From be27d7d673a961ecc273a1d681e88f19c8b6a632 Mon Sep 17 00:00:00 2001 From: Ming Yu Wang <90855268+mwangggg@users.noreply.github.com> Date: Mon, 15 Jul 2024 12:47:03 -0400 Subject: [PATCH] test(tls): set up TLS in oauth-proxy config (#426) Co-authored-by: Andrew Azores --- .gitignore | 2 + compose/agent_certs/generate-agent-certs.sh | 60 +++++++++++++++++ compose/auth_certs/generate.sh | 7 ++ compose/auth_proxy.yml | 28 ++++---- ...yaml => auth_proxy_alpha_config_http.yaml} | 0 compose/auth_proxy_alpha_config_https.yaml | 35 ++++++++++ compose/auth_proxy_https.yml | 13 ++++ compose/cryostat-grafana.yml | 4 +- compose/cryostat.yml | 15 ++++- compose/cryostat_docker.yml | 14 +++- compose/grafana_no_proxy.yml | 2 +- compose/jfr-datasource.yml | 14 +++- compose/reports.yml | 11 +++- compose/s3-seaweed.yml | 2 +- compose/s3_no_proxy.yml | 2 +- compose/sample-apps.yml | 30 ++++----- compose/sample-apps_https.yml | 10 +++ smoketest.bash | 64 ++++++++++++++++++- 18 files changed, 269 insertions(+), 44 deletions(-) create mode 100755 compose/agent_certs/generate-agent-certs.sh create mode 100644 compose/auth_certs/generate.sh rename compose/{auth_proxy_alpha_config.yaml => auth_proxy_alpha_config_http.yaml} (100%) create mode 100644 compose/auth_proxy_alpha_config_https.yaml create mode 100644 compose/auth_proxy_https.yml create mode 100644 compose/sample-apps_https.yml diff --git a/.gitignore b/.gitignore index 5a8f57977..8b9eace37 100644 --- a/.gitignore +++ b/.gitignore @@ -46,3 +46,5 @@ certs/*.p12 certs/*.pass *.jfr .quarkus/ +compose/auth_certs/*.key +compose/auth_certs/*.pem diff --git a/compose/agent_certs/generate-agent-certs.sh b/compose/agent_certs/generate-agent-certs.sh new file mode 100755 index 000000000..65c38a809 --- /dev/null +++ b/compose/agent_certs/generate-agent-certs.sh 
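Review bot: The new ignore rules cover only `compose/auth_certs/*.key` and `compose/auth_certs/*.pem`, but the agent-side generator added in this patch writes `agent-keystore.p12`, `keystore.pass` and `agent_server.cer` into `compose/agent_certs/` and copies the certificate to `truststore/quarkus-test-agent.cer`, none of which are matched here. The pre-existing `certs/*.p12` and `certs/*.pass` patterns contain a slash and are therefore anchored to the top-level `certs/` directory, so they do not catch `compose/agent_certs/`. A keystore together with its plaintext password file is exactly what should not land in a commit after a smoketest run, so add `compose/agent_certs/*.p12`, `compose/agent_certs/*.pass` and `compose/agent_certs/*.cer` (plus the copied truststore entry, unless `truststore/` is already ignored elsewhere in the file).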
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+set -x
+
+CERTS_DIR="$(realpath "$(dirname "$0")")"
+
+SSL_KEYSTORE=agent-keystore.p12
+
+SSL_KEYSTORE_PASS_FILE=keystore.pass
+
+cleanup() {
+ cd "$CERTS_DIR"
+ rm "$SSL_KEYSTORE" "$SSL_KEYSTORE_PASS_FILE" agent-server.cer
+ cd -
+}
+
+case "$1" in
+ clean)
+ cleanup
+ exit 0
+ ;;
+ generate)
+ ;;
+ *)
+ echo "Usage: $0 [clean|generate]"
+ exit 1
+ ;;
+esac
+
+set -e
+
+genpass() {
+ < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32
+}
+
+SSL_KEYSTORE_PASS="$(genpass)"
+
+cd "$CERTS_DIR"
+trap "cd -" EXIT
+
+echo "$SSL_KEYSTORE_PASS" > "$SSL_KEYSTORE_PASS_FILE"
+
+keytool \
+ -genkeypair -v \
+ -alias quarkus-test-agent \
+ -dname "CN=quarkus-test-agent, O=Cryostat, C=CA" \
+ -storetype PKCS12 \
+ -validity 365 \
+ -keyalg RSA \
+ -storepass "$SSL_KEYSTORE_PASS" \
+ -keystore "$SSL_KEYSTORE"
+
+keytool \
+ -exportcert -v \
+ -alias quarkus-test-agent \
+ -keystore "$SSL_KEYSTORE" \
+ -storepass "$SSL_KEYSTORE_PASS" \
+ -file agent_server.cer
+
+cp agent_server.cer "$CERTS_DIR/../../truststore/quarkus-test-agent.cer"
diff --git a/compose/auth_certs/generate.sh b/compose/auth_certs/generate.sh
new file mode 100644
index 000000000..5ca54784c
--- /dev/null
+++ b/compose/auth_certs/generate.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/sh
+
+set -xe
+
+CERTS_DIR="$(dirname "$(readlink -f "$0")")"
+
+openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out "${CERTS_DIR}/certificate.pem" -keyout "${CERTS_DIR}/private.key"
diff --git a/compose/auth_proxy.yml b/compose/auth_proxy.yml
index 649489867..c5051ca08 100644
--- a/compose/auth_proxy.yml
+++ b/compose/auth_proxy.yml
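Review bot: `cleanup` removes `agent-server.cer`, but the `-exportcert` step writes `agent_server.cer` (underscore), so `generate-agent-certs.sh clean` never deletes the exported certificate and `rm` reports a missing file instead; the copy placed at `$CERTS_DIR/../../truststore/quarkus-test-agent.cer` is not removed by `clean` either. Because `set -x` is enabled before anything else, the trace prints the generated keystore password on the `SSL_KEYSTORE_PASS=` assignment, the `echo`, and both `-storepass` arguments, and the argv form is visible to other local users via `ps` while keytool runs; `-storepass:file "$SSL_KEYSTORE_PASS_FILE"` keeps the value out of both since the file is written just before. Make the cleanup idempotent and consistent with the real filenames: `rm -f -- "$SSL_KEYSTORE" "$SSL_KEYSTORE_PASS_FILE" agent_server.cer "$CERTS_DIR/../../truststore/quarkus-test-agent.cer"`.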
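Review bot: `openssl req` is given no `-subj`, so it prompts interactively for the subject fields; `smoketest.bash` runs this script non-interactively via `sh`, where the prompt blocks or is answered with whatever is on stdin, and the certificate ends up with an arbitrary subject rather than the `localhost` / `auth` names the proxy is reached by. Pass a fixed subject and SAN, e.g. `-subj "/CN=localhost/O=Cryostat" -addext "subjectAltName=DNS:localhost,DNS:auth"` (`-addext` requires OpenSSL 1.1.1 or newer). `#!/usr/bin/sh` is also an unusual interpreter path that is absent on some distributions; it is harmless while the caller invokes the file through `sh`, but `#!/bin/sh` matches the sibling `agent_certs/generate-agent-certs.sh`.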
@@ -5,12 +5,13 @@ services: - "${CRYOSTAT_HTTP_PORT}" environment: CRYOSTAT_HTTP_PROXY_HOST: auth - CRYOSTAT_HTTP_PROXY_PORT: '8080' - QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING: 'true' - QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED: 'true' - QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_HOST: 'true' - QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_PREFIX: 'true' - QUARKUS_HTTP_PROXY_TRUSTED_PROXIES: 127.0.0.1:${CRYOSTAT_HTTP_PORT} + CRYOSTAT_HTTP_PROXY_PORT: "${CRYOSTAT_HTTP_PORT}" + QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING: "true" + QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED: "true" + QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_HOST: "true" + QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_PREFIX: "true" + QUARKUS_HTTP_ACCESS_LOG_PATTERN: long + QUARKUS_HTTP_ACCESS_LOG_ENABLED: "true" healthcheck: test: curl --fail http://cryostat:8181/health/liveness || exit 1 interval: 10s 
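Review bot: `QUARKUS_HTTP_PROXY_TRUSTED_PROXIES: 127.0.0.1:${CRYOSTAT_HTTP_PORT}` is removed while `QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED` and the forwarded-host/prefix options stay `"true"`, so Cryostat now honours `X-Forwarded-*` headers from any peer that can reach its port rather than only from the proxy; if this is deliberate (possibly because the loopback address never matched the `auth` container), record it with a comment such as `# trusted-proxies restriction intentionally omitted in this test setup: only the auth container can reach this port`. Separately, `CRYOSTAT_HTTP_PROXY_PORT: "${CRYOSTAT_HTTP_PORT}"` resolves to Cryostat's own listening port (8181 in `smoketest.bash` when the proxy is enabled), not the port the proxy is published on, which is what the previous literal `'8080'` was; `auth_proxy_https.yml` overrides it with `${CRYOSTAT_PROXY_PORT}` for TLS, leaving the plain-HTTP path as the only one with the mismatched value, so `CRYOSTAT_HTTP_PROXY_PORT: "${CRYOSTAT_PROXY_PORT}"` here would cover both modes.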
@@ -28,26 +29,29 @@ services: deploy: resources: limits: - cpus: '0.1' + cpus: "0.1" memory: 32m image: ${OAUTH2_PROXY_IMAGE:-quay.io/oauth2-proxy/oauth2-proxy:latest} - command: --alpha-config=/tmp/auth_proxy_alpha_config.yaml + command: + - --alpha-config=/tmp/auth_proxy_alpha_config.yaml volumes: - auth_proxy_cfg:/tmp hostname: auth ports: - - "8080:8080" + - "${CRYOSTAT_PROXY_PORT}:${CRYOSTAT_PROXY_PORT}" labels: kompose.service.expose: "auth" environment: OAUTH2_PROXY_HTPASSWD_FILE: /tmp/auth_proxy_htpasswd OAUTH2_PROXY_HTPASSWD_USER_GROUP: write - OAUTH2_PROXY_REDIRECT_URL: http://localhost:8080/oauth2/callback + OAUTH2_PROXY_REDIRECT_URL: ${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/oauth2/callback OAUTH2_PROXY_COOKIE_SECRET: __24_BYTE_COOKIE_SECRET_ - # OAUTH2_PROXY_SKIP_AUTH_ROUTES: .* + OAUTH2_PROXY_SKIP_AUTH_ROUTES: "^/health(/liveness)?$$" + CRYOSTAT_PROXY_PROTOCOL: ${CRYOSTAT_PROXY_PROTOCOL} + CRYOSTAT_PROXY_PORT: ${CRYOSTAT_PROXY_PORT} restart: unless-stopped healthcheck: - test: wget -q --spider http://localhost:8080/ping || exit 1 + test: wget -q --spider ${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/ping || exit 1 interval: 10s retries: 3 start_period: 30s diff --git a/compose/auth_proxy_alpha_config.yaml b/compose/auth_proxy_alpha_config_http.yaml similarity index 100% rename from compose/auth_proxy_alpha_config.yaml rename to compose/auth_proxy_alpha_config_http.yaml diff --git a/compose/auth_proxy_alpha_config_https.yaml b/compose/auth_proxy_alpha_config_https.yaml new file mode 100644 index 000000000..14842b442 --- /dev/null +++ b/compose/auth_proxy_alpha_config_https.yaml 
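Review bot: The healthcheck `wget -q --spider ${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/ping` will, in HTTPS mode, hit the self-signed certificate produced by `compose/auth_certs/generate.sh`, and wget verifies server certificates by default, so the `auth` container is likely to be reported unhealthy unless the image's wget is built without verification. Add `--no-check-certificate` to the test (the probe is loopback-only, so skipping verification there changes nothing about the externally reachable endpoint). The mapping `"${CRYOSTAT_PROXY_PORT}:${CRYOSTAT_PROXY_PORT}"` publishes the proxy on every host interface together with the fixed `OAUTH2_PROXY_COOKIE_SECRET` and htpasswd credentials; for a local smoke test `"127.0.0.1:${CRYOSTAT_PROXY_PORT}:${CRYOSTAT_PROXY_PORT}"` limits that exposure without changing anything else.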
@@ -0,0 +1,35 @@ +server: + SecureBindAddress: 0.0.0.0:8443 + TLS: + Key: + fromFile: /certs/private.key + Cert: + fromFile: /certs/certificate.pem +upstreamConfig: + proxyRawPath: true + upstreams: + - id: cryostat + path: / + uri: http://cryostat:8181 + - id: grafana + path: /grafana/ + uri: http://grafana:3000 + - id: storage + path: ^/storage/(.*)$ + rewriteTarget: /$1 + uri: http://s3:${STORAGE_PORT} + passHostHeader: false + proxyWebSockets: false +providers: + - id: dummy + name: Unused - Sign In Below + clientId: CLIENT_ID + clientSecret: CLIENT_SECRET + provider: google +injectRequestHeaders: + - name: "X-Forwarded-Proto" + values: + - fromEnv: CRYOSTAT_PROXY_PROTOCOL + - name: "X-Forwarded-Port" + values: + - fromEnv: CRYOSTAT_PROXY_PORT diff --git a/compose/auth_proxy_https.yml b/compose/auth_proxy_https.yml new file mode 100644 index 000000000..d3b7a24af --- /dev/null +++ b/compose/auth_proxy_https.yml @@ -0,0 +1,13 @@ +version: "3" +services: + cryostat: + environment: + CRYOSTAT_HTTP_PROXY_PORT: "${CRYOSTAT_PROXY_PORT}" + CRYOSTAT_HTTP_PROXY_TLS_ENABLED: "true" + auth: + volumes: + - auth_proxy_certs:/certs + +volumes: + auth_proxy_certs: + external: true diff --git a/compose/cryostat-grafana.yml b/compose/cryostat-grafana.yml index 1ae75b868..3c030bc38 100644 --- a/compose/cryostat-grafana.yml +++ b/compose/cryostat-grafana.yml @@ -11,13 +11,13 @@ services: deploy: resources: limits: - cpus: '0.1' + cpus: "0.1" memory: 256m environment: - GF_INSTALL_PLUGINS=grafana-simple-json-datasource - GF_AUTH_ANONYMOUS_ENABLED=true - GF_SERVER_DOMAIN=localhost - - GF_SERVER_ROOT_URL=http://localhost:8080/grafana/ + - GF_SERVER_ROOT_URL=${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/grafana/ - GF_SERVER_SERVE_FROM_SUB_PATH=true - JFR_DATASOURCE_URL=http://jfr-datasource:8080 expose: diff --git a/compose/cryostat.yml b/compose/cryostat.yml index a2e5fa9da..eb6953872 100644 --- a/compose/cryostat.yml +++ b/compose/cryostat.yml 
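Review bot: `SecureBindAddress: 0.0.0.0:8443` hard-codes the port, while everything else in this patch derives it from `CRYOSTAT_PROXY_PORT` (the `ports` mapping and redirect URL in `auth_proxy.yml`, the agents' `CRYOSTAT_AGENT_BASEURI`), and `createProxyCfgVolume` in `smoketest.bash` only runs `envsubst '$STORAGE_PORT'` over this file, so a `${CRYOSTAT_PROXY_PORT}` reference here would not be substituted. Either add a comment above the line, `# port must stay in sync with CRYOSTAT_PROXY_PORT in smoketest.bash (only $STORAGE_PORT is substituted into this file)`, or widen the envsubst list to `'$STORAGE_PORT $CRYOSTAT_PROXY_PORT'` and write `SecureBindAddress: 0.0.0.0:${CRYOSTAT_PROXY_PORT}`.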
@@ -4,7 +4,7 @@ services: deploy: resources: limits: - cpus: '2' + cpus: "2" memory: 512m image: ${CRYOSTAT_IMAGE:-quay.io/cryostat/cryostat:latest} volumes: @@ -25,7 +25,18 @@ services: CRYOSTAT_DISCOVERY_JDP_ENABLED: ${CRYOSTAT_DISCOVERY_JDP_ENABLED:-true} CRYOSTAT_DISCOVERY_PODMAN_ENABLED: ${CRYOSTAT_DISCOVERY_PODMAN_ENABLED:-true} CRYOSTAT_DISCOVERY_DOCKER_ENABLED: ${CRYOSTAT_DISCOVERY_DOCKER_ENABLED:-true} - JAVA_OPTS_APPEND: "-XX:+FlightRecorder -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m -XX:StartFlightRecording=name=startup,settings=profile,disk=true,duration=30s -Dcom.sun.management.jmxremote.autodiscovery=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.rmi.port=9091 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false" + JAVA_OPTS_APPEND: >- + -XX:+FlightRecorder + -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m + -XX:StartFlightRecording=name=startup,settings=profile,disk=true,duration=30s + -Dcom.sun.management.jmxremote.autodiscovery=true + -Dcom.sun.management.jmxremote + -Dcom.sun.management.jmxremote.port=9091 + -Dcom.sun.management.jmxremote.rmi.port=9091 + -Djava.rmi.server.hostname=127.0.0.1 + -Dcom.sun.management.jmxremote.authenticate=false + -Dcom.sun.management.jmxremote.ssl=false + -Dcom.sun.management.jmxremote.local.only=false restart: unless-stopped healthcheck: test: curl --fail http://cryostat:${CRYOSTAT_HTTP_PORT}/health/liveness || exit 1 diff --git a/compose/cryostat_docker.yml b/compose/cryostat_docker.yml index 2acc03b68..cb67c20da 100644 --- a/compose/cryostat_docker.yml +++ b/compose/cryostat_docker.yml @@ -9,7 +9,7 @@ services: deploy: resources: limits: - cpus: '2' + cpus: "2" memory: 512m image: ${CRYOSTAT_IMAGE:-quay.io/cryostat/cryostat:latest} volumes: 
@@ -34,7 +34,17 @@ services: CRYOSTAT_HTTP_PROXY_PORT: "8080" CRYOSTAT_DISCOVERY_DOCKER_ENABLED: "true" CRYOSTAT_DISCOVERY_JDP_ENABLED: "true" - JAVA_OPTS_APPEND: "-XX:+FlightRecorder -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m -Dcom.sun.management.jmxremote.autodiscovery=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.rmi.port=9091 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false" + JAVA_OPTS_APPEND: >- + -XX:+FlightRecorder + -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m + -Dcom.sun.management.jmxremote.autodiscovery=true + -Dcom.sun.management.jmxremote + -Dcom.sun.management.jmxremote.port=9091 + -Dcom.sun.management.jmxremote.rmi.port=9091 + -Djava.rmi.server.hostname=127.0.0.1 + -Dcom.sun.management.jmxremote.authenticate=false + -Dcom.sun.management.jmxremote.ssl=false + -Dcom.sun.management.jmxremote.local.only=false restart: unless-stopped healthcheck: test: curl --fail http://cryostat:8181/health/liveness || exit 1 diff --git a/compose/grafana_no_proxy.yml b/compose/grafana_no_proxy.yml index 8e1b1997d..577834e8f 100644 --- a/compose/grafana_no_proxy.yml +++ b/compose/grafana_no_proxy.yml @@ -6,7 +6,7 @@ services: - GRAFANA_DASHBOARD_URL=http://grafana:3000 grafana: ports: - - '3000:3000' + - "3000:3000" environment: - GF_SERVER_DOMAIN= - GF_SERVER_ROOT_URL= diff --git a/compose/jfr-datasource.yml b/compose/jfr-datasource.yml index c0e847485..ca6b0bcd6 100644 --- a/compose/jfr-datasource.yml +++ b/compose/jfr-datasource.yml @@ -10,7 +10,7 @@ services: deploy: resources: limits: - cpus: '0.4' + cpus: "0.4" memory: 512m expose: - "8080" 
@@ -20,9 +20,17 @@ services: io.cryostat.jmxHost: "jfr-datasource" io.cryostat.jmxPort: "11223" environment: - JAVA_OPTS_APPEND: "-Dcom.sun.management.jmxremote.autodiscovery=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=11223 -Dcom.sun.management.jmxremote.rmi.port=11223 -Djava.rmi.server.hostname=jfr-datasource -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false" + JAVA_OPTS_APPEND: >- + -Dcom.sun.management.jmxremote.autodiscovery=true + -Dcom.sun.management.jmxremote + -Dcom.sun.management.jmxremote.port=11223 + -Dcom.sun.management.jmxremote.rmi.port=11223 + -Djava.rmi.server.hostname=jfr-datasource + -Dcom.sun.management.jmxremote.authenticate=false + -Dcom.sun.management.jmxremote.ssl=false + -Dcom.sun.management.jmxremote.local.only=false healthcheck: - test: curl --fail http://localhost:8080/ || exit 1 + test: curl --fail ${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/ || exit 1 retries: 3 interval: 30s start_period: 30s diff --git a/compose/reports.yml b/compose/reports.yml index 29e7da021..0a1849851 100644 --- a/compose/reports.yml +++ b/compose/reports.yml 
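Review bot: The healthcheck now targets `${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/`, but it executes inside the `jfr-datasource` container, where `localhost` is the datasource itself: the service exposes `8080` and Grafana reaches it as `JFR_DATASOURCE_URL=http://jfr-datasource:8080`, so with the proxy on `https`/`8443` nothing listens on that port locally and the container will be marked unhealthy. This looks like a search-and-replace that should not have touched this file; restore `test: curl --fail http://localhost:8080/ || exit 1`.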
@@ -10,14 +10,21 @@ services: deploy: resources: limits: - cpus: '0.5' + cpus: "0.5" memory: 512m expose: - "10001" labels: kompose.service.expose: "reports" environment: - JAVA_OPTS_APPEND: "-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=11224 -Dcom.sun.management.jmxremote.rmi.port=11224 -Djava.rmi.server.hostname=reports -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false" + JAVA_OPTS_APPEND: >- + -Dcom.sun.management.jmxremote + -Dcom.sun.management.jmxremote.port=11224 + -Dcom.sun.management.jmxremote.rmi.port=11224 + -Djava.rmi.server.hostname=reports + -Dcom.sun.management.jmxremote.authenticate=false + -Dcom.sun.management.jmxremote.ssl=false + -Dcom.sun.management.jmxremote.local.only=false QUARKUS_HTTP_PORT: 10001 healthcheck: test: curl --fail http://localhost:10001/ || exit 1 diff --git a/compose/s3-seaweed.yml b/compose/s3-seaweed.yml index d4ef60ddd..4d796e313 100644 --- a/compose/s3-seaweed.yml +++ b/compose/s3-seaweed.yml @@ -25,7 +25,7 @@ services: CRYOSTAT_SECRET_KEY: secret_key DATA_DIR: /data IP_BIND: 0.0.0.0 - WEED_V: '4' # glog logging level + WEED_V: "4" # glog logging level volumes: - seaweed_data:/data ports: diff --git a/compose/s3_no_proxy.yml b/compose/s3_no_proxy.yml index 0569cf7f6..b47d0f631 100644 --- a/compose/s3_no_proxy.yml +++ b/compose/s3_no_proxy.yml @@ -5,4 +5,4 @@ services: - "${STORAGE_PORT}:${STORAGE_PORT}" cryostat: environment: - STORAGE_EXT_URL: '' + STORAGE_EXT_URL: "" diff --git a/compose/sample-apps.yml b/compose/sample-apps.yml index 8cd3f12bb..78295c359 100644 --- a/compose/sample-apps.yml +++ b/compose/sample-apps.yml 
@@ -11,12 +11,12 @@ services: JMX_PORT: 9093 USE_JDP: "true" CRYOSTAT_AGENT_APP_NAME: vertx-fib-demo-1 - CRYOSTAT_AGENT_WEBCLIENT_SSL_TRUST_ALL: "true" - CRYOSTAT_AGENT_WEBCLIENT_SSL_VERIFY_HOSTNAME: "false" + CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUST_ALL: "true" + CRYOSTAT_AGENT_WEBCLIENT_TLS_VERIFY_HOSTNAME: "false" CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-1" CRYOSTAT_AGENT_WEBSERVER_PORT: "8910" CRYOSTAT_AGENT_CALLBACK: "http://sample-app-1:8910/" - CRYOSTAT_AGENT_BASEURI: "http://${CRYOSTAT_HTTP_HOST}:8080/" + CRYOSTAT_AGENT_BASEURI: "${CRYOSTAT_PROXY_PROTOCOL}://${CRYOSTAT_HTTP_HOST}:${CRYOSTAT_PROXY_PORT}/" CRYOSTAT_AGENT_TRUST_ALL: "true" CRYOSTAT_AGENT_AUTHORIZATION_TYPE: basic CRYOSTAT_AGENT_AUTHORIZATION_VALUE: user:pass @@ -43,12 +43,12 @@ services: USE_JDP: "true" USE_AUTH: "true" CRYOSTAT_AGENT_APP_NAME: "vertx-fib-demo-2" - CRYOSTAT_AGENT_WEBCLIENT_SSL_TRUST_ALL: "true" - CRYOSTAT_AGENT_WEBCLIENT_SSL_VERIFY_HOSTNAME: "false" + CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUST_ALL: "true" + CRYOSTAT_AGENT_WEBCLIENT_TLS_VERIFY_HOSTNAME: "false" CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-2" CRYOSTAT_AGENT_WEBSERVER_PORT: "8911" CRYOSTAT_AGENT_CALLBACK: "http://sample-app-2:8911/" - CRYOSTAT_AGENT_BASEURI: "http://${CRYOSTAT_HTTP_HOST}:8080/" + CRYOSTAT_AGENT_BASEURI: "${CRYOSTAT_PROXY_PROTOCOL}://${CRYOSTAT_HTTP_HOST}:${CRYOSTAT_PROXY_PORT}/" CRYOSTAT_AGENT_TRUST_ALL: "true" CRYOSTAT_AGENT_AUTHORIZATION_TYPE: basic CRYOSTAT_AGENT_AUTHORIZATION_VALUE: user:pass 
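Review bot: Every agent keeps `CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUST_ALL: "true"`, `CRYOSTAT_AGENT_WEBCLIENT_TLS_VERIFY_HOSTNAME: "false"` and `CRYOSTAT_AGENT_TRUST_ALL: "true"` while `CRYOSTAT_AGENT_BASEURI` switches to `${CRYOSTAT_PROXY_PROTOCOL}://…`, so in HTTPS mode the agents accept any certificate and the new TLS path is never validated end to end (the same applies to the later sample-apps.yml hunks for vertx-fib-demo-2, vertx-fib-demo-3, quarkus-test-agent and gameserver). Since the patch now produces `compose/auth_certs/certificate.pem`, a follow-up could mount it into at least one agent's trust configuration and drop the trust-all flags there; until then a comment such as `# trust-all: proxy uses a self-signed test cert, see compose/auth_certs/generate.sh` on each block would explain why the settings remain. For `gameserver` the old `CRYOSTAT_AGENT_SSL_TRUST_ALL` / `CRYOSTAT_AGENT_SSL_VERIFY_HOSTNAME` keys are replaced by the `WEBCLIENT_` variants used by the other apps; if the non-webclient keys were a distinct agent setting rather than a typo, that behaviour change is not mentioned in the commit.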
@@ -76,12 +76,12 @@ services: USE_AUTH: "true" USE_SSL: "true" CRYOSTAT_AGENT_APP_NAME: "vertx-fib-demo-3" - CRYOSTAT_AGENT_WEBCLIENT_SSL_TRUST_ALL: "true" - CRYOSTAT_AGENT_WEBCLIENT_SSL_VERIFY_HOSTNAME: "false" + CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUST_ALL: "true" + CRYOSTAT_AGENT_WEBCLIENT_TLS_VERIFY_HOSTNAME: "false" CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-3" CRYOSTAT_AGENT_WEBSERVER_PORT: "8912" CRYOSTAT_AGENT_CALLBACK: "http://sample-app-3:8912/" - CRYOSTAT_AGENT_BASEURI: "http://${CRYOSTAT_HTTP_HOST}:8080/" + CRYOSTAT_AGENT_BASEURI: "${CRYOSTAT_PROXY_PROTOCOL}://${CRYOSTAT_HTTP_HOST}:${CRYOSTAT_PROXY_PORT}/" CRYOSTAT_AGENT_TRUST_ALL: "true" CRYOSTAT_AGENT_AUTHORIZATION_TYPE: basic CRYOSTAT_AGENT_AUTHORIZATION_VALUE: user:pass @@ -144,10 +144,10 @@ services: CRYOSTAT_AGENT_WEBSERVER_HOST: quarkus-test-agent CRYOSTAT_AGENT_WEBSERVER_PORT: 9977 CRYOSTAT_AGENT_CALLBACK: http://quarkus-test-agent:9977/ - CRYOSTAT_AGENT_BASEURI: http://${CRYOSTAT_HTTP_HOST}:8080/ + CRYOSTAT_AGENT_BASEURI: ${CRYOSTAT_PROXY_PROTOCOL}://${CRYOSTAT_HTTP_HOST}:${CRYOSTAT_PROXY_PORT}/ CRYOSTAT_AGENT_BASEURI_RANGE: public - CRYOSTAT_AGENT_WEBCLIENT_SSL_TRUST_ALL: "true" - CRYOSTAT_AGENT_WEBCLIENT_SSL_VERIFY_HOSTNAME: "false" + CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUST_ALL: "true" + CRYOSTAT_AGENT_WEBCLIENT_TLS_VERIFY_HOSTNAME: "false" CRYOSTAT_AGENT_AUTHORIZATION_TYPE: basic CRYOSTAT_AGENT_AUTHORIZATION_VALUE: user:pass CRYOSTAT_AGENT_HARVESTER_PERIOD_MS: 30000 
@@ -177,10 +177,10 @@ services: CRYOSTAT_AGENT_WEBSERVER_HOST: gameserver CRYOSTAT_AGENT_WEBSERVER_PORT: 9494 CRYOSTAT_AGENT_CALLBACK: http://gameserver:9494/ - CRYOSTAT_AGENT_BASEURI: http://${CRYOSTAT_HTTP_HOST}:8080/ + CRYOSTAT_AGENT_BASEURI: ${CRYOSTAT_PROXY_PROTOCOL}://${CRYOSTAT_HTTP_HOST}:${CRYOSTAT_PROXY_PORT}/ CRYOSTAT_AGENT_BASEURI_RANGE: public - CRYOSTAT_AGENT_SSL_TRUST_ALL: "true" - CRYOSTAT_AGENT_SSL_VERIFY_HOSTNAME: "false" + CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUST_ALL: "true" + CRYOSTAT_AGENT_WEBCLIENT_TLS_VERIFY_HOSTNAME: "false" CRYOSTAT_AGENT_AUTHORIZATION_TYPE: basic CRYOSTAT_AGENT_AUTHORIZATION_VALUE: user:pass CRYOSTAT_AGENT_API_WRITES_ENABLED: "true" diff --git a/compose/sample-apps_https.yml b/compose/sample-apps_https.yml new file mode 100644 index 000000000..dc4afa238 --- /dev/null +++ b/compose/sample-apps_https.yml @@ -0,0 +1,10 @@ +version: "3" +services: + quarkus-test-agent: + environment: + CRYOSTAT_AGENT_CALLBACK: https://quarkus-test-agent:9977/ + CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_PASS: /certs/keystore.pass + CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_FILE: /certs/agent-keystore.p12 + CRYOSTAT_AGENT_WEBSERVER_TLS_CERT_FILE: /certs/agent_server.cer + volumes: + - ${DIR}/compose/agent_certs:/certs:z diff --git a/smoketest.bash b/smoketest.bash index d19384fae..c889d3fb2 100755 --- a/smoketest.bash +++ b/smoketest.bash @@ -6,6 +6,7 @@ if ! command -v yq >/dev/null 2>&1 ; then fi DIR="$(dirname "$(readlink -f "$0")")" +export DIR FILES=( "${DIR}/compose/db.yml" @@ -23,6 +24,9 @@ CRYOSTAT_HTTP_PORT=${CRYOSTAT_HTTP_PORT:-8080} USE_PROXY=${USE_PROXY:-true} DEPLOY_GRAFANA=${DEPLOY_GRAFANA:-true} DRY_RUN=${DRY_RUN:-false} +USE_TLS=${USE_TLS:-true} +SAMPLE_APPS_USE_TLS=${SAMPLE_APPS_USE_TLS:-true} +INCLUDE_SAMPLE_APPS=${INCLUDE_SAMPLE_APPS:-false} display_usage() { echo "Usage:" 
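Review bot: `CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_PASS: /certs/keystore.pass` in `sample-apps_https.yml` hands the agent a file path under a key whose name suggests the password value itself; the agent's configuration is not visible here, so if it reads the value literally the keystore will fail to open, and if it reads a path the intent deserves a comment, e.g. `# path to a file containing the keystore password, written by agent_certs/generate-agent-certs.sh`. The bind mount `${DIR}/compose/agent_certs:/certs:z` also exposes the generator script and any stale artifacts in that directory to the container; mounting the three files individually would keep the container's view to exactly what it needs.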
@@ -33,16 +37,18 @@ display_usage() { echo -e "\t-G\t\t\t\t\t\texclude Grafana dashboard and jfr-datasource from deployment." echo -e "\t-r\t\t\t\t\t\tconfigure a cryostat-Reports sidecar instance" echo -e "\t-t\t\t\t\t\t\tinclude sample applications for Testing." + echo -e "\t-A\t\t\t\t\t\tDisable TLS on sample applications' Agents." echo -e "\t-V\t\t\t\t\t\tdo not discard data storage Volumes on exit." echo -e "\t-X\t\t\t\t\t\tdeploy additional development aid tools." echo -e "\t-c [podman|docker]\t\t\t\tUse Podman or Docker Container Engine (default \"podman\")." echo -e "\t-b\t\t\t\t\t\tOpen a Browser tab for each running service's first mapped port (ex. auth proxy login, database viewer)" echo -e "\t-n\t\t\t\t\t\tDo Not apply configuration changes, instead emit the compose YAML that would have been used to stdout." + echo -e "\t-k\t\t\t\t\t\tDisable TLS on the auth proxy." } s3=seaweed ce=podman -while getopts "hs:prGtOVXcbn" opt; do +while getopts "hs:prGtAOVXcbnk" opt; do case $opt in h) display_usage @@ -58,7 +64,10 @@ while getopts "hs:prGtOVXcbn" opt; do DEPLOY_GRAFANA=false ;; t) - FILES+=("${DIR}/compose/sample-apps.yml") + INCLUDE_SAMPLE_APPS=true + ;; + A) + SAMPLE_APPS_USE_TLS=false ;; O) PULL_IMAGES=false @@ -82,6 +91,9 @@ while getopts "hs:prGtOVXcbn" opt; do n) DRY_RUN=true ;; + k) + USE_TLS=false + ;; *) display_usage exit 1 
@@ -96,11 +108,26 @@ if [ "${DEPLOY_GRAFANA}" = "true" ]; then ) fi +if [ "${INCLUDE_SAMPLE_APPS}" = "true" ]; then + FILES+=("${DIR}/compose/sample-apps.yml") + if [ "${SAMPLE_APPS_USE_TLS}" = "true" ]; then + FILES+=("${DIR}/compose/sample-apps_https.yml") + fi +fi +CRYOSTAT_PROXY_PORT=8080 +CRYOSTAT_PROXY_PROTOCOL=http +AUTH_PROXY_ALPHA_CONFIG_FILE=auth_proxy_alpha_config_http if [ "${USE_PROXY}" = "true" ]; then FILES+=("${DIR}/compose/auth_proxy.yml") CRYOSTAT_HTTP_HOST=auth CRYOSTAT_HTTP_PORT=8181 + if [ "${USE_TLS}" = "true" ]; then + FILES+=("${DIR}/compose/auth_proxy_https.yml") + CRYOSTAT_PROXY_PORT=8443 + CRYOSTAT_PROXY_PROTOCOL=https + AUTH_PROXY_ALPHA_CONFIG_FILE=auth_proxy_alpha_config_https + fi else FILES+=("${DIR}/compose/no_proxy.yml") if [ "${s3}" != "none" ]; then @@ -115,6 +142,8 @@ export CRYOSTAT_HTTP_HOST export CRYOSTAT_HTTP_PORT export GRAFANA_DASHBOARD_EXT_URL export DATABASE_GENERATION +export CRYOSTAT_PROXY_PORT +export CRYOSTAT_PROXY_PROTOCOL s3Manifest="${DIR}/compose/s3-${s3}.yml" if [ ! -f "${s3Manifest}" ]; then @@ -181,7 +210,18 @@ cleanup() { down "${downFlags[@]}" if [ "${USE_PROXY}" = "true" ]; then ${container_engine} rm proxy_cfg_helper || true + ${container_engine} rm proxy_certs_helper || true ${container_engine} volume rm auth_proxy_cfg || true + ${container_engine} volume rm auth_proxy_certs || true + fi + if [ "${INCLUDE_SAMPLE_APPS}" = "true" ] && [ "${SAMPLE_APPS_USE_TLS}" = "true" ]; then + rm "${DIR}/compose/agent_certs/agent_server.cer" + rm "${DIR}/compose/agent_certs/agent-keystore.p12" + rm "${DIR}/compose/agent_certs/keystore.pass" + fi + if [ "${USE_TLS}" = "true" ]; then + rm "${DIR}/compose/auth_certs/certificate.pem" + rm "${DIR}/compose/auth_certs/private.key" fi if [ "${s3}" = "localstack" ]; then ${container_engine} rm localstack_cfg_helper || true 
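Review bot: The three `rm "${DIR}/compose/agent_certs/..."` and two `rm "${DIR}/compose/auth_certs/..."` calls added to `cleanup` have no `-f`, and `cleanup` is invoked once before anything has been generated (`trap cleanup EXIT` followed by a bare `cleanup` in the next hunk), so on every run they fail with a missing-file error on that first call; the rest of the function tolerates absence with `|| true`, so make these `rm -f --` as well. The list also duplicates what `generate-agent-certs.sh clean` is meant to do, and the two have already diverged (the script removes `agent-server.cer`, this removes `agent_server.cer`) while neither removes the `truststore/quarkus-test-agent.cer` copy the generator makes; calling `sh "${DIR}/compose/agent_certs/generate-agent-certs.sh" clean` here, once the script's own list is fixed, keeps a single source of truth. `cleanup()` begins outside this hunk.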
@@ -200,13 +240,17 @@ cleanup() { trap cleanup EXIT cleanup +if [ "${INCLUDE_SAMPLE_APPS}" = "true" ] && [ "${SAMPLE_APPS_USE_TLS}" = "true" ]; then + sh "${DIR}/compose/agent_certs/generate-agent-certs.sh" generate +fi + createProxyCfgVolume() { "${container_engine}" volume create auth_proxy_cfg "${container_engine}" container create --name proxy_cfg_helper -v auth_proxy_cfg:/tmp busybox local cfg cfg="$(mktemp)" chmod 644 "${cfg}" - envsubst '$STORAGE_PORT' < "${DIR}/compose/auth_proxy_alpha_config.yaml" > "${cfg}" + envsubst '$STORAGE_PORT' < "${DIR}/compose/${AUTH_PROXY_ALPHA_CONFIG_FILE}.yaml" > "${cfg}" "${container_engine}" cp "${DIR}/compose/auth_proxy_htpasswd" proxy_cfg_helper:/tmp/auth_proxy_htpasswd "${container_engine}" cp "${cfg}" proxy_cfg_helper:/tmp/auth_proxy_alpha_config.yaml } @@ -214,6 +258,20 @@ if [ "${USE_PROXY}" = "true" ]; then createProxyCfgVolume fi +createProxyCertsVolume() { + "${container_engine}" volume create auth_proxy_certs + "${container_engine}" container create --name proxy_certs_helper -v auth_proxy_certs:/certs busybox + if [ -f "${DIR}/compose/auth_certs/certificate.pem" ] && [ -f "${DIR}/compose/auth_certs/private.key" ]; then + chmod 644 "${DIR}/compose/auth_certs/private.key" + "${container_engine}" cp "${DIR}/compose/auth_certs/certificate.pem" proxy_certs_helper:/certs/certificate.pem + "${container_engine}" cp "${DIR}/compose/auth_certs/private.key" proxy_certs_helper:/certs/private.key + fi +} +if [ "${USE_PROXY}" = "true" ] && [ "${USE_TLS}" = "true" ]; then + sh "${DIR}/compose/auth_certs/generate.sh" + createProxyCertsVolume +fi + createLocalstackCfgVolume() { "${container_engine}" volume create localstack_cfg "${container_engine}" container create --name localstack_cfg_helper -v localstack_cfg:/tmp busybox
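Review bot: `createProxyCertsVolume` silently creates an empty `auth_proxy_certs` volume when either file is missing, so a failed `sh "${DIR}/compose/auth_certs/generate.sh"` (whose exit status is not checked on the preceding line) only surfaces later as the `auth` container failing to start with no hint why; turn the `if` into a loud guard, e.g. `[ -f "${DIR}/compose/auth_certs/certificate.pem" ] && [ -f "${DIR}/compose/auth_certs/private.key" ] || { echo "auth proxy TLS material missing" >&2; exit 1; }`, or check the generator's status with `|| exit 1`. `chmod 644` on `private.key` makes the proxy's private key world-readable on the host for the lifetime of the run (it is deleted by `cleanup` on exit); if the relaxed mode is required for the copy into the busybox helper, a comment saying so would stop someone tightening it back later. `createLocalstackCfgVolume` continues past the end of the hunk.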