From 0c86df5c0edc2438b642a504bcf29d7e4a0793a2 Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Mon, 29 Apr 2024 12:34:28 -0400 Subject: [PATCH 01/30] draft --- compose/auth_proxy.yml | 11 +++++++++-- compose/auth_proxy_alpha_config.yaml | 7 ++++++- compose/cryostat_docker.yml | 1 + compose/sample-apps.yml | 11 ++++++++--- smoketest.bash | 15 +++++++++++++++ 5 files changed, 39 insertions(+), 6 deletions(-) diff --git a/compose/auth_proxy.yml b/compose/auth_proxy.yml index 649489867..8806b94c4 100644 --- a/compose/auth_proxy.yml +++ b/compose/auth_proxy.yml @@ -6,6 +6,7 @@ services: environment: CRYOSTAT_HTTP_PROXY_HOST: auth CRYOSTAT_HTTP_PROXY_PORT: '8080' + CRYOSTAT_HTTP_PROXY_TLS_ENABLED: "true" QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING: 'true' QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED: 'true' QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_HOST: 'true' @@ -34,6 +35,7 @@ services: command: --alpha-config=/tmp/auth_proxy_alpha_config.yaml volumes: - auth_proxy_cfg:/tmp + - auth_proxy_certs:/certs hostname: auth ports: - "8080:8080" @@ -42,12 +44,15 @@ services: environment: OAUTH2_PROXY_HTPASSWD_FILE: /tmp/auth_proxy_htpasswd OAUTH2_PROXY_HTPASSWD_USER_GROUP: write - OAUTH2_PROXY_REDIRECT_URL: http://localhost:8080/oauth2/callback + OAUTH2_PROXY_REDIRECT_URL: https://localhost:8080/oauth2/callback + OAUTH2_PROXY_HTTPS_ADDRESS: 8080 OAUTH2_PROXY_COOKIE_SECRET: __24_BYTE_COOKIE_SECRET_ + OAUTH2_PROXY_COOKIE_HTTPONLY: "false" + OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY: "true" # OAUTH2_PROXY_SKIP_AUTH_ROUTES: .* restart: unless-stopped healthcheck: - test: wget -q --spider http://localhost:8080/ping || exit 1 + test: wget -q --spider https://localhost:8080/ping || exit 1 interval: 10s retries: 3 start_period: 30s @@ -56,3 +61,5 @@ services: volumes: auth_proxy_cfg: external: true + auth_proxy_certs: + external: true diff --git a/compose/auth_proxy_alpha_config.yaml b/compose/auth_proxy_alpha_config.yaml index 676f55b2b..c6e891c57 100644 --- a/compose/auth_proxy_alpha_config.yaml 
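Review bot: `OAUTH2_PROXY_COOKIE_HTTPONLY: "false"` in the `@@ -42,12 +44,15 @@` hunk makes the proxy's session cookie readable by page scripts, which enabling TLS on the proxy does not require; dropping the line keeps the default HttpOnly cookie. `OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY: "true"` disables certificate verification on the proxy's outbound connections, and the upstream configured in auth_proxy_alpha_config.yaml appears to remain plain HTTP, so it is likely unnecessary here; if it is needed for a self-signed upstream, a comment naming that connection would help. Whether `OAUTH2_PROXY_HTTPS_ADDRESS: 8080` is accepted without a host or leading colon is worth checking against the oauth2-proxy documentation.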
+++ b/compose/auth_proxy_alpha_config.yaml @@ -1,5 +1,10 @@ server: - BindAddress: http://0.0.0.0:8080 + SecureBindAddress: https://0.0.0.0:8080 + TLS: + key: + fromFile: /certs/private.key + cert: + fromFile: /certs/certificate.pem upstreamConfig: proxyRawPath: true upstreams: diff --git a/compose/cryostat_docker.yml b/compose/cryostat_docker.yml index 2acc03b68..84bd86501 100644 --- a/compose/cryostat_docker.yml +++ b/compose/cryostat_docker.yml @@ -32,6 +32,7 @@ services: QUARKUS_HTTP_HOST: "cryostat" CRYOSTAT_HTTP_PROXY_HOST: "auth" CRYOSTAT_HTTP_PROXY_PORT: "8080" + CRYOSTAT_HTTP_PROXY_TLS_ENABLED: "true" CRYOSTAT_DISCOVERY_DOCKER_ENABLED: "true" CRYOSTAT_DISCOVERY_JDP_ENABLED: "true" JAVA_OPTS_APPEND: "-XX:+FlightRecorder -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m -Dcom.sun.management.jmxremote.autodiscovery=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.rmi.port=9091 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false" diff --git a/compose/sample-apps.yml b/compose/sample-apps.yml index 8cd3f12bb..61982c3c8 100644 --- a/compose/sample-apps.yml +++ b/compose/sample-apps.yml 
@@ -143,11 +143,14 @@ services: CRYOSTAT_AGENT_APP_NAME: quarkus-test-agent CRYOSTAT_AGENT_WEBSERVER_HOST: quarkus-test-agent CRYOSTAT_AGENT_WEBSERVER_PORT: 9977 - CRYOSTAT_AGENT_CALLBACK: http://quarkus-test-agent:9977/ + CRYOSTAT_AGENT_CALLBACK: https://quarkus-test-agent:9977/ CRYOSTAT_AGENT_BASEURI: http://${CRYOSTAT_HTTP_HOST}:8080/ + CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_PASS: /certs/keystore.pass + CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_FILE: /certs/cryostat-keystore.p12 + CRYOSTAT_AGENT_WEBSERVER_TLS_CERT_FILE: /certs/server.cer CRYOSTAT_AGENT_BASEURI_RANGE: public - CRYOSTAT_AGENT_WEBCLIENT_SSL_TRUST_ALL: "true" - CRYOSTAT_AGENT_WEBCLIENT_SSL_VERIFY_HOSTNAME: "false" + CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUST_ALL: "true" + CRYOSTAT_AGENT_WEBCLIENT_TLS_VERIFY_HOSTNAME: "false" CRYOSTAT_AGENT_AUTHORIZATION_TYPE: basic CRYOSTAT_AGENT_AUTHORIZATION_VALUE: user:pass CRYOSTAT_AGENT_HARVESTER_PERIOD_MS: 30000 @@ -155,6 +158,8 @@ services: CRYOSTAT_AGENT_HARVESTER_EXIT_MAX_AGE_MS: 60000 CRYOSTAT_AGENT_HARVESTER_EXIT_MAX_SIZE_B: 153600 # "$(echo 1024*150 | bc)" CRYOSTAT_AGENT_API_WRITES_ENABLED: "true" + volumes: + - ${DIR}/certs:/certs:z restart: always healthcheck: test: curl --fail http://localhost:10010 || exit 1 diff --git a/smoketest.bash b/smoketest.bash index d19384fae..e494e5d7a 100755 --- a/smoketest.bash +++ b/smoketest.bash @@ -6,6 +6,7 @@ if ! command -v yq >/dev/null 2>&1 ; then fi DIR="$(dirname "$(readlink -f "$0")")" +export DIR FILES=( "${DIR}/compose/db.yml" @@ -181,7 +182,9 @@ cleanup() { down "${downFlags[@]}" if [ "${USE_PROXY}" = "true" ]; then ${container_engine} rm proxy_cfg_helper || true + ${container_engine} rm proxy_certs_helper || true ${container_engine} volume rm auth_proxy_cfg || true + ${container_engine} volume rm auth_proxy_certs || true fi if [ "${s3}" = "localstack" ]; then ${container_engine} rm localstack_cfg_helper || true 
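Review bot: The new `volumes: - ${DIR}/certs:/certs:z` entry depends on `DIR` being exported by smoketest.bash (done in this same commit); when the compose file is used on its own an unset `DIR` turns the source into `/certs` on the host, which is not the intended directory. A default such as `- ${DIR:-.}/certs:/certs:z`, or a comment stating that `DIR` must be exported, makes the dependency visible. The `CRYOSTAT_AGENT_WEBSERVER_TLS_*` variables point at `/certs/keystore.pass`, `/certs/cryostat-keystore.p12` and `/certs/server.cer`, and nothing in this commit generates files with those names, so it is worth confirming the mounted directory actually contains them.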
@@ -214,6 +217,18 @@ if [ "${USE_PROXY}" = "true" ]; then createProxyCfgVolume fi +createProxyCertsVolume() { + "${container_engine}" volume create auth_proxy_certs + "${container_engine}" container create --name proxy_certs_helper -v auth_proxy_certs:/certs busybox + chmod 777 "${DIR}/compose/auth_certs/private.key" + chmod 777 "${DIR}/compose/auth_certs/certificate.pem" + "${container_engine}" cp "${DIR}/compose/auth_certs/certificate.pem" proxy_certs_helper:/certs/certificate.pem + "${container_engine}" cp "${DIR}/compose/auth_certs/private.key" proxy_certs_helper:/certs/private.key +} +if [ "${USE_PROXY}" = "true" ]; then + createProxyCertsVolume +fi + createLocalstackCfgVolume() { "${container_engine}" volume create localstack_cfg "${container_engine}" container create --name localstack_cfg_helper -v localstack_cfg:/tmp busybox From 54595e8ca54cda1bf084657734d663a6d823af4e Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 29 Apr 2024 13:04:24 -0400 Subject: [PATCH 02/30] add generation script --- compose/auth_certs/generate.sh | 5 +++++ 1 file changed, 5 insertions(+) create mode 100755 compose/auth_certs/generate.sh diff --git a/compose/auth_certs/generate.sh b/compose/auth_certs/generate.sh new file mode 100755 index 000000000..533e0b3ed --- /dev/null +++ b/compose/auth_certs/generate.sh @@ -0,0 +1,5 @@ +#!/usr/bin/sh + +set -xe + +openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out certificate.pem -keyout private.key From f32fc706bba14f38d43fcddbdda9e8d0c713568c Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 29 Apr 2024 13:04:31 -0400 Subject: [PATCH 03/30] update ignores --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 5a8f57977..8b9eace37 100644 --- a/.gitignore +++ b/.gitignore @@ -46,3 +46,5 @@ certs/*.p12 certs/*.pass *.jfr .quarkus/ +compose/auth_certs/*.key +compose/auth_certs/*.pem From f9838218e8b4b6791cad17207d3cd736613aa265 Mon Sep 17 00:00:00 2001 
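Review bot: `chmod 777` on `private.key` and `certificate.pem` in `createProxyCertsVolume` makes the proxy's TLS private key world-readable and world-writable on the host, while the following `cp` only needs the file readable by the user running the script. Patches 10, 12, 13 and 14 on this page revise this line (444, 644, 640, 644) but the series still ends with the key world-readable; `chmod 600 "${DIR}/compose/auth_certs/private.key"` (or 640 if a group must read it) is the conventional mode, and the certificate needs no change at all. If the looser mode exists so a non-root user inside the oauth2-proxy container can read the copied file, changing ownership inside the helper container or in the proxy's own configuration is preferable to loosening host permissions, and a comment stating the reason would help either way. Changing permissions of files outside the script's own output as a side effect is also worth a comment saying it is intentional.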
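Review bot: `openssl req -new -newkey rsa:4096 -x509 ...` in generate.sh has no `-subj`, so it prompts interactively for the subject fields and cannot run unattended (for example from CI or the README step added later in this series). Adding a subject, e.g. `-subj "/CN=localhost"`, makes it non-interactive, and a subjectAltName for the name the proxy is reached on (`-addext "subjectAltName=DNS:localhost"` on OpenSSL 1.1.1 and later) lets clients verify the certificate instead of disabling verification. The `#!/usr/bin/sh` shebang is less portable than `#!/bin/sh`, which the sibling generate-agent-certs.sh on this page uses.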
From: Andrew Azores Date: Mon, 29 Apr 2024 13:04:49 -0400 Subject: [PATCH 04/30] sample apps expect to use HTTPS on auth proxy --- compose/sample-apps.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/compose/sample-apps.yml b/compose/sample-apps.yml index 61982c3c8..db8d0ddd8 100644 --- a/compose/sample-apps.yml +++ b/compose/sample-apps.yml @@ -16,7 +16,7 @@ services: CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-1" CRYOSTAT_AGENT_WEBSERVER_PORT: "8910" CRYOSTAT_AGENT_CALLBACK: "http://sample-app-1:8910/" - CRYOSTAT_AGENT_BASEURI: "http://${CRYOSTAT_HTTP_HOST}:8080/" + CRYOSTAT_AGENT_BASEURI: "https://${CRYOSTAT_HTTP_HOST}:8080/" CRYOSTAT_AGENT_TRUST_ALL: "true" CRYOSTAT_AGENT_AUTHORIZATION_TYPE: basic CRYOSTAT_AGENT_AUTHORIZATION_VALUE: user:pass @@ -48,7 +48,7 @@ services: CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-2" CRYOSTAT_AGENT_WEBSERVER_PORT: "8911" CRYOSTAT_AGENT_CALLBACK: "http://sample-app-2:8911/" - CRYOSTAT_AGENT_BASEURI: "http://${CRYOSTAT_HTTP_HOST}:8080/" + CRYOSTAT_AGENT_BASEURI: "https://${CRYOSTAT_HTTP_HOST}:8080/" CRYOSTAT_AGENT_TRUST_ALL: "true" CRYOSTAT_AGENT_AUTHORIZATION_TYPE: basic CRYOSTAT_AGENT_AUTHORIZATION_VALUE: user:pass @@ -81,7 +81,7 @@ services: CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-3" CRYOSTAT_AGENT_WEBSERVER_PORT: "8912" CRYOSTAT_AGENT_CALLBACK: "http://sample-app-3:8912/" - CRYOSTAT_AGENT_BASEURI: "http://${CRYOSTAT_HTTP_HOST}:8080/" + CRYOSTAT_AGENT_BASEURI: "https://${CRYOSTAT_HTTP_HOST}:8080/" CRYOSTAT_AGENT_TRUST_ALL: "true" CRYOSTAT_AGENT_AUTHORIZATION_TYPE: basic CRYOSTAT_AGENT_AUTHORIZATION_VALUE: user:pass 
@@ -144,7 +144,7 @@ services: CRYOSTAT_AGENT_WEBSERVER_HOST: quarkus-test-agent CRYOSTAT_AGENT_WEBSERVER_PORT: 9977 CRYOSTAT_AGENT_CALLBACK: https://quarkus-test-agent:9977/ - CRYOSTAT_AGENT_BASEURI: http://${CRYOSTAT_HTTP_HOST}:8080/ + CRYOSTAT_AGENT_BASEURI: https://${CRYOSTAT_HTTP_HOST}:8080/ CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_PASS: /certs/keystore.pass CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_FILE: /certs/cryostat-keystore.p12 CRYOSTAT_AGENT_WEBSERVER_TLS_CERT_FILE: /certs/server.cer From f90da164e75e0cb1ccc0c6078d376e8ad594f1f9 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 29 Apr 2024 13:05:19 -0400 Subject: [PATCH 05/30] correct TLS config keys: https://oauth2-proxy.github.io/oauth2-proxy/configuration/alpha-config#tls --- compose/auth_proxy_alpha_config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/compose/auth_proxy_alpha_config.yaml b/compose/auth_proxy_alpha_config.yaml index c6e891c57..4e1053e79 100644 --- a/compose/auth_proxy_alpha_config.yaml +++ b/compose/auth_proxy_alpha_config.yaml @@ -1,9 +1,9 @@ server: SecureBindAddress: https://0.0.0.0:8080 TLS: - key: + Key: fromFile: /certs/private.key - cert: + Cert: fromFile: /certs/certificate.pem upstreamConfig: proxyRawPath: true From 38bb70979d5efc7ea1e59d7e233a8cfd708f7d96 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 29 Apr 2024 13:30:54 -0400 Subject: [PATCH 06/30] enable proxy header handling --- compose/cryostat.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/compose/cryostat.yml b/compose/cryostat.yml index a2e5fa9da..291d24477 100644 --- a/compose/cryostat.yml +++ b/compose/cryostat.yml 
@@ -21,6 +21,10 @@ services: QUARKUS_LOG_LEVEL: ALL QUARKUS_HTTP_HOST: "cryostat" QUARKUS_HTTP_PORT: ${CRYOSTAT_HTTP_PORT} + QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING: 'true' + QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED: 'true' + QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_HOST: 'true' + QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_PREFIX: 'true' QUARKUS_HIBERNATE_ORM_LOG_SQL: "true" CRYOSTAT_DISCOVERY_JDP_ENABLED: ${CRYOSTAT_DISCOVERY_JDP_ENABLED:-true} CRYOSTAT_DISCOVERY_PODMAN_ENABLED: ${CRYOSTAT_DISCOVERY_PODMAN_ENABLED:-true} From 4a8ebb854084132ee5f0289d5032e7b589326870 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Mon, 29 Apr 2024 13:53:07 -0400 Subject: [PATCH 07/30] bind proxy HTTP on 8080, HTTPS on 8443, correct Cryostat proxy handling configs --- compose/auth_proxy.yml | 12 +++++------- compose/auth_proxy_alpha_config.yaml | 3 ++- compose/cryostat.yml | 4 ---- 3 files changed, 7 insertions(+), 12 deletions(-) diff --git a/compose/auth_proxy.yml b/compose/auth_proxy.yml index 8806b94c4..76c8e1977 100644 --- a/compose/auth_proxy.yml +++ b/compose/auth_proxy.yml @@ -5,13 +5,13 @@ services: - "${CRYOSTAT_HTTP_PORT}" environment: CRYOSTAT_HTTP_PROXY_HOST: auth - CRYOSTAT_HTTP_PROXY_PORT: '8080' + CRYOSTAT_HTTP_PROXY_PORT: '8443' CRYOSTAT_HTTP_PROXY_TLS_ENABLED: "true" QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING: 'true' QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED: 'true' QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_HOST: 'true' QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_PREFIX: 'true' - QUARKUS_HTTP_PROXY_TRUSTED_PROXIES: 127.0.0.1:${CRYOSTAT_HTTP_PORT} + # QUARKUS_HTTP_PROXY_TRUSTED_PROXIES: auth # by default all are trusted healthcheck: test: curl --fail http://cryostat:8181/health/liveness || exit 1 interval: 10s 
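Review bot: Commenting out `QUARKUS_HTTP_PROXY_TRUSTED_PROXIES` while `QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED: 'true'` stays set means Cryostat honours X-Forwarded-* headers from any peer that can reach its port, as the inline `# by default all are trusted` acknowledges. The `- "${CRYOSTAT_HTTP_PORT}"` context line suggests the port is only exposed on the compose network, which limits the exposure, but forwarded-header trust is still better pinned to the proxy; if the value `auth` did not work, recording why in the comment (hostname versus address or CIDR form) would save the next person the experiment. The enclosing list that line belongs to starts outside the hunk.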
@@ -39,17 +39,15 @@ services: hostname: auth ports: - "8080:8080" + - "8443:8443" labels: kompose.service.expose: "auth" environment: OAUTH2_PROXY_HTPASSWD_FILE: /tmp/auth_proxy_htpasswd OAUTH2_PROXY_HTPASSWD_USER_GROUP: write - OAUTH2_PROXY_REDIRECT_URL: https://localhost:8080/oauth2/callback - OAUTH2_PROXY_HTTPS_ADDRESS: 8080 + OAUTH2_PROXY_REDIRECT_URL: http://auth:8080/oauth2/callback OAUTH2_PROXY_COOKIE_SECRET: __24_BYTE_COOKIE_SECRET_ - OAUTH2_PROXY_COOKIE_HTTPONLY: "false" - OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY: "true" - # OAUTH2_PROXY_SKIP_AUTH_ROUTES: .* + OAUTH2_PROXY_FORCE_HTTPS: "false" restart: unless-stopped healthcheck: test: wget -q --spider https://localhost:8080/ping || exit 1 diff --git a/compose/auth_proxy_alpha_config.yaml b/compose/auth_proxy_alpha_config.yaml index 4e1053e79..25efaceac 100644 --- a/compose/auth_proxy_alpha_config.yaml +++ b/compose/auth_proxy_alpha_config.yaml @@ -1,5 +1,6 @@ server: - SecureBindAddress: https://0.0.0.0:8080 + BindAddress: http://0.0.0.0:8080 + SecureBindAddress: :8443 TLS: Key: fromFile: /certs/private.key diff --git a/compose/cryostat.yml b/compose/cryostat.yml index 291d24477..a2e5fa9da 100644 --- a/compose/cryostat.yml +++ b/compose/cryostat.yml @@ -21,10 +21,6 @@ services: QUARKUS_LOG_LEVEL: ALL QUARKUS_HTTP_HOST: "cryostat" QUARKUS_HTTP_PORT: ${CRYOSTAT_HTTP_PORT} - QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING: 'true' - QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED: 'true' - QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_HOST: 'true' - QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_PREFIX: 'true' QUARKUS_HIBERNATE_ORM_LOG_SQL: "true" CRYOSTAT_DISCOVERY_JDP_ENABLED: ${CRYOSTAT_DISCOVERY_JDP_ENABLED:-true} CRYOSTAT_DISCOVERY_PODMAN_ENABLED: ${CRYOSTAT_DISCOVERY_PODMAN_ENABLED:-true} From cc025257c89f3bce10aead1cdc86aeb363c01b32 Mon Sep 17 00:00:00 2001 
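Review bot: The healthcheck `test: wget -q --spider https://localhost:8080/ping || exit 1` still speaks TLS to port 8080, but this commit makes 8080 the plain-HTTP listener (`BindAddress: http://0.0.0.0:8080`) and moves TLS to `SecureBindAddress: :8443`, so the handshake fails and the container reports unhealthy; it should read `http://localhost:8080/ping` or target 8443. `OAUTH2_PROXY_REDIRECT_URL: http://auth:8080/oauth2/callback` uses the container hostname, which a browser on the host cannot resolve, and a plain-http callback although the proxy now serves HTTPS; the externally reachable HTTPS origin is the usual value. A short comment beside the two `ports:` entries noting that 8080 is HTTP and 8443 is HTTPS would keep them readable.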
From: Andrew Azores Date: Mon, 29 Apr 2024 13:53:59 -0400 Subject: [PATCH 08/30] sample apps use HTTPS 8443 --- compose/sample-apps.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/compose/sample-apps.yml b/compose/sample-apps.yml index db8d0ddd8..e621c5e68 100644 --- a/compose/sample-apps.yml +++ b/compose/sample-apps.yml @@ -16,7 +16,7 @@ services: CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-1" CRYOSTAT_AGENT_WEBSERVER_PORT: "8910" CRYOSTAT_AGENT_CALLBACK: "http://sample-app-1:8910/" - CRYOSTAT_AGENT_BASEURI: "https://${CRYOSTAT_HTTP_HOST}:8080/" + CRYOSTAT_AGENT_BASEURI: "https://${CRYOSTAT_HTTP_HOST}:8443/" CRYOSTAT_AGENT_TRUST_ALL: "true" CRYOSTAT_AGENT_AUTHORIZATION_TYPE: basic CRYOSTAT_AGENT_AUTHORIZATION_VALUE: user:pass @@ -48,7 +48,7 @@ services: CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-2" CRYOSTAT_AGENT_WEBSERVER_PORT: "8911" CRYOSTAT_AGENT_CALLBACK: "http://sample-app-2:8911/" - CRYOSTAT_AGENT_BASEURI: "https://${CRYOSTAT_HTTP_HOST}:8080/" + CRYOSTAT_AGENT_BASEURI: "https://${CRYOSTAT_HTTP_HOST}:8443/" CRYOSTAT_AGENT_TRUST_ALL: "true" CRYOSTAT_AGENT_AUTHORIZATION_TYPE: basic CRYOSTAT_AGENT_AUTHORIZATION_VALUE: user:pass @@ -81,7 +81,7 @@ services: CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-3" CRYOSTAT_AGENT_WEBSERVER_PORT: "8912" CRYOSTAT_AGENT_CALLBACK: "http://sample-app-3:8912/" - CRYOSTAT_AGENT_BASEURI: "https://${CRYOSTAT_HTTP_HOST}:8080/" + CRYOSTAT_AGENT_BASEURI: "https://${CRYOSTAT_HTTP_HOST}:8443/" CRYOSTAT_AGENT_TRUST_ALL: "true" CRYOSTAT_AGENT_AUTHORIZATION_TYPE: basic CRYOSTAT_AGENT_AUTHORIZATION_VALUE: user:pass 
@@ -144,7 +144,7 @@ services: CRYOSTAT_AGENT_WEBSERVER_HOST: quarkus-test-agent CRYOSTAT_AGENT_WEBSERVER_PORT: 9977 CRYOSTAT_AGENT_CALLBACK: https://quarkus-test-agent:9977/ - CRYOSTAT_AGENT_BASEURI: https://${CRYOSTAT_HTTP_HOST}:8080/ + CRYOSTAT_AGENT_BASEURI: https://${CRYOSTAT_HTTP_HOST}:8443/ CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_PASS: /certs/keystore.pass CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_FILE: /certs/cryostat-keystore.p12 CRYOSTAT_AGENT_WEBSERVER_TLS_CERT_FILE: /certs/server.cer From 3ebb9248eb7464508b03bf602459d02bcaf273f7 Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Mon, 29 Apr 2024 18:12:27 -0400 Subject: [PATCH 09/30] agent testing HTTPS success --- compose/agent_certs/generate-agent-certs.sh | 58 +++++++++++++++++++++ compose/auth_proxy.yml | 3 +- compose/sample-apps.yml | 6 +-- src/main/resources/application.properties | 1 + 4 files changed, 63 insertions(+), 5 deletions(-) create mode 100755 compose/agent_certs/generate-agent-certs.sh diff --git a/compose/agent_certs/generate-agent-certs.sh b/compose/agent_certs/generate-agent-certs.sh new file mode 100755 index 000000000..bd400206f --- /dev/null +++ b/compose/agent_certs/generate-agent-certs.sh 
@@ -0,0 +1,58 @@ +#!/bin/sh + +set -x + +CERTS_DIR=$(realpath "$(dirname "$0")") + +SSL_KEYSTORE=agent-keystore.p12 + +SSL_KEYSTORE_PASS_FILE=keystore.pass + +cleanup() { + cd "$CERTS_DIR" + rm $SSL_KEYSTORE $SSL_KEYSTORE_PASS_FILE agent-server.cer + cd - +} + +case "$1" in + clean) + cleanup + exit 0 + ;; + generate) + ;; + *) + echo "Usage: $0 [clean|generate]" + exit 1 + ;; +esac + +set -e + +genpass() { + < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32 +} + +SSL_KEYSTORE_PASS=$(genpass) + +cd "$CERTS_DIR" +trap "cd -" EXIT + +echo "$SSL_KEYSTORE_PASS" > $SSL_KEYSTORE_PASS_FILE + +keytool \ + -genkeypair -v \ + -alias custom-cryostat \ + -dname "cn=cryostat, o=Cryostat, c=CA" \ + -storetype PKCS12 \ + -validity 365 \ + -keyalg RSA \ + -storepass "$SSL_KEYSTORE_PASS" \ + -keystore "$SSL_KEYSTORE" + +keytool \ + -exportcert -v \ + -alias custom-cryostat \ + -keystore "$SSL_KEYSTORE" \ + -storepass "$SSL_KEYSTORE_PASS" \ + -file agent_server.cer diff --git a/compose/auth_proxy.yml b/compose/auth_proxy.yml index 76c8e1977..ed0c9c54f 100644 --- a/compose/auth_proxy.yml +++ b/compose/auth_proxy.yml @@ -47,10 +47,9 @@ services: OAUTH2_PROXY_HTPASSWD_USER_GROUP: write OAUTH2_PROXY_REDIRECT_URL: http://auth:8080/oauth2/callback OAUTH2_PROXY_COOKIE_SECRET: __24_BYTE_COOKIE_SECRET_ - OAUTH2_PROXY_FORCE_HTTPS: "false" restart: unless-stopped healthcheck: - test: wget -q --spider https://localhost:8080/ping || exit 1 + test: wget -q --spider http://localhost:8080/ping || exit 1 interval: 10s retries: 3 start_period: 30s diff --git a/compose/sample-apps.yml b/compose/sample-apps.yml index e621c5e68..7e327cc3c 100644 --- a/compose/sample-apps.yml +++ b/compose/sample-apps.yml 
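Review bot: `set -x` at the top of generate-agent-certs.sh traces every command, so the keystore password is printed to stderr twice: by `echo "$SSL_KEYSTORE_PASS" > $SSL_KEYSTORE_PASS_FILE` and by the expanded `-storepass "$SSL_KEYSTORE_PASS"` arguments of both keytool calls. Bracketing those commands with `set +x` / `set -x`, or dropping the trace, keeps the secret out of terminal scrollback and CI logs. `cleanup` removes `agent-server.cer` but the export step writes `-file agent_server.cer`, so the exported certificate is never cleaned up. Nothing on this page ignores `compose/agent_certs/*.p12`, `*.pass` or `*.cer` (the existing .gitignore patterns cover `certs/` only), and the diffstat of patch 16 shows the keystore and `keystore.pass` being committed; adding those patterns to .gitignore would prevent that.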
@@ -146,8 +146,8 @@ services: CRYOSTAT_AGENT_CALLBACK: https://quarkus-test-agent:9977/ CRYOSTAT_AGENT_BASEURI: https://${CRYOSTAT_HTTP_HOST}:8443/ CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_PASS: /certs/keystore.pass - CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_FILE: /certs/cryostat-keystore.p12 - CRYOSTAT_AGENT_WEBSERVER_TLS_CERT_FILE: /certs/server.cer + CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_FILE: /certs/agent-keystore.p12 + CRYOSTAT_AGENT_WEBSERVER_TLS_CERT_FILE: /certs/agent-server.cer CRYOSTAT_AGENT_BASEURI_RANGE: public CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUST_ALL: "true" CRYOSTAT_AGENT_WEBCLIENT_TLS_VERIFY_HOSTNAME: "false" @@ -159,7 +159,7 @@ services: CRYOSTAT_AGENT_HARVESTER_EXIT_MAX_SIZE_B: 153600 # "$(echo 1024*150 | bc)" CRYOSTAT_AGENT_API_WRITES_ENABLED: "true" volumes: - - ${DIR}/certs:/certs:z + - ${DIR}/compose/agent_certs:/certs:z restart: always healthcheck: test: curl --fail http://localhost:10010 || exit 1 diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 10d21479a..db632bb0e 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -55,6 +55,7 @@ quarkus.http.body.delete-uploaded-files-on-end=true quarkus.http.limits.max-form-attribute-size=1G quarkus.http.limits.max-body-size=1G quarkus.vertx.prefer-native-transport=true +quarkus.tls.trust-all=true quarkus.smallrye-openapi.path=/api quarkus.smallrye-openapi.info-title=Cryostat API From 2f58376b8c8a7896ad1c11bb477940534e58b32d Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Mon, 29 Apr 2024 18:19:13 -0400 Subject: [PATCH 10/30] update cert + key permissions --- smoketest.bash | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/smoketest.bash b/smoketest.bash index e494e5d7a..9cb4c169e 100755 --- a/smoketest.bash +++ b/smoketest.bash 
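Review bot: `quarkus.tls.trust-all=true` is added to the main application.properties, so it disables TLS certificate verification for Cryostat's outbound connections in every deployment built from this source, not only in the compose smoketest where the agent's self-signed certificate lives. Scope it to the environment that needs it, e.g. `%dev.quarkus.tls.trust-all=true`, or set `QUARKUS_TLS_TRUST_ALL: "true"` in the compose environment next to the other smoketest settings, and leave the default at verification enabled. A comment stating which connection motivated it (the agent callback over `https://quarkus-test-agent:9977/`) would help the next reader decide when it can be removed.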
@@ -220,8 +220,8 @@ fi createProxyCertsVolume() { "${container_engine}" volume create auth_proxy_certs "${container_engine}" container create --name proxy_certs_helper -v auth_proxy_certs:/certs busybox - chmod 777 "${DIR}/compose/auth_certs/private.key" - chmod 777 "${DIR}/compose/auth_certs/certificate.pem" + chmod 444 "${DIR}/compose/auth_certs/private.key" + chmod 444 "${DIR}/compose/auth_certs/certificate.pem" "${container_engine}" cp "${DIR}/compose/auth_certs/certificate.pem" proxy_certs_helper:/certs/certificate.pem "${container_engine}" cp "${DIR}/compose/auth_certs/private.key" proxy_certs_helper:/certs/private.key } From d0147047124f60e7c99da70604b66b490ffb571c Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Thu, 2 May 2024 14:43:20 -0400 Subject: [PATCH 11/30] look for certificate.pem and private.key --- smoketest.bash | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/smoketest.bash b/smoketest.bash index 9cb4c169e..25eac7d8b 100755 --- a/smoketest.bash +++ b/smoketest.bash 
@@ -220,10 +220,15 @@ fi createProxyCertsVolume() { "${container_engine}" volume create auth_proxy_certs "${container_engine}" container create --name proxy_certs_helper -v auth_proxy_certs:/certs busybox - chmod 444 "${DIR}/compose/auth_certs/private.key" - chmod 444 "${DIR}/compose/auth_certs/certificate.pem" - "${container_engine}" cp "${DIR}/compose/auth_certs/certificate.pem" proxy_certs_helper:/certs/certificate.pem - "${container_engine}" cp "${DIR}/compose/auth_certs/private.key" proxy_certs_helper:/certs/private.key + if [ -f "${DIR}/compose/auth_certs/certificate.pem" ] && [ -f "${DIR}/compose/auth_certs/private.key" ]; then + chmod 444 "${DIR}/compose/auth_certs/private.key" + chmod 444 "${DIR}/compose/auth_certs/certificate.pem" + "${container_engine}" cp "${DIR}/compose/auth_certs/certificate.pem" proxy_certs_helper:/certs/certificate.pem + "${container_engine}" cp "${DIR}/compose/auth_certs/private.key" proxy_certs_helper:/certs/private.key + else + echo "Unable to find a certificate and key to allow oauth2_proxy to enable TLS connections" + exit 2 + fi } if [ "${USE_PROXY}" = "true" ]; then createProxyCertsVolume From 3ab403913fd23d6afe0c8d0feabd464d269e7b1b Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Thu, 2 May 2024 14:47:49 -0400 Subject: [PATCH 12/30] update permissions --- smoketest.bash | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/smoketest.bash b/smoketest.bash index 25eac7d8b..f27102cec 100755 --- a/smoketest.bash +++ b/smoketest.bash 
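Review bot: The `-f` check for `certificate.pem` and `private.key` runs after `volume create auth_proxy_certs` and `container create --name proxy_certs_helper`, so when the files are missing the script exits 2 having already created a volume and a helper container; unless an EXIT trap runs `cleanup` (not visible in this hunk) they are left behind and the next run's `volume create` can fail on the existing name. Moving the check to the top of `createProxyCertsVolume`, before the two create calls, avoids the orphans. The message could also name the expected paths and generator, e.g. `echo "Missing ${DIR}/compose/auth_certs/certificate.pem or private.key; run compose/auth_certs/generate.sh" >&2`.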
@@ -221,8 +221,7 @@ createProxyCertsVolume() { "${container_engine}" volume create auth_proxy_certs "${container_engine}" container create --name proxy_certs_helper -v auth_proxy_certs:/certs busybox if [ -f "${DIR}/compose/auth_certs/certificate.pem" ] && [ -f "${DIR}/compose/auth_certs/private.key" ]; then - chmod 444 "${DIR}/compose/auth_certs/private.key" - chmod 444 "${DIR}/compose/auth_certs/certificate.pem" + chmod 644 "${DIR}/compose/auth_certs/private.key" "${container_engine}" cp "${DIR}/compose/auth_certs/certificate.pem" proxy_certs_helper:/certs/certificate.pem "${container_engine}" cp "${DIR}/compose/auth_certs/private.key" proxy_certs_helper:/certs/private.key else From e55346687d0a48fc8d59f889b796dbbb0087fe51 Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Thu, 2 May 2024 17:11:13 -0400 Subject: [PATCH 13/30] reviews --- README.md | 2 ++ compose/auth_certs/generate.sh | 4 +++- smoketest.bash | 4 ++-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 296f24ab5..3f1ca6b31 100644 --- a/README.md +++ b/README.md @@ -147,6 +147,8 @@ This will spin up the cryostat container and its required services. $ ./mvnw package ; podman image prune -f # alternatively, use Quarkus CLI instead of the Maven wrapper $ quarkus build ; podman image prune -f +# generate a certificate and key for the server to enable HTTPS connections +$ sh compose/auth_certs/generate.sh # check the available smoketest options $ bash smoketest.bash -h # run a smoketest scenario diff --git a/compose/auth_certs/generate.sh b/compose/auth_certs/generate.sh index 533e0b3ed..68e91c731 100755 --- a/compose/auth_certs/generate.sh +++ b/compose/auth_certs/generate.sh 
@@ -2,4 +2,6 @@ set -xe -openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out certificate.pem -keyout private.key +CERTS_DIR="$(dirname "$(readlink -f "$0")")" + +openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out ${CERTS_DIR}/certificate.pem -keyout ${CERTS_DIR}/private.key diff --git a/smoketest.bash b/smoketest.bash index f27102cec..749788a8a 100755 --- a/smoketest.bash +++ b/smoketest.bash @@ -221,11 +221,11 @@ createProxyCertsVolume() { "${container_engine}" volume create auth_proxy_certs "${container_engine}" container create --name proxy_certs_helper -v auth_proxy_certs:/certs busybox if [ -f "${DIR}/compose/auth_certs/certificate.pem" ] && [ -f "${DIR}/compose/auth_certs/private.key" ]; then - chmod 644 "${DIR}/compose/auth_certs/private.key" + chmod 640 "${DIR}/compose/auth_certs/private.key" "${container_engine}" cp "${DIR}/compose/auth_certs/certificate.pem" proxy_certs_helper:/certs/certificate.pem "${container_engine}" cp "${DIR}/compose/auth_certs/private.key" proxy_certs_helper:/certs/private.key else - echo "Unable to find a certificate and key to allow oauth2_proxy to enable TLS connections" + echo "Did you run auth_certs/generate.sh?" exit 2 fi } From 19607c3e1af71f338fe1ea718ad7ed2fc64853af Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Fri, 3 May 2024 14:49:32 -0400 Subject: [PATCH 14/30] update permission + agent_server.cer --- compose/sample-apps.yml | 2 +- smoketest.bash | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/compose/sample-apps.yml b/compose/sample-apps.yml index 7e327cc3c..e620987f7 100644 --- a/compose/sample-apps.yml +++ b/compose/sample-apps.yml 
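Review bot: `${CERTS_DIR}` is unquoted in `-out ${CERTS_DIR}/certificate.pem -keyout ${CERTS_DIR}/private.key`, so a checkout path containing whitespace splits into several arguments and openssl writes elsewhere or fails; quote both as `"${CERTS_DIR}/certificate.pem"` and `"${CERTS_DIR}/private.key"`. The command is still interactive without `-subj`, which makes the README step added in this same commit prompt for subject fields before producing the files.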
@@ -147,7 +147,7 @@ services: CRYOSTAT_AGENT_BASEURI: https://${CRYOSTAT_HTTP_HOST}:8443/ CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_PASS: /certs/keystore.pass CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_FILE: /certs/agent-keystore.p12 - CRYOSTAT_AGENT_WEBSERVER_TLS_CERT_FILE: /certs/agent-server.cer + CRYOSTAT_AGENT_WEBSERVER_TLS_CERT_FILE: /certs/agent_server.cer CRYOSTAT_AGENT_BASEURI_RANGE: public CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUST_ALL: "true" CRYOSTAT_AGENT_WEBCLIENT_TLS_VERIFY_HOSTNAME: "false" diff --git a/smoketest.bash b/smoketest.bash index 749788a8a..27af18dc4 100755 --- a/smoketest.bash +++ b/smoketest.bash @@ -221,7 +221,7 @@ createProxyCertsVolume() { "${container_engine}" volume create auth_proxy_certs "${container_engine}" container create --name proxy_certs_helper -v auth_proxy_certs:/certs busybox if [ -f "${DIR}/compose/auth_certs/certificate.pem" ] && [ -f "${DIR}/compose/auth_certs/private.key" ]; then - chmod 640 "${DIR}/compose/auth_certs/private.key" + chmod 644 "${DIR}/compose/auth_certs/private.key" "${container_engine}" cp "${DIR}/compose/auth_certs/certificate.pem" proxy_certs_helper:/certs/certificate.pem "${container_engine}" cp "${DIR}/compose/auth_certs/private.key" proxy_certs_helper:/certs/private.key else From bccccd73030448ad3885d9d4ae6ae2b4266f64ff Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Thu, 9 May 2024 15:44:37 -0400 Subject: [PATCH 15/30] update quarkus.http properties --- compose/auth_proxy.yml | 4 ++-- src/main/resources/application.properties | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/compose/auth_proxy.yml b/compose/auth_proxy.yml index ed0c9c54f..c85d30661 100644 --- a/compose/auth_proxy.yml +++ b/compose/auth_proxy.yml 
@@ -5,7 +5,7 @@ services: - "${CRYOSTAT_HTTP_PORT}" environment: CRYOSTAT_HTTP_PROXY_HOST: auth - CRYOSTAT_HTTP_PROXY_PORT: '8443' + CRYOSTAT_HTTP_PROXY_PORT: '8080' CRYOSTAT_HTTP_PROXY_TLS_ENABLED: "true" QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING: 'true' QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED: 'true' @@ -45,7 +45,7 @@ services: environment: OAUTH2_PROXY_HTPASSWD_FILE: /tmp/auth_proxy_htpasswd OAUTH2_PROXY_HTPASSWD_USER_GROUP: write - OAUTH2_PROXY_REDIRECT_URL: http://auth:8080/oauth2/callback + OAUTH2_PROXY_REDIRECT_URL: http://localhost:8080/oauth2/callback OAUTH2_PROXY_COOKIE_SECRET: __24_BYTE_COOKIE_SECRET_ restart: unless-stopped healthcheck: diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index db632bb0e..6a22d0f69 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -34,7 +34,7 @@ cryostat.services.reports.storage-cache.enabled=true cryostat.services.reports.storage-cache.name=archivedreports cryostat.services.reports.storage-cache.expiry-duration=24h -cryostat.http.proxy.tls-enabled=false +cryostat.http.proxy.tls-enabled=true cryostat.http.proxy.host=${quarkus.http.host} cryostat.http.proxy.port=${quarkus.http.port} cryostat.http.proxy.path=/ From 03441e83c10b39df3657e0a4ee128fc34e133fa9 Mon Sep 17 00:00:00 2001 
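Review bot: `CRYOSTAT_HTTP_PROXY_PORT: '8080'` is set back to the proxy's plain-HTTP listener while `CRYOSTAT_HTTP_PROXY_TLS_ENABLED: "true"` stays, so if the two values are combined into the externally advertised URL Cryostat would advertise `https://…:8080`, which has been the HTTP port since patch 07 moved TLS to 8443. Either the port should be `'8443'` or TLS_ENABLED should be `"false"`; a comment saying which proxy listener these settings describe would stop them drifting apart again. How the two values are combined is inferred from their names and should be confirmed against the code that reads them.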
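Review bot: Changing the shipped default `cryostat.http.proxy.tls-enabled` from `false` to `true` affects every deployment, including ones with no TLS-terminating proxy in front, which would then build https URLs for a plain-HTTP endpoint. The compose files on this page already set `CRYOSTAT_HTTP_PROXY_TLS_ENABLED: "true"` per service, so the override belongs there (or under a `%dev.` profile prefix) rather than in the baseline; keeping `cryostat.http.proxy.tls-enabled=false` as the default is the safer choice. A comment beside the property describing when it should be true would help operators.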
From: Ming Wang Date: Tue, 18 Jun 2024 09:27:41 -0400 Subject: [PATCH 16/30] fix TLS --- compose/agent_certs/agent-keystore.p12 | Bin 0 -> 3498 bytes compose/agent_certs/agent_server.cer | Bin 0 -> 1037 bytes compose/agent_certs/keystore.pass | 1 + compose/auth_proxy.yml | 23 ++++++++++++---------- compose/auth_proxy_alpha_config.yaml | 7 +++++++ compose/cryostat-grafana.yml | 2 +- compose/cryostat.yml | 13 +++++++++++- compose/cryostat_docker.yml | 12 ++++++++++- compose/jfr-datasource.yml | 14 ++++++++++--- compose/reports.yml | 9 ++++++++- src/main/resources/application.properties | 4 +++- 11 files changed, 67 insertions(+), 18 deletions(-) create mode 100644 compose/agent_certs/agent-keystore.p12 create mode 100644 compose/agent_certs/agent_server.cer create mode 100644 compose/agent_certs/keystore.pass 
diff --git a/compose/agent_certs/agent-keystore.p12 b/compose/agent_certs/agent-keystore.p12 new file mode 100644 index 0000000000000000000000000000000000000000..80a9aa40a639ec49cb579590ba04d624e55f14b4 GIT binary patch literal 3498 zcma)9c{mh|x1Jee#xR8J%FZCe*s>I|@B5bdP_~po4JjrJV@a|TS(0t+1~K?3g_1R7 zU$QS*BRhlJ@45H+zUTgR?;qzm=e*~<=Q)3!_cicfbVbCW-)E{bNfIy8mIpX@Q^|0yN|g7>K&}4}+Q>WrtGy zH-)3FfmwEz8LI0})_G%iJXuSGB-&$7YwbWF1S1H@hk`?B{(B+_Mh!q+g~0Ac>H*!T zz(8>@WA3}0+jBt*%$#YVM<4bWVSg53WX_zCWGm_so59RnJ$?7{b-Y%<`OyTamf7z4 za7V58QN!SSm94RT1)W1dBrqxDavm1h{gnH|qJ82)vW8h`($>MIBeOYmI>XJz)Xg+L z@Of;HZ+v}jv9|X`tcw(eeZw!8_b5NmZy>k`FR$UocX`Pe!58pXe*DOQ3h2N$Q=vCkW4?pLT$~*j!D-S?NS76r#oWgU@HX_`4ZsjsCReV z*Lxm43cbs)wdqT;CIc5(HPj&y=KwS=*VYOHJ!&fvmqw zJ~=!aeJ3xz#vwSQ_3Qo7N=QB{0HK(Q(M5dL_t6Kx9pWda+==PkwYXcO@;4$Sguah zmq5h(+F-^4XtD3_aX;5VUCQ(CL*3APdMfEgQi{(sF^|yP9;u4HHR8l{vpr^FF~U+y(Lh8yjcp8}#28Y9Thth9LMRsvRAkU8hPC*m4Fjp|e1mXO6EZ z>2#R-57q})uTK?!byIW`m!SLr?qJB);ZNDGxG=u;&go$JyIqXK^&>8w*KCZRrq$Fg z7R2ao;AN*@h)K5<0(IOzWzuK$5i#*3O|ZP>w^D2P6`IWp91wg4y%6+iQrKh@E^FpC z`-BsxH(V;i(NDm_U*cK5&xbzTV%Ermr@A_nzw~X)Hjk)b3w?o$_jSh7F!{keFDkH= z$Fs}`SwnIj=Q6Yyz2EXhh(-BB3C;X((wyabnEkcsJ9s6uOen#Ly{u+PaM<|e;NzdV zljIT~7>HMTKc*_wF3u{e;;b%Zv5T|?q+n~CPKnyHHl~1d1q1)kOd6s3^&H38Sy?0?oFW;Z0Cw&OK1tcph2oEt)LGHO?Lw6#geONQL%pPSt# zhDmcr+u;l00^Bhws)N@*1>c<@_Yt|ht!eMm@Anp?D<|erqczm{n{PY6cL`?9qZOb5 zkd;s`i(xRVeY3PnWM6zkazM&|&P9}HE13P68um~;wtZYTWJy}pyUc-u|4VXnY>4#^ zVC7_yVIAn?eDk+U@m<^X8C&spA?MRh2V+-sa)Ac$+G9dc8BWpg$=#1`Pp2KB4V1)( zYw8n;nld2WhlYcSF#$Ey-d1d!C9PuMws8b;UGvJ!?4DlA{-maNR!(cK@( zlAwEl3GBN*z^?6CkQxOTZH&z)3?ql#IDxO_5U;!A7Q+6FS0K4y*UK^|XaLd#%wA$XJN_Ij4~Sq2e~ z=yJjmj5X?kxr{G^zOPee5Z8i0x=UC=XM*v9S2vNiA?fdO;)do(_)%gqk2a135o&GO zH!xhyms^UK{Z>ey;Q6lV5Km!8XzQl}W9 z=p;hgc-CKAn?Xi>Rc~dJoo~AZsXh?A-G3F#;^l_Q|BH) z*%=P&xXh99Yf6D%c`V&NHMCG3!sd{Q@X%uaA=qk*kVK9WlTxAH)X4YvfC$g8+b($J zL!^XVn2*(4mTqqr(sTEdU#b|tg5-iFx<-{%NwmaV17(2`u6O4M|1KEKs=DNm{%C=< zYBE@wSB)Z7GfSBhY;5U-_}t7pJhH7Dx=7=6LFcL6m*bKSR}54#_a4bAF}lM%5%7hL z%o1qBrk0t+w; 
zgUv>n8&R%cX$utcAGw9GNb~XV09*im0AIjkz(ar+0Qo2L0R;Ss|AROI9;5jGZD*Bc z0W(`Y@N(mmR*+V_E+?-bC!;8@h$2u+|I-A8i`8IR~$oj1g(TmtY_}GdTR*e&B(QEumd{Ef68OC##P3KleW05X6GYl zuLahW_D0Sujk`X|30YUjEN=VMi|Nk8h^y$kEYzO)A9#%4Yu9z7-xWCa5Dv7+`7DlbVV2ZB*GQ>e(|C8jA$F3YV-l(RgXZUpSMhQWbUZ?bRDMbxXKxnk>k# zX08psa&B(v=ixM33C1vrVB<93WNzpZy%7d@A;vKK2hp4T_}kbc1H*CZ#F2%Bm8=RH zJh?~G;#{3nvY}q*4r2{RpsysxoY$0Z6?5I`nyH6!-k4(R{w}^br6VbG#*!_mMs0yl zExLfl#swJn%gMRz;4O)U7l9E%onOui8FVs8h}8z%zRBJ>>o~5XAgKSRq&|S@%%9S# zUc`F5qG;Tkr0PAmSzXG?wfi1eICyrxg~JRu$q}i{?5t)*f^$67^kfo3E&1|`pS}1N zU=To|TaU4QftWl9bs3wi_$v8w>u5UTW2o1{dcB#9RCHQsh3U+g)lq>L>I;3&+10;X zZ()|(V<%{>}9*p&L)1%P(oaMrfi+1k)&@*Y9%_3HblM|0Gby&Vrz==FFl7mFI5T{7-El;O|= z`XF@%24yVoB=%Y7^*k|Cfe0JmMBHSATwQXm)cQ8;;>2C*O4|I;`F*Sj)s^B$zOmY4 z{FQN4;5+5G*A)<)VE}brTriV^cOLA#*JKd-jLv_{#m}5}{)yBts~H=2&(4LWi&+x( zy(_GZXQZ0H4K5_}&aoy|!wDr`6uj6J*L&CV@#MArh?PDm3$&UTkCU(2PywpZXA5Ce z)sgt3&PZ5GwBJ6fG1<5F^dd;N+kDQy+;(wXFHb>*1T8Z zPuyfk>3^GGKam9?J3%0#T{yCAfMeEan2TaVW-6V&f)@*rH7M() zH+z(1zE&*VT3m$6D?Tk}ABc)k$PF*fGWff+-&#CZuBz>JLd-{afan4l_&CAOct<|v z#<#I+nf(T`jn8&Q7pO>RNhipU!Ip&hylT2`Z9w!lZe%i#kN9!!%J_g*;=0Foj>lrw z2?1M5!{5@ekXYqg1pK|7S4vfqR!BFsTH%z>hQ*`zcA9Wl^XlB?tMaCMK4e#Gs&(*q zw&=&`mE98fX&nKPLi#=!$9cHfA2u?$flVcO+}%#LlZ=K>SMtG7n5To65JdJ0!|&lY zwj%%LJ`+frn%jg{j&%NmXenM&P?jZ@K)l)G9Ot z>C-z!C)xvUKIxWB{IpKP`q?B%jN8_;0%eSnM$!NCzkq<$05D&(+tsN^p%qiMd#AN85K^Mn)c11_NV5ZUas>=1>+k zVJ2rsLqP+65Qj^c!?~z3zqll^1SZ5R%#jQgGLRGJH8L?UGc-3eH#RjfiUM*?k+|d; z+QhgB*>Q}l49rc8{R{?8j9pAkjExK{9rzYbdp>`^@*$ZOt=3sK8NWSq>!iM^ZF+oo zvy`{R1+O&0>wY#<54rwaH91$g%FD0B`n>T&j^Ou?4msUxSAVFPE$+`wLj+e@U8l*WvWV z85}FV+&FY# znkL8i^!mAw0~JEiLyxy`-Zsqow=7YlV+7 zCAI-&#i6?^=Qvac1-O}I)r2s}3K%oJ^$vU94d+ve7nQISS6c$}}w4b^0NL_*J|Gbnn4#sPyIzQ!@QgMB= zu)j6;XO`8EiUJl#cdeUxtBd2zgLCsLFO^P-i2kP7uAR;BWB#(}#m}c(Ex9sIr84)za}Xf_)YP8_%hMwbt+5Dp4vXHSiG@u#d;1&F4k?K`{chk zA6ghM+#dY?{-Txs?fu!0p9%HvkPVrdYsvbay>R)8E#EQ@O1(e0^ld@&nuC{SYl_@6 zj}c^BdMI1p#LMQ~1wnno8As2H_<0nWScUE0r572YEo|j?Pqf0#dBqOhC#&KZzVdar 
z7MD*uHsjmH{6GAb{Le1@*=6)H?&6Y;PoWoQ@W_`O;F&1G@hh-&hS7##o)Q)TyZ&EW zZElt8DmGM^S_=nrZ%^Elyn4Z^8- + -XX:+FlightRecorder + -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m + -XX:StartFlightRecording=name=startup,settings=profile,disk=true,duration=30s + -Dcom.sun.management.jmxremote.autodiscovery=true + -Dcom.sun.management.jmxremote + -Dcom.sun.management.jmxremote.port=9091 + -Dcom.sun.management.jmxremote.rmi.port=9091 + -Djava.rmi.server.hostname=127.0.0.1 + -Dcom.sun.management.jmxremote.authenticate=false + -Dcom.sun.management.jmxremote.ssl=false + -Dcom.sun.management.jmxremote.local.only=false restart: unless-stopped healthcheck: test: curl --fail http://cryostat:${CRYOSTAT_HTTP_PORT}/health/liveness || exit 1 diff --git a/compose/cryostat_docker.yml b/compose/cryostat_docker.yml index 84bd86501..0874e7da2 100644 --- a/compose/cryostat_docker.yml +++ b/compose/cryostat_docker.yml 
@@ -35,7 +35,17 @@ services:
 CRYOSTAT_HTTP_PROXY_TLS_ENABLED: "true"
 CRYOSTAT_DISCOVERY_DOCKER_ENABLED: "true"
 CRYOSTAT_DISCOVERY_JDP_ENABLED: "true"
- JAVA_OPTS_APPEND: "-XX:+FlightRecorder -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m -Dcom.sun.management.jmxremote.autodiscovery=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.rmi.port=9091 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false"
+ JAVA_OPTS_APPEND: >-
+ -XX:+FlightRecorder
+ -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m
+ -Dcom.sun.management.jmxremote.autodiscovery=true
+ -Dcom.sun.management.jmxremote
+ -Dcom.sun.management.jmxremote.port=9091
+ -Dcom.sun.management.jmxremote.rmi.port=9091
+ -Djava.rmi.server.hostname=127.0.0.1
+ -Dcom.sun.management.jmxremote.authenticate=false
+ -Dcom.sun.management.jmxremote.ssl=false
+ -Dcom.sun.management.jmxremote.local.only=false
 restart: unless-stopped
 healthcheck:
 test: curl --fail http://cryostat:8181/health/liveness || exit 1
diff --git a/compose/jfr-datasource.yml b/compose/jfr-datasource.yml
index c0e847485..57a7a26a7 100644
--- a/compose/jfr-datasource.yml
+++ b/compose/jfr-datasource.yml
@@ -2,7 +2,7 @@ version: "3"
 services:
 cryostat:
 environment:
- - GRAFANA_DATASOURCE_URL=http://jfr-datasource:8080
+ - GRAFANA_DATASOURCE_URL=https://jfr-datasource:8443
 jfr-datasource:
 image: ${JFR_DATASOURCE_IMAGE:-quay.io/cryostat/jfr-datasource:latest}
 hostname: jfr-datasource
@@ -20,9 +20,17 @@ services:
 io.cryostat.jmxHost: "jfr-datasource"
 io.cryostat.jmxPort: "11223"
 environment:
- JAVA_OPTS_APPEND: "-Dcom.sun.management.jmxremote.autodiscovery=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=11223 -Dcom.sun.management.jmxremote.rmi.port=11223 -Djava.rmi.server.hostname=jfr-datasource -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false"
+ JAVA_OPTS_APPEND: >-
+ -Dcom.sun.management.jmxremote.autodiscovery=true
+ -Dcom.sun.management.jmxremote
+ -Dcom.sun.management.jmxremote.port=11223
+ -Dcom.sun.management.jmxremote.rmi.port=11223
+ -Djava.rmi.server.hostname=jfr-datasource
+ -Dcom.sun.management.jmxremote.authenticate=false
+ -Dcom.sun.management.jmxremote.ssl=false
+ -Dcom.sun.management.jmxremote.local.only=false
 healthcheck:
- test: curl --fail http://localhost:8080/ || exit 1
+ test: curl --fail https://localhost:8443/ || exit 1
 retries: 3
 interval: 30s
 start_period: 30s
diff --git a/compose/reports.yml b/compose/reports.yml
index 29e7da021..9df97d149 100644
--- a/compose/reports.yml
+++ b/compose/reports.yml
@@ -17,7 +17,14 @@ services:
 labels:
 kompose.service.expose: "reports"
 environment:
- JAVA_OPTS_APPEND: "-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=11224 -Dcom.sun.management.jmxremote.rmi.port=11224 -Djava.rmi.server.hostname=reports -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false"
+ JAVA_OPTS_APPEND: >-
+ -Dcom.sun.management.jmxremote
+ -Dcom.sun.management.jmxremote.port=11224
+ -Dcom.sun.management.jmxremote.rmi.port=11224
+ -Djava.rmi.server.hostname=reports
+ -Dcom.sun.management.jmxremote.authenticate=false
+ -Dcom.sun.management.jmxremote.ssl=false
+ -Dcom.sun.management.jmxremote.local.only=false
 QUARKUS_HTTP_PORT: 10001
 healthcheck:
 test: curl --fail http://localhost:10001/ || exit 1
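Review bot: The healthcheck is switched to `curl --fail https://localhost:8443/`, and the previous hunk points `GRAFANA_DATASOURCE_URL` at `https://jfr-datasource:8443`, but nothing in either hunk configures jfr-datasource to actually serve TLS on 8443 (no certificate, keystore or secure-port setting is added), so the container will most likely be reported unhealthy and Grafana will fail to reach it. If TLS on the datasource is intended, the listener and certificate configuration belong in the same commit, and the probe needs a trust anchor for the self-signed certificate (a CA file via `--cacert` rather than a blanket `-k`); otherwise both URLs should stay on the plain-http port. Later patches in this series revert both lines to `http://...:8080`, which points to the same conclusion.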
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 6a22d0f69..a402ae504 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -34,7 +34,7 @@ cryostat.services.reports.storage-cache.enabled=true cryostat.services.reports.storage-cache.name=archivedreports cryostat.services.reports.storage-cache.expiry-duration=24h -cryostat.http.proxy.tls-enabled=true +cryostat.http.proxy.tls-enabled=false cryostat.http.proxy.host=${quarkus.http.host} cryostat.http.proxy.port=${quarkus.http.port} cryostat.http.proxy.path=/ @@ -56,6 +56,8 @@ quarkus.http.limits.max-form-attribute-size=1G quarkus.http.limits.max-body-size=1G quarkus.vertx.prefer-native-transport=true quarkus.tls.trust-all=true +quarkus.ssl.native=true +quarkus.rest-client.extensions-api.verify-host=false quarkus.smallrye-openapi.path=/api quarkus.smallrye-openapi.info-title=Cryostat API From b2e19805e37f0b7dd474f2c3497a950e38624482 Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Tue, 25 Jun 2024 14:11:47 -0400 Subject: [PATCH 17/30] fix cert CN --- compose/agent_certs/agent-keystore.p12 | Bin 3498 -> 0 bytes compose/agent_certs/agent_server.cer | Bin 1037 -> 0 bytes compose/agent_certs/generate-agent-certs.sh | 8 +++++--- compose/agent_certs/keystore.pass | 1 - compose/auth_certs/generate.sh | 0 compose/auth_proxy_alpha_config.yaml | 3 +-- compose/cryostat_docker.yml | 1 - src/main/resources/application.properties | 3 --- 8 files changed, 6 insertions(+), 10 deletions(-) delete mode 100644 compose/agent_certs/agent-keystore.p12 delete mode 100644 compose/agent_certs/agent_server.cer delete mode 100644 compose/agent_certs/keystore.pass mode change 100755 => 100644 compose/auth_certs/generate.sh 
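Review bot: The added `quarkus.rest-client.extensions-api.verify-host=false` (next to the pre-existing `quarkus.tls.trust-all=true`) lands in `src/main/resources/application.properties`, i.e. the application's shipped defaults, so every build disables hostname verification for the extensions-API client rather than only the smoketest with its self-signed certificates. If these relaxations are needed for local compose runs only, scope them with a profile prefix (`%dev.quarkus.rest-client.extensions-api.verify-host=false`) or pass them as environment from the compose files; a later patch in this series deletes the lines again, which is the safer end state. The first hunk likewise flips `cryostat.http.proxy.tls-enabled` to `false` while the compose files in this patch set `CRYOSTAT_HTTP_PROXY_TLS_ENABLED: "true"`; a one-line comment on the property saying the deployment layer is expected to override it would stop the two defaults reading as contradictory.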
diff --git a/compose/agent_certs/agent-keystore.p12 b/compose/agent_certs/agent-keystore.p12 deleted file mode 100644 index 80a9aa40a639ec49cb579590ba04d624e55f14b4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3498 zcma)9c{mh|x1Jee#xR8J%FZCe*s>I|@B5bdP_~po4JjrJV@a|TS(0t+1~K?3g_1R7 zU$QS*BRhlJ@45H+zUTgR?;qzm=e*~<=Q)3!_cicfbVbCW-)E{bNfIy8mIpX@Q^|0yN|g7>K&}4}+Q>WrtGy zH-)3FfmwEz8LI0})_G%iJXuSGB-&$7YwbWF1S1H@hk`?B{(B+_Mh!q+g~0Ac>H*!T zz(8>@WA3}0+jBt*%$#YVM<4bWVSg53WX_zCWGm_so59RnJ$?7{b-Y%<`OyTamf7z4 za7V58QN!SSm94RT1)W1dBrqxDavm1h{gnH|qJ82)vW8h`($>MIBeOYmI>XJz)Xg+L z@Of;HZ+v}jv9|X`tcw(eeZw!8_b5NmZy>k`FR$UocX`Pe!58pXe*DOQ3h2N$Q=vCkW4?pLT$~*j!D-S?NS76r#oWgU@HX_`4ZsjsCReV z*Lxm43cbs)wdqT;CIc5(HPj&y=KwS=*VYOHJ!&fvmqw zJ~=!aeJ3xz#vwSQ_3Qo7N=QB{0HK(Q(M5dL_t6Kx9pWda+==PkwYXcO@;4$Sguah zmq5h(+F-^4XtD3_aX;5VUCQ(CL*3APdMfEgQi{(sF^|yP9;u4HHR8l{vpr^FF~U+y(Lh8yjcp8}#28Y9Thth9LMRsvRAkU8hPC*m4Fjp|e1mXO6EZ z>2#R-57q})uTK?!byIW`m!SLr?qJB);ZNDGxG=u;&go$JyIqXK^&>8w*KCZRrq$Fg z7R2ao;AN*@h)K5<0(IOzWzuK$5i#*3O|ZP>w^D2P6`IWp91wg4y%6+iQrKh@E^FpC z`-BsxH(V;i(NDm_U*cK5&xbzTV%Ermr@A_nzw~X)Hjk)b3w?o$_jSh7F!{keFDkH= z$Fs}`SwnIj=Q6Yyz2EXhh(-BB3C;X((wyabnEkcsJ9s6uOen#Ly{u+PaM<|e;NzdV zljIT~7>HMTKc*_wF3u{e;;b%Zv5T|?q+n~CPKnyHHl~1d1q1)kOd6s3^&H38Sy?0?oFW;Z0Cw&OK1tcph2oEt)LGHO?Lw6#geONQL%pPSt# zhDmcr+u;l00^Bhws)N@*1>c<@_Yt|ht!eMm@Anp?D<|erqczm{n{PY6cL`?9qZOb5 zkd;s`i(xRVeY3PnWM6zkazM&|&P9}HE13P68um~;wtZYTWJy}pyUc-u|4VXnY>4#^ zVC7_yVIAn?eDk+U@m<^X8C&spA?MRh2V+-sa)Ac$+G9dc8BWpg$=#1`Pp2KB4V1)( zYw8n;nld2WhlYcSF#$Ey-d1d!C9PuMws8b;UGvJ!?4DlA{-maNR!(cK@( zlAwEl3GBN*z^?6CkQxOTZH&z)3?ql#IDxO_5U;!A7Q+6FS0K4y*UK^|XaLd#%wA$XJN_Ij4~Sq2e~ z=yJjmj5X?kxr{G^zOPee5Z8i0x=UC=XM*v9S2vNiA?fdO;)do(_)%gqk2a135o&GO zH!xhyms^UK{Z>ey;Q6lV5Km!8XzQl}W9 z=p;hgc-CKAn?Xi>Rc~dJoo~AZsXh?A-G3F#;^l_Q|BH) z*%=P&xXh99Yf6D%c`V&NHMCG3!sd{Q@X%uaA=qk*kVK9WlTxAH)X4YvfC$g8+b($J zL!^XVn2*(4mTqqr(sTEdU#b|tg5-iFx<-{%NwmaV17(2`u6O4M|1KEKs=DNm{%C=< 
zYBE@wSB)Z7GfSBhY;5U-_}t7pJhH7Dx=7=6LFcL6m*bKSR}54#_a4bAF}lM%5%7hL z%o1qBrk0t+w; zgUv>n8&R%cX$utcAGw9GNb~XV09*im0AIjkz(ar+0Qo2L0R;Ss|AROI9;5jGZD*Bc z0W(`Y@N(mmR*+V_E+?-bC!;8@h$2u+|I-A8i`8IR~$oj1g(TmtY_}GdTR*e&B(QEumd{Ef68OC##P3KleW05X6GYl zuLahW_D0Sujk`X|30YUjEN=VMi|Nk8h^y$kEYzO)A9#%4Yu9z7-xWCa5Dv7+`7DlbVV2ZB*GQ>e(|C8jA$F3YV-l(RgXZUpSMhQWbUZ?bRDMbxXKxnk>k# zX08psa&B(v=ixM33C1vrVB<93WNzpZy%7d@A;vKK2hp4T_}kbc1H*CZ#F2%Bm8=RH zJh?~G;#{3nvY}q*4r2{RpsysxoY$0Z6?5I`nyH6!-k4(R{w}^br6VbG#*!_mMs0yl zExLfl#swJn%gMRz;4O)U7l9E%onOui8FVs8h}8z%zRBJ>>o~5XAgKSRq&|S@%%9S# zUc`F5qG;Tkr0PAmSzXG?wfi1eICyrxg~JRu$q}i{?5t)*f^$67^kfo3E&1|`pS}1N zU=To|TaU4QftWl9bs3wi_$v8w>u5UTW2o1{dcB#9RCHQsh3U+g)lq>L>I;3&+10;X zZ()|(V<%{>}9*p&L)1%P(oaMrfi+1k)&@*Y9%_3HblM|0Gby&Vrz==FFl7mFI5T{7-El;O|= z`XF@%24yVoB=%Y7^*k|Cfe0JmMBHSATwQXm)cQ8;;>2C*O4|I;`F*Sj)s^B$zOmY4 z{FQN4;5+5G*A)<)VE}brTriV^cOLA#*JKd-jLv_{#m}5}{)yBts~H=2&(4LWi&+x( zy(_GZXQZ0H4K5_}&aoy|!wDr`6uj6J*L&CV@#MArh?PDm3$&UTkCU(2PywpZXA5Ce z)sgt3&PZ5GwBJ6fG1<5F^dd;N+kDQy+;(wXFHb>*1T8Z zPuyfk>3^GGKam9?J3%0#T{yCAfMeEan2TaVW-6V&f)@*rH7M() zH+z(1zE&*VT3m$6D?Tk}ABc)k$PF*fGWff+-&#CZuBz>JLd-{afan4l_&CAOct<|v z#<#I+nf(T`jn8&Q7pO>RNhipU!Ip&hylT2`Z9w!lZe%i#kN9!!%J_g*;=0Foj>lrw z2?1M5!{5@ekXYqg1pK|7S4vfqR!BFsTH%z>hQ*`zcA9Wl^XlB?tMaCMK4e#Gs&(*q zw&=&`mE98fX&nKPLi#=!$9cHfA2u?$flVcO+}%#LlZ=K>SMtG7n5To65JdJ0!|&lY zwj%%LJ`+frn%jg{j&%NmXenM&P?jZ@K)l)G9Ot z>C-z!C)xvUKIxWB{IpKP`q?B%jN8_;0%eSnM$!NCzkq<$05D&(+tsN^p%qiMd#AN85K^Mn)c11_NV5ZUas>=1>+k zVJ2rsLqP+65Qj^c!?~z3zqll^1SZ5R%#jQgGLRGJH8L?UGc-3eH#RjfiUM*?k+|d; z+QhgB*>Q}l49rc8{R{?8j9pAkjExK{9rzYbdp>`^@*$ZOt=3sK8NWSq>!iM^ZF+oo zvy`{R1+O&0>wY#<54rwaH91$g%FD0B`n>T&j^Ou?4msUxSAVFPE$+`wLj+e@U8l*WvWV z85}FV+&FY# znkL8i^!mAw0~JEiLyxy`-Zsqow=7YlV+7 zCAI-&#i6?^=Qvac1-O}I)r2s}3K%oJ^$vU94d+ve7nQISS6c$}}w4b^0NL_*J|Gbnn4#sPyIzQ!@QgMB= zu)j6;XO`8EiUJl#cdeUxtBd2zgLCsLFO^P-i2kP7uAR;BWB#(}#m}c(Ex9sIr84)za}Xf_)YP8_%hMwbt+5Dp4vXHSiG@u#d;1&F4k?K`{chk zA6ghM+#dY?{-Txs?fu!0p9%HvkPVrdYsvbay>R)8E#EQ@O1(e0^ld@&nuC{SYl_@6 
zj}c^BdMI1p#LMQ~1wnno8As2H_<0nWScUE0r572YEo|j?Pqf0#dBqOhC#&KZzVdar z7MD*uHsjmH{6GAb{Le1@*=6)H?&6Y;PoWoQ@W_`O;F&1G@hh-&hS7##o)Q)TyZ&EW zZElt8DmGM^S_=nrZ%^Elyn4Z^8 $SSL_KEYSTORE_PASS_FILE keytool \ -genkeypair -v \ - -alias custom-cryostat \ - -dname "cn=cryostat, o=Cryostat, c=CA" \ + -alias quarkus-test-agent \ + -dname "CN=quarkus-test-agent, O=Cryostat, C=CA" \ -storetype PKCS12 \ -validity 365 \ -keyalg RSA \ @@ -52,7 +52,9 @@ keytool \ keytool \ -exportcert -v \ - -alias custom-cryostat \ + -alias quarkus-test-agent \ -keystore "$SSL_KEYSTORE" \ -storepass "$SSL_KEYSTORE_PASS" \ -file agent_server.cer + +cp agent_server.cer "$CERTS_DIR/../../truststore/quarkus-test-agent.cer" diff --git a/compose/agent_certs/keystore.pass b/compose/agent_certs/keystore.pass deleted file mode 100644 index e14287c54..000000000 --- a/compose/agent_certs/keystore.pass +++ /dev/null @@ -1 +0,0 @@ -yRqnnF6MIB2czgtDulVrgCY_d2OnQ7st diff --git a/compose/auth_certs/generate.sh b/compose/auth_certs/generate.sh old mode 100755 new mode 100644 diff --git a/compose/auth_proxy_alpha_config.yaml b/compose/auth_proxy_alpha_config.yaml index d99074172..8f7f9a57c 100644 --- a/compose/auth_proxy_alpha_config.yaml +++ b/compose/auth_proxy_alpha_config.yaml @@ -1,6 +1,5 @@ server: - BindAddress: http://0.0.0.0:8080 - SecureBindAddress: :8443 + SecureBindAddress: 0.0.0.0:8443 TLS: Key: fromFile: /certs/private.key diff --git a/compose/cryostat_docker.yml b/compose/cryostat_docker.yml index 0874e7da2..14a3f30fb 100644 --- a/compose/cryostat_docker.yml +++ b/compose/cryostat_docker.yml @@ -32,7 +32,6 @@ services: QUARKUS_HTTP_HOST: "cryostat" CRYOSTAT_HTTP_PROXY_HOST: "auth" CRYOSTAT_HTTP_PROXY_PORT: "8080" - CRYOSTAT_HTTP_PROXY_TLS_ENABLED: "true" CRYOSTAT_DISCOVERY_DOCKER_ENABLED: "true" CRYOSTAT_DISCOVERY_JDP_ENABLED: "true" JAVA_OPTS_APPEND: >- diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index a402ae504..10d21479a 100644 
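Review bot: In the `@@ -52,7 +52,9 @@` hunk of generate-agent-certs.sh, the new `cp agent_server.cer "$CERTS_DIR/../../truststore/quarkus-test-agent.cer"` reads the certificate relative to the current working directory (as does keytool's `-file agent_server.cer` just above it) but writes relative to `$CERTS_DIR`, so the script only works when run from the certs directory unless it changes directory earlier, which this hunk does not show; anchoring both on `$CERTS_DIR` (`-file "$CERTS_DIR/agent_server.cer"` and `cp "$CERTS_DIR/agent_server.cer" ...`) removes that dependency, and the `../../truststore` target deserves a comment naming the directory it resolves to. The same commit deletes `compose/agent_certs/keystore.pass`, whose literal value stays in git history; since the script now appears to write a fresh password to `$SSL_KEYSTORE_PASS_FILE`, nothing should keep accepting the old committed value, and a note in the README or commit message that the checked-in keystore/password pair was a disposable test artifact would save the next reader a question.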
--- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -55,9 +55,6 @@ quarkus.http.body.delete-uploaded-files-on-end=true quarkus.http.limits.max-form-attribute-size=1G quarkus.http.limits.max-body-size=1G quarkus.vertx.prefer-native-transport=true -quarkus.tls.trust-all=true -quarkus.ssl.native=true -quarkus.rest-client.extensions-api.verify-host=false quarkus.smallrye-openapi.path=/api quarkus.smallrye-openapi.info-title=Cryostat API From a4edd91b912343f94642b7539155dd6a655f9eee Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Thu, 27 Jun 2024 14:13:12 -0400 Subject: [PATCH 18/30] update https redirect to http --- compose/auth_proxy.yml | 16 +++++++++------- compose/auth_proxy_alpha_config.yaml | 10 ++-------- compose/cryostat-grafana.yml | 4 ++-- compose/cryostat.yml | 2 +- compose/cryostat_docker.yml | 2 +- compose/grafana_no_proxy.yml | 2 +- compose/jfr-datasource.yml | 6 +++--- compose/reports.yml | 2 +- compose/s3-seaweed.yml | 2 +- compose/s3_no_proxy.yml | 2 +- 10 files changed, 22 insertions(+), 26 deletions(-) diff --git a/compose/auth_proxy.yml b/compose/auth_proxy.yml index 0b656fbd9..4cf066aa6 100644 --- a/compose/auth_proxy.yml +++ b/compose/auth_proxy.yml @@ -5,7 +5,7 @@ services: - "${CRYOSTAT_HTTP_PORT}" environment: CRYOSTAT_HTTP_PROXY_HOST: auth - CRYOSTAT_HTTP_PROXY_PORT: '8443' + CRYOSTAT_HTTP_PROXY_PORT: "8080" CRYOSTAT_HTTP_PROXY_TLS_ENABLED: "true" QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING: "true" QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED: "true" 
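Review bot: `CRYOSTAT_HTTP_PROXY_PORT` goes back to `"8080"` while the unchanged next line keeps `CRYOSTAT_HTTP_PROXY_TLS_ENABLED: "true"`, so Cryostat will build `https://...:8080` URLs for a proxy that this commit reconfigures to plain http on 8080 (the redirect URL and healthcheck in the following hunk are both `http://localhost:8080`). Either add `CRYOSTAT_HTTP_PROXY_TLS_ENABLED: "false"` in this hunk or leave the proxy on TLS; the two settings have to move together or the generated links and the OAuth redirect flow disagree on the scheme.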
@@ -33,26 +33,28 @@ services:
 cpus: "0.1"
 memory: 32m
 image: ${OAUTH2_PROXY_IMAGE:-quay.io/oauth2-proxy/oauth2-proxy:latest}
- command: --alpha-config=/tmp/auth_proxy_alpha_config.yaml
+ command:
+ - --alpha-config=/tmp/auth_proxy_alpha_config.yaml
 volumes:
 - auth_proxy_cfg:/tmp
 - auth_proxy_certs:/certs
 hostname: auth
 ports:
+ - "8080:8080"
 - "8443:8443"
 labels:
 kompose.service.expose: "auth"
 environment:
 OAUTH2_PROXY_HTPASSWD_FILE: /tmp/auth_proxy_htpasswd
 OAUTH2_PROXY_HTPASSWD_USER_GROUP: write
- OAUTH2_PROXY_REDIRECT_URL: https://localhost:8443/oauth2/callback
+ OAUTH2_PROXY_REDIRECT_URL: http://localhost:8080/oauth2/callback
 OAUTH2_PROXY_COOKIE_SECRET: __24_BYTE_COOKIE_SECRET_
- OAUTH2_PROXY_SKIP_AUTH_ROUTES: ^/health.*
- PROXY_PROTOCOL: https
- PROXY_PORT: 8443
+ OAUTH2_PROXY_SKIP_AUTH_ROUTES: "^/health(/liveness)?$$"
+ PROXY_PROTOCOL: http
+ PROXY_PORT: 8080
 restart: unless-stopped
 healthcheck:
- test: wget -q --spider https://auth:8443/ping || exit 1
+ test: wget -q --spider http://localhost:8080/ping || exit 1
 interval: 10s
 retries: 3
 start_period: 30s
diff --git a/compose/auth_proxy_alpha_config.yaml b/compose/auth_proxy_alpha_config.yaml
index 8f7f9a57c..25efaceac 100644
--- a/compose/auth_proxy_alpha_config.yaml
+++ b/compose/auth_proxy_alpha_config.yaml
@@ -1,5 +1,6 @@
 server:
- SecureBindAddress: 0.0.0.0:8443
+ BindAddress: http://0.0.0.0:8080
+ SecureBindAddress: :8443
 TLS:
 Key:
 fromFile: /certs/private.key
@@ -26,10 +27,3 @@ providers:
 clientId: CLIENT_ID
 clientSecret: CLIENT_SECRET
 provider: google
-injectRequestHeaders:
- - name: "X-Forwarded-Proto"
- values:
- - fromEnv: PROXY_PROTOCOL
- - name: "X-Forwarded-Port"
- values:
- - fromEnv: PROXY_PORT
diff --git a/compose/cryostat-grafana.yml b/compose/cryostat-grafana.yml
index 7289cf26d..322656c22 100644
--- a/compose/cryostat-grafana.yml
+++ b/compose/cryostat-grafana.yml
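Review bot: `PROXY_PROTOCOL: http` and `PROXY_PORT: 8080` are kept in the `auth` environment, but the `@@ -26,10 +27,3 @@` hunk of auth_proxy_alpha_config.yaml in the same commit deletes the `injectRequestHeaders` block that consumed them via `fromEnv`, so they now have no visible reader. Dropping the injection also means `X-Forwarded-Proto`/`X-Forwarded-Port` are no longer pinned by the proxy, and the cryostat service is configured to honour forwarded headers (`QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED: "true"`), so its view of scheme and port now depends on whatever the proxy passes through rather than on a value the deployment controls; if that is intended, remove the two variables, otherwise keep the injection block and point it at the new values. The tightened `OAUTH2_PROXY_SKIP_AUTH_ROUTES: "^/health(/liveness)?$$"` is a good change — the previous `^/health.*` exempted every path under that prefix from authentication.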
@@ -11,13 +11,13 @@ services: deploy: resources: limits: - cpus: '0.1' + cpus: "0.1" memory: 256m environment: - GF_INSTALL_PLUGINS=grafana-simple-json-datasource - GF_AUTH_ANONYMOUS_ENABLED=true - GF_SERVER_DOMAIN=localhost - - GF_SERVER_ROOT_URL=https://localhost:8443/grafana/ + - GF_SERVER_ROOT_URL=http://localhost:8080/grafana/ - GF_SERVER_SERVE_FROM_SUB_PATH=true - JFR_DATASOURCE_URL=http://jfr-datasource:8080 expose: diff --git a/compose/cryostat.yml b/compose/cryostat.yml index 42a6e6d9b..eb6953872 100644 --- a/compose/cryostat.yml +++ b/compose/cryostat.yml @@ -4,7 +4,7 @@ services: deploy: resources: limits: - cpus: '2' + cpus: "2" memory: 512m image: ${CRYOSTAT_IMAGE:-quay.io/cryostat/cryostat:latest} volumes: diff --git a/compose/cryostat_docker.yml b/compose/cryostat_docker.yml index 14a3f30fb..cb67c20da 100644 --- a/compose/cryostat_docker.yml +++ b/compose/cryostat_docker.yml @@ -9,7 +9,7 @@ services: deploy: resources: limits: - cpus: '2' + cpus: "2" memory: 512m image: ${CRYOSTAT_IMAGE:-quay.io/cryostat/cryostat:latest} volumes: diff --git a/compose/grafana_no_proxy.yml b/compose/grafana_no_proxy.yml index 8e1b1997d..577834e8f 100644 --- a/compose/grafana_no_proxy.yml +++ b/compose/grafana_no_proxy.yml @@ -6,7 +6,7 @@ services: - GRAFANA_DASHBOARD_URL=http://grafana:3000 grafana: ports: - - '3000:3000' + - "3000:3000" environment: - GF_SERVER_DOMAIN= - GF_SERVER_ROOT_URL= diff --git a/compose/jfr-datasource.yml b/compose/jfr-datasource.yml index 57a7a26a7..692a1a664 100644 --- a/compose/jfr-datasource.yml +++ b/compose/jfr-datasource.yml @@ -2,7 +2,7 @@ version: "3" services: cryostat: environment: - - GRAFANA_DATASOURCE_URL=https://jfr-datasource:8443 + - GRAFANA_DATASOURCE_URL=http://jfr-datasource:8080 jfr-datasource: image: ${JFR_DATASOURCE_IMAGE:-quay.io/cryostat/jfr-datasource:latest} hostname: jfr-datasource @@ -10,7 +10,7 @@ services: deploy: resources: limits: - cpus: '0.4' + cpus: "0.4" memory: 512m expose: - "8080" 
@@ -30,7 +30,7 @@ services: -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false healthcheck: - test: curl --fail https://localhost:8443/ || exit 1 + test: curl --fail http://localhost:8080/ || exit 1 retries: 3 interval: 30s start_period: 30s diff --git a/compose/reports.yml b/compose/reports.yml index 9df97d149..0a1849851 100644 --- a/compose/reports.yml +++ b/compose/reports.yml @@ -10,7 +10,7 @@ services: deploy: resources: limits: - cpus: '0.5' + cpus: "0.5" memory: 512m expose: - "10001" diff --git a/compose/s3-seaweed.yml b/compose/s3-seaweed.yml index d4ef60ddd..4d796e313 100644 --- a/compose/s3-seaweed.yml +++ b/compose/s3-seaweed.yml @@ -25,7 +25,7 @@ services: CRYOSTAT_SECRET_KEY: secret_key DATA_DIR: /data IP_BIND: 0.0.0.0 - WEED_V: '4' # glog logging level + WEED_V: "4" # glog logging level volumes: - seaweed_data:/data ports: diff --git a/compose/s3_no_proxy.yml b/compose/s3_no_proxy.yml index 0569cf7f6..b47d0f631 100644 --- a/compose/s3_no_proxy.yml +++ b/compose/s3_no_proxy.yml @@ -5,4 +5,4 @@ services: - "${STORAGE_PORT}:${STORAGE_PORT}" cryostat: environment: - STORAGE_EXT_URL: '' + STORAGE_EXT_URL: "" From 10159204d5496b067b81462f5fd96d0568f430a3 Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Tue, 2 Jul 2024 12:26:21 -0400 Subject: [PATCH 19/30] https default protocol --- compose/auth_proxy.yml | 13 ++++--- ...yaml => auth_proxy_alpha_config_http.yaml} | 6 ---- compose/auth_proxy_alpha_config_https.yaml | 35 +++++++++++++++++++ compose/cryostat-grafana.yml | 2 +- compose/jfr-datasource.yml | 2 +- compose/sample-apps.yml | 8 ++--- smoketest.bash | 14 ++++++-- 7 files changed, 59 insertions(+), 21 deletions(-) rename compose/{auth_proxy_alpha_config.yaml => auth_proxy_alpha_config_http.yaml} (80%) create mode 100644 compose/auth_proxy_alpha_config_https.yaml diff --git a/compose/auth_proxy.yml b/compose/auth_proxy.yml index 4cf066aa6..10f6fd6f3 100644 --- a/compose/auth_proxy.yml +++ b/compose/auth_proxy.yml 
@@ -5,7 +5,7 @@ services:
 - "${CRYOSTAT_HTTP_PORT}"
 environment:
 CRYOSTAT_HTTP_PROXY_HOST: auth
- CRYOSTAT_HTTP_PROXY_PORT: "8080"
+ CRYOSTAT_HTTP_PROXY_PORT: "${CRYOSTAT_PROXY_PORT}"
 CRYOSTAT_HTTP_PROXY_TLS_ENABLED: "true"
 QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING: "true"
 QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED: "true"
@@ -40,21 +40,20 @@ services:
 - auth_proxy_certs:/certs
 hostname: auth
 ports:
- - "8080:8080"
- - "8443:8443"
+ - "${CRYOSTAT_PROXY_PORT}:${CRYOSTAT_PROXY_PORT}"
 labels:
 kompose.service.expose: "auth"
 environment:
 OAUTH2_PROXY_HTPASSWD_FILE: /tmp/auth_proxy_htpasswd
 OAUTH2_PROXY_HTPASSWD_USER_GROUP: write
- OAUTH2_PROXY_REDIRECT_URL: http://localhost:8080/oauth2/callback
+ OAUTH2_PROXY_REDIRECT_URL: ${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/oauth2/callback
 OAUTH2_PROXY_COOKIE_SECRET: __24_BYTE_COOKIE_SECRET_
 OAUTH2_PROXY_SKIP_AUTH_ROUTES: "^/health(/liveness)?$$"
- PROXY_PROTOCOL: http
- PROXY_PORT: 8080
+ CRYOSTAT_PROXY_PROTOCOL: ${CRYOSTAT_PROXY_PROTOCOL}
+ CRYOSTAT_PROXY_PORT: ${CRYOSTAT_PROXY_PORT}
 restart: unless-stopped
 healthcheck:
- test: wget -q --spider http://localhost:8080/ping || exit 1
+ test: wget -q --spider ${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/ping || exit 1
 interval: 10s
 retries: 3
 start_period: 30s
diff --git a/compose/auth_proxy_alpha_config.yaml b/compose/auth_proxy_alpha_config_http.yaml
similarity index 80%
rename from compose/auth_proxy_alpha_config.yaml
rename to compose/auth_proxy_alpha_config_http.yaml
index 25efaceac..676f55b2b 100644
--- a/compose/auth_proxy_alpha_config.yaml
+++ b/compose/auth_proxy_alpha_config_http.yaml
@@ -1,11 +1,5 @@
 server:
 BindAddress: http://0.0.0.0:8080
- SecureBindAddress: :8443
- TLS:
- Key:
- fromFile: /certs/private.key
- Cert:
- fromFile: /certs/certificate.pem
 upstreamConfig:
 proxyRawPath: true
 upstreams:
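Review bot: `CRYOSTAT_PROXY_PROTOCOL: ${CRYOSTAT_PROXY_PROTOCOL}` and `CRYOSTAT_PROXY_PORT: ${CRYOSTAT_PROXY_PORT}` are the only interpolated values in the hunk left unquoted (compare `- "${CRYOSTAT_PROXY_PORT}:${CRYOSTAT_PROXY_PORT}"` a few lines up); quote them so the file follows one convention for interpolated scalars. The healthcheck `wget -q --spider ${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/ping` now probes over TLS in https mode against the self-signed certificate mounted from `/certs`; whether the image's wget verifies the peer is not visible here, so confirm the probe passes in that mode rather than leaving the service permanently unhealthy, and if verification is what fails, prefer pointing the probe at a CA the container trusts over disabling checks.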
diff --git a/compose/auth_proxy_alpha_config_https.yaml b/compose/auth_proxy_alpha_config_https.yaml
new file mode 100644
index 000000000..14842b442
--- /dev/null
+++ b/compose/auth_proxy_alpha_config_https.yaml
@@ -0,0 +1,35 @@
+server:
+ SecureBindAddress: 0.0.0.0:8443
+ TLS:
+ Key:
+ fromFile: /certs/private.key
+ Cert:
+ fromFile: /certs/certificate.pem
+upstreamConfig:
+ proxyRawPath: true
+ upstreams:
+ - id: cryostat
+ path: /
+ uri: http://cryostat:8181
+ - id: grafana
+ path: /grafana/
+ uri: http://grafana:3000
+ - id: storage
+ path: ^/storage/(.*)$
+ rewriteTarget: /$1
+ uri: http://s3:${STORAGE_PORT}
+ passHostHeader: false
+ proxyWebSockets: false
+providers:
+ - id: dummy
+ name: Unused - Sign In Below
+ clientId: CLIENT_ID
+ clientSecret: CLIENT_SECRET
+ provider: google
+injectRequestHeaders:
+ - name: "X-Forwarded-Proto"
+ values:
+ - fromEnv: CRYOSTAT_PROXY_PROTOCOL
+ - name: "X-Forwarded-Port"
+ values:
+ - fromEnv: CRYOSTAT_PROXY_PORT
diff --git a/compose/cryostat-grafana.yml b/compose/cryostat-grafana.yml
index 322656c22..3c030bc38 100644
--- a/compose/cryostat-grafana.yml
+++ b/compose/cryostat-grafana.yml
@@ -17,7 +17,7 @@ services:
 - GF_INSTALL_PLUGINS=grafana-simple-json-datasource
 - GF_AUTH_ANONYMOUS_ENABLED=true
 - GF_SERVER_DOMAIN=localhost
- - GF_SERVER_ROOT_URL=http://localhost:8080/grafana/
+ - GF_SERVER_ROOT_URL=${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/grafana/
 - GF_SERVER_SERVE_FROM_SUB_PATH=true
 - JFR_DATASOURCE_URL=http://jfr-datasource:8080
 expose:
diff --git a/compose/jfr-datasource.yml b/compose/jfr-datasource.yml
index 692a1a664..ca6b0bcd6 100644
--- a/compose/jfr-datasource.yml
+++ b/compose/jfr-datasource.yml
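Review bot: The new file repeats the `upstreamConfig` and `providers` sections of auth_proxy_alpha_config_http.yaml verbatim and differs only in the `server` block and the added `injectRequestHeaders`, so the two copies will drift as upstreams change; a header comment such as `# HTTPS variant of auth_proxy_alpha_config_http.yaml: only the server/TLS block and injectRequestHeaders differ - keep the rest in sync` would at least make that explicit. For the injected `X-Forwarded-Proto`/`X-Forwarded-Port` headers the intent is presumably that the proxy's value replaces anything the client sent, since cryostat trusts forwarded headers (`QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED: "true"` elsewhere in this series); that holds only if oauth2-proxy's `preserveRequestValue` is left at its default for these entries, which is worth confirming and recording in a short comment on the block.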
@@ -30,7 +30,7 @@ services: -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false healthcheck: - test: curl --fail http://localhost:8080/ || exit 1 + test: curl --fail ${CRYOSTAT_PROXY_PROTOCOL}://localhost:${CRYOSTAT_PROXY_PORT}/ || exit 1 retries: 3 interval: 30s start_period: 30s diff --git a/compose/sample-apps.yml b/compose/sample-apps.yml index e620987f7..1d47eb6b6 100644 --- a/compose/sample-apps.yml +++ b/compose/sample-apps.yml @@ -16,7 +16,7 @@ services: CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-1" CRYOSTAT_AGENT_WEBSERVER_PORT: "8910" CRYOSTAT_AGENT_CALLBACK: "http://sample-app-1:8910/" - CRYOSTAT_AGENT_BASEURI: "https://${CRYOSTAT_HTTP_HOST}:8443/" + CRYOSTAT_AGENT_BASEURI: "${CRYOSTAT_PROXY_PROTOCOL}://${CRYOSTAT_HTTP_HOST}:${CRYOSTAT_PROXY_PORT}/" CRYOSTAT_AGENT_TRUST_ALL: "true" CRYOSTAT_AGENT_AUTHORIZATION_TYPE: basic CRYOSTAT_AGENT_AUTHORIZATION_VALUE: user:pass @@ -48,7 +48,7 @@ services: CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-2" CRYOSTAT_AGENT_WEBSERVER_PORT: "8911" CRYOSTAT_AGENT_CALLBACK: "http://sample-app-2:8911/" - CRYOSTAT_AGENT_BASEURI: "https://${CRYOSTAT_HTTP_HOST}:8443/" + CRYOSTAT_AGENT_BASEURI: "${CRYOSTAT_PROXY_PROTOCOL}://${CRYOSTAT_HTTP_HOST}:${CRYOSTAT_PROXY_PORT}/" CRYOSTAT_AGENT_TRUST_ALL: "true" CRYOSTAT_AGENT_AUTHORIZATION_TYPE: basic CRYOSTAT_AGENT_AUTHORIZATION_VALUE: user:pass @@ -81,7 +81,7 @@ services: CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-3" CRYOSTAT_AGENT_WEBSERVER_PORT: "8912" CRYOSTAT_AGENT_CALLBACK: "http://sample-app-3:8912/" - CRYOSTAT_AGENT_BASEURI: "https://${CRYOSTAT_HTTP_HOST}:8443/" + CRYOSTAT_AGENT_BASEURI: "${CRYOSTAT_PROXY_PROTOCOL}://${CRYOSTAT_HTTP_HOST}:${CRYOSTAT_PROXY_PORT}/" CRYOSTAT_AGENT_TRUST_ALL: "true" CRYOSTAT_AGENT_AUTHORIZATION_TYPE: basic CRYOSTAT_AGENT_AUTHORIZATION_VALUE: user:pass 
@@ -144,7 +144,7 @@ services: CRYOSTAT_AGENT_WEBSERVER_HOST: quarkus-test-agent CRYOSTAT_AGENT_WEBSERVER_PORT: 9977 CRYOSTAT_AGENT_CALLBACK: https://quarkus-test-agent:9977/ - CRYOSTAT_AGENT_BASEURI: https://${CRYOSTAT_HTTP_HOST}:8443/ + CRYOSTAT_AGENT_BASEURI: ${CRYOSTAT_PROXY_PROTOCOL}://${CRYOSTAT_HTTP_HOST}:${CRYOSTAT_PROXY_PORT}/ CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_PASS: /certs/keystore.pass CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_FILE: /certs/agent-keystore.p12 CRYOSTAT_AGENT_WEBSERVER_TLS_CERT_FILE: /certs/agent_server.cer diff --git a/smoketest.bash b/smoketest.bash index 27af18dc4..2f808bb64 100755 --- a/smoketest.bash +++ b/smoketest.bash @@ -24,6 +24,7 @@ CRYOSTAT_HTTP_PORT=${CRYOSTAT_HTTP_PORT:-8080} USE_PROXY=${USE_PROXY:-true} DEPLOY_GRAFANA=${DEPLOY_GRAFANA:-true} DRY_RUN=${DRY_RUN:-false} +USE_HTTPS=${USE_HTTPS:-false} display_usage() { echo "Usage:" @@ -97,11 +98,18 @@ if [ "${DEPLOY_GRAFANA}" = "true" ]; then ) fi - +CRYOSTAT_PROXY_PORT=8080 +CRYOSTAT_PROXY_PROTOCOL=http +AUTH_PROXY_ALPHA_CONFIG_FILE=auth_proxy_alpha_config_http if [ "${USE_PROXY}" = "true" ]; then FILES+=("${DIR}/compose/auth_proxy.yml") CRYOSTAT_HTTP_HOST=auth CRYOSTAT_HTTP_PORT=8181 + if [ "${USE_HTTPS}" = "true" ]; then + CRYOSTAT_PROXY_PORT=8443 + CRYOSTAT_PROXY_PROTOCOL=https + AUTH_PROXY_ALPHA_CONFIG_FILE=auth_proxy_alpha_config_https + fi else FILES+=("${DIR}/compose/no_proxy.yml") if [ "${s3}" != "none" ]; then @@ -116,6 +124,8 @@ export CRYOSTAT_HTTP_HOST export CRYOSTAT_HTTP_PORT export GRAFANA_DASHBOARD_EXT_URL export DATABASE_GENERATION +export CRYOSTAT_PROXY_PORT +export CRYOSTAT_PROXY_PROTOCOL s3Manifest="${DIR}/compose/s3-${s3}.yml" if [ ! -f "${s3Manifest}" ]; then 
@@ -209,7 +219,7 @@ createProxyCfgVolume() { local cfg cfg="$(mktemp)" chmod 644 "${cfg}" - envsubst '$STORAGE_PORT' < "${DIR}/compose/auth_proxy_alpha_config.yaml" > "${cfg}" + envsubst '$STORAGE_PORT' < "${DIR}/compose/${AUTH_PROXY_ALPHA_CONFIG_FILE}.yaml" > "${cfg}" "${container_engine}" cp "${DIR}/compose/auth_proxy_htpasswd" proxy_cfg_helper:/tmp/auth_proxy_htpasswd "${container_engine}" cp "${cfg}" proxy_cfg_helper:/tmp/auth_proxy_alpha_config.yaml } From 7b23ad924c8b71649360db3b4ad5f4c572868492 Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Tue, 2 Jul 2024 13:22:00 -0400 Subject: [PATCH 20/30] add -k flag for http --- smoketest.bash | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/smoketest.bash b/smoketest.bash index 2f808bb64..065cf503a 100755 --- a/smoketest.bash +++ b/smoketest.bash @@ -40,11 +40,12 @@ display_usage() { echo -e "\t-c [podman|docker]\t\t\t\tUse Podman or Docker Container Engine (default \"podman\")." echo -e "\t-b\t\t\t\t\t\tOpen a Browser tab for each running service's first mapped port (ex. auth proxy login, database viewer)" echo -e "\t-n\t\t\t\t\t\tDo Not apply configuration changes, instead emit the compose YAML that would have been used to stdout." + echo -e "\t-k\t\t\t\t\t\tEnable http protocol" } s3=seaweed ce=podman -while getopts "hs:prGtOVXcbn" opt; do +while getopts "hs:prGtOVXcbnk" opt; do case $opt in h) display_usage @@ -84,6 +85,9 @@ while getopts "hs:prGtOVXcbn" opt; do n) DRY_RUN=true ;; + k) + USE_HTTPS=false + ;; *) display_usage exit 1 From 312326bd9f85042b50aececff6cf0e81ea5d6658 Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Tue, 2 Jul 2024 13:28:29 -0400 Subject: [PATCH 21/30] reviews --- smoketest.bash | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/smoketest.bash b/smoketest.bash index 065cf503a..8007aa8e8 100755 --- a/smoketest.bash +++ b/smoketest.bash 
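Review bot: The usage text `echo -e "\t-k\t\t\t\t\t\tEnable http protocol"` describes `-k` as enabling http, but the handler sets `USE_HTTPS=false`, i.e. it turns TLS off for the auth proxy; wording such as `Use plain HTTP for the auth proxy instead of HTTPS (disables TLS)` says what the flag does and avoids confusion with curl's `-k`. Note that at this point in the series `USE_HTTPS` still defaults to `false` (the `@@ -24,6 +24,7 @@` hunk of the previous commit), so `-k` is a no-op until the following commit flips the default to `true`.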
@@ -24,7 +24,7 @@ CRYOSTAT_HTTP_PORT=${CRYOSTAT_HTTP_PORT:-8080} USE_PROXY=${USE_PROXY:-true} DEPLOY_GRAFANA=${DEPLOY_GRAFANA:-true} DRY_RUN=${DRY_RUN:-false} -USE_HTTPS=${USE_HTTPS:-false} +USE_HTTPS=${USE_HTTPS:-true} display_usage() { echo "Usage:" @@ -243,7 +243,7 @@ createProxyCertsVolume() { exit 2 fi } -if [ "${USE_PROXY}" = "true" ]; then +if [ "${USE_PROXY}" = "true" ] && [ "${USE_HTTPS}" = "true" ]; then createProxyCertsVolume fi From 42dc1d21b136f6bd73bb29970f01f4cb69e43564 Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Tue, 2 Jul 2024 13:36:08 -0400 Subject: [PATCH 22/30] remove HTTPS check for auth_certs --- smoketest.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/smoketest.bash b/smoketest.bash index 8007aa8e8..2fa46774e 100755 --- a/smoketest.bash +++ b/smoketest.bash @@ -243,7 +243,7 @@ createProxyCertsVolume() { exit 2 fi } -if [ "${USE_PROXY}" = "true" ] && [ "${USE_HTTPS}" = "true" ]; then +if [ "${USE_PROXY}" = "true" ]; then createProxyCertsVolume fi From 28e053bbde03449a659728ce0c78760f34dd366e Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Tue, 2 Jul 2024 13:59:01 -0400 Subject: [PATCH 23/30] auth_proxy_https.yml --- compose/auth_proxy.yml | 3 --- compose/auth_proxy_https.yml | 9 +++++++++ smoketest.bash | 3 ++- 3 files changed, 11 insertions(+), 4 deletions(-) create mode 100644 compose/auth_proxy_https.yml diff --git a/compose/auth_proxy.yml b/compose/auth_proxy.yml index 10f6fd6f3..bd0fbd73b 100644 --- a/compose/auth_proxy.yml +++ b/compose/auth_proxy.yml @@ -37,7 +37,6 @@ services: - --alpha-config=/tmp/auth_proxy_alpha_config.yaml volumes: - auth_proxy_cfg:/tmp - - auth_proxy_certs:/certs hostname: auth ports: - "${CRYOSTAT_PROXY_PORT}:${CRYOSTAT_PROXY_PORT}" @@ -62,5 +61,3 @@ services: volumes: auth_proxy_cfg: external: true - auth_proxy_certs: - external: true diff --git a/compose/auth_proxy_https.yml b/compose/auth_proxy_https.yml new file mode 100644 index 000000000..9556b5e6c --- /dev/null 
+++ b/compose/auth_proxy_https.yml @@ -0,0 +1,9 @@ +version: "3" +services: + auth: + volumes: + - auth_proxy_certs:/certs + +volumes: + auth_proxy_certs: + external: true diff --git a/smoketest.bash b/smoketest.bash index 2fa46774e..1544fcc08 100755 --- a/smoketest.bash +++ b/smoketest.bash @@ -110,6 +110,7 @@ if [ "${USE_PROXY}" = "true" ]; then CRYOSTAT_HTTP_HOST=auth CRYOSTAT_HTTP_PORT=8181 if [ "${USE_HTTPS}" = "true" ]; then + FILES+=("${DIR}/compose/auth_proxy_https.yml") CRYOSTAT_PROXY_PORT=8443 CRYOSTAT_PROXY_PROTOCOL=https AUTH_PROXY_ALPHA_CONFIG_FILE=auth_proxy_alpha_config_https @@ -243,7 +244,7 @@ createProxyCertsVolume() { exit 2 fi } -if [ "${USE_PROXY}" = "true" ]; then +if [ "${USE_PROXY}" = "true" ] && [ "${USE_HTTPS}" = "true" ]; then createProxyCertsVolume fi From 4f926154aeaa8b3d71b487b0ee4e9a2329a652a1 Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Wed, 3 Jul 2024 09:43:33 -0400 Subject: [PATCH 24/30] generate certs in smoketest --- README.md | 2 -- compose/auth_proxy.yml | 3 +-- compose/auth_proxy_https.yml | 4 ++++ compose/sample-apps.yml | 7 +----- compose/sample-apps_https.yml | 10 ++++++++ smoketest.bash | 45 +++++++++++++++++++++++++++-------- 6 files changed, 51 insertions(+), 20 deletions(-) create mode 100644 compose/sample-apps_https.yml diff --git a/README.md b/README.md index 3f1ca6b31..296f24ab5 100644 --- a/README.md +++ b/README.md @@ -147,8 +147,6 @@ This will spin up the cryostat container and its required services. $ ./mvnw package ; podman image prune -f # alternatively, use Quarkus CLI instead of the Maven wrapper $ quarkus build ; podman image prune -f -# generate a certificate and key for the server to enable HTTPS connections -$ sh compose/auth_certs/generate.sh # check the available smoketest options $ bash smoketest.bash -h # run a smoketest scenario diff --git a/compose/auth_proxy.yml b/compose/auth_proxy.yml index bd0fbd73b..c5051ca08 100644 --- a/compose/auth_proxy.yml +++ b/compose/auth_proxy.yml 
@@ -5,8 +5,7 @@ services:
 - "${CRYOSTAT_HTTP_PORT}"
 environment:
 CRYOSTAT_HTTP_PROXY_HOST: auth
- CRYOSTAT_HTTP_PROXY_PORT: "${CRYOSTAT_PROXY_PORT}"
- CRYOSTAT_HTTP_PROXY_TLS_ENABLED: "true"
+ CRYOSTAT_HTTP_PROXY_PORT: "${CRYOSTAT_HTTP_PORT}"
 QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING: "true"
 QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED: "true"
 QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_HOST: "true"
diff --git a/compose/auth_proxy_https.yml b/compose/auth_proxy_https.yml
index 9556b5e6c..d3b7a24af 100644
--- a/compose/auth_proxy_https.yml
+++ b/compose/auth_proxy_https.yml
@@ -1,5 +1,9 @@
 version: "3"
 services:
+ cryostat:
+ environment:
+ CRYOSTAT_HTTP_PROXY_PORT: "${CRYOSTAT_PROXY_PORT}"
+ CRYOSTAT_HTTP_PROXY_TLS_ENABLED: "true"
 auth:
 volumes:
 - auth_proxy_certs:/certs
diff --git a/compose/sample-apps.yml b/compose/sample-apps.yml
index 1d47eb6b6..f757d6dba 100644
--- a/compose/sample-apps.yml
+++ b/compose/sample-apps.yml
@@ -143,11 +143,8 @@ services:
 CRYOSTAT_AGENT_APP_NAME: quarkus-test-agent
 CRYOSTAT_AGENT_WEBSERVER_HOST: quarkus-test-agent
 CRYOSTAT_AGENT_WEBSERVER_PORT: 9977
- CRYOSTAT_AGENT_CALLBACK: https://quarkus-test-agent:9977/
+ CRYOSTAT_AGENT_CALLBACK: http://quarkus-test-agent:9977/
 CRYOSTAT_AGENT_BASEURI: ${CRYOSTAT_PROXY_PROTOCOL}://${CRYOSTAT_HTTP_HOST}:${CRYOSTAT_PROXY_PORT}/
- CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_PASS: /certs/keystore.pass
- CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_FILE: /certs/agent-keystore.p12
- CRYOSTAT_AGENT_WEBSERVER_TLS_CERT_FILE: /certs/agent_server.cer
 CRYOSTAT_AGENT_BASEURI_RANGE: public
 CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUST_ALL: "true"
 CRYOSTAT_AGENT_WEBCLIENT_TLS_VERIFY_HOSTNAME: "false"
@@ -158,8 +155,6 @@ services:
 CRYOSTAT_AGENT_HARVESTER_EXIT_MAX_AGE_MS: 60000
 CRYOSTAT_AGENT_HARVESTER_EXIT_MAX_SIZE_B: 153600 # "$(echo 1024*150 | bc)"
 CRYOSTAT_AGENT_API_WRITES_ENABLED: "true"
- volumes:
- - ${DIR}/compose/agent_certs:/certs:z
 restart: always
 healthcheck:
 test: curl --fail http://localhost:10010 || exit 1
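Review bot: `CRYOSTAT_HTTP_PROXY_PORT: "${CRYOSTAT_HTTP_PORT}"` on the added line makes the base compose file tell Cryostat the proxy sits on Cryostat's own HTTP port (8181 when the proxy is enabled, per the smoketest.bash hunks in this series), while the proxy actually publishes `${CRYOSTAT_PROXY_PORT}` (8080 in plain-HTTP mode). Only the TLS overlay in auth_proxy_https.yml restores `${CRYOSTAT_PROXY_PORT}`, so a `-k` run appears to get the wrong proxy port; if that is unintended, the removed `CRYOSTAT_HTTP_PROXY_PORT: "${CRYOSTAT_PROXY_PORT}"` should stay here and the overlay should only add `CRYOSTAT_HTTP_PROXY_TLS_ENABLED`. Either way a comment above the key stating which port it names (Cryostat's own vs. the proxy's published port) would keep the two files from drifting again. This is inferred from the variable defaults visible elsewhere in the series, so confirm against how Cryostat consumes the setting.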
diff --git a/compose/sample-apps_https.yml b/compose/sample-apps_https.yml
new file mode 100644
index 000000000..dc4afa238
--- /dev/null
+++ b/compose/sample-apps_https.yml
@@ -0,0 +1,10 @@
+version: "3"
+services:
+ quarkus-test-agent:
+ environment:
+ CRYOSTAT_AGENT_CALLBACK: https://quarkus-test-agent:9977/
+ CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_PASS: /certs/keystore.pass
+ CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_FILE: /certs/agent-keystore.p12
+ CRYOSTAT_AGENT_WEBSERVER_TLS_CERT_FILE: /certs/agent_server.cer
+ volumes:
+ - ${DIR}/compose/agent_certs:/certs:z
diff --git a/smoketest.bash b/smoketest.bash
index 1544fcc08..0a2247654 100755
--- a/smoketest.bash
+++ b/smoketest.bash
@@ -24,7 +24,8 @@ CRYOSTAT_HTTP_PORT=${CRYOSTAT_HTTP_PORT:-8080}
 USE_PROXY=${USE_PROXY:-true}
 DEPLOY_GRAFANA=${DEPLOY_GRAFANA:-true}
 DRY_RUN=${DRY_RUN:-false}
-USE_HTTPS=${USE_HTTPS:-true}
+USE_TLS=${USE_TLS:-true}
+SAMPLE_APPS_USE_TLS=${SAMPLE_APPS_USE_TLS:-false}
 display_usage() {
 echo "Usage:"
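Review bot: The new overlay bind-mounts `${DIR}/compose/agent_certs` into the agent container and points `CRYOSTAT_AGENT_WEBSERVER_TLS_KEYSTORE_PASS` at `/certs/keystore.pass`, so the agent's private keystore and its plaintext password now live in the repository working tree between the generate step and `cleanup()` in smoketest.bash. Make sure `agent-keystore.p12`, `keystore.pass` and the exported `.cer` under `compose/agent_certs/` are git-ignored (not visible in this series) so an interrupted run cannot leave them staged for commit. A comment at the top of this file such as `# agent_certs/* are generated per smoketest run by generate-agent-certs.sh and removed on exit; never commit them` would make that lifecycle explicit to the next reader.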
@@ -35,17 +36,18 @@ display_usage() {
 echo -e "\t-G\t\t\t\t\t\texclude Grafana dashboard and jfr-datasource from deployment."
 echo -e "\t-r\t\t\t\t\t\tconfigure a cryostat-Reports sidecar instance"
 echo -e "\t-t\t\t\t\t\t\tinclude sample applications for Testing."
+ echo -e "\t-A\t\t\t\t\t\tDisable TLS on sample applications' Agents."
 echo -e "\t-V\t\t\t\t\t\tdo not discard data storage Volumes on exit."
 echo -e "\t-X\t\t\t\t\t\tdeploy additional development aid tools."
 echo -e "\t-c [podman|docker]\t\t\t\tUse Podman or Docker Container Engine (default \"podman\")."
 echo -e "\t-b\t\t\t\t\t\tOpen a Browser tab for each running service's first mapped port (ex. auth proxy login, database viewer)"
 echo -e "\t-n\t\t\t\t\t\tDo Not apply configuration changes, instead emit the compose YAML that would have been used to stdout."
- echo -e "\t-k\t\t\t\t\t\tEnable http protocol"
+ echo -e "\t-k\t\t\t\t\t\tDisable TLS on the auth Proxy."
 }
 s3=seaweed
 ce=podman
-while getopts "hs:prGtOVXcbnk" opt; do
+while getopts "hs:prGtAOVXcbnk" opt; do
 case $opt in
 h)
 display_usage
@@ -61,7 +63,19 @@ while getopts "hs:prGtOVXcbnk" opt; do
 DEPLOY_GRAFANA=false
 ;;
 t)
- FILES+=("${DIR}/compose/sample-apps.yml")
+ FILES+=(
+ "${DIR}/compose/sample-apps.yml"
+ "${DIR}/compose/sample-apps_https.yml")
+ SAMPLE_APPS_USE_TLS=true
+ ;;
+ A)
+ SAMPLE_APPS_USE_TLS=false
+ SAMPLE_APP_HTTPS_FILE="${DIR}/compose/sample-apps_https.yml"
+ for i in "${!FILES[@]}"; do
+ if [[ ${FILES[i]} = $SAMPLE_APP_HTTPS_FILE ]]; then
+ unset "FILES[i]"
+ fi
+ done
 ;;
 O)
 PULL_IMAGES=false
@@ -86,7 +100,7 @@ while getopts "hs:prGtOVXcbnk" opt; do
 DRY_RUN=true
 ;;
 k)
- USE_HTTPS=false
+ USE_TLS=false
 ;;
 *)
 display_usage
@@ -109,7 +123,7 @@ if [ "${USE_PROXY}" = "true" ]; then
 FILES+=("${DIR}/compose/auth_proxy.yml")
 CRYOSTAT_HTTP_HOST=auth
 CRYOSTAT_HTTP_PORT=8181
- if [ "${USE_HTTPS}" = "true" ]; then
+ if [ "${USE_TLS}" = "true" ]; then
 FILES+=("${DIR}/compose/auth_proxy_https.yml")
 CRYOSTAT_PROXY_PORT=8443
 CRYOSTAT_PROXY_PROTOCOL=https
@@ -201,6 +215,15 @@ cleanup() {
 ${container_engine} volume rm auth_proxy_cfg || true
 ${container_engine} volume rm auth_proxy_certs || true
 fi
+ if [ "${SAMPLE_APPS_USE_TLS}" = "true" ]; then
+ rm ${DIR}/compose/agent_certs/agent_server.cer
+ rm ${DIR}/compose/agent_certs/agent-keystore.p12
+ rm ${DIR}/compose/agent_certs/keystore.pass
+ fi
+ if [ "${USE_TLS}" = "true" ]; then
+ rm ${DIR}/compose/auth_certs/certificate.pem
+ rm ${DIR}/compose/auth_certs/private.key
+ fi
 if [ "${s3}" = "localstack" ]; then
 ${container_engine} rm localstack_cfg_helper || true
 ${container_engine} volume rm localstack_cfg || true
@@ -218,6 +241,10 @@ cleanup() {
 trap cleanup EXIT
 cleanup
+if [ "${SAMPLE_APPS_USE_TLS}" = "true" ]; then
+ sh ${DIR}/compose/agent_certs/generate-agent-certs.sh generate
+fi
+
 createProxyCfgVolume() {
 "${container_engine}" volume create auth_proxy_cfg
 "${container_engine}" container create --name proxy_cfg_helper -v auth_proxy_cfg:/tmp busybox
@@ -239,12 +266,10 @@ createProxyCertsVolume() {
 chmod 644 "${DIR}/compose/auth_certs/private.key"
 "${container_engine}" cp "${DIR}/compose/auth_certs/certificate.pem" proxy_certs_helper:/certs/certificate.pem
 "${container_engine}" cp "${DIR}/compose/auth_certs/private.key" proxy_certs_helper:/certs/private.key
- else
- echo "Did you run auth_certs/generate.sh?"
- exit 2
 fi
 }
-if [ "${USE_PROXY}" = "true" ] && [ "${USE_HTTPS}" = "true" ]; then
+if [ "${USE_PROXY}" = "true" ] && [ "${USE_TLS}" = "true" ]; then
+ sh "${DIR}/compose/auth_certs/generate.sh"
 createProxyCertsVolume
 fi
From 1fde049d36b34ef2bab63bde512eb9a812eae646 Mon Sep 17 00:00:00 2001
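Review bot: The added `rm` calls in `cleanup()` (hunk `@@ -201,6 +215,15 @@`) run without `-f` on files that frequently do not exist: `cleanup` is invoked unconditionally right after `trap cleanup EXIT` in the next hunk, before either generator script has produced anything, and again on every exit including early failures, so each missing file prints an error and returns non-zero. If smoketest.bash runs under `set -e` (not visible here) that aborts the remainder of the cleanup and leaves helper containers and volumes behind; `rm -f "${DIR}/compose/agent_certs/agent_server.cer"` and likewise for the other four paths makes the teardown idempotent. The same applies to the re-quoted versions of these lines in patch 27 (`@@ -220,13 +215,13 @@`). The function's start is outside this hunk.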
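Review bot: `sh ${DIR}/compose/agent_certs/generate-agent-certs.sh generate` (hunk `@@ -218,6 +241,10 @@`) is invoked without checking its exit status, and the same holds for `sh "${DIR}/compose/auth_certs/generate.sh"` in the next hunk (`@@ -239,12 +266,10 @@`), which at the same time drops the `else ... exit 2` guard that used to catch missing certificate material. A failed keytool or openssl run therefore continues into `chmod 644`/`cp` of non-existent files and a proxy started without usable TLS material, with a far less obvious error than before; `sh "${DIR}/compose/auth_certs/generate.sh" || exit 2` (and the same for the agent script) restores the fail-fast behaviour. Separately, the existing `chmod 644 "${DIR}/compose/auth_certs/private.key"` context line now applies to a key regenerated on every run, leaving it world-readable on the host; if the copy into the helper container does not require that mode, a tighter mode or a comment explaining why 644 is needed would be worth adding. The re-quoted agent call in patch 27 (`@@ -246,7 +241,7 @@`) keeps the unchecked status.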
From: Ming Wang
Date: Wed, 3 Jul 2024 10:33:32 -0400
Subject: [PATCH 25/30] review
---
 smoketest.bash | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/smoketest.bash b/smoketest.bash
index 0a2247654..e8c0dfaea 100755
--- a/smoketest.bash
+++ b/smoketest.bash
@@ -42,7 +42,7 @@ display_usage() {
 echo -e "\t-c [podman|docker]\t\t\t\tUse Podman or Docker Container Engine (default \"podman\")."
 echo -e "\t-b\t\t\t\t\t\tOpen a Browser tab for each running service's first mapped port (ex. auth proxy login, database viewer)"
 echo -e "\t-n\t\t\t\t\t\tDo Not apply configuration changes, instead emit the compose YAML that would have been used to stdout."
- echo -e "\t-k\t\t\t\t\t\tDisable TLS on the auth Proxy."
+ echo -e "\t-k\t\t\t\t\t\tDisable TLS on the auth proxy."
 }
 s3=seaweed
From 4c1341cfcceca477cc7de05c13e7d4b95c13c26d Mon Sep 17 00:00:00 2001
From: Ming Wang
Date: Wed, 3 Jul 2024 11:04:34 -0400
Subject: [PATCH 26/30] fix sample app flags
---
 smoketest.bash | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/smoketest.bash b/smoketest.bash
index e8c0dfaea..a227af2f1 100755
--- a/smoketest.bash
+++ b/smoketest.bash
@@ -25,7 +25,8 @@ USE_PROXY=${USE_PROXY:-true}
 DEPLOY_GRAFANA=${DEPLOY_GRAFANA:-true}
 DRY_RUN=${DRY_RUN:-false}
 USE_TLS=${USE_TLS:-true}
-SAMPLE_APPS_USE_TLS=${SAMPLE_APPS_USE_TLS:-false}
+SAMPLE_APPS_USE_TLS=${SAMPLE_APPS_USE_TLS:-true}
+INCLUDE_SAMPLE_APPS=${INCLUDE_SAMPLE_APPS:-false}
 display_usage() {
 echo "Usage:"
@@ -66,16 +67,10 @@ while getopts "hs:prGtAOVXcbnk" opt; do
 FILES+=(
 "${DIR}/compose/sample-apps.yml"
 "${DIR}/compose/sample-apps_https.yml")
- SAMPLE_APPS_USE_TLS=true
+ INCLUDE_SAMPLE_APPS=true
 ;;
 A)
 SAMPLE_APPS_USE_TLS=false
- SAMPLE_APP_HTTPS_FILE="${DIR}/compose/sample-apps_https.yml"
- for i in "${!FILES[@]}"; do
- if [[ ${FILES[i]} = $SAMPLE_APP_HTTPS_FILE ]]; then
- unset "FILES[i]"
- fi
- done
 ;;
 O)
 PULL_IMAGES=false
@@ -116,6 +111,15 @@ if [ "${DEPLOY_GRAFANA}" = "true" ]; then
 )
 fi
+if [ "${SAMPLE_APPS_USE_TLS}" = "false" ] && [ "${INCLUDE_SAMPLE_APPS}" = "true" ]; then
+ SAMPLE_APP_HTTPS_FILE="${DIR}/compose/sample-apps_https.yml"
+ for i in "${!FILES[@]}"; do
+ if [[ "${FILES[i]}" = "${SAMPLE_APP_HTTPS_FILE}" ]]; then
+ unset "FILES[i]"
+ fi
+ done
+fi
+
 CRYOSTAT_PROXY_PORT=8080
 CRYOSTAT_PROXY_PROTOCOL=http
 AUTH_PROXY_ALPHA_CONFIG_FILE=auth_proxy_alpha_config_http
@@ -215,7 +219,7 @@ cleanup() {
 ${container_engine} volume rm auth_proxy_cfg || true
 ${container_engine} volume rm auth_proxy_certs || true
 fi
- if [ "${SAMPLE_APPS_USE_TLS}" = "true" ]; then
+ if [ "${INCLUDE_SAMPLE_APPS}" = "true" ] && [ "${SAMPLE_APPS_USE_TLS}" = "true" ]; then
 rm ${DIR}/compose/agent_certs/agent_server.cer
 rm ${DIR}/compose/agent_certs/agent-keystore.p12
 rm ${DIR}/compose/agent_certs/keystore.pass
@@ -241,7 +245,7 @@ cleanup() {
 trap cleanup EXIT
 cleanup
-if [ "${SAMPLE_APPS_USE_TLS}" = "true" ]; then
+if [ "${INCLUDE_SAMPLE_APPS}" = "true" ] && [ "${SAMPLE_APPS_USE_TLS}" = "true" ]; then
 sh ${DIR}/compose/agent_certs/generate-agent-certs.sh generate
 fi
From 708525d14e771f6d3882f0bb898a3e6ded1a11a9 Mon Sep 17 00:00:00 2001
From: Ming Wang
Date: Wed, 3 Jul 2024 13:15:23 -0400
Subject: [PATCH 27/30] cleanup
---
 smoketest.bash | 27 +++++++++++----------------
 1 file changed, 11 insertions(+), 16 deletions(-)
diff --git a/smoketest.bash b/smoketest.bash
index a227af2f1..c889d3fb2 100755
--- a/smoketest.bash
+++ b/smoketest.bash
@@ -64,9 +64,6 @@ while getopts "hs:prGtAOVXcbnk" opt; do
 DEPLOY_GRAFANA=false
 ;;
 t)
- FILES+=(
- "${DIR}/compose/sample-apps.yml"
- "${DIR}/compose/sample-apps_https.yml")
 INCLUDE_SAMPLE_APPS=true
 ;;
 A)
@@ -111,13 +108,11 @@ if [ "${DEPLOY_GRAFANA}" = "true" ]; then
 )
 fi
-if [ "${SAMPLE_APPS_USE_TLS}" = "false" ] && [ "${INCLUDE_SAMPLE_APPS}" = "true" ]; then
- SAMPLE_APP_HTTPS_FILE="${DIR}/compose/sample-apps_https.yml"
- for i in "${!FILES[@]}"; do
- if [[ "${FILES[i]}" = "${SAMPLE_APP_HTTPS_FILE}" ]]; then
- unset "FILES[i]"
- fi
- done
+if [ "${INCLUDE_SAMPLE_APPS}" = "true" ]; then
+ FILES+=("${DIR}/compose/sample-apps.yml")
+ if [ "${SAMPLE_APPS_USE_TLS}" = "true" ]; then
+ FILES+=("${DIR}/compose/sample-apps_https.yml")
+ fi
 fi
 CRYOSTAT_PROXY_PORT=8080
@@ -220,13 +215,13 @@ cleanup() {
 ${container_engine} volume rm auth_proxy_certs || true
 fi
 if [ "${INCLUDE_SAMPLE_APPS}" = "true" ] && [ "${SAMPLE_APPS_USE_TLS}" = "true" ]; then
- rm ${DIR}/compose/agent_certs/agent_server.cer
- rm ${DIR}/compose/agent_certs/agent-keystore.p12
- rm ${DIR}/compose/agent_certs/keystore.pass
+ rm "${DIR}/compose/agent_certs/agent_server.cer"
+ rm "${DIR}/compose/agent_certs/agent-keystore.p12"
+ rm "${DIR}/compose/agent_certs/keystore.pass"
 fi
 if [ "${USE_TLS}" = "true" ]; then
- rm ${DIR}/compose/auth_certs/certificate.pem
- rm ${DIR}/compose/auth_certs/private.key
+ rm "${DIR}/compose/auth_certs/certificate.pem"
+ rm "${DIR}/compose/auth_certs/private.key"
 fi
 if [ "${s3}" = "localstack" ]; then
 ${container_engine} rm localstack_cfg_helper || true
@@ -246,7 +241,7 @@ trap cleanup EXIT
 cleanup
 if [ "${INCLUDE_SAMPLE_APPS}" = "true" ] && [ "${SAMPLE_APPS_USE_TLS}" = "true" ]; then
- sh ${DIR}/compose/agent_certs/generate-agent-certs.sh generate
+ sh "${DIR}/compose/agent_certs/generate-agent-certs.sh" generate
 fi
 createProxyCfgVolume() {
From cc4c355ea286588e32230bcc38847bbe5383198d Mon Sep 17 00:00:00 2001
From: Ming Wang
Date: Fri, 5 Jul 2024 10:39:47 -0400
Subject: [PATCH 28/30] update quarkus-test-agent image update webui
From 87d15c49e401df44f564a5ea9b9659a4af8903c1 Mon Sep 17 00:00:00 2001
From: Ming Wang
Date: Mon, 15 Jul 2024 11:11:05 -0400
Subject: [PATCH 29/30] update sample app configs
---
 compose/sample-apps.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/compose/sample-apps.yml b/compose/sample-apps.yml
index f757d6dba..78295c359 100644
--- a/compose/sample-apps.yml
+++ b/compose/sample-apps.yml
@@ -11,8 +11,8 @@ services:
 JMX_PORT: 9093
 USE_JDP: "true"
 CRYOSTAT_AGENT_APP_NAME: vertx-fib-demo-1
- CRYOSTAT_AGENT_WEBCLIENT_SSL_TRUST_ALL: "true"
- CRYOSTAT_AGENT_WEBCLIENT_SSL_VERIFY_HOSTNAME: "false"
+ CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUST_ALL: "true"
+ CRYOSTAT_AGENT_WEBCLIENT_TLS_VERIFY_HOSTNAME: "false"
 CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-1"
 CRYOSTAT_AGENT_WEBSERVER_PORT: "8910"
 CRYOSTAT_AGENT_CALLBACK: "http://sample-app-1:8910/"
@@ -43,8 +43,8 @@ services:
 USE_JDP: "true"
 USE_AUTH: "true"
 CRYOSTAT_AGENT_APP_NAME: "vertx-fib-demo-2"
- CRYOSTAT_AGENT_WEBCLIENT_SSL_TRUST_ALL: "true"
- CRYOSTAT_AGENT_WEBCLIENT_SSL_VERIFY_HOSTNAME: "false"
+ CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUST_ALL: "true"
+ CRYOSTAT_AGENT_WEBCLIENT_TLS_VERIFY_HOSTNAME: "false"
 CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-2"
 CRYOSTAT_AGENT_WEBSERVER_PORT: "8911"
 CRYOSTAT_AGENT_CALLBACK: "http://sample-app-2:8911/"
@@ -76,8 +76,8 @@ services:
 USE_AUTH: "true"
 USE_SSL: "true"
 CRYOSTAT_AGENT_APP_NAME: "vertx-fib-demo-3"
- CRYOSTAT_AGENT_WEBCLIENT_SSL_TRUST_ALL: "true"
- CRYOSTAT_AGENT_WEBCLIENT_SSL_VERIFY_HOSTNAME: "false"
+ CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUST_ALL: "true"
+ CRYOSTAT_AGENT_WEBCLIENT_TLS_VERIFY_HOSTNAME: "false"
 CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-3"
 CRYOSTAT_AGENT_WEBSERVER_PORT: "8912"
 CRYOSTAT_AGENT_CALLBACK: "http://sample-app-3:8912/"
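Review bot: The renamed `CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUST_ALL: "true"` / `CRYOSTAT_AGENT_WEBCLIENT_TLS_VERIFY_HOSTNAME: "false"` pair in the `@@ -11,8 +11,8 @@` hunk disables server-certificate and hostname validation on the agent's client, which is needed here because the auth proxy's certificate is self-signed and regenerated on every smoketest run, but nothing in the file records that reason. A one-line comment above each pair, e.g. `# smoketest only: the auth proxy presents a self-signed certificate generated per run; do not copy into real deployments`, documents the intent and stops the settings being cargo-culted into production compose files. The same applies to the `@@ -43,8` and `@@ -76,8` hunks here and to the gameserver hunk (`@@ -177,10`) on the next line.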
@@ -177,10 +177,10 @@ services:
 CRYOSTAT_AGENT_WEBSERVER_HOST: gameserver
 CRYOSTAT_AGENT_WEBSERVER_PORT: 9494
 CRYOSTAT_AGENT_CALLBACK: http://gameserver:9494/
- CRYOSTAT_AGENT_BASEURI: http://${CRYOSTAT_HTTP_HOST}:8080/
+ CRYOSTAT_AGENT_BASEURI: ${CRYOSTAT_PROXY_PROTOCOL}://${CRYOSTAT_HTTP_HOST}:${CRYOSTAT_PROXY_PORT}/
 CRYOSTAT_AGENT_BASEURI_RANGE: public
- CRYOSTAT_AGENT_SSL_TRUST_ALL: "true"
- CRYOSTAT_AGENT_SSL_VERIFY_HOSTNAME: "false"
+ CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUST_ALL: "true"
+ CRYOSTAT_AGENT_WEBCLIENT_TLS_VERIFY_HOSTNAME: "false"
 CRYOSTAT_AGENT_AUTHORIZATION_TYPE: basic
 CRYOSTAT_AGENT_AUTHORIZATION_VALUE: user:pass
 CRYOSTAT_AGENT_API_WRITES_ENABLED: "true"
From 9e52b0159b6681ded106fee16272c0c2ded6feff Mon Sep 17 00:00:00 2001
From: Ming Wang
Date: Mon, 15 Jul 2024 12:03:23 -0400
Subject: [PATCH 30/30] reviews
---
 compose/agent_certs/generate-agent-certs.sh | 8 ++++----
 compose/auth_certs/generate.sh | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/compose/agent_certs/generate-agent-certs.sh b/compose/agent_certs/generate-agent-certs.sh
index 271f36835..65c38a809 100755
--- a/compose/agent_certs/generate-agent-certs.sh
+++ b/compose/agent_certs/generate-agent-certs.sh
@@ -2,7 +2,7 @@
 set -x
-CERTS_DIR=$(realpath "$(dirname "$0")")
+CERTS_DIR="$(realpath "$(dirname "$0")")"
 SSL_KEYSTORE=agent-keystore.p12
@@ -10,7 +10,7 @@ SSL_KEYSTORE_PASS_FILE=keystore.pass
 cleanup() {
 cd "$CERTS_DIR"
- rm $SSL_KEYSTORE $SSL_KEYSTORE_PASS_FILE agent-server.cer
+ rm "$SSL_KEYSTORE" "$SSL_KEYSTORE_PASS_FILE" agent-server.cer
 cd -
 }
@@ -33,12 +33,12 @@ genpass() {
 < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32
 }
-SSL_KEYSTORE_PASS=$(genpass)
+SSL_KEYSTORE_PASS="$(genpass)"
 cd "$CERTS_DIR"
 trap "cd -" EXIT
-echo "$SSL_KEYSTORE_PASS" > $SSL_KEYSTORE_PASS_FILE
+echo "$SSL_KEYSTORE_PASS" > "$SSL_KEYSTORE_PASS_FILE"
 keytool \
 -genkeypair -v \
diff --git a/compose/auth_certs/generate.sh b/compose/auth_certs/generate.sh
index 68e91c731..5ca54784c 100644
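Review bot: `rm "$SSL_KEYSTORE" "$SSL_KEYSTORE_PASS_FILE" agent-server.cer` in `cleanup()` (hunk `@@ -10,7 +10,7 @@`) deletes `agent-server.cer` with a hyphen, while every other reference in this series — `/certs/agent_server.cer` in compose/sample-apps_https.yml and the `rm` in smoketest.bash's `cleanup()` — uses `agent_server.cer` with an underscore. One spelling is wrong: either this script's cleanup never removes the certificate it exported, or the compose mount points at a file that is never written. The keytool export is outside the hunk; confirm which name it writes and align the other, ideally through a single variable defined next to `SSL_KEYSTORE` so the name exists in one place.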
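Review bot: `echo "$SSL_KEYSTORE_PASS" > "$SSL_KEYSTORE_PASS_FILE"` (hunk `@@ -33,12 +33,12 @@`) executes with `set -x` active (visible in the first hunk of this file), so xtrace prints the expanded keystore password to stderr, where it lands in terminal scrollback and in any CI log that captures the smoketest output. Wrap the write as `set +x; echo "$SSL_KEYSTORE_PASS" > "$SSL_KEYSTORE_PASS_FILE"; set -x`, or drop `set -x` for this script, so the secret is only ever written to the file. The file is also created under the caller's umask; if the agent container can still read it under a stricter mode, a `(umask 077; ...)` subshell around the write would keep the password from other local users — confirm against the user the container runs as.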
--- a/compose/auth_certs/generate.sh
+++ b/compose/auth_certs/generate.sh
@@ -4,4 +4,4 @@ set -xe
 CERTS_DIR="$(dirname "$(readlink -f "$0")")"
-openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out ${CERTS_DIR}/certificate.pem -keyout ${CERTS_DIR}/private.key
+openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out "${CERTS_DIR}/certificate.pem" -keyout "${CERTS_DIR}/private.key"
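Review bot: The re-quoted `openssl req` line still passes no `-subj` (or `-batch`) and no subjectAltName, and since patch 24 smoketest.bash invokes this script automatically; unless an openssl config with `prompt = no` is in effect (not visible here), `openssl req` stops to ask for DN fields and stalls a non-interactive run. Adding `-subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,DNS:auth"` (auth being the proxy's compose hostname in this series) removes the prompt and yields a certificate clients could actually verify instead of relying on the skip-verify settings elsewhere in the compose files.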