From ca2ea86cb4645021e1f0b346ce7e34a4aa836895 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Fri, 12 Apr 2024 13:15:38 +0200 Subject: [PATCH] chore: create TLS certs in a consistent manner (#2478) * fix: remove suspicious filepath.Join * chore: fix lint * fix: handle error * chore: reverse assertion for lint * feat: support generating TLS certificates on the fly * chore: apply to cockroachdb * chore: support saving the cert and priv key files to disk * chore: apply to rabbitmq * chore: simplify * chore: use in redpanda module * chore: lint * chore: set validFrom internally * fix: properly use the new API in redpanda * docs: document the TLS helpers * chore: simplify WithParent to accept the struct directly * chore: use tlscert package instead * fix: use non-deprecated API * docs: update * docs: fix examples * chore: use released version of tlscert * fix: add common name for the node cert --- container.go | 2 +- docker.go | 4 +- docker_exec_test.go | 5 +- docs/features/tls.md | 17 ++ mkdocs.yml | 1 + modules/cockroachdb/certs.go | 175 +++++------------- modules/cockroachdb/go.mod | 1 + modules/cockroachdb/go.sum | 2 + modules/rabbitmq/examples_test.go | 38 +++- modules/rabbitmq/go.mod | 1 + modules/rabbitmq/go.sum | 2 + modules/rabbitmq/rabbitmq_test.go | 35 +++- modules/rabbitmq/testdata/certs/server_ca.pem | 20 -- .../rabbitmq/testdata/certs/server_cert.pem | 21 --- .../rabbitmq/testdata/certs/server_key.pem | 27 --- modules/redpanda/go.mod | 1 + modules/redpanda/go.sum | 2 + modules/redpanda/redpanda_test.go | 98 ++-------- reaper.go | 1 - 19 files changed, 159 insertions(+), 294 deletions(-) create mode 100644 docs/features/tls.md delete mode 100644 modules/rabbitmq/testdata/certs/server_ca.pem delete mode 100644 modules/rabbitmq/testdata/certs/server_cert.pem delete mode 100644 modules/rabbitmq/testdata/certs/server_key.pem diff --git a/container.go b/container.go index 5a1bf1fcc2..2f24f4c38f 100644 --- a/container.go +++ b/container.go @@ -229,7 +229,7 @@ func (c *ContainerRequest) GetContext() (io.Reader, error) { if dockerIgnoreExists { // only add .dockerignore if it exists - includes = append(includes, filepath.Join(".dockerignore")) + includes = append(includes, ".dockerignore") } includes = append(includes, c.GetDockerfile()) diff --git a/docker.go b/docker.go index 0d0d8cad30..2a8b0c3ef5 100644 --- a/docker.go +++ b/docker.go @@ -637,6 +637,9 @@ func (c *DockerContainer) CopyToContainer(ctx context.Context, fileContent []byt func (c *DockerContainer) copyToContainer(ctx context.Context, fileContent func(tw io.Writer) error, fileContentSize int64, containerFilePath string, fileMode int64) error { buffer, err := tarFile(containerFilePath, fileContent, fileContentSize, fileMode) + if err != nil { + return err + } err = c.provider.client.CopyToContainer(ctx, c.ID, "/", buffer, types.CopyToContainerOptions{}) if err != nil { @@ -1520,7 +1523,6 @@ func (p *DockerProvider) getDefaultNetwork(ctx context.Context, cli client.APICl Attachable: true, Labels: core.DefaultLabels(core.SessionID()), }) - if err != nil { return "", err } diff --git a/docker_exec_test.go b/docker_exec_test.go index 4716c493ab..11f187c226 100644 --- a/docker_exec_test.go +++ b/docker_exec_test.go @@ -8,6 +8,7 @@ import ( "github.com/docker/docker/pkg/stdcopy" "github.com/stretchr/testify/require" + tcexec "github.com/testcontainers/testcontainers-go/exec" ) @@ -133,6 +134,6 @@ func TestExecWithNonMultiplexedResponse(t *testing.T) { require.NotNil(t, stdout) require.NotNil(t, stderr) - require.Equal(t, stdout.String(), "stdout\n") - require.Equal(t, stderr.String(), "stderr\n") + require.Equal(t, "stdout\n", stdout.String()) + require.Equal(t, "stderr\n", stderr.String()) } diff --git a/docs/features/tls.md b/docs/features/tls.md new file mode 100644 index 0000000000..fd8b95266d --- /dev/null +++ b/docs/features/tls.md @@ -0,0 +1,17 @@ +# TLS certificates + +Interacting with services that require TLS certificates is a common issue when working with containers. You can create one or more on-the-fly certificates in order to communicate with your services. + +_Testcontainers for Go_ uses a library to generate certificates on-the-fly. This library is called [tlscert](https://github.com/mdelapenya/tlscert). + +### Examples + +In the following example we are going to start an HTTP server with a self-signed certificate. +It exposes one single handler that will return a simple message when accessed. +The example will also create a client that will connect to the server using the generated certificate, +demonstrating how to use the generated certificate to communicate with a service. + + +[Create a self-signed certificate](../../modules/cockroachdb/certs.go) inside_block:exampleSelfSignedCert +[Sign a self-signed certificate](../../modules/cockroachdb/certs.go) inside_block:exampleSignSelfSignedCert + diff --git a/mkdocs.yml b/mkdocs.yml index 8239016533..dcfc17e496 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -45,6 +45,7 @@ nav: - features/files_and_mounts.md - features/creating_networks.md - features/networking.md + - features/tls.md - features/garbage_collector.md - features/build_from_dockerfile.md - features/docker_auth.md diff --git a/modules/cockroachdb/certs.go b/modules/cockroachdb/certs.go index fc1b399a42..dab738192a 100644 --- a/modules/cockroachdb/certs.go +++ b/modules/cockroachdb/certs.go @@ -1,14 +1,12 @@ package cockroachdb import ( - "crypto/rand" - "crypto/rsa" "crypto/x509" - "crypto/x509/pkix" - "encoding/pem" - "math/big" + "fmt" "net" "time" + + "github.com/mdelapenya/tlscert" ) type TLSConfig struct { @@ -21,138 +19,49 @@ type TLSConfig struct { // NewTLSConfig creates a new TLSConfig capable of running CockroachDB & connecting over TLS. func NewTLSConfig() (*TLSConfig, error) { - caCert, caKey, err := generateCA() - if err != nil { - return nil, err + // exampleSelfSignedCert { + caCert := tlscert.SelfSignedFromRequest(tlscert.Request{ + Name: "ca", + SubjectCommonName: "Cockroach Test CA", + Host: "localhost,127.0.0.1", + IsCA: true, + ValidFor: time.Hour, + }) + if caCert == nil { + return nil, fmt.Errorf("failed to generate CA certificate") } - - nodeCert, nodeKey, err := generateNode(caCert, caKey) - if err != nil { - return nil, err + // } + + // exampleSignSelfSignedCert { + nodeCert := tlscert.SelfSignedFromRequest(tlscert.Request{ + Name: "node", + SubjectCommonName: "node", + Host: "localhost,127.0.0.1", + IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}, + ValidFor: time.Hour, + Parent: caCert, // using the CA certificate as parent + }) + if nodeCert == nil { + return nil, fmt.Errorf("failed to generate node certificate") } - - clientCert, clientKey, err := generateClient(caCert, caKey) - if err != nil { - return nil, err + // } + + clientCert := tlscert.SelfSignedFromRequest(tlscert.Request{ + Name: "client", + SubjectCommonName: defaultUser, + Host: "localhost,127.0.0.1", + ValidFor: time.Hour, + Parent: caCert, // using the CA certificate as parent + }) + if clientCert == nil { + return nil, fmt.Errorf("failed to generate client certificate") } return &TLSConfig{ - CACert: caCert, - NodeCert: nodeCert, - NodeKey: nodeKey, - ClientCert: clientCert, - ClientKey: clientKey, + CACert: caCert.Cert, + NodeCert: nodeCert.Bytes, + NodeKey: nodeCert.KeyBytes, + ClientCert: clientCert.Bytes, + ClientKey: clientCert.KeyBytes, }, nil } - -func generateCA() (*x509.Certificate, *rsa.PrivateKey, error) { - template := x509.Certificate{ - SerialNumber: big.NewInt(2019), - Subject: pkix.Name{ - CommonName: "Cockroach Test CA", - }, - NotBefore: time.Now().Add(-time.Hour), - NotAfter: time.Now().Add(time.Hour), - KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, - BasicConstraintsValid: true, - IsCA: true, - } - - caPrivKey, err := rsa.GenerateKey(rand.Reader, 2048) - if err != nil { - return nil, nil, err - } - - caBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, caPrivKey.Public(), caPrivKey) - if err != nil { - return nil, nil, err - } - - caCert, err := x509.ParseCertificate(caBytes) - if err != nil { - return nil, nil, err - } - - return caCert, caPrivKey, nil -} - -func generateNode(caCert *x509.Certificate, caKey *rsa.PrivateKey) ([]byte, []byte, error) { - template := x509.Certificate{ - SerialNumber: big.NewInt(2019), - Subject: pkix.Name{ - CommonName: "node", - }, - DNSNames: []string{"localhost"}, - IPAddresses: []net.IP{ - net.IPv4(127, 0, 0, 1), - net.IPv6loopback, - }, - NotBefore: time.Now().Add(-time.Hour), - NotAfter: time.Now().Add(time.Hour), - KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, - ExtKeyUsage: []x509.ExtKeyUsage{ - x509.ExtKeyUsageServerAuth, - x509.ExtKeyUsageClientAuth, - }, - BasicConstraintsValid: true, - } - - certPrivKey, err := rsa.GenerateKey(rand.Reader, 2048) - if err != nil { - return nil, nil, err - } - - certBytes, err := x509.CreateCertificate(rand.Reader, &template, caCert, certPrivKey.Public(), caKey) - if err != nil { - return nil, nil, err - } - - cert := pem.EncodeToMemory(&pem.Block{ - Type: "CERTIFICATE", - Bytes: certBytes, - }) - certKey := pem.EncodeToMemory(&pem.Block{ - Type: "RSA PRIVATE KEY", - Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey), - }) - - return cert, certKey, nil -} - -func generateClient(caCert *x509.Certificate, caKey *rsa.PrivateKey) ([]byte, []byte, error) { - template := x509.Certificate{ - SerialNumber: big.NewInt(2019), - Subject: pkix.Name{ - CommonName: defaultUser, - }, - NotBefore: time.Now().Add(-time.Hour), - NotAfter: time.Now().Add(time.Hour), - KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, - ExtKeyUsage: []x509.ExtKeyUsage{ - x509.ExtKeyUsageServerAuth, - x509.ExtKeyUsageClientAuth, - }, - BasicConstraintsValid: true, - } - - certPrivKey, err := rsa.GenerateKey(rand.Reader, 2048) - if err != nil { - return nil, nil, err - } - - certBytes, err := x509.CreateCertificate(rand.Reader, &template, caCert, certPrivKey.Public(), caKey) - if err != nil { - return nil, nil, err - } - - cert := pem.EncodeToMemory(&pem.Block{ - Type: "CERTIFICATE", - Bytes: certBytes, - }) - certKey := pem.EncodeToMemory(&pem.Block{ - Type: "RSA PRIVATE KEY", - Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey), - }) - - return cert, certKey, nil -} diff --git a/modules/cockroachdb/go.mod b/modules/cockroachdb/go.mod index 094a61e8b5..8e78d6c8d5 100644 --- a/modules/cockroachdb/go.mod +++ b/modules/cockroachdb/go.mod @@ -36,6 +36,7 @@ require ( github.com/kr/text v0.2.0 // indirect github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect github.com/magiconair/properties v1.8.7 // indirect + github.com/mdelapenya/tlscert v0.1.0 github.com/moby/patternmatcher v0.6.0 // indirect github.com/moby/sys/sequential v0.5.0 // indirect github.com/moby/sys/user v0.1.0 // indirect diff --git a/modules/cockroachdb/go.sum b/modules/cockroachdb/go.sum index 2365978d8b..1ec215bc59 100644 --- a/modules/cockroachdb/go.sum +++ b/modules/cockroachdb/go.sum @@ -73,6 +73,8 @@ github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= +github.com/mdelapenya/tlscert v0.1.0 h1:YTpF579PYUX475eOL+6zyEO3ngLTOUWck78NBuJVXaM= +github.com/mdelapenya/tlscert v0.1.0/go.mod h1:wrbyM/DwbFCeCeqdPX/8c6hNOqQgbf0rUDErE1uD+64= github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk= github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc= github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc= diff --git a/modules/rabbitmq/examples_test.go b/modules/rabbitmq/examples_test.go index a6fc829424..55fcd143da 100644 --- a/modules/rabbitmq/examples_test.go +++ b/modules/rabbitmq/examples_test.go @@ -5,9 +5,10 @@ import ( "fmt" "io" "log" - "path/filepath" + "os" "strings" + "github.com/mdelapenya/tlscert" amqp "github.com/rabbitmq/amqp091-go" "github.com/testcontainers/testcontainers-go" @@ -89,10 +90,39 @@ func ExampleRunContainer_withSSL() { // enableSSL { ctx := context.Background() + tmpDir := os.TempDir() + certDirs := tmpDir + "/rabbitmq" + if err := os.MkdirAll(certDirs, 0755); err != nil { + log.Fatalf("failed to create temporary directory: %s", err) + } + defer os.RemoveAll(certDirs) + + // generates the CA certificate and the certificate + caCert := tlscert.SelfSignedFromRequest(tlscert.Request{ + Name: "ca", + Host: "localhost,127.0.0.1", + IsCA: true, + ParentDir: certDirs, + }) + if caCert == nil { + log.Fatal("failed to generate CA certificate") + } + + cert := tlscert.SelfSignedFromRequest(tlscert.Request{ + Name: "client", + Host: "localhost,127.0.0.1", + IsCA: true, + Parent: caCert, + ParentDir: certDirs, + }) + if cert == nil { + log.Fatal("failed to generate certificate") + } + sslSettings := rabbitmq.SSLSettings{ - CACertFile: filepath.Join("testdata", "certs", "server_ca.pem"), - CertFile: filepath.Join("testdata", "certs", "server_cert.pem"), - KeyFile: filepath.Join("testdata", "certs", "server_key.pem"), + CACertFile: caCert.CertPath, + CertFile: cert.CertPath, + KeyFile: cert.KeyPath, VerificationMode: rabbitmq.SSLVerificationModePeer, FailIfNoCert: true, VerificationDepth: 1, diff --git a/modules/rabbitmq/go.mod b/modules/rabbitmq/go.mod index 4cc07b1c85..2c8134c7dd 100644 --- a/modules/rabbitmq/go.mod +++ b/modules/rabbitmq/go.mod @@ -30,6 +30,7 @@ require ( github.com/klauspost/compress v1.16.0 // indirect github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect github.com/magiconair/properties v1.8.7 // indirect + github.com/mdelapenya/tlscert v0.1.0 github.com/moby/patternmatcher v0.6.0 // indirect github.com/moby/sys/sequential v0.5.0 // indirect github.com/moby/sys/user v0.1.0 // indirect diff --git a/modules/rabbitmq/go.sum b/modules/rabbitmq/go.sum index 3199313edc..79a23800a3 100644 --- a/modules/rabbitmq/go.sum +++ b/modules/rabbitmq/go.sum @@ -63,6 +63,8 @@ github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= +github.com/mdelapenya/tlscert v0.1.0 h1:YTpF579PYUX475eOL+6zyEO3ngLTOUWck78NBuJVXaM= +github.com/mdelapenya/tlscert v0.1.0/go.mod h1:wrbyM/DwbFCeCeqdPX/8c6hNOqQgbf0rUDErE1uD+64= github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk= github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc= github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc= diff --git a/modules/rabbitmq/rabbitmq_test.go b/modules/rabbitmq/rabbitmq_test.go index 7079379421..f1f03f8ba9 100644 --- a/modules/rabbitmq/rabbitmq_test.go +++ b/modules/rabbitmq/rabbitmq_test.go @@ -6,11 +6,11 @@ import ( "crypto/x509" "fmt" "io" - "io/ioutil" - "path/filepath" + "os" "strings" "testing" + "github.com/mdelapenya/tlscert" amqp "github.com/rabbitmq/amqp091-go" "github.com/testcontainers/testcontainers-go" @@ -49,10 +49,33 @@ func TestRunContainer_connectUsingAmqp(t *testing.T) { func TestRunContainer_connectUsingAmqps(t *testing.T) { ctx := context.Background() + tmpDir := t.TempDir() + + caCert := tlscert.SelfSignedFromRequest(tlscert.Request{ + Name: "ca", + Host: "localhost,127.0.0.1", + IsCA: true, + ParentDir: tmpDir, + }) + if caCert == nil { + t.Fatal("failed to generate CA certificate") + } + + cert := tlscert.SelfSignedFromRequest(tlscert.Request{ + Name: "client", + Host: "localhost,127.0.0.1", + IsCA: true, + Parent: caCert, + ParentDir: tmpDir, + }) + if cert == nil { + t.Fatal("failed to generate certificate") + } + sslSettings := rabbitmq.SSLSettings{ - CACertFile: filepath.Join("testdata", "certs", "server_ca.pem"), - CertFile: filepath.Join("testdata", "certs", "server_cert.pem"), - KeyFile: filepath.Join("testdata", "certs", "server_key.pem"), + CACertFile: caCert.CertPath, + CertFile: cert.CertPath, + KeyFile: cert.KeyPath, VerificationMode: rabbitmq.SSLVerificationModePeer, FailIfNoCert: false, VerificationDepth: 1, @@ -80,7 +103,7 @@ func TestRunContainer_connectUsingAmqps(t *testing.T) { certs := x509.NewCertPool() - pemData, err := ioutil.ReadFile(sslSettings.CACertFile) + pemData, err := os.ReadFile(sslSettings.CACertFile) if err != nil { t.Fatal(err) } diff --git a/modules/rabbitmq/testdata/certs/server_ca.pem b/modules/rabbitmq/testdata/certs/server_ca.pem deleted file mode 100644 index f22df82909..0000000000 --- a/modules/rabbitmq/testdata/certs/server_ca.pem +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDRzCCAi+gAwIBAgIJAJJIMzvZuRzlMA0GCSqGSIb3DQEBCwUAMDExIDAeBgNV -BAMMF1RMU0dlblNlbGZTaWduZWR0Um9vdENBMQ0wCwYDVQQHDAQkJCQkMCAXDTE5 -MDUwMjA3MjI0OVoYDzIxMTkwNDA4MDcyMjQ5WjAxMSAwHgYDVQQDDBdUTFNHZW5T -ZWxmU2lnbmVkdFJvb3RDQTENMAsGA1UEBwwEJCQkJDCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAKko8FmfzrLHyZckvdR1oiSZf80m0t66TMqtLat1Oxjh -CjsxvswwJ/m2I5dM48hwZ+0b2ufkvaudLPq/8jDGyONVfjMGlbe1YlmQMDC7YWdI -XM1nCWAZIKaOHwIkfswuVBAdBVYV4Polu6wjVt5edEpl/IWEpPicXjLOY1Fw3q67 -5tP2Mmo6TJg5YqgB4fH4SmajtP3j+H4puQ8ZPIs26mInEgfCyrMWey/oQX8qqMph -pKMEJYE7DHawriFraOooJadJYojbY5H27nmJe8yXURb3wSQSaKnFZL25cmVm2kue -/lw+n+a2wLdHdU4cmghCURalhcXUNZe7UbdRZ9e9r2cCAwEAAaNgMF4wCwYDVR0P -BAQDAgEGMB0GA1UdDgQWBBSZiNur/XHsqSfdWnB1NPi/ql5+tzAfBgNVHSMEGDAW -gBSZiNur/XHsqSfdWnB1NPi/ql5+tzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 -DQEBCwUAA4IBAQAar/db/T7izD4pyh2titl7Dkgp2iTditfgqRlU0yVGiiB6rLmY -sYE2QAuFhgqyRLPcjVV8F39iRJHQ17SGT8e2iAaUTnbQj0AiskKjonF9+quKuVbr -TpYHk+guS0Jn2rU6HK8WQeYZOh3WdLTu4ArXkxywgwVssQQ9JmpTd9YEYePWfs7i -WZB6AQyL9CD3z1j4i1G4ft6pB1Ps5XjznqMZ2//7AUpoRTrettWqorPWwudQ9yna -B4S6KtvpnxUQSeHJW6Q4NvTrOsvHEOCa6OtwYbWmLf+qbpPb8oHt9UF3ze2PJopB -QzsQop1+gPudG0DX0SgyuQT+SsFjYlDazZdZ ------END CERTIFICATE----- diff --git a/modules/rabbitmq/testdata/certs/server_cert.pem b/modules/rabbitmq/testdata/certs/server_cert.pem deleted file mode 100644 index 8a78318338..0000000000 --- a/modules/rabbitmq/testdata/certs/server_cert.pem +++ /dev/null @@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDajCCAlKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAxMSAwHgYDVQQDDBdUTFNH -ZW5TZWxmU2lnbmVkdFJvb3RDQTENMAsGA1UEBwwEJCQkJDAgFw0xOTA1MDIwNzIy -NDlaGA8yMTE5MDQwODA3MjI0OVowIzEQMA4GA1UEAwwHQzY1U1RUMjEPMA0GA1UE -CgwGc2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqR0QXKtb -KVeEuCmZGcZAlAlTBC8E/G3UuX6qKwTR1xEOvUWeBH1n0WeXXGd/p/y6P4lRBeWN -BZ9KcvIlNDeDMy05NfxnO1vnJk9E8/0xwMiY1LJdMHzIzhmrrqXo0u3DT8MmoNR6 -7CTcnG21gi1GrjW8a747yFF0xfukEc6FkyVqLsjtCkHPwrc/sBHVS3aivNWGkJzA -eBXBdWJAg3ZC6T9U+Y8cndWQrpYMJvek1IewlyDSspHZDFmM1OwVwypnMt4fGgaX -5IlUMnNgKmisOSuI529rxLF+mvYIQLRl5bP+1/c9JD5MZ5krA3SrjdwRFS3sQXC3 -nuHqJofFXNkbXQIDAQABo4GYMIGVMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMBMG -A1UdJQQMMAoGCCsGAQUFBwMBMCYGA1UdEQQfMB2CB0M2NVNUVDKCB0M2NVNUVDKC -CWxvY2FsaG9zdDAdBgNVHQ4EFgQURq22sa46tA0SGHhEm9jxGP9aDrswHwYDVR0j -BBgwFoAUmYjbq/1x7Kkn3VpwdTT4v6pefrcwDQYJKoZIhvcNAQELBQADggEBAKUP -7RgmJyMVoHxg46F1fjWVhlF4BbQuEtB8mC+4G4e68lDU/TPAbmB3aj91oQDgBiTd -R2O7U6tyitxxrU2r7rFAHGhFHeyCQ3yZMwydO2V3Nm2Ywzdyk8er4yghjg9FS8tH -egDGDDod3l1yrAbHHuXmzDjnAFwHwRkm5cYUz00/IuZ3sQZ70XofL3KXNj1tAtfK -PSpdSAxSTO99ofjVKjlyywQSZKNbXfqD5DGz8e0rmqPfZ+3zi75E5nEuJ3UI2wXg -LuI4j6FIzNQyei/FdSynktcIm+hefQEyex4cho4C8RYB2S5S8RWrnP9jOzsaQFHn -bHXf7dKwRfA6/u8JmtQ= ------END CERTIFICATE----- diff --git a/modules/rabbitmq/testdata/certs/server_key.pem b/modules/rabbitmq/testdata/certs/server_key.pem deleted file mode 100644 index dfbfb6db7e..0000000000 --- a/modules/rabbitmq/testdata/certs/server_key.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAqR0QXKtbKVeEuCmZGcZAlAlTBC8E/G3UuX6qKwTR1xEOvUWe -BH1n0WeXXGd/p/y6P4lRBeWNBZ9KcvIlNDeDMy05NfxnO1vnJk9E8/0xwMiY1LJd -MHzIzhmrrqXo0u3DT8MmoNR67CTcnG21gi1GrjW8a747yFF0xfukEc6FkyVqLsjt -CkHPwrc/sBHVS3aivNWGkJzAeBXBdWJAg3ZC6T9U+Y8cndWQrpYMJvek1IewlyDS -spHZDFmM1OwVwypnMt4fGgaX5IlUMnNgKmisOSuI529rxLF+mvYIQLRl5bP+1/c9 -JD5MZ5krA3SrjdwRFS3sQXC3nuHqJofFXNkbXQIDAQABAoIBAA0dxvYZCEIFmrKZ -71jzanDQ5FJvvyhA8H3OmC4r+oZ+uTDu5FmezF2OdkvhbyI9VMi2wsT9T9m+yAxw -QXhyUce3WzeXsv4Em8H55fQykBhOtqPQja/EDeMGVK2ACrXJYRufnDBfKoWEOmQb -kjddgZzjaBDHOWXJA5CTet8ysGOAJBTxyzU69k5Vj9B5abG9CofNzGOFF+Uleff5 -ip3sz7JpDXCex3oEs98veco6+8i/MZNo3BnwB5J+P+2MFFKONfPwuNyKAWBza2/X -66Lk3xXBjLJJ+Ww16jkqueTXEq6GCFXavNfdL9aonth5V5YYR/cj+2u2LM1oj9cJ -bp0xbvUCgYEA2Svq1DyR9cfTwrbc/0J2JfrjavClzDYU2oeO2fSU85WEEjJguaja -17Vdo/UsJtiUiSq4UhI1n0haaIpTBCeF2tHGXVEYZ7ZBi1zzdWbWlDxFmi+rcE57 -ytx5w+iLE366tQEMa/Jn3bly54pG5JZAr9TXkpg9sMbzWZri2ocyU/cCgYEAx1l/ -9X9C/OruDp/MhhmVwKfw/X2+RhZRuv0pPcpJu7/gIoLgaxNj41XSeLqLYMlisaRk -GFU17GFXtfRGE1a3z+jj8UPTP2sHk3w8m0yI+pgWgsvG0TJ0B+XsRfpVxFiIoaEs -3AsBaGR+hrRY1dpaJ9Cu3J9mEeToTpbCzPzVDksCgYEAzwSvWNvYY4u2UFHSvz2S -tMfBzCpUUiNno50/ToN5De4ENPhy/eh5nNDVz7qh+PHSPiNMC2gyV4E4NZlOY5Jt -Zdc8ma35brvtJTVZGxwKBsqhqsYwTeFy3kFnjZn6IX5X6r1yIuCzpEfowdEtnS+h -wDtLuAGKJR6x0UP1Zk0ka6cCgYBGE6I1rJzhx7wTi/0bjtbjuKWwlolSnfnxH5ll -zTyKMXMa7qLxQQm2Gq84HWtthJ2bEMzW+O1RwQ5SOiKAHdXT0mx+nXcfLgKlx+CO -PyNP5DLVm8iyNWgwdpTOLKgFs5GkL8JTP9Mo3VrVA4TO+EkFAgjWKXp6A9vd9IVa -Be7nbQKBgAVtFKuf9nbCMfN+W1gN0vlW2lwxCTa4w0KHgIlGIIvnYVuixSgu9fGt -uylQcQirEjqrdzdVF9L2BQ37ZcLaGh1LoCmx8XVCX/HhbwW2RP798P3Z1P7htm16 -ha5OfuPjHvoZklbYJo6EORJZQehS2VP63pjdnmUeMHPFzrPUevI5 ------END RSA PRIVATE KEY----- diff --git a/modules/redpanda/go.mod b/modules/redpanda/go.mod index c78ba08e85..a31e06220f 100644 --- a/modules/redpanda/go.mod +++ b/modules/redpanda/go.mod @@ -35,6 +35,7 @@ require ( github.com/kr/pretty v0.3.1 // indirect github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect github.com/magiconair/properties v1.8.7 // indirect + github.com/mdelapenya/tlscert v0.1.0 github.com/moby/patternmatcher v0.6.0 // indirect github.com/moby/sys/sequential v0.5.0 // indirect github.com/moby/sys/user v0.1.0 // indirect diff --git a/modules/redpanda/go.sum b/modules/redpanda/go.sum index 6394427cd9..e31f78abc6 100644 --- a/modules/redpanda/go.sum +++ b/modules/redpanda/go.sum @@ -65,6 +65,8 @@ github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= +github.com/mdelapenya/tlscert v0.1.0 h1:YTpF579PYUX475eOL+6zyEO3ngLTOUWck78NBuJVXaM= +github.com/mdelapenya/tlscert v0.1.0/go.mod h1:wrbyM/DwbFCeCeqdPX/8c6hNOqQgbf0rUDErE1uD+64= github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk= github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc= github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc= diff --git a/modules/redpanda/redpanda_test.go b/modules/redpanda/redpanda_test.go index cdb264bd56..9d412be1c0 100644 --- a/modules/redpanda/redpanda_test.go +++ b/modules/redpanda/redpanda_test.go @@ -2,8 +2,6 @@ package redpanda_test import ( "context" - "crypto/tls" - "crypto/x509" "fmt" "io" "net/http" @@ -11,6 +9,7 @@ import ( "testing" "time" + "github.com/mdelapenya/tlscert" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "github.com/twmb/franz-go/pkg/kadm" @@ -346,12 +345,17 @@ func TestRedpandaProduceWithAutoCreateTopics(t *testing.T) { } func TestRedpandaWithTLS(t *testing.T) { - cert, err := tls.X509KeyPair(localhostCert, localhostKey) - require.NoError(t, err, "failed to load key pair") + tmp := t.TempDir() + cert := tlscert.SelfSignedFromRequest(tlscert.Request{ + Name: "client", + Host: "localhost,127.0.0.1", + ParentDir: tmp, + }) + require.NotNil(t, cert, "failed to generate cert") ctx := context.Background() - container, err := redpanda.RunContainer(ctx, redpanda.WithTLS(localhostCert, localhostKey)) + container, err := redpanda.RunContainer(ctx, redpanda.WithTLS(cert.Bytes, cert.KeyBytes)) require.NoError(t, err) t.Cleanup(func() { @@ -360,13 +364,7 @@ func TestRedpandaWithTLS(t *testing.T) { } }) - caCertPool := x509.NewCertPool() - caCertPool.AppendCertsFromPEM(localhostCert) - - tlsConfig := &tls.Config{ - Certificates: []tls.Certificate{cert}, - RootCAs: caCertPool, - } + tlsConfig := cert.TLSConfig() httpCl := &http.Client{ Timeout: 5 * time.Second, @@ -415,13 +413,19 @@ func TestRedpandaWithTLS(t *testing.T) { } func TestRedpandaWithTLSAndSASL(t *testing.T) { - cert, err := tls.X509KeyPair(localhostCert, localhostKey) - require.NoError(t, err, "failed to load key pair") + tmp := t.TempDir() + + cert := tlscert.SelfSignedFromRequest(tlscert.Request{ + Name: "client", + Host: "localhost,127.0.0.1", + ParentDir: tmp, + }) + require.NotNil(t, cert, "failed to generate cert") ctx := context.Background() container, err := redpanda.RunContainer(ctx, - redpanda.WithTLS(localhostCert, localhostKey), + redpanda.WithTLS(cert.Bytes, cert.KeyBytes), redpanda.WithEnableSASL(), redpanda.WithEnableKafkaAuthorization(), redpanda.WithNewServiceAccount("superuser-1", "test"), @@ -435,13 +439,7 @@ func TestRedpandaWithTLSAndSASL(t *testing.T) { } }) - caCertPool := x509.NewCertPool() - caCertPool.AppendCertsFromPEM(localhostCert) - - tlsConfig := &tls.Config{ - Certificates: []tls.Certificate{cert}, - RootCAs: caCertPool, - } + tlsConfig := cert.TLSConfig() broker, err := container.KafkaSeedBroker(ctx) require.NoError(t, err) @@ -573,59 +571,3 @@ func TestRedpandaListener_NoNetwork(t *testing.T) { require.Contains(t, err.Error(), "container must be attached to at least one network") } - -// localhostCert is a PEM-encoded TLS cert with SAN IPs -// generated from src/crypto/tls: -// go run generate_cert.go --rsa-bits 2048 --host 127.0.0.1,::1,localhost --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h -var localhostCert = []byte(`-----BEGIN CERTIFICATE----- -MIIDODCCAiCgAwIBAgIRAKMykg5qJSCb4L3WtcZznSQwDQYJKoZIhvcNAQELBQAw -EjEQMA4GA1UEChMHQWNtZSBDbzAgFw03MDAxMDEwMDAwMDBaGA8yMDg0MDEyOTE2 -MDAwMFowEjEQMA4GA1UEChMHQWNtZSBDbzCCASIwDQYJKoZIhvcNAQEBBQADggEP -ADCCAQoCggEBAPYcLIhqCsrmqvsY1gWqI1jx3Ytn5Qjfvlg3BPD/YeD4UVouBhgQ -NIIERFCmDUzu52pXYZeCouBIVDWqZKixQf3PyBzAqbFvX0pTsZrOnvjuoahzjEcl -x+CfkIp58mVaV/8v9TyBYCXNuHlI7Pndu/3U5d6npSg8+dTkwW3VZzZyHpsDW+a4 -ByW02NI58LoHzQPMRg9MFToL1qNQy4PFyADf2N/3/SYOkrbSrXA0jYqXE8yvQGYe -LWcoQ+4YkurSS1TgSNEKxrzGj8w4xRjEjRNsLVNWd8uxZkHwv6LXOn4s39ix3jN4 -7OJJHA8fJAWxAP4ThrpM1j5J+Rq1PD380u8CAwEAAaOBhjCBgzAOBgNVHQ8BAf8E -BAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNV -HQ4EFgQU8gMBt2leRAnGgCQ6pgIYPHY35GAwLAYDVR0RBCUwI4IJbG9jYWxob3N0 -hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4IBAQA5F6aw -6JJMsnCjxRGYXb252zqjxOxweawZ2je4UAGSsF27Phm1Bx6/2mzPpgIB0I7xNBFL -ljtqBG/FpH6qWpkkegljL8Z5soXiye/4r1G+V6hadm32/OLQCS//dyq7W1a2uVlS -KdFjoNqRW2PacVQLjnTbP2SJV5CnrJgCsSMXVoNnKdj5gr5ltNNAt9TAJ85iFa5d -rJla/XghtqEOzYtigKPF7EVqRRl4RmPu30hxwDZMT60ptFolfCEeXpDra5uonJMv -ElEbzK8ZzXmvWCj94RjPkGKZs8+SDM2qfKPk5ZW2xJxwqS3tkEkZlj1L+b7zYOlt -aJ65OWCXHLecrgdl ------END CERTIFICATE-----`) - -// localhostKey is the private key for localhostCert. -var localhostKey = []byte(testingKey(`-----BEGIN TESTING KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQD2HCyIagrK5qr7 -GNYFqiNY8d2LZ+UI375YNwTw/2Hg+FFaLgYYEDSCBERQpg1M7udqV2GXgqLgSFQ1 -qmSosUH9z8gcwKmxb19KU7Gazp747qGoc4xHJcfgn5CKefJlWlf/L/U8gWAlzbh5 -SOz53bv91OXep6UoPPnU5MFt1Wc2ch6bA1vmuAcltNjSOfC6B80DzEYPTBU6C9aj -UMuDxcgA39jf9/0mDpK20q1wNI2KlxPMr0BmHi1nKEPuGJLq0ktU4EjRCsa8xo/M -OMUYxI0TbC1TVnfLsWZB8L+i1zp+LN/Ysd4zeOziSRwPHyQFsQD+E4a6TNY+Sfka -tTw9/NLvAgMBAAECggEBALKxAiSJ2gw4Lyzhe4PhZIjQE+uEI+etjKbAS/YvdwHB -SlAP2pzeJ0G/l1p3NnEFhUDQ8SrwzxHJclsEvNE+4otGsiUuPgd2tdlhqzKbkxFr -MjT8sH14EQgm0uu4Xyb30ayXRZgI16abF7X4HRfOxxAl5EElt+TfYQYSkd8Nc0Mz -bD7g0riSdOKVhNIkUTT1U7x8ClIgff6vbWztOVP4hGezqEKpO/8+JBkg2GLeH3lC -PyuHEb33Foxg7SX35M1a89EKC2p4ER6/nfg6wGYyIsn42gBk1JgQdg23x7c/0WOu -vcw1unNP2kCbnsCeZ6KPRRGXEjbpTqOTzAUOekOeOgECgYEA9/jwK2wrX2J3kJN7 -v6kmxazigXHCa7XmFMgTfdqiQfXfjdi/4u+4KAX04jWra3ZH4KT98ztPOGjb6KhM -hfMldsxON8S9IQPcbDyj+5R77KU4BG/JQBEOX1uzS9KjMVG5e9ZUpG5UnSoSOgyM -oN3DZto7C5ULO2U2MT8JaoGb53cCgYEA/hPNMsCXFairxKy0BCsvJFan93+GIdwM -YoAGLc4Oj67ES8TYC4h9Im5i81JYOjpY4aZeKdj8S+ozmbqqa/iJiAfOr37xOMuX -AQA2T8uhPXXNXA5s6T3LaIXtzL0NmRRZCtuyEGdCidIXub7Bz8LrfsMc+s/jv57f -4IPmW12PPkkCgYBpEdDqBT5nfzh8SRGhR1IHZlbfVE12CDACVDh2FkK0QjNETjgY -N0zHoKZ/hxAoS4jvNdnoyxOpKj0r2sv54enY6X6nALTGnXUzY4p0GhlcTzFqJ9eV -TuTRIPDaytidGCzIvStGNP2jTmVEtXaM3wphtUxZfwCwXRVWToh12Y8uxwKBgA1a -FQp5vHbS6lPnj344lr2eIC2NcgsNeUkj2S9HCNTcJkylB4Vzor/QdTq8NQ66Sjlx -eLlSQc/retK1UIdkBDY10tK+JQcLC+Btlm0TEmIccrJHv8lyCeJwR1LfDHvi6dr8 -OJtMEd8UP1Lvh1fXsnBy6G71xc4oFzPBOrXKcOChAoGACOgyYe47ZizScsUGjCC7 -xARTEolZhtqHKVd5s9oi95P0r7A1gcNx/9YW0rCT2ZD8BD9H++HTE2L+mh3R9zDn -jwDeW7wVZec+oyGdc9L+B1xU25O+88zNLxlRAX8nXJbHdgL83UclmC51GbXejloP -D4ZNvyXf/6E27Ibu6v2p/vs= ------END TESTING KEY-----`)) - -func testingKey(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") } diff --git a/reaper.go b/reaper.go index 3dff6a7c9d..859f8b76de 100644 --- a/reaper.go +++ b/reaper.go @@ -120,7 +120,6 @@ func lookUpReaperContainer(ctx context.Context, sessionID string) (*DockerContai return nil }, backoff.WithContext(exp, ctx)) - if err != nil { return nil, err }