Launch Nexus using a self-signed x.509 certificate #1287

Merged (7 commits), Jun 28, 2022

smklein (Collaborator) commented Jun 28, 2022

Part of #249

This PR forces Nexus's external interface to be served via HTTPS when deployed by the sled-agent.

  • The packaging system expects to find these certificates within ./out/certs, named cert.pem and key.pem.
  • ./tools/create_self_signed_cert.sh is capable of creating a self-signed certificate.

davepacheco (Collaborator) left a comment

This looks good. Two things:

  • If somebody forgets to create the self-signed certificate but still builds the image, what's the failure mode? It'd be nice if that fails building the image rather than failing at runtime.
  • I wonder if we should update the example config files and the simulated run instructions so that people are doing this in that workflow too. But that doesn't have to be in this PR!

smklein (Collaborator, Author) commented Jun 28, 2022

> This looks good. Two things:
>
>   • If somebody forgets to create the self-signed certificate but still builds the image, what's the failure mode? It'd be nice if that fails building the image rather than failing at runtime.

The packaging tools complain when constructing the Nexus zone image - so it is not a runtime failure. I wanted to make the certificates mandatory for running in "real" nexus to make it very difficult to "not have them at runtime, somehow".

>   • I wonder if we should update the example config files and the simulated run instructions so that people are doing this in that workflow too. But that doesn't have to be in this PR!

Sounds good

davepacheco (Collaborator) commented

>> This looks good. Two things:
>>
>>   • If somebody forgets to create the self-signed certificate but still builds the image, what's the failure mode? It'd be nice if that fails building the image rather than failing at runtime.
>
> The packaging tools complain when constructing the Nexus zone image - so it is not a runtime failure. I wanted to make the certificates mandatory for running in "real" nexus to make it very difficult to "not have them at runtime, somehow".

Sounds good. I was worried because I didn't see anything in this PR that would obviously fail in that case.

#
# For those with access, certificates are available in:
#
# https://github.com/oxidecomputer/configs/tree/master/nginx/ssl/wildcard.oxide-preview.com
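Review bot: The comment block ending at the wildcard.oxide-preview.com URL tells the reader where the certificates are but not what to do with them. Say that they must be placed in ./out/certs as cert.pem and key.pem, the names the PR description gives for the packaging step, and consider describing the source rather than linking a tree/master path, since a branch-relative URL goes stale when that repository is reorganized.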
Contributor

This location will change eventually as some things get decoupled. Not to block this PR, but for future reference.

Collaborator, Author

Thanks for the heads up. The flow for importing a non-self-signed cert is clearly half-baked; I needed to pull them manually.

Until we have a good authentication story for it, the manual approach seems better than something insecure, but I'd like to remedy that when we can.

smklein (Collaborator, Author) commented Jun 28, 2022

>>> This looks good. Two things:
>>>
>>>   • If somebody forgets to create the self-signed certificate but still builds the image, what's the failure mode? It'd be nice if that fails building the image rather than failing at runtime.
>>
>> The packaging tools complain when constructing the Nexus zone image - so it is not a runtime failure. I wanted to make the certificates mandatory for running in "real" nexus to make it very difficult to "not have them at runtime, somehow".
>
> Sounds good. I was worried because I didn't see anything in this PR that would obviously fail in that case.

Hrm... I realized, the thing we were actually checking for was the presence of a directory in out/certs. I've updated the packaging stuff to be more specific about the individual files.
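The gap discussed in this thread (a check that passes because the certs directory exists while cert.pem or key.pem is absent) can be caught with a per-file preflight check before packaging. The script below is an added example, not the project's packaging code; the function names `check_pem_file` and `check_certs` are hypothetical, and the only values taken from the PR are the directory `./out/certs` and the file names `cert.pem` and `key.pem`.

```shell
#!/bin/sh
# Added example (not from the PR): build-time preflight for TLS material.
# A directory-only test passes on an empty out/certs; this checks each file.

# check_pem_file FILE MARKER
# FILE must be a non-empty regular file containing a PEM "BEGIN" line
# whose label ends in MARKER (e.g. "CERTIFICATE", "PRIVATE KEY").
check_pem_file() {
    file=$1
    marker=$2
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 1
    fi
    if [ ! -s "$file" ]; then
        echo "empty: $file" >&2
        return 1
    fi
    if ! grep -q -e "^-----BEGIN .*${marker}-----" "$file"; then
        echo "not a PEM ${marker}: $file" >&2
        return 1
    fi
}

# check_certs DIR
# Returns 0 only when DIR holds a PEM certificate named cert.pem and a PEM
# private key named key.pem. Every problem is reported, not just the first,
# so one failed build tells the operator everything that needs fixing.
check_certs() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 1
    fi
    check_pem_file "$dir/cert.pem" "CERTIFICATE" || rc=1
    check_pem_file "$dir/key.pem" "PRIVATE KEY" || rc=1
    return $rc
}
```

Calling `check_certs ./out/certs` ahead of the packaging step turns a missing or swapped file into a build failure. It only inspects the PEM labels, so it does not confirm that the key matches the certificate.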

@smklein smklein enabled auto-merge (squash) June 28, 2022 18:46
@smklein smklein merged commit a0e5d59 into main Jun 28, 2022
@smklein smklein deleted the x509 branch June 28, 2022 19:56
smklein added a commit that referenced this pull request Jun 29, 2022
smklein added a commit that referenced this pull request Jun 29, 2022
jmpesp added a commit to jmpesp/omicron that referenced this pull request Jun 29, 2022
smklein added a commit that referenced this pull request Jul 26, 2022
Part of #249

This PR forces Nexus's external interface to be served via HTTPS when deployed by the sled-agent.

- The packaging system expects to find these certificates within `./out/certs`, named `cert.pem` and `key.pem`.
- `./tools/create_self_signed_cert.sh` is capable of creating a self-signed certificate.
jmpesp pushed a commit to jmpesp/omicron that referenced this pull request Aug 8, 2022
…1500)

Another attempt at oxidecomputer#1287

In addition to launching an HTTPS server, this also launches an HTTP server so we can smoothly migrate clients (like the CLI).

Part of oxidecomputer#249