Enhance the canned server's cert and Keycloak configuration
Include 'alternate names' for all of the server's hostnames and IP addresses.
Ensure that the Keycloak realm and client in the Pbench Server configuration
file match the configuration of the canned Keycloak server, and make the value
of the Keycloak server in the Pbench Server config file be configurable.
webbnh committed Aug 1, 2023
1 parent a6b28c8 commit 9139636
Showing 2 changed files with 38 additions and 13 deletions.
4 changes: 3 additions & 1 deletion server/pbenchinacan/etc/pbench-server/pbench-server.cfg
Expand Up @@ -24,7 +24,9 @@ uri = postgresql://pbenchcontainer:pbench@localhost:5432/pbenchcontainer
secret-key = "pbench-in-a-can secret shhh"

[openid]
server_url = https://localhost:8090
server_url = ##KEYCLOAK_SERVER_URL##
realm = ##KEYCLOAK_REALM##
client = ##KEYCLOAK_CLIENT##

# Provide a CA cert for the pbenchinacan Keycloak server connection.
tls_ca_file = /etc/pki/tls/certs/pbench_CA.crt
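Review bot: The three `##…##` tokens on the `server_url`, `realm` and `client` lines are placeholders that only become valid once `run-pbench-in-a-can` runs its `sed` substitutions over the deployed copy, but nothing in this file says so; anyone who copies it out of `pbenchinacan/etc` gets an `[openid]` section pointing at a literal `##KEYCLOAK_SERVER_URL##`. Consider a comment above the section, `# The ##...## tokens below are substituted by run-pbench-in-a-can; they are not valid values as-is.` The existing comment on the `tls_ca_file` line already ties this section to the canned Keycloak server, so the note would fit alongside it.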
47 changes: 35 additions & 12 deletions server/pbenchinacan/run-pbench-in-a-can
Expand Up @@ -24,19 +24,41 @@ export PB_SERVER_IMAGE_PULL_POLICY="${PB_SERVER_IMAGE_PULL_POLICY:-${PB_COMMON_I
# Directory to use for the fully built dashboard code.
export PB_DASHBOARD_DIR="${PB_DASHBOARD_DIR:-${PWD}/dashboard/build/}"

# Keycloak realm and client IDs to be used by the load_keycloak.sh script and
# the pbench-server.cfg file.
export KEYCLOAK_REALM=${KEYCLOAK_REALM:-"pbench-server"}
export KEYCLOAK_CLIENT=${KEYCLOAK_CLIENT:-"pbench-client"}

# Note: the value of PB_HOST_IP will be used to generate the TLS certificate
# and so it (not `localhost`) must also be used to access the Pbench Server;
# otherwise, the TLS validation will fail due to a host mismatch.
if [[ -z "${PB_HOST_IP}" ]]; then
host_ip_list=$(hostname -I)
PB_HOST_IP=${host_ip_list%% *}
export PB_HOST_IP
fi
# Name or IP address to be used by the client to access the Pbench Server, to
# load the Dashboard, and to interface with the canned Keycloak server
host_name=${PB_HOST:-localhost}

host_name=${PB_HOST_NAME:-$(hostname --fqdn)}
# Set a value for the -addext "subjectAltName=..." option to the cert creation.
# Set the initial value "manually" and skip the "dummy" value to make the
# comma-separated concatenations work nicely.
#
# Notes about the use of `readarray`: in order for the output array to be
# visible to the rest of the commands, the `readarray` command must not be
# executed in a subprocess, and therefore it cannot be on the receiving end
# of a pipe. Instead we execute the `hostname` command in a "command
# expansion" inside a "here string". Unfortunately, this causes a newline
# to be appended to the output, so that if we divide the result on spaces
# we end up with an extra array entry containing just a newline. So, instead
# we translate the spaces into newlines ("squeezing" out any repeated
# delimiters) and use the `readarray` default delimiter which is the newline.
subj_alt_name="DNS.1:localhost"
readarray -t cert_hostnames <<< "$(echo "dummy $(hostname -A)" | tr -s ' ' '\n')"
for ((i=1; i < ${#cert_hostnames[*]}; i++)); do
subj_alt_name+=", DNS.$((i+1)):${cert_hostnames[i]}"
done
readarray -t cert_ipaddrs <<< "$(echo "127.0.0.1 $(hostname -I)" | tr -s ' ' '\n')"
for ((i=0; i < ${#cert_ipaddrs[*]}; i++)); do
subj_alt_name+=", IP.$((i+1)):${cert_ipaddrs[i]}"
done
echo "subjectAltName is <${subj_alt_name}>."

grep -q ${host_name} <<< ${subj_alt_name} \
|| echo "Warning: requested host name/addr (${host_name}) is not covered by the TLS cert." >&2

# Set up TMP_DIR, if it's not already defined, to point to WORKSPACE_TMP, if it
# is defined (e.g., by the CI), or to `/var/tmp/pbench` as a fallback.
Expand Down Expand Up @@ -65,8 +87,9 @@ cp ${pbiac_etc}/pbench-server/pbench-server.cfg ${PB_DEPLOY_FILES}/
# Customize the Pbench Server config file for canned operation
sed -Ei \
-e "/^ *realhost/ s/=.*/= $(hostname -f)/" \
-e "s/<keycloak_realm>/${KEYCLOAK_REALM}/" \
-e "s/<keycloak_client>/${KEYCLOAK_CLIENT}/" \
-e "s|##KEYCLOAK_SERVER_URL##|https://${host_name}:8090|" \
-e "s/##KEYCLOAK_REALM##/${KEYCLOAK_REALM}/" \
-e "s/##KEYCLOAK_CLIENT##/${KEYCLOAK_CLIENT}/" \
-e "s/##ADMIN_NAMES##/${PB_ADMIN_NAMES}/" \
${PB_DEPLOY_FILES}/pbench-server.cfg

Expand Down Expand Up @@ -132,7 +155,7 @@ podman run \
-addext "authorityKeyIdentifier = keyid,issuer" \
-addext "basicConstraints=CA:FALSE" \
-addext "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment" \
-addext "subjectAltName = IP.2:${PB_HOST_IP}, DNS:localhost" \
-addext "subjectAltName = ${subj_alt_name}" \
2>&1 | sed -E -e '/^[.+*-]*$/ d'

chmod 0640 ${PB_DEPLOY_FILES}/pbench-server.key
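Review bot: The coverage check `grep -q ${host_name} <<< ${subj_alt_name}` in the first hunk treats the host name as an unquoted regular expression and accepts substring matches, so a `PB_HOST_NAME` of `10.0.0.1` is reported as covered by a cert whose SAN list only contains `IP.2:10.0.0.10`, and each `.` in an FQDN matches any character. A fixed-string, whole-word comparison avoids both problems: `grep -qwF -- "${host_name}" <<< "${subj_alt_name}"`. The same `host_name` is also written into `##KEYCLOAK_SERVER_URL##` as `https://${host_name}:8090` in the second hunk, so a value that slips past this check presumably also ends up in the Keycloak URL the server validates TLS against; the warning text could say so. This is top-level script code and the rest of the script lies outside the hunk.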
