tls: generate server TLS cert from CA

Makefile

@@ -12,7 +12,7 @@ test/update:
 	go test ./internal/cmd -test.update-golden
 
 dev:
-	docker build . -t infrahq/infra:dev
+	docker buildx build . -t infrahq/infra:dev
 	kubectl config use-context docker-desktop
 	helm upgrade --install --wait  \
 		--set global.image.pullPolicy=Never \

helm/charts/infra/templates/server/configmap.yaml

@@ -36,6 +36,12 @@ data:
 {{- end }}
 {{- end }}
 
+{{- if not .Values.server.config.tls }}
+    tls:
+      ca: "/var/run/secrets/infrahq.com/tls-ca/ca.crt"
+      caPrivateKey: "file:/var/run/secrets/infrahq.com/tls-ca/ca.key"
+{{- end }}
+
     providers:
 {{- .Values.server.additionalProviders | default list | concat .Values.server.config.providers | uniq | toYaml | nindent 6 }}
 

helm/charts/infra/templates/server/deployment.yaml

@@ -48,6 +48,10 @@ spec:
             - name: conf
               mountPath: /etc/infrahq
               readOnly: true
+{{- if (not .Values.server.config.tls) }}
+            - name: tls-ca
+              mountPath: /var/run/secrets/infrahq.com/tls-ca
+{{- end }}
 {{- if .Values.server.persistence.enabled }}
             - name: data
               mountPath: /var/lib/infrahq/server
@@ -89,6 +93,11 @@ spec:
         - name: conf
           configMap:
             name: {{ include "server.fullname" . }}
+{{- if (not .Values.server.config.tls) }}
+        - name: tls-ca
+          secret:
+            secretName: {{ include "server.fullname" . }}-ca
+{{- end }}
 {{- if .Values.server.persistence.enabled }}
         - name: data
           persistentVolumeClaim:

helm/charts/infra/templates/server/secret.yaml

@@ -0,0 +1,29 @@
+
+{{- if include "server.enabled" . | eq "true" }}
+{{- if (not .Values.server.config.tls) }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "server.fullname" . }}-ca
+  labels:
+{{- include "server.labels" . | nindent 4 }}
+data:
+
+{{- $secret := lookup "v1" "Secret" .Release.Namespace (printf "%s-ca" (include "server.fullname" .)) -}}
+{{- if $secret.data }}
+  ca.crt: |
+{{- get $secret.data "ca.crt" | nindent 4 }}
+  ca.key: |
+{{- get $secret.data "ca.key" | nindent 4 }}
+
+{{- else }}
+{{- $ca := genCA "Infra Server" 3650 }}
+  ca.crt: |
+{{- $ca.Cert | b64enc | nindent 4 }}
+  ca.key: |
+{{- $ca.Key | b64enc | nindent 4 }}
+
+{{- end }}{{/* if secret.data */}}
+{{- end }}{{/* if not tls */}}
+{{- end }}{{/* if server.enabled */}}

helm/charts/infra/values.yaml

@@ -531,6 +531,19 @@ server:
     # - name: [email protected]
     #   password: file:/var/run/secrets/[email protected]
 
+    # TLS configuration for the API server. Defaults to generating a self-signed CA and
+    # generating certificates from that CA.
+    tls: {}
+
+    # Configure a CA and private key using files
+    # ca: /path/to/ca.crt
+    # caPrivateKey: file:/path/to/ca.key
+
+    # Configure a TLS certificate and private key using files
+    # certificate: /path/to/server.crt
+    # privateKey: file:/path/to/server.key
+
+
 ## Default connector configurations
 connector:
 

internal/certs/certs.go

@@ -5,7 +5,6 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
-	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
@@ -14,10 +13,6 @@ import (
 	"net"
 	"strings"
 	"time"
-
-	"golang.org/x/crypto/acme/autocert"
-
-	"github.com/infrahq/infra/internal/logging"
 )
 
 func GenerateCertificate(hosts []string, caCert *x509.Certificate, caKey crypto.PrivateKey) (certPEM []byte, keyPEM []byte, err error) {
@@ -62,68 +57,6 @@ func GenerateCertificate(hosts []string, caCert *x509.Certificate, caKey crypto.
 	return PEMEncodeCertificate(certBytes), keyBytes, nil
 }
 
-func SelfSignedOrLetsEncryptCert(manager *autocert.Manager) func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-		ctx := hello.Context()
-		cert, err := manager.GetCertificate(hello)
-		if err == nil {
-			return cert, nil
-		}
-
-		serverName := hello.ServerName
-
-		if serverName == "" {
-			serverName, _, err = net.SplitHostPort(hello.Conn.LocalAddr().String())
-			if err != nil {
-				return nil, err
-			}
-		}
-
-		certBytes, err := manager.Cache.Get(ctx, serverName+".crt")
-		if err != nil {
-			logging.Warnf("cert: %s", err)
-		}
-
-		keyBytes, err := manager.Cache.Get(ctx, serverName+".key")
-		if err != nil {
-			logging.Warnf("key: %s", err)
-		}
-
-		// if either cert or key is missing, create it
-		if certBytes == nil || keyBytes == nil {
-			ca, caPrivKey, err := newCA()
-			if err != nil {
-				return nil, err
-			}
-
-			certBytes, keyBytes, err = GenerateCertificate([]string{serverName}, ca, caPrivKey)
-			if err != nil {
-				return nil, err
-			}
-
-			if err := manager.Cache.Put(ctx, serverName+".crt", certBytes); err != nil {
-				return nil, err
-			}
-
-			if err := manager.Cache.Put(ctx, serverName+".key", keyBytes); err != nil {
-				return nil, err
-			}
-
-			logging.L.Info().
-				Str("serverName", serverName).
-				Str("fingerprint", Fingerprint(pemDecode(certBytes))).
-				Msg("new server certificate")
-		}
-
-		keypair, err := tls.X509KeyPair(certBytes, keyBytes)
-		if err != nil {
-			return nil, err
-		}
-
-		return &keypair, nil
-	}
-}
-
 // Fingerprint returns a sha256 checksum of the certificate formatted as
 // hex pairs separated by colons. This is a common format used by browsers.
 // The bytes must be the ASN.1 DER form of the x509.Certificate.
@@ -133,11 +66,6 @@ func Fingerprint(raw []byte) string {
 	return strings.ToUpper(s)
 }
 
-func pemDecode(raw []byte) []byte {
-	block, _ := pem.Decode(raw)
-	return block.Bytes
-}
-
 // PEMEncodeCertificate accepts the bytes of a x509 certificate in ASN.1 DER form
 // and returns a PEM encoded representation of that certificate.
 func PEMEncodeCertificate(raw []byte) []byte {
@@ -149,39 +77,3 @@ func PEMEncodeCertificate(raw []byte) []byte {
 func pemEncodePrivateKey(raw []byte) []byte {
 	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: raw})
 }
-
-func newCA() (*x509.Certificate, *rsa.PrivateKey, error) {
-	// Generate a CA to sign self-signed certificates
-	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
-	if err != nil {
-		return nil, nil, err
-	}
-
-	caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	ca := &x509.Certificate{
-		SerialNumber: serialNumber,
-		Subject: pkix.Name{
-			Organization: []string{"Infra"},
-		},
-		NotBefore:             time.Now().Add(-5 * time.Minute).UTC(),
-		NotAfter:              time.Now().AddDate(0, 0, 365).UTC(),
-		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		IsCA:                  true,
-		BasicConstraintsValid: true,
-	}
-
-	caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	// TODO: is there really no other way to get the Raw field populated?
-	ca, _ = x509.ParseCertificate(caBytes)
-
-	return ca, caPrivKey, nil
-}

internal/cmd/list_test.go

@@ -34,14 +34,13 @@ func TestListCmd(t *testing.T) {
 			{User: "[email protected]", Resource: "moon", Role: "inhabitant"},
 		},
 	}
-	opts.Addr = server.ListenerOptions{HTTPS: "127.0.0.1:0", HTTP: "127.0.0.1:0"}
+	setupServerTLSOptions(t, &opts)
 	srv, err := server.New(opts)
 	assert.NilError(t, err)
 
 	ctx, cancel := context.WithCancel(context.Background())
 	t.Cleanup(cancel)
 
-	setupCertManager(t, opts.TLSCache, srv.Addrs.HTTPS.String())
 	go func() {
 		assert.Check(t, srv.Run(ctx))
 	}()

internal/cmd/login_test.go

@@ -3,7 +3,6 @@ package cmd
 import (
 	"context"
 	"encoding/pem"
-	"net"
 	"os"
 	"path/filepath"
 	"testing"
@@ -15,7 +14,6 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/hinshun/vt10x"
-	"golang.org/x/crypto/acme/autocert"
 	"golang.org/x/sync/errgroup"
 	"gotest.tools/v3/assert"
 	"gotest.tools/v3/assert/opt"
@@ -24,6 +22,7 @@ import (
 
 	"github.com/infrahq/infra/api"
 	"github.com/infrahq/infra/internal/certs"
+	"github.com/infrahq/infra/internal/cmd/types"
 	"github.com/infrahq/infra/internal/race"
 	"github.com/infrahq/infra/internal/server"
 	"github.com/infrahq/infra/uid"
@@ -35,18 +34,14 @@ func TestLoginCmd_SetupAdminOnFirstLogin(t *testing.T) {
 	dir := setupEnv(t)
 
 	opts := defaultServerOptions(dir)
-	opts.Addr = server.ListenerOptions{HTTPS: "127.0.0.1:0", HTTP: "127.0.0.1:0"}
+	setupServerTLSOptions(t, &opts)
 
 	srv, err := server.New(opts)
 	assert.NilError(t, err)
 
 	ctx, cancel := context.WithCancel(context.Background())
 	t.Cleanup(cancel)
 
-	host, _, err := net.SplitHostPort(srv.Addrs.HTTPS.String())
-	assert.NilError(t, err)
-
-	setupCertManager(t, opts.TLSCache, host)
 	go func() {
 		assert.Check(t, srv.Run(ctx))
 	}()
@@ -133,7 +128,7 @@ func TestLoginCmd_Options(t *testing.T) {
 	dir := setupEnv(t)
 
 	opts := defaultServerOptions(dir)
-	opts.Addr = server.ListenerOptions{HTTPS: "127.0.0.1:0", HTTP: "127.0.0.1:0"}
+	setupServerTLSOptions(t, &opts)
 	adminAccessKey := "aaaaaaaaaa.bbbbbbbbbbbbbbbbbbbbbbbb"
 	opts.Config.Users = []server.User{
 		{
@@ -147,7 +142,6 @@ func TestLoginCmd_Options(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	t.Cleanup(cancel)
 
-	setupCertManager(t, opts.TLSCache, srv.Addrs.HTTPS.String())
 	go func() {
 		assert.Check(t, srv.Run(ctx))
 	}()
@@ -286,23 +280,18 @@ func setupEnv(t *testing.T) string {
 	return dir
 }
 
-// setupCertManager copies the static TLS cert and key into the cache that will
-// be used by the server. This allows the server to skip generating a private key
-// for both the CA and server certificate, which takes multiple seconds.
-func setupCertManager(t *testing.T, dir string, serverName string) {
+func setupServerTLSOptions(t *testing.T, opts *server.Options) {
 	t.Helper()
-	ctx := context.Background()
-	cache := autocert.DirCache(dir)
+
+	opts.Addr = server.ListenerOptions{HTTPS: "127.0.0.1:0", HTTP: "127.0.0.1:0"}
 
 	key, err := os.ReadFile("testdata/pki/localhost.key")
 	assert.NilError(t, err)
-	err = cache.Put(ctx, serverName+".key", key)
-	assert.NilError(t, err)
+	opts.TLS.PrivateKey = string(key)
 
 	cert, err := os.ReadFile("testdata/pki/localhost.crt")
 	assert.NilError(t, err)
-	err = cache.Put(ctx, serverName+".crt", cert)
-	assert.NilError(t, err)
+	opts.TLS.Certificate = types.StringOrFile(cert)
 }
 
 func TestLoginCmd_TLSVerify(t *testing.T) {
@@ -314,21 +303,17 @@ func TestLoginCmd_TLSVerify(t *testing.T) {
 	t.Setenv("KUBECONFIG", kubeConfigPath)
 
 	opts := defaultServerOptions(dir)
+	setupServerTLSOptions(t, &opts)
 	accessKey := "0000000001.adminadminadminadmin1234"
 	opts.Users = []server.User{
 		{Name: "[email protected]", AccessKey: accessKey},
 	}
-	opts.Addr = server.ListenerOptions{HTTPS: "127.0.0.1:0", HTTP: "127.0.0.1:0"}
 	srv, err := server.New(opts)
 	assert.NilError(t, err)
 
 	ctx, cancel := context.WithCancel(context.Background())
 	t.Cleanup(cancel)
 
-	host, _, err := net.SplitHostPort(srv.Addrs.HTTPS.String())
-	assert.NilError(t, err)
-
-	setupCertManager(t, opts.TLSCache, host)
 	go func() {
 		assert.Check(t, srv.Run(ctx))
 	}()

internal/cmd/server_test.go

@@ -142,6 +142,7 @@ tls:
   caPrivateKey: file:ca.key
   certificate: testdata/server.crt
   privateKey: file:server.key
+  ACME: true
 
 keys:
   - kind: vault
@@ -223,6 +224,7 @@ users:
 						CAPrivateKey: "file:ca.key",
 						Certificate:  "-----BEGIN CERTIFICATE-----\nnot a real server certificate\n-----END CERTIFICATE-----\n",
 						PrivateKey:   "file:server.key",
+						ACME:         true,
 					},
 
 					Keys: []server.KeyProvider{
@@ -319,6 +321,11 @@ func TestServerCmd_WithSecretsConfig(t *testing.T) {
         http: "127.0.0.1:0"
         https: "127.0.0.1:0"
         metrics: "127.0.0.1:0"
+
+      tls:
+        ca: some-ca
+        caPrivateKey: some-key
+
       secrets:
         - kind: env
           name: base64env