
daemon: Autogenerate TLS credentials if the provided path does not exist

This commit removes the `quilt setup-tls` command. The daemon now
automatically generates credentials if the given path does not exist.
kklin committed Oct 4, 2017
1 parent afc8827 commit decca34e4293d288fb2c5e93dac81b218b5ee351
Showing with 60 additions and 155 deletions.
  1. +2 −0 CHANGELOG.md
  2. +0 −1 cli/cli.go
  3. +42 −2 cli/command/daemon.go
  4. +13 −0 cli/command/daemon_test.go
  5. +0 −85 cli/command/setupTLS.go
  6. +0 −46 cli/command/setupTLS_test.go
  7. +0 −1 docs/_QuiltCLI.md
  8. +2 −19 docs/_Security.md
  9. +1 −1 quilt.go
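--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,8 @@ Up Next
 -------------
 - Fix a bug where `quilt setup-tls` would fail when writing to a directory whose
 parent does not exist.
+- Auto-generate TLS credentials when starting the daemon if the provided
+credentials don't exist.
 JavaScript API-breaking changes:
 - Remove the Container.replicate() method. Users should create multiple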
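--- a/cli/cli.go
+++ b/cli/cli.go
@@ -21,7 +21,6 @@ var commands = map[string]command.SubCommand{
 "run": command.NewRunCommand(),
 "init": &command.Init{},
-"setup-tls": &command.SetupTLS{},
 "ssh": command.NewSSHCommand(),
 "stop": command.NewStopCommand(),
 "version": command.NewVersionCommand(),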
@@ -6,6 +6,7 @@ import (
"encoding/base64" "encoding/base64"
"flag" "flag"
"fmt" "fmt"
"os"
"golang.org/x/crypto/ssh" "golang.org/x/crypto/ssh"
@@ -14,6 +15,7 @@ import (
"github.com/quilt/quilt/cloud" "github.com/quilt/quilt/cloud"
"github.com/quilt/quilt/connection/credentials/tls" "github.com/quilt/quilt/connection/credentials/tls"
tlsIO "github.com/quilt/quilt/connection/credentials/tls/io" tlsIO "github.com/quilt/quilt/connection/credentials/tls/io"
"github.com/quilt/quilt/connection/credentials/tls/rsa"
"github.com/quilt/quilt/db" "github.com/quilt/quilt/db"
"github.com/quilt/quilt/engine" "github.com/quilt/quilt/engine"
"github.com/quilt/quilt/util" "github.com/quilt/quilt/util"
@@ -69,6 +71,19 @@ func (dCmd *Daemon) AfterRun() error {
func (dCmd *Daemon) Run() int { func (dCmd *Daemon) Run() int {
log.WithField("version", version.Version).Info("Starting Quilt daemon") log.WithField("version", version.Version).Info("Starting Quilt daemon")
// If the specified TLS credential path does not exist, autogenerate
// credentials for the given path.
if dCmd.tlsDir != "" {
if _, err := util.Stat(dCmd.tlsDir); os.IsNotExist(err) {
log.WithField("path", dCmd.tlsDir).Info("Auto-generating TLS credentials")
if err := setupTLS(dCmd.tlsDir); err != nil {
log.WithError(err).WithField("path", dCmd.tlsDir).Error(
"TLS credential generation failed")
return 1
}
}
}
var sshKey ssh.Signer var sshKey ssh.Signer
if dCmd.adminSSHPrivateKey != "" { if dCmd.adminSSHPrivateKey != "" {
var err error var err error
@@ -94,8 +109,7 @@ func (dCmd *Daemon) Run() int {
creds, err := credentials.Read(dCmd.tlsDir) creds, err := credentials.Read(dCmd.tlsDir)
if err != nil { if err != nil {
log.WithError(err).Error("Failed to parse credentials. " + log.WithError(err).Error("Failed to parse TLS credentials")
"Did you run `quilt setup-tls` to generate TLS credentials?")
return 1 return 1
} }
@@ -146,3 +160,29 @@ func getPublicKey(sshPrivKey ssh.Signer) string {
pubKeyType := sshPrivKey.PublicKey().Type() pubKeyType := sshPrivKey.PublicKey().Type()
return pubKeyType + " " + pubKey return pubKeyType + " " + pubKey
} }
func setupTLS(outDir string) error {
if err := util.AppFs.MkdirAll(outDir, 0700); err != nil {
return fmt.Errorf("failed to create output directory: %s", err)
}
ca, err := rsa.NewCertificateAuthority()
if err != nil {
return fmt.Errorf("failed to create CA: %s", err)
}
// Generate a signed certificate for use by the Daemon server, and client
// connections.
signed, err := rsa.NewSigned(ca)
if err != nil {
return fmt.Errorf("failed to create signed key pair: %s", err)
}
for _, f := range tlsIO.DaemonFiles(outDir, ca, signed) {
if err := util.WriteFile(f.Path, []byte(f.Content), f.Mode); err != nil {
return fmt.Errorf("failed to write file (%s): %s", f.Path, err)
}
}
return nil
}
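Review bot: The guard on the new Stat call in Run only reacts to os.IsNotExist, so any other Stat error on dCmd.tlsDir (a permission problem on a parent directory, for instance) is silently skipped here and only surfaces later as the generic "Failed to parse TLS credentials" log without the path that caused it; handle that case explicitly, e.g. `} else if err != nil { log.WithError(err).WithField("path", dCmd.tlsDir).Error("Failed to stat TLS directory"); return 1 }`. Separately, setupTLS creates the output directory with MkdirAll before any key material exists, so a failure in rsa.NewCertificateAuthority, rsa.NewSigned or one of the WriteFile calls leaves a directory behind that is missing some or all credential files, and the next daemon start will see the directory, skip auto-generation and fail at credentials.Read with no hint that the directory is incomplete. Either generate into a temporary directory and move it into place only after every file is written, or base the auto-generate decision on the presence of the credential files rather than on the directory alone. It would also help to document in a comment above setupTLS that it writes a CA plus one signed key pair with mode 0700 on the directory and the per-file modes chosen by tlsIO.DaemonFiles. Run continues past the end of this hunk.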
@@ -6,6 +6,7 @@ import (
"github.com/spf13/afero" "github.com/spf13/afero"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
tlsIO "github.com/quilt/quilt/connection/tls/io"
"github.com/quilt/quilt/util" "github.com/quilt/quilt/util"
) )
@@ -77,3 +78,15 @@ WEteRuQXq8oploci8N2U0C8zgKbH+fsKD6KeX/xI/EJ/8cktT0fLaA==
assert.Equal(t, "", getPublicKey(nil)) assert.Equal(t, "", getPublicKey(nil))
} }
// Test that the generated files can be parsed.
func TestSetupTLS(t *testing.T) {
util.AppFs = afero.NewMemMapFs()
tlsDir := "tls"
err := setupTLS(tlsDir)
assert.NoError(t, err)
_, err = tlsIO.ReadCredentials(tlsDir)
assert.NoError(t, err)
}
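Review bot: The new import aliases tlsIO to `github.com/quilt/quilt/connection/tls/io`, whereas daemon.go imports the same alias from `github.com/quilt/quilt/connection/credentials/tls/io`; unless both packages exist in the tree this test file will not build, so the path should match the one daemon.go uses (this may be a rendering artifact, but it is worth confirming). TestSetupTLS also only checks that the generated files parse, not how they were written; walking tlsDir with afero.Walk on util.AppFs and asserting that no written file has group or world permission bits would pin the file-mode behaviour the daemon relies on for its private key material. A short comment above the test stating both expectations, e.g. `// setupTLS must produce credentials that ReadCredentials accepts and that are not readable by other users.`, would make the intent clear.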
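--- a/docs/_QuiltCLI.md
+++ b/docs/_QuiltCLI.md
@@ -34,7 +34,6 @@ $ quilt COMMAND --help
 | `ssh` | SSH into or execute a command in a machine or container. |
 | `stop` | Stop a deployment. |
 | `version` | Show the Quilt version information. |
-| `setup-tls` | Create the files necessary for TLS-encrypted communication with Quilt. |
 ## Init
 The `quilt init` command is a simple way to create reusable infrastructure. The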
@@ -7,13 +7,8 @@ blueprints and querying deployment information. Thus, TLS should be enabled for
all non-experimental deployments. It is currently disabled by default. all non-experimental deployments. It is currently disabled by default.
### Quickstart ### Quickstart
Generate the necessary TLS files. Start the daemon. If credentials don't already exist, they will be
automatically generated.
```console
$ quilt setup-tls ~/.quilt/tls
```
Start the daemon with TLS enabled.
```console ```console
$ quilt daemon -tls-dir ~/.quilt/tls $ quilt daemon -tls-dir ~/.quilt/tls
@@ -56,18 +51,6 @@ MACHINE ROLE PROVIDER REGION SIZE PUBLIC IP
b92d625c6847 Worker Amazon us-west-1 m3.medium 54.153.11.92 connecting b92d625c6847 Worker Amazon us-west-1 m3.medium 54.153.11.92 connecting
``` ```
### Setup
The certificate hierarchy can be easily created using the `setup-tls` subcommand.
For example,
```console
$ quilt setup-tls ~/.quilt/tls
```
Will create the file structure described in [tls-dir](#tls-dir). No additional
setup is necessary -- the `-tls-dir` flag can now be set to your chosen TLS
directory.
### tls-dir ### tls-dir
TLS is enabled with the `-tls-dir` option. The TLS directory should have the TLS is enabled with the `-tls-dir` option. The TLS directory should have the
following structure when passed to `quilt daemon`: following structure when passed to `quilt daemon`:
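--- a/quilt.go
+++ b/quilt.go
@@ -26,7 +26,7 @@ quilt COMMAND --help
 Commands:
 counters, daemon, debug-logs, init, inspect, logs, minion, show, run, ssh,
-stop, version, setup-tls`
+stop, version`
 func main() {
 flag.Usage = func() {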
