Skip to content

Added config for mTLS in API server #117

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
oliveromahony merged 22 commits into from
Nov 30, 2022
Merged

Added config for mTLS in API server #117

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
2c926f9
added config for tls in API server
Nov 22, 2022
81bfc0c
wip: need more tests
Nov 23, 2022
e82fd2c
fix lint
Nov 23, 2022
8d62bb1
removed unnecessary changes
Nov 23, 2022
69b6574
changes
Nov 25, 2022
56dc997
works except test
Nov 25, 2022
ce092d7
wip tests
Nov 25, 2022
0de30bd
tidy test
Nov 25, 2022
3f4e628
wip
Nov 28, 2022
708b9c2
merge from main
Nov 28, 2022
dcab103
added mtls test
Nov 28, 2022
3257ed7
added test for mlts
Nov 28, 2022
07fedac
timinig on file existing
Nov 28, 2022
d099a92
waituntil for file
Nov 28, 2022
f8a2faa
Update mTLS test to verify if make_certs.sh script succeeded
dhurley Nov 28, 2022
8776252
Update make_certs.sh
dhurley Nov 28, 2022
aacd548
Update mTLS test to only clean up certs directory in build folder
dhurley Nov 28, 2022
c17dca5
code review comments
Nov 28, 2022
c708025
added default
Nov 28, 2022
5c54e9d
tidy script
Nov 28, 2022
958d071
changed default port to 8081
Nov 28, 2022
cd52672
tidied up the example
Nov 29, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 16 additions & 6 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,14 @@ TEST_BUILD_DIR := build/test
# override this value if you want to change the architecture. GOOS options here: https://gist.github.com/asukakenji/f15ba7e588ac42795f421b48b8aede63
LOCAL_ARCH := amd64

CERT_CLIENT_CA_CN := client-ca.local
CERT_CLIENT_INT_CN := client-int.local
CERT_CLIENT_EE_CN := client-ee.local
CERT_CLIENT_DNS := client.local
CERT_SERVER_CA_CN := server-ca.local
CERT_SERVER_INT_CN := server-int.local
CERT_SERVER_EE_CN := server-ee.local
CERT_SERVER_DNS := tls.example.com

$(TEST_BUILD_DIR):
mkdir -p $(TEST_BUILD_DIR)
Expand Down Expand Up @@ -164,27 +172,29 @@ test-install: ## Run agent install test
# Cert Generation #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
certs: ## Generate TLS certificates
scripts/mtls/gen_cnf.sh ca --cn 'client-ca.local' --state Cork --locality Cork --org NGINX --country IE --out ${CERTS_DIR}/client/conf
scripts/mtls/gen_cnf.sh ca --cn '${CERT_CLIENT_CA_CN}' --state Cork --locality Cork --org NGINX --country IE --out ${CERTS_DIR}/client/conf
scripts/mtls/gen_cert.sh ca --config ${CERTS_DIR}/client/conf/ca.cnf --out ${CERTS_DIR}/client

scripts/mtls/gen_cnf.sh intermediate --cn 'client-int.local' --org NGINX --locality Cork --out ${CERTS_DIR}/client/conf
scripts/mtls/gen_cnf.sh intermediate --cn '${CERT_CLIENT_INT_CN}' --org NGINX --locality Cork --out ${CERTS_DIR}/client/conf
scripts/mtls/gen_cert.sh intermediate --config ${CERTS_DIR}/client/conf/int.cnf --ca-cert ${CERTS_DIR}/client/ca.crt --ca-key ${CERTS_DIR}/client/ca.key --out ${CERTS_DIR}/client

scripts/mtls/gen_cnf.sh end-entity --cn 'client.local' --san 'DNS.1=client.local' --out ${CERTS_DIR}/client/conf
scripts/mtls/gen_cnf.sh end-entity --cn '${CERT_CLIENT_EE_CN}' --san 'DNS.1=${CERT_CLIENT_DNS}' --out ${CERTS_DIR}/client/conf
scripts/mtls/gen_cert.sh end-entity --config ${CERTS_DIR}/client/conf/ee.cnf --ca-cert ${CERTS_DIR}/client/int.crt --ca-key ${CERTS_DIR}/client/int.key --out ${CERTS_DIR}/client

cp ${CERTS_DIR}/client/ee.crt ${CERTS_DIR}/client.crt
cp ${CERTS_DIR}/client/ee.key ${CERTS_DIR}/client.key

scripts/mtls/gen_cnf.sh ca --cn 'server-ca.local' --state Cork --locality Cork --org NGINX --country IE --out ${CERTS_DIR}/server/conf
scripts/mtls/gen_cnf.sh ca --cn '${CERT_SERVER_CA_CN}' --state Cork --locality Cork --org NGINX --country IE --out ${CERTS_DIR}/server/conf
scripts/mtls/gen_cert.sh ca --config ${CERTS_DIR}/server/conf/ca.cnf --out ${CERTS_DIR}/server

scripts/mtls/gen_cnf.sh intermediate --cn 'server-int.local' --org NGINX --locality Cork --out ${CERTS_DIR}/server/conf
scripts/mtls/gen_cnf.sh intermediate --cn '${CERT_SERVER_INT_CN}' --org NGINX --locality Cork --out ${CERTS_DIR}/server/conf
scripts/mtls/gen_cert.sh intermediate --config ${CERTS_DIR}/server/conf/int.cnf --ca-cert ${CERTS_DIR}/server/ca.crt --ca-key ${CERTS_DIR}/server/ca.key --out ${CERTS_DIR}/server

scripts/mtls/gen_cnf.sh end-entity --cn 'tls.example.com' --san 'DNS.1=tls.example.com' --out ${CERTS_DIR}/server/conf
scripts/mtls/gen_cnf.sh end-entity --cn '${CERT_SERVER_EE_CN}' --san 'DNS.1=${CERT_SERVER_DNS}' --out ${CERTS_DIR}/server/conf
scripts/mtls/gen_cert.sh end-entity --config ${CERTS_DIR}/server/conf/ee.cnf --ca-cert ${CERTS_DIR}/server/int.crt --ca-key ${CERTS_DIR}/server/int.key --out ${CERTS_DIR}/server

cat ${CERTS_DIR}/server/int.crt ${CERTS_DIR}/server/ca.crt > ${CERTS_DIR}/ca.pem

cp ${CERTS_DIR}/server/ee.crt ${CERTS_DIR}/server.crt
cp ${CERTS_DIR}/server/ee.key ${CERTS_DIR}/server.key

Expand Down
2 changes: 1 addition & 1 deletion examples/grafana-metrics/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,6 @@ COPY --from=install /agent/nginx-agent.conf /etc/nginx-agent/nginx-agent.conf

RUN chmod +x /agent/entrypoint.sh
STOPSIGNAL SIGTERM
EXPOSE 80 443
EXPOSE 8080

ENTRYPOINT ["/agent/entrypoint.sh"]
9 changes: 9 additions & 0 deletions examples/grafana-metrics/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,15 @@ This example demonstrates how the NGINX agent can be used to report metrics usin
make clean build run
```

## List of Services
The services run by this example are listed below
| Service | Port |
|-------------|-------|
| Grafana | 3000 |
| NGINX | 8080 |
| Grafana | 8081 |
| Prometheus | 9090 |

## Example of Grafana Dashboard

![Dashboard](grafana-dashboard-example.png)
3 changes: 2 additions & 1 deletion examples/grafana-metrics/docker-compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,8 @@ services:
image: nginx/agent-example
container_name: agent
ports:
- 9091:9091
- 8080:8080
- 8081:8081
networks:
- monitoring
prometheus:
Expand Down
Loading