added mtls setup description

doc/docs/usage/installation.md

@@ -68,8 +68,8 @@ The following table shows the optional arguments that can be passed to the scrip
 | -v <version\> | e.g. `v0.1.0`, default: latest version |
 | -i <install-path\> | File path where Ankaios will be installed, default: `/usr/local/bin` |
 | -t <install-type\> | Installation type for systemd integration: `server`, `agent`, `none` or `both` (default) |
-| -s <server-options\> | Options which will be passed to the Ankaios server. Default `--startup-config /etc/ankaios/state.yaml` |
-| -a <agent-options\> | Options which will be passed to the Ankaios agent. Default `--name agent_A` |
+| -s <server-options\> | Options which will be passed to the Ankaios server. Default `--insecure --startup-config /etc/ankaios/state.yaml` |
+| -a <agent-options\> | Options which will be passed to the Ankaios agent. Default `--insecure --name agent_A` |
 
 To install a specific version run the following command and substitute `<version>` with a specific version tag e.g. `v0.1.0`:
 

doc/docs/usage/mtls-setup.md

@@ -0,0 +1,162 @@
+# Setting Up Ankaios with mTLS
+
+ Mutual TLS (MTLS) is a security protocol that verifies both the client and server identities before establishing a connection. To set up MTLS with OpenSSL perform the following actions:
+
+1. Generate CA keys and certificate
+2. Generate keys and certificates for `ank-server`, `ank-agent` and `ank` (CLI).
+3. Perform the Ankaios installation script `install.sh` with mTLS support.
+
+## Generate CA keys and certificate
+
+Construct an [OpenSSL configuration file](https://www.openssl.org/docs/manmaster/man5/config.html) named `ca.cnf`. You are welcome to include additional fields if necessary:
+
+```ini
+# Content of ca.cnf
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[req_distinguished_name]
+CN = ankaios-ca
+```
+
+Generate CA key:
+
+```bash
+openssl genpkey -algorithm ED25519 -out ".certs/ca-key.pem"
+```
+
+Generate CA certificate:
+
+```bash
+openssl req -config "./ca.cnf" -new -x509 -key ".certs/ca-key.pem" -out ".certs/ca.pem"
+```
+
+## Generate key and certificate for `ank-server`
+
+Construct an [OpenSSL configuration file](https://www.openssl.org/docs/manmaster/man5/config.html) named `ank-server.cnf`. You are welcome to include additional fields if necessary:
+
+```ini
+# Content of ank-server.cnf
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+CN = ank-server
+
+[v3_req]
+subjectAltName = @alt_names
+extendedKeyUsage = serverAuth
+
+[alt_names]
+DNS.1 = ank-server
+```
+
+Generate ank-server key:
+
+```bash
+openssl genpkey -algorithm ED25519 -out ".certs/ank-server-key.pem"
+```
+
+Generate ank-server certificate signing request:
+
+```bash
+openssl req -config "./ank-server.cnf" -new -key ".certs/ank-server-key.pem" -out ".certs/ank-server.csr"
+```
+
+Generate ank-server certificate:
+
+```bash
+openssl x509 -req -in ".certs/server.csr" -CA ".certs/ca.pem" -CAkey ".certs/ca-key.pem" -extensions v3_req -extfile "./ank-server.cnf" -out ".certs/ank-server.pem"
+```
+
+## Generate key and certificate for `ank-agent`
+
+Construct an [OpenSSL configuration file](https://www.openssl.org/docs/manmaster/man5/config.html) named `ank-agent.cnf`. You are welcome to include additional fields if necessary:
+
+```ini
+# Content of ank-agent.cnf
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+CN = ank-agent
+
+[v3_req]
+subjectAltName = @alt_names
+extendedKeyUsage = clientAuth
+
+[alt_names]
+# This certificate can only be used for agents with the names 'agent_A' or 'agent_B'
+# To allow the usage for any agent use the character '*'
+# like: DNS.1 = *
+DNS.1 = agent_A
+DNS.2 = agent_B
+
+```
+
+Generate ank-agent key:
+
+```bash
+openssl genpkey -algorithm ED25519 -out ".certs/ank-agent-key.pem"
+```
+
+Generate ank-agent certificate signing request:
+
+```bash
+openssl req -config "./ank-agent.cnf" -new -key ".certs/ank-agent-key.pem" -out ".certs/ank-agent.csr"
+```
+
+Generate ank-agent certificate:
+
+```bash
+openssl x509 -req -in ".certs/ank-agent.csr" -CA ".certs/ca.pem" -CAkey ".certs/ca-key.pem" -extensions v3_req -extfile "./ank-agent.cnf" -out ".certs/ank-agent.pem"
+```
+
+## Generate key and certificate for the CLI `ank`
+
+Construct an [OpenSSL configuration file](https://www.openssl.org/docs/manmaster/man5/config.html) named `ank.cnf`. You are welcome to include additional fields if necessary:
+
+```ini
+# Content of ank.cnf
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+[req_distinguished_name]
+CN = ank
+
+[v3_req]
+subjectAltName = @alt_names
+extendedKeyUsage = clientAuth
+
+[alt_names]
+DNS.1 = ank
+
+```
+
+Generate ank key:
+
+```bash
+openssl genpkey -algorithm ED25519 -out ".certs/ank-key.pem"
+```
+
+Generate ank certificate signing request:
+
+```bash
+openssl req -config "./ank.cnf" -new -key ".certs/ank-key.pem" -out ".certs/ank.csr"
+```
+
+Generate ank certificate:
+
+```bash
+openssl x509 -req -in ".certs/ank.csr" -CA ".certs/ca.pem" -CAkey ".certs/ca-key.pem" -extensions v3_req -extfile "./ank.cnf" -out ".certs/ank.pem"
+```
+
+## Perform the Ankaios installation script `install.sh` with mTLS support
+
+TBD

tools/certs/config/cli.cnf

@@ -0,0 +1,11 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+[req_distinguished_name]
+CN = cli
+[v3_req]
+subjectAltName = @alt_names
+extendedKeyUsage = clientAuth
+[alt_names]
+DNS.1 = cli

tools/certs/create_certs.sh

@@ -8,13 +8,21 @@ CERTS_OUT_DIR="$ROOT_DIR/.certs"
 
 mkdir -p "$CERTS_OUT_DIR"
 
+echo "Generate CA certificates ..."
 openssl genpkey -algorithm ED25519 -out "$CERTS_OUT_DIR/ca-key.pem"
-openssl req -config "$CONFIGS_DIR/ca.cnf" -new -x509  -key "$CERTS_OUT_DIR/ca-key.pem" -out "$CERTS_OUT_DIR/ca.pem"
+openssl req -config "$CONFIGS_DIR/ca.cnf" -new -x509 -key "$CERTS_OUT_DIR/ca-key.pem" -out "$CERTS_OUT_DIR/ca.pem"
 
+echo "Generate ank-server certificates ..."
 openssl genpkey -algorithm ED25519 -out "$CERTS_OUT_DIR/server-key.pem"
 openssl req -config "$CONFIGS_DIR/server.cnf" -new -key "$CERTS_OUT_DIR/server-key.pem" -out "$CERTS_OUT_DIR/server.csr"
 openssl x509 -req -in "$CERTS_OUT_DIR/server.csr" -CA "$CERTS_OUT_DIR/ca.pem" -CAkey "$CERTS_OUT_DIR/ca-key.pem" -extensions v3_req -extfile "$CONFIGS_DIR/server.cnf" -out "$CERTS_OUT_DIR/server.pem"
 
+echo "Generate ank-agent certificates ..."
 openssl genpkey -algorithm ED25519 -out "$CERTS_OUT_DIR/agent-key.pem"
 openssl req -config "$CONFIGS_DIR/agent.cnf" -new -key "$CERTS_OUT_DIR/agent-key.pem" -out "$CERTS_OUT_DIR/agent.csr"
 openssl x509 -req -in "$CERTS_OUT_DIR/agent.csr" -CA "$CERTS_OUT_DIR/ca.pem" -CAkey "$CERTS_OUT_DIR/ca-key.pem" -extensions v3_req -extfile "$CONFIGS_DIR/agent.cnf" -out "$CERTS_OUT_DIR/agent.pem"
+
+echo "Generate ank-cli certificates ..."
+openssl genpkey -algorithm ED25519 -out "$CERTS_OUT_DIR/cli-key.pem"
+openssl req -config "$CONFIGS_DIR/cli.cnf" -new -key "$CERTS_OUT_DIR/cli-key.pem" -out "$CERTS_OUT_DIR/cli.csr"
+openssl x509 -req -in "$CERTS_OUT_DIR/cli.csr" -CA "$CERTS_OUT_DIR/ca.pem" -CAkey "$CERTS_OUT_DIR/ca-key.pem" -extensions v3_req -extfile "$CONFIGS_DIR/cli.cnf" -out "$CERTS_OUT_DIR/cli.pem"

tools/install.sh

@@ -7,11 +7,11 @@ set -e
 RELEASE_URL_BASE="https://github.com/eclipse-ankaios/ankaios/releases"
 DEFAULT_BIN_DESTINATION="/usr/local/bin"
 BIN_DESTINATION="${DEFAULT_BIN_DESTINATION}"
-DEFAULT_AGENT_OPT="--name agent_A"
+DEFAULT_AGENT_OPT="--insecure --name agent_A"
 AGENT_OPT="$DEFAULT_AGENT_OPT"
 CONFIG_DEST="/etc/ankaios"
 FILE_STARTUP_STATE="${CONFIG_DEST}/state.yaml"
-DEFAULT_SERVER_OPT="--startup-config ${FILE_STARTUP_STATE}"
+DEFAULT_SERVER_OPT="--insecure --startup-config ${FILE_STARTUP_STATE}"
 SERVER_OPT="$DEFAULT_SERVER_OPT"
 INSTALL_TYPE="both"
 SERVICE_DEST=/etc/systemd/system
@@ -46,7 +46,7 @@ setup_verify_arch() {
 }
 
 display_usage() {
-    echo -e "Usage: $0 [-v] [-i] [-t] [-s] [-a]"
+    echo -e "Usage: $0 [-v] [-i] [-t] [-s] [-a] [-tls]"
     echo -e "Install Ankaios on a system."
     echo -e "  -v VERSION: Ankaios specific VERSION to install. Default: latest version."
     echo -e "  -i PATH: Installation PATH. Default: $DEFAULT_BIN_DESTINATION"