test(tls): set up TLS in oauth-proxy config (#426)

Co-authored-by: Andrew Azores <[email protected]>
cryostatio · Jul 15, 2024 · be27d7d · be27d7d
1 parent 8dece62
commit be27d7d
Show file tree

Hide file tree

Showing 18 changed files with 269 additions and 44 deletions.
diff --git a/.gitignore b/.gitignore
@@ -46,3 +46,5 @@ certs/*.p12
 certs/*.pass
 *.jfr
 .quarkus/
+compose/auth_certs/*.key
+compose/auth_certs/*.pem
diff --git a/compose/agent_certs/generate-agent-certs.sh b/compose/agent_certs/generate-agent-certs.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+set -x
+
+CERTS_DIR="$(realpath "$(dirname "$0")")"
+
+SSL_KEYSTORE=agent-keystore.p12
+
+SSL_KEYSTORE_PASS_FILE=keystore.pass
+
+cleanup() {
+    cd "$CERTS_DIR"
+    rm "$SSL_KEYSTORE" "$SSL_KEYSTORE_PASS_FILE" agent-server.cer
+    cd -
+}
+
+case "$1" in
+    clean)
+        cleanup
+        exit 0
+        ;;
+    generate)
+        ;;
+    *)
+        echo "Usage: $0 [clean|generate]"
+        exit 1
+        ;;
+esac
+
+set -e
+
+genpass() {
+    < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32
+}
+
+SSL_KEYSTORE_PASS="$(genpass)"
+
+cd "$CERTS_DIR"
+trap "cd -" EXIT
+
+echo "$SSL_KEYSTORE_PASS" > "$SSL_KEYSTORE_PASS_FILE"
+
+keytool \
+    -genkeypair -v \
+    -alias quarkus-test-agent \
+    -dname "CN=quarkus-test-agent, O=Cryostat, C=CA" \
+    -storetype PKCS12 \
+    -validity 365 \
+    -keyalg RSA \
+    -storepass "$SSL_KEYSTORE_PASS" \
+    -keystore "$SSL_KEYSTORE"
+
+keytool \
+    -exportcert -v \
+    -alias  quarkus-test-agent \
+    -keystore "$SSL_KEYSTORE" \
+    -storepass "$SSL_KEYSTORE_PASS" \
+    -file agent_server.cer
+
+cp agent_server.cer "$CERTS_DIR/../../truststore/quarkus-test-agent.cer"
diff --git a/compose/auth_certs/generate.sh b/compose/auth_certs/generate.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/sh
+
+set -xe
+
+CERTS_DIR="$(dirname "$(readlink -f "$0")")"
+
+openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out "${CERTS_DIR}/certificate.pem" -keyout "${CERTS_DIR}/private.key"
diff --git a/compose/auth_proxy.yml b/compose/auth_proxy.yml
@@ -5,12 +5,13 @@ services:
       - "${CRYOSTAT_HTTP_PORT}"
     environment:
       CRYOSTAT_HTTP_PROXY_HOST: auth
-      CRYOSTAT_HTTP_PROXY_PORT: '8080'
-      QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING: 'true'
-      QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED: 'true'
-      QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_HOST: 'true'
-      QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_PREFIX: 'true'
-      QUARKUS_HTTP_PROXY_TRUSTED_PROXIES: 127.0.0.1:${CRYOSTAT_HTTP_PORT}
+      CRYOSTAT_HTTP_PROXY_PORT: "${CRYOSTAT_HTTP_PORT}"
+      QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING: "true"
+      QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED: "true"
+      QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_HOST: "true"
+      QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_PREFIX: "true"
+      QUARKUS_HTTP_ACCESS_LOG_PATTERN: long
+      QUARKUS_HTTP_ACCESS_LOG_ENABLED: "true"
     healthcheck:
       test: curl --fail http://cryostat:8181/health/liveness || exit 1
       interval: 10s
@@ -28,26 +29,29 @@ services:
     deploy:
       resources:
         limits:
-          cpus: '0.1'
+          cpus: "0.1"
           memory: 32m
     image: ${OAUTH2_PROXY_IMAGE:-quay.io/oauth2-proxy/oauth2-proxy:latest}
-    command: --alpha-config=/tmp/auth_proxy_alpha_config.yaml
+    command:
+      - --alpha-config=/tmp/auth_proxy_alpha_config.yaml
     volumes:
       - auth_proxy_cfg:/tmp
     hostname: auth
     ports:
-      - "8080:8080"
+      - "${CRYOSTAT_PROXY_PORT}:${CRYOSTAT_PROXY_PORT}"
     labels:
       kompose.service.expose: "auth"
     environment:
       OAUTH2_PROXY_HTPASSWD_FILE: /tmp/auth_proxy_htpasswd
       OAUTH2_PROXY_HTPASSWD_USER_GROUP: write
-      OAUTH2_PROXY_REDIRECT_URL: http://localhost:8080/oauth2/callback
+      OAUTH2_PROXY_REDIRECT_URL: ${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/oauth2/callback
       OAUTH2_PROXY_COOKIE_SECRET: __24_BYTE_COOKIE_SECRET_
-      # OAUTH2_PROXY_SKIP_AUTH_ROUTES: .*
+      OAUTH2_PROXY_SKIP_AUTH_ROUTES: "^/health(/liveness)?$$"
+      CRYOSTAT_PROXY_PROTOCOL: ${CRYOSTAT_PROXY_PROTOCOL}
+      CRYOSTAT_PROXY_PORT: ${CRYOSTAT_PROXY_PORT}
     restart: unless-stopped
     healthcheck:
-      test: wget -q --spider http://localhost:8080/ping || exit 1
+      test: wget -q --spider ${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/ping || exit 1
       interval: 10s
       retries: 3
       start_period: 30s

diff --git a/compose/auth_proxy_alpha_config.yaml → compose/auth_proxy_alpha_config_http.yaml b/compose/auth_proxy_alpha_config.yaml → compose/auth_proxy_alpha_config_http.yaml
diff --git a/compose/auth_proxy_alpha_config_https.yaml b/compose/auth_proxy_alpha_config_https.yaml
@@ -0,0 +1,35 @@
+server:
+  SecureBindAddress: 0.0.0.0:8443
+  TLS:
+    Key:
+      fromFile: /certs/private.key
+    Cert:
+      fromFile: /certs/certificate.pem
+upstreamConfig:
+  proxyRawPath: true
+  upstreams:
+    - id: cryostat
+      path: /
+      uri: http://cryostat:8181
+    - id: grafana
+      path: /grafana/
+      uri: http://grafana:3000
+    - id: storage
+      path: ^/storage/(.*)$
+      rewriteTarget: /$1
+      uri: http://s3:${STORAGE_PORT}
+      passHostHeader: false
+      proxyWebSockets: false
+providers:
+  - id: dummy
+    name: Unused - Sign In Below
+    clientId: CLIENT_ID
+    clientSecret: CLIENT_SECRET
+    provider: google
+injectRequestHeaders:
+  - name: "X-Forwarded-Proto"
+    values:
+      - fromEnv: CRYOSTAT_PROXY_PROTOCOL
+  - name: "X-Forwarded-Port"
+    values:
+      - fromEnv: CRYOSTAT_PROXY_PORT
diff --git a/compose/auth_proxy_https.yml b/compose/auth_proxy_https.yml
@@ -0,0 +1,13 @@
+version: "3"
+services:
+  cryostat:
+    environment:
+      CRYOSTAT_HTTP_PROXY_PORT: "${CRYOSTAT_PROXY_PORT}"
+      CRYOSTAT_HTTP_PROXY_TLS_ENABLED: "true"
+  auth:
+    volumes:
+      - auth_proxy_certs:/certs
+
+volumes:
+  auth_proxy_certs:
+    external: true
diff --git a/compose/cryostat-grafana.yml b/compose/cryostat-grafana.yml
@@ -11,13 +11,13 @@ services:
     deploy:
       resources:
         limits:
-          cpus: '0.1'
+          cpus: "0.1"
           memory: 256m
     environment:
       - GF_INSTALL_PLUGINS=grafana-simple-json-datasource
       - GF_AUTH_ANONYMOUS_ENABLED=true
       - GF_SERVER_DOMAIN=localhost
-      - GF_SERVER_ROOT_URL=http://localhost:8080/grafana/
+      - GF_SERVER_ROOT_URL=${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/grafana/
       - GF_SERVER_SERVE_FROM_SUB_PATH=true
       - JFR_DATASOURCE_URL=http://jfr-datasource:8080
     expose:

diff --git a/compose/cryostat.yml b/compose/cryostat.yml
@@ -4,7 +4,7 @@ services:
     deploy:
       resources:
         limits:
-          cpus: '2'
+          cpus: "2"
           memory: 512m
     image: ${CRYOSTAT_IMAGE:-quay.io/cryostat/cryostat:latest}
     volumes:
@@ -25,7 +25,18 @@ services:
       CRYOSTAT_DISCOVERY_JDP_ENABLED: ${CRYOSTAT_DISCOVERY_JDP_ENABLED:-true}
       CRYOSTAT_DISCOVERY_PODMAN_ENABLED: ${CRYOSTAT_DISCOVERY_PODMAN_ENABLED:-true}
       CRYOSTAT_DISCOVERY_DOCKER_ENABLED: ${CRYOSTAT_DISCOVERY_DOCKER_ENABLED:-true}
-      JAVA_OPTS_APPEND: "-XX:+FlightRecorder -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m -XX:StartFlightRecording=name=startup,settings=profile,disk=true,duration=30s -Dcom.sun.management.jmxremote.autodiscovery=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.rmi.port=9091 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false"
+      JAVA_OPTS_APPEND: >-
+        -XX:+FlightRecorder
+        -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m
+        -XX:StartFlightRecording=name=startup,settings=profile,disk=true,duration=30s
+        -Dcom.sun.management.jmxremote.autodiscovery=true
+        -Dcom.sun.management.jmxremote
+        -Dcom.sun.management.jmxremote.port=9091
+        -Dcom.sun.management.jmxremote.rmi.port=9091
+        -Djava.rmi.server.hostname=127.0.0.1
+        -Dcom.sun.management.jmxremote.authenticate=false
+        -Dcom.sun.management.jmxremote.ssl=false
+        -Dcom.sun.management.jmxremote.local.only=false
     restart: unless-stopped
     healthcheck:
       test: curl --fail http://cryostat:${CRYOSTAT_HTTP_PORT}/health/liveness || exit 1

diff --git a/compose/cryostat_docker.yml b/compose/cryostat_docker.yml
@@ -9,7 +9,7 @@ services:
     deploy:
       resources:
         limits:
-          cpus: '2'
+          cpus: "2"
           memory: 512m
     image: ${CRYOSTAT_IMAGE:-quay.io/cryostat/cryostat:latest}
     volumes:
@@ -34,7 +34,17 @@ services:
       CRYOSTAT_HTTP_PROXY_PORT: "8080"
       CRYOSTAT_DISCOVERY_DOCKER_ENABLED: "true"
       CRYOSTAT_DISCOVERY_JDP_ENABLED: "true"
-      JAVA_OPTS_APPEND: "-XX:+FlightRecorder -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m -Dcom.sun.management.jmxremote.autodiscovery=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.rmi.port=9091 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false"
+      JAVA_OPTS_APPEND: >-
+        -XX:+FlightRecorder
+        -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m
+        -Dcom.sun.management.jmxremote.autodiscovery=true
+        -Dcom.sun.management.jmxremote
+        -Dcom.sun.management.jmxremote.port=9091
+        -Dcom.sun.management.jmxremote.rmi.port=9091
+        -Djava.rmi.server.hostname=127.0.0.1
+        -Dcom.sun.management.jmxremote.authenticate=false
+        -Dcom.sun.management.jmxremote.ssl=false
+        -Dcom.sun.management.jmxremote.local.only=false
     restart: unless-stopped
     healthcheck:
       test: curl --fail http://cryostat:8181/health/liveness || exit 1

diff --git a/compose/grafana_no_proxy.yml b/compose/grafana_no_proxy.yml
@@ -6,7 +6,7 @@ services:
       - GRAFANA_DASHBOARD_URL=http://grafana:3000
   grafana:
     ports:
-      - '3000:3000'
+      - "3000:3000"
     environment:
       - GF_SERVER_DOMAIN=
       - GF_SERVER_ROOT_URL=

diff --git a/compose/jfr-datasource.yml b/compose/jfr-datasource.yml
@@ -10,7 +10,7 @@ services:
     deploy:
       resources:
         limits:
-          cpus: '0.4'
+          cpus: "0.4"
           memory: 512m
     expose:
       - "8080"
@@ -20,9 +20,17 @@ services:
       io.cryostat.jmxHost: "jfr-datasource"
       io.cryostat.jmxPort: "11223"
     environment:
-      JAVA_OPTS_APPEND: "-Dcom.sun.management.jmxremote.autodiscovery=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=11223 -Dcom.sun.management.jmxremote.rmi.port=11223 -Djava.rmi.server.hostname=jfr-datasource -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false"
+      JAVA_OPTS_APPEND: >-
+        -Dcom.sun.management.jmxremote.autodiscovery=true
+        -Dcom.sun.management.jmxremote
+        -Dcom.sun.management.jmxremote.port=11223
+        -Dcom.sun.management.jmxremote.rmi.port=11223
+        -Djava.rmi.server.hostname=jfr-datasource
+        -Dcom.sun.management.jmxremote.authenticate=false
+        -Dcom.sun.management.jmxremote.ssl=false
+        -Dcom.sun.management.jmxremote.local.only=false
     healthcheck:
-      test: curl --fail http://localhost:8080/ || exit 1
+      test: curl --fail ${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/ || exit 1
       retries: 3
       interval: 30s
       start_period: 30s

diff --git a/compose/reports.yml b/compose/reports.yml
@@ -10,14 +10,21 @@ services:
     deploy:
       resources:
         limits:
-          cpus: '0.5'
+          cpus: "0.5"
           memory: 512m
     expose:
       - "10001"
     labels:
       kompose.service.expose: "reports"
     environment:
-      JAVA_OPTS_APPEND: "-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=11224 -Dcom.sun.management.jmxremote.rmi.port=11224 -Djava.rmi.server.hostname=reports -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false"
+      JAVA_OPTS_APPEND: >-
+        -Dcom.sun.management.jmxremote
+        -Dcom.sun.management.jmxremote.port=11224
+        -Dcom.sun.management.jmxremote.rmi.port=11224
+        -Djava.rmi.server.hostname=reports
+        -Dcom.sun.management.jmxremote.authenticate=false
+        -Dcom.sun.management.jmxremote.ssl=false
+        -Dcom.sun.management.jmxremote.local.only=false
       QUARKUS_HTTP_PORT: 10001
     healthcheck:
       test: curl --fail http://localhost:10001/ || exit 1

diff --git a/compose/s3-seaweed.yml b/compose/s3-seaweed.yml
@@ -25,7 +25,7 @@ services:
       CRYOSTAT_SECRET_KEY: secret_key
       DATA_DIR: /data
       IP_BIND: 0.0.0.0
-      WEED_V: '4' # glog logging level
+      WEED_V: "4" # glog logging level
     volumes:
       - seaweed_data:/data
     ports:

diff --git a/compose/s3_no_proxy.yml b/compose/s3_no_proxy.yml
@@ -5,4 +5,4 @@ services:
       - "${STORAGE_PORT}:${STORAGE_PORT}"
   cryostat:
     environment:
-      STORAGE_EXT_URL: ''
+      STORAGE_EXT_URL: ""