TLS : fix CI and certificate

skydive-project · Nov 8, 2018 · 8a48acf · 8a48acf
1 parent 2aaf855
commit 8a48acf
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 45 deletions.
diff --git a/config/config.go b/config/config.go
@@ -88,7 +88,6 @@ func init() {
 	cfg.SetDefault("agent.topology.neutron.tenant_name", "service")
 	cfg.SetDefault("agent.topology.neutron.username", "neutron")
 	cfg.SetDefault("agent.topology.socketinfo.host_update", 10)
-	cfg.SetDefault("agent.X509_servername", "")
 
 	cfg.SetDefault("analyzer.auth.cluster.backend", "noauth")
 	cfg.SetDefault("analyzer.auth.api.backend", "noauth")

diff --git a/etc/skydive.yml.default b/etc/skydive.yml.default
@@ -3,6 +3,17 @@
 # host_id is used to reference the agent, by default set to hostname
 # host_id:
 
+tls:
+  # File path to X509 Certificate and Private Key to enable TLS communication
+  # Unique certificate per agent is recommended
+  # client_cert: /etc/ssl/certs/agent.domain.com.crt
+  # client_key:  /etc/ssl/certs/agent.domain.com.key
+
+  # server_cert: /etc/ssl/certs/analyzer.domain.com.crt
+  # server_key:  /etc/ssl/certs/analyzer.domain.com.key
+
+  # ca_cert: /etc/ssl/certs/ca.domain.com.crt
+
 http:
   # define the Cookie HTTP Request Header
   cookie:
@@ -37,11 +48,6 @@ analyzer:
   # Default addr is 127.0.0.1
   # listen: :8082
 
-  # File path to X509 Certificate and Private Key to enable TLS communication
-  # Must be different than the agent
-  # X509_cert: /etc/ssl/certs/analyzer.domain.com.crt
-  # X509_key:  /etc/ssl/certs/analyzer.domain.com.key
-
   auth:
     # auth section for API request
     api:
@@ -161,17 +167,6 @@ agent:
   # Default addr is 127.0.0.1
   # listen: :8081
 
-  # File path to X509 Certificate and Private Key to enable TLS communication
-  # Must be different than the analyzer and unique per agent (recommended)
-  # X509_cert: /etc/ssl/certs/agent.domain.com.crt
-  # X509_key:  /etc/ssl/certs/agent.domain.com.key
-
-  # Allow to use auto-signed Certificate
-  # X509_insecure: false
-
-  # Server name field specified in TLS communications.
-  # Not required, but can be used to allow virtual hosting
-  # X509_servername: domain.com
 
   auth:
     # auth section for API request

diff --git a/scripts/ci/run-python-tests.sh b/scripts/ci/run-python-tests.sh
@@ -102,6 +102,11 @@ IP.2 = ::1
 EOF
 
 CERT_DIR=$(mktemp -d /tmp/skydive-ssl.XXXXXX)
+openssl genrsa -out $CERT_DIR/rootCA.key 4096
+chmod 400 $CERT_DIR/rootCA.key
+yes '' | openssl req -x509 -new -nodes -key $CERT_DIR/rootCA.key -days 365 -out $CERT_DIR/rootCA.crt
+chmod 444 $CERT_DIR/rootCA.crt
+
 openssl genrsa -out $CERT_DIR/analyzer.key 2048
 chmod 400 $CERT_DIR/analyzer.key
 yes '' | openssl req -new -key $CERT_DIR/analyzer.key -out $CERT_DIR/analyzer.csr -subj "/CN=analyzer" -config $CONF_SSL
@@ -110,21 +115,23 @@ chmod 444 $CERT_DIR/analyzer.crt
 
 CONF=$(mktemp /tmp/skydive.yml.XXXXXX)
 cat <<EOF > "$CONF"
+tls:
+  ca_cert: /etc/skydive.ca.crt
+  client_cert: /etc/skydive.analyzer.crt
+  client_key: /etc/skydive.analyzer.key
+  server_cert: /etc/skydive.analyzer.crt
+  server_key: /etc/skydive.analyzer.key
 agent:
-  X509_cert: /etc/skydive.analyzer.crt
-  X509_key: /etc/skydive.analyzer.key
   topology:
     probes:
       - ovsdb
       - docker
 
 analyzer:
   listen: 0.0.0.0:8082
-  X509_cert: /etc/skydive.analyzer.crt
-  X509_key: /etc/skydive.analyzer.key
 EOF
 
-export SKYDIVE_PYTHON_TESTS_MAPFILE="$CONF:/etc/skydive.yml,$CERT_DIR/analyzer.crt:/etc/skydive.analyzer.crt,$CERT_DIR/analyzer.key:/etc/skydive.analyzer.key"
+export SKYDIVE_PYTHON_TESTS_MAPFILE="$CONF:/etc/skydive.yml,$CERT_DIR/rootCA.crt:/etc/skydive.ca.crt,$CERT_DIR/analyzer.crt:/etc/skydive.analyzer.crt,$CERT_DIR/analyzer.key:/etc/skydive.analyzer.key"
 export SKYDIVE_PYTHON_TESTS_TLS="True"
 python -m unittest discover tests
 

diff --git a/scripts/scale.sh b/scripts/scale.sh
@@ -116,10 +116,17 @@ function generate_tls_crt() {
 		return
 	fi
 
-	sudo openssl genrsa -out $TEMP_DIR/$NAME.key 2048
-	sudo chmod 400 $TEMP_DIR/$NAME.key
+	if [ ! -e $TEMP_DIR/rootCA.crt ]; then
+	    sudo openssl genrsa -out $TEMP_DIR/rootCA.key 4096
+	    sudo chmod 400 $TEMP_DIR/rootCA.key
+            yes '' | sudo openssl req -x509 -new -nodes -key $TEMP_DIR/rootCA.key -days 365 -out $TEMP_DIR/rootCA.crt
+	    sudo chmod 444 $TEMP_DIR/rootCA.crt
+	fi
+
+        sudo openssl genrsa -out $TEMP_DIR/$NAME.key 2048
+        sudo chmod 400 $TEMP_DIR/$NAME.key
 	yes '' | sudo openssl req -new -key $TEMP_DIR/$NAME.key -out $TEMP_DIR/$NAME.csr -subj "/CN=$NAME" -config $TEMP_DIR/skydive-ssl.cnf
-	sudo openssl x509 -req -days 365 -signkey $TEMP_DIR/$NAME.key -in $TEMP_DIR/$NAME.csr -out $TEMP_DIR/$NAME.crt -extfile $TEMP_DIR/skydive-ssl.cnf -extensions v3_req
+	sudo openssl x509 -req -days 365 -in $TEMP_DIR/$NAME.csr -CA $TEMP_DIR/rootCA.crt -CAkey $TEMP_DIR/rootCA.key -CAcreateserial -out $TEMP_DIR/$NAME.crt -extfile $TEMP_DIR/skydive-ssl.cnf -extensions v3_req
 	sudo chmod 444 $TEMP_DIR/$NAME.crt
 }
 
@@ -155,11 +162,13 @@ function create_agent() {
 
 		# TLS if needed
 		if [ $TLS = true ]; then
-			AGENT_CRT=$TEMP_DIR/agent.crt
-			AGENT_KEY=$TEMP_DIR/agent.key
+                    CA_CRT=$TEMP_DIR/rootCA.crt
+
+                    AGENT_CRT=$TEMP_DIR/agent.crt
+		    AGENT_KEY=$TEMP_DIR/agent.key
 
-			ANALYZER_CRT=$TEMP_DIR/analyzer.crt
-		        ANALYZER_KEY=$TEMP_DIR/analyzer.key
+		    ANALYZER_CRT=$TEMP_DIR/analyzer.crt
+		    ANALYZER_KEY=$TEMP_DIR/analyzer.key
 		fi
 
 		echo "analyzers:" > $TEMP_DIR/$NAME.yml
@@ -173,14 +182,14 @@ host_id: $NAME
 http:
   ws:
     pong_timeout: 15
-analyzer:
-  X509_cert: $ANALYZER_CRT
-  X509_key: $ANALYZER_KEY
+tls:
+  ca_cert: $CA_CRT
+  client_cert: $AGENT_CRT
+  client_key: $AGENT_KEY
+  server_cert: $ANALYZER_CRT
+  server_key: $ANALYZER_KEY
 agent:
   listen: 0.0.0.0:8081
-  X509_cert: $AGENT_CRT
-  X509_key: $AGENT_KEY
-  X509_insecure: true
   topology:
     netlink:
       metrics_update: 5
@@ -294,11 +303,13 @@ function create_analyzer() {
 
 	# TLS if needed
 	if [ $TLS = true ]; then
-		ANALYZER_CRT=$TEMP_DIR/analyzer.crt
-		ANALYZER_KEY=$TEMP_DIR/analyzer.key
+            CA_CRT=$TEMP_DIR/rootCA.crt
+
+	    ANALYZER_CRT=$TEMP_DIR/analyzer.crt
+	    ANALYZER_KEY=$TEMP_DIR/analyzer.key
 
-		AGENT_CRT=$TEMP_DIR/agent.crt
-		AGENT_KEY=$TEMP_DIR/agent.key
+	    AGENT_CRT=$TEMP_DIR/agent.crt
+	    AGENT_KEY=$TEMP_DIR/agent.key
 	fi
 
 	cat <<EOF >> $TEMP_DIR/$NAME.yml
@@ -321,14 +332,14 @@ flow:
   expire: 600
   update: 5
   protocol: $FLOW_PROTOCOL
-agent:
-  X509_cert: $AGENT_CRT
-  X509_key: $AGENT_KEY
-  X509_insecure: true
+tls:
+  ca_cert: $CA_CRT
+  client_cert: $AGENT_CRT
+  client_key: $AGENT_KEY
+  server_cert: $ANALYZER_CRT
+  server_key: $ANALYZER_KEY
 analyzer:
   listen: 0.0.0.0:$CURR_ANALYZER_PORT
-  X509_cert: $ANALYZER_CRT
-  X509_key: $ANALYZER_KEY
   auth:
     api:
       backend: scaleapi