
Add TLS to event stream #7092

Merged
merged 2 commits into master from dmcneil/tls-event-stream Oct 24, 2019

Conversation

davidMcneil (Member) commented Oct 23, 2019

Resolves #6769

This PR allows the event stream connection to be secured with TLS by adding a new optional flag --event-stream-server-certificate.

This PR required changes to the underlying NATS library here. The change transitions from the openssl crate to the native_tls crate for handling the TLS connection. This allows us to use the preferred TLS toolchain for a given platform.

Signed-off-by: David McNeil mcneil.david2@gmail.com

christophermaier (Contributor) left a comment

Looks good!

Signed-off-by: David McNeil <mcneil.david2@gmail.com>
Signed-off-by: David McNeil <mcneil.david2@gmail.com>
@davidMcneil davidMcneil merged commit ff43392 into master Oct 24, 2019
5 checks passed:
  • DCO: This commit has a DCO Signed-off-by
  • buildkite/habitat-sh-habitat-master-verify: Build #3894 passed (38 minutes, 57 seconds)
  • buildkite/habitat-sh-habitat-master-website: Build #974 passed (1 minute, 34 seconds)
  • continuous-integration/travis-ci/pr: The Travis CI build passed
  • expeditor/config-validation: Validated your Expeditor config file
@chef-expeditor chef-expeditor bot deleted the dmcneil/tls-event-stream branch Oct 24, 2019
davidMcneil (Member, Author) commented Oct 25, 2019

Steps to get the event stream server cert from Automate and use it in habitat:

  1. The automate config must have the following structures (the log level is optional):
[applications]
  [applications.v1]
    [applications.v1.sys]
      [applications.v1.sys.service]
        enable_nats_feature = true

[event_service]
  [event_service.v1]
    [event_service.v1.sys]
      [event_service.v1.sys.service]
        enable_nats_feature = true
      [event_service.v1.sys.log]
        level = "debug"

[event_gateway]
  [event_gateway.v1]
    [event_gateway.v1.sys]
      [event_gateway.v1.sys.service]
        enable_nats_feature = true
        disable_frontend_tls = false
      [event_gateway.v1.sys.log]
        level = "debug"

Use chef-automate config show to see the current config. Use chef-automate config patch to update the config.

  2. The event stream server uses the same cert as the load balancer. Copy the contents of cert under [[global.v1.frontend_tls]]. In testing environments, you can pull the certificate straight from the server with openssl s_client -servername <automate-hostname> -connect <automate-hostname>:443 </dev/null 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'. Write the contents of the cert to a file reachable by habitat. There is work being done to streamline the process of getting the cert from automate.

  3. Specify that habitat should use the cert in one of three ways:

  • Pass the path to the file to hab sup run with the --event-stream-server-certificate cli option
  • Install the certificate to your system's certificate store
  • Once #7106 lands, drop the certificate in the habitat cache/ssl directory
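The procedure in the comment above, collected into one script as an added example (this is not Habitat or Automate code). It goes a little beyond the one-liner: it asks s_client for the whole chain with -showcerts rather than only the leaf, counts the PEM blocks it actually received so an empty file is caught before the Supervisor is started, and prints the leaf's SHA-256 fingerprint so a certificate pulled over the network can be compared out of band against the value under [[global.v1.frontend_tls]] before it is trusted. The hostname, output path, function names and the sample s_client output are assumed or constructed.

```shell
#!/usr/bin/env bash
# Added example: fetch the Automate front-end TLS certificate chain, keep only
# the PEM blocks, sanity-check and fingerprint them, then hand the file to
# hab sup run. Not Habitat or Automate code; hostname, output path and
# SAMPLE_S_CLIENT_OUTPUT below are assumed/constructed.
set -euo pipefail

# Keep only the PEM certificate blocks from openssl s_client output on stdin.
# Everything else (CONNECTED, "Certificate chain", session info) is dropped.
extract_pem_certs() {
    sed -ne '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Number of certificate blocks in a PEM file (prints 0 if there are none).
count_pem_certs() {
    grep -c -- '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Pull the chain from the server. -servername sets SNI so a load balancer that
# serves several names returns the Automate certificate; -showcerts returns the
# whole chain (leaf first), not just the leaf the original one-liner captures.
fetch_automate_chain() {
    local host=$1 out=$2
    openssl s_client -showcerts -servername "$host" -connect "$host:443" \
        </dev/null 2>/dev/null | extract_pem_certs > "$out"
    if [ "$(count_pem_certs "$out")" -lt 1 ]; then
        echo "no certificate received from $host" >&2
        return 1
    fi
}

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file. A cert
# pulled over the network is trust-on-first-use: compare this value out of
# band (e.g. against the cert under global.v1.frontend_tls shown by
# chef-automate config show) before giving the file to the Supervisor.
leaf_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Start the Supervisor with the certificate; any further hab sup run options
# (the other --event-stream-* flags your deployment needs) are passed through.
start_supervisor_with_cert() {
    local cert=$1; shift
    hab sup run --event-stream-server-certificate "$cert" "$@"
}

# Constructed s_client -showcerts output for offline testing. The base64
# bodies are placeholders, not real certificates.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=1 CN = Example Internal CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = automate.example.internal
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
TElFRkNFUlRQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:CN = Example Internal CA
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
Q0FDRVJUUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = automate.example.internal
issuer=CN = Example Internal CA
---
DONE'

# Run the extraction on the constructed sample (no network) and print the PEM.
demo_extract() {
    printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | extract_pem_certs
}

# Real run, only when the caller sets AUTOMATE_HOST, e.g.
#   AUTOMATE_HOST=automate.example.internal ./fetch-automate-cert.sh
if [ -n "${AUTOMATE_HOST:-}" ]; then
    CERT_FILE=${CERT_FILE:-./automate-event-stream.pem}
    fetch_automate_chain "$AUTOMATE_HOST" "$CERT_FILE"
    echo "wrote $(count_pem_certs "$CERT_FILE") certificate(s) to $CERT_FILE"
    echo "verify out of band before use: $(leaf_fingerprint "$CERT_FILE")"
    # Uncomment once the fingerprint matches what Automate reports:
    # start_supervisor_with_cert "$CERT_FILE"
fi
```

The fingerprint step is the part a testing-environment shortcut tends to skip: fetching the certificate from the very endpoint you are about to trust gives the Supervisor whatever answered on port 443 at that moment, so check the value against what Automate itself reports before passing the file. If the front-end certificate is issued by a CA your system already trusts, the second option in the comment (the system certificate store) covers it and no file needs to be passed at all; the flag matters for self-signed or private-CA certificates.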