pass initial TLS certificates into RSS

.github/buildomat/jobs/deploy.sh

@@ -132,6 +132,55 @@ done
 
 ptime -m pfexec ./tools/create_virtual_hardware.sh
 
+#
+# Generate a self-signed certificate to use as the initial TLS certificate for
+# the recovery Silo.  Its DNS name is determined by the silo name and the
+# delegated external DNS name, both of which are in the RSS config file.  In a
+# real system, the certificate would come from the customer during initial rack
+# setup on the technician port.
+#
+tar xf out/omicron-sled-agent.tar pkg/config-rss.toml
+SILO_NAME="$(sed -n 's/silo_name = "\(.*\)"/\1/p' pkg/config-rss.toml)"
+EXTERNAL_DNS_DOMAIN="$(sed -n 's/external_dns_zone_name = "\(.*\)"/\1/p' pkg/config-rss.toml)"
+rm -f pkg/config-rss.toml
+
+#
+# By default, OpenSSL creates self-signed certificates with "CA:true".  The TLS
+# implementation used by reqwest rejects endpoint certificates that are also CA
+# certificates.  So in order to use the certificate, we need one without
+# "CA:true".  There doesn't seem to be a way to do this on the command line.
+# Instead, we must override the system configuration with our own configuration
+# file.  There's virtually nothing in it.
+#
+TLS_NAME="$SILO_NAME.sys.$EXTERNAL_DNS_DOMAIN"
+openssl req \
+    -newkey rsa:4096 \
+    -x509 \
+    -sha256 \
+    -days 3 \
+    -nodes \
+    -out "pkg/initial-tls-cert.pem" \
+    -keyout "pkg/initial-tls-key.pem" \
+    -subj "/CN=$TLS_NAME" \
+    -addext "subjectAltName=DNS:$TLS_NAME" \
+    -addext "basicConstraints=critical,CA:FALSE" \
+    -config /dev/stdin <<EOF
+[req]
+prompt = no
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+EOF
+tar rvf out/omicron-sled-agent.tar \
+    pkg/initial-tls-cert.pem \
+    pkg/initial-tls-key.pem
+rm -f pkg/initial-tls-cert.pem pkg/initial-tls-key.pem
+rmdir pkg
+# The actual end-to-end tests need the certificate.  This is where that file
+# will end up once installed.
+E2E_TLS_CERT="/opt/oxide/sled-agent/pkg/initial-tls-cert.pem"
+
+
 #
 # Image-related tests use images served by catacomb. The lab network is
 # IPv4-only; the propolis zones are IPv6-only. These steps set up tcpproxy
@@ -218,6 +267,7 @@ export RUST_BACKTRACE=1
 ./tests/bootstrap
 
 rm ./tests/bootstrap
+export E2E_TLS_CERT
 for test_bin in tests/*; do
 	./"$test_bin"
 done

docs/how-to-run.adoc

@@ -91,8 +91,8 @@ The control plane repository contains a packaging tool which bundles binaries
 and SMF manifests. After building the expected binaries, they can be packaged
 in a format which lets them be transferred to a Helios machine.
 
-This tool acts on a `package-manifest.toml` file which describes the packages to be
-bundled in the build.
+This tool acts on a `package-manifest.toml` file which describes the packages
+to be bundled in the build.
 
 Configuration files are used to select IP addresses, and to manage Zpools
 utilized by the Sled Agent. These configuration files are located within
@@ -137,6 +137,20 @@ Created new build target 'default' and set it as active
 NOTE: The `target create` command will set the new target as active and thus let you
 omit the `-t` flag in subsequent commands.
 
+Initial TLS certificates for the externally-facing endpoints are also part of
+the runtime configuration that would normally come from the customer during
+initial setup.  In development, by default, a deployed Omicron system will have
+no TLS certificates.  You can deploy a system with TLS certificates by putting
+a PEM-format certificate chain and private key into files called
+"initial-tls-cert.pem" and "initial-tls-key.pem" in the same directory as the
+"config-rss.toml" file that you're using.  This must happen before packaging up
+the sled agent (which is the next step below).
+
+If you don't specify initial certificates in this way, you can always load
+certificates later via the API.  This assumes you have a way to reach the API
+that doesn't require a valid TLS certificate.  Today, Nexus always starts an
+HTTP server that you can use for this.  This may be removed in the future.
+
 === Building
 
 To actually kick off the build and package everything, you can run:

end-to-end-tests/Cargo.toml

@@ -9,7 +9,10 @@ anyhow = { workspace = true, features = ["backtrace"] }
 async-trait.workspace = true
 base64.workspace = true
 camino.workspace = true
+chrono.workspace = true
+futures.workspace = true
 http.workspace = true
+hyper.workspace = true
 omicron-sled-agent.workspace = true
 omicron-test-utils.workspace = true
 oxide-client.workspace = true