Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add (m)TLS #464

Merged
merged 2 commits into from
Jun 27, 2022
Merged

feat: Add (m)TLS #464

merged 2 commits into from
Jun 27, 2022

Conversation

Callisto13
Copy link
Member

@Callisto13 Callisto13 commented Jun 13, 2022

This commit adds the option to configure TLS or mTLS on the server.

There is also a script to generate certs for testing which can be found
at hack/scripts/gen_local_certs.sh.

To manually test I did the following:

./hack/scripts/gen_local_certs.sh all --host localhost --cfssl $(which cfssl) --cfssljson $(which cfssljson) --output localhost

make build
sudo ./bin/flintlockd run \
  --containerd-socket=/run/containerd-dev/containerd.sock \
  --parent-iface="${NET_DEVICE}" \
  --grpc-endpoint=localhost:9091 \
  --tls-cert localhost/localhost.pem \
  --tls-key localhost/localhost-key.pem \
  --tls-client-ca localhost/intermediate-ca.pem \
  --tls-client-validate

I added localhost/liquidmetalclient1.pem and the ca to hammertime,
and verified that the request failed without the certs and worked with them.

On start, flintlockd will log whether TLS is enabled or disabled:

...
INFO[0000] flintlockd, version=undefined, built_on=undefined, commit=undefined
INFO[0000] flintlockd grpc api server starting
WARN[0000] basic authentication is DISABLED
INFO[0000] TLS is enabled
INFO[0000] starting microvm controller
INFO[0000] starting microvm controller with 1 workers    controller=microvm
...

There are unit tests for the validation, but to test that the certs have
been wired in to the server properly, I will need to add some e2e layer
testing. I am going to tackle that in another ticket.

Completing #461, follows on from #462 which will be merged first.

Fixes #243

Co-authored-by: Richard Case [email protected]

@Callisto13
Copy link
Member Author

Callisto13 commented Jun 21, 2022

ci failing on bufbuild/buf#1209, does not block this so i can fix in another pr

edit: fixed and merged

pkg/auth/tls.go Outdated Show resolved Hide resolved
richardcase
richardcase previously approved these changes Jun 27, 2022
Copy link
Member

@richardcase richardcase left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just the one comment but i don't think that is essential at all.

@Callisto13
Copy link
Member Author

Lol i completely forgot to do that suggestion

This commit adds the option to configure TLS or mTLS on the server.

There is also a script to generate certs for testing which can be found
at `hack/scripts/gen_local_certs.sh`.

To manually test I did the following:
```
./hack/scripts/gen_local_certs.sh all --host localhost --cfssl $(which
ssl --cfssljson $(which cfssljson)

make build
sudo ./bin/flintlockd run \
  --containerd-socket=/run/containerd-dev/containerd.sock \
  --parent-iface="${NET_DEVICE}" \
  --grpc-endpoint=localhost:9091 \
  --tls-cert localhost/localhost.pem \
  --tls-key localhost/localhost-key.pem \
  --tls-client-ca localhost/intermediate-ca.pem \
  --tls-client-validate
```

I added `localhost/liquidmetalclient1.pem`  and the ca to `hammertime`,
and verified that the request failed without the certs.

On start, flintlockd will log whether TLS is enabled or disabled:
```
...
INFO[0000] flintlockd, version=undefined, built_on=undefined, commit=undefined
INFO[0000] flintlockd grpc api server starting
WARN[0000] basic authentication is DISABLED
INFO[0000] TLS is enabled
INFO[0000] starting microvm controller
INFO[0000] starting microvm controller with 1 workers    controller=microvm
...
```

There are unit tests for the validation, but to test that the certs have
been wired in to the server properly, I will need to add some e2e layer
testing. I am going to tackle that in another ticket.

Co-authored-by: Richard Case <[email protected]>
@richardcase richardcase merged commit 7c72eec into liquidmetal-dev:main Jun 27, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add TLS support to the gRPC Server
2 participants