certificate import c_s_transport_str
 from sdcm.tester import ClusterTester
 from sdcm.utils.adaptive_timeouts import NodeLoadInfoServices
 from sdcm.utils.housekeeping import HousekeepingDB
@@ -124,7 +125,9 @@ def check_cluster_name(self):
     def run_cassandra_stress(self, args: str):
         stress_cmd = f"{self.node.add_install_prefix(STRESS_CMD)} {args} -node {self.node.ip_address}"
         if self.params.get('client_encrypt'):
-            stress_cmd += " -transport 'truststore=/etc/scylla/ssl_conf/client/cacerts.jks truststore-password=cassandra'"
+            transport_str = c_s_transport_str(self.params.get('client_encrypt_mtls'))
+            stress_cmd += f" -transport '{transport_str}'"
+
         result = self.node.remoter.run(stress_cmd)
         assert "java.io.IOException" not in result.stdout
         assert "java.io.IOException" not in result.stderr

diff --git a/data_dir/ssl_conf/cadb.pem b/data_dir/ssl_conf/cadb.pem
diff --git a/data_dir/ssl_conf/client/cacerts.jks b/data_dir/ssl_conf/client/cacerts.jks
diff --git a/data_dir/ssl_conf/client/catest.key b/data_dir/ssl_conf/client/catest.key
diff --git a/data_dir/ssl_conf/client/catest.pem b/data_dir/ssl_conf/client/catest.pem
diff --git a/data_dir/ssl_conf/client/cqlshrc b/data_dir/ssl_conf/client/cqlshrc
@@ -2,7 +2,7 @@
 factory = cqlshlib.ssl.ssl_transport_factory
 
 [ssl]
-certfile = /etc/scylla/ssl_conf/client/test.crt
+certfile = /etc/scylla/ssl_conf/ca.pem
 validate = false
-userkey = /etc/scylla/ssl_conf/client/test.key
-usercert = /etc/scylla/ssl_conf/client/test.crt
+userkey = /etc/scylla/ssl_conf/client-facing.key
+usercert = /etc/scylla/ssl_conf/client-facing.crt
diff --git a/data_dir/ssl_conf/client/keystore.jks b/data_dir/ssl_conf/client/keystore.jks
diff --git a/data_dir/ssl_conf/client/keystore.p12 b/data_dir/ssl_conf/client/keystore.p12
diff --git a/data_dir/ssl_conf/client/test.crl b/data_dir/ssl_conf/client/test.crl
diff --git a/data_dir/ssl_conf/client/test.crt b/data_dir/ssl_conf/client/test.crt
diff --git a/data_dir/ssl_conf/client/test.csr b/data_dir/ssl_conf/client/test.csr
diff --git a/data_dir/ssl_conf/client/test.key b/data_dir/ssl_conf/client/test.key