From 6d64394ad466fe362f0db170732aad5cf1672b58 Mon Sep 17 00:00:00 2001 From: Arvindh Date: Wed, 7 Feb 2024 10:53:53 +0530 Subject: [PATCH 01/40] add: modified as per server need Signed-off-by: Arvindh --- docker/.env | 1 + docker/nginx/entrypoint.sh | 2 ++ docker/nginx/nginx-key.conf | 41 ++++++++++++++++++++++++------------ docker/nginx/nginx-x509.conf | 37 +++++++++++++++++++++----------- 4 files changed, 55 insertions(+), 26 deletions(-) diff --git a/docker/.env b/docker/.env index c433e7f103..1f459de82b 100644 --- a/docker/.env +++ b/docker/.env @@ -7,6 +7,7 @@ MG_NGINX_HTTP_PORT=80 MG_NGINX_SSL_PORT=443 MG_NGINX_MQTT_PORT=1883 MG_NGINX_MQTTS_PORT=8883 +MG_NGINX_SERVER_NAME=localhost ## Nats MG_NATS_PORT=4222 diff --git a/docker/nginx/entrypoint.sh b/docker/nginx/entrypoint.sh index 1076b600fc..5449b2dbc8 100755 --- a/docker/nginx/entrypoint.sh +++ b/docker/nginx/entrypoint.sh @@ -12,6 +12,8 @@ else fi envsubst ' + ${MG_NGINX_SERVER_NAME} + ${MG_UI_PORT} ${MG_AUTH_HTTP_PORT} ${MG_USERS_HTTP_PORT} ${MG_THINGS_HTTP_PORT} diff --git a/docker/nginx/nginx-key.conf b/docker/nginx/nginx-key.conf index aa0fa05edb..a2d3eb5f77 100644 --- a/docker/nginx/nginx-key.conf +++ b/docker/nginx/nginx-key.conf @@ -48,9 +48,15 @@ http { add_header Access-Control-Allow-Methods '*'; add_header Access-Control-Allow-Headers '*'; - server_name localhost; + set $dynamic_server_name $MG_NGINX_SERVER_NAME; - location ~ ^/(channels)/(.+)/(things)/(.+) { + if ($dynamic_server_name = '') { + set $dynamic_server_name "localhost"; + } + + server_name $dynamic_server_name; + + location ~ ^/api/(channels)/(.+)/(things)/(.+) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://things:${MG_THINGS_HTTP_PORT}; 
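Review bot: The fallback in `if ($dynamic_server_name = '') { set $dynamic_server_name "localhost"; }` can never run, because `$MG_NGINX_SERVER_NAME` in `set $dynamic_server_name $MG_NGINX_SERVER_NAME;` is substituted by envsubst in entrypoint.sh before nginx starts; with the variable unset the line becomes `set $dynamic_server_name ;`, which nginx rejects at config load, well before any `if` is evaluated. As far as I know nginx also does not expand variables in `server_name`, so `server_name $dynamic_server_name;` is stored as a literal name and this block is only reached because it is `default_server`. I would do the defaulting in the shell — `export MG_NGINX_SERVER_NAME="${MG_NGINX_SERVER_NAME:-localhost}"` just before the envsubst call — and write `server_name ${MG_NGINX_SERVER_NAME};` directly, dropping the `set`/`if` pair. The `server` block this hunk edits begins before the hunk.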
@@ -58,7 +64,7 @@ http { # Proxy pass to users & groups id to things service for listing of channels # /users/{userID}/channels - Listing of channels belongs to userID # /groups/{userGroupID}/channels - Listing of channels belongs to userGroupID - location ~ ^/(users|groups)/(.+)/(channels|things) { + location ~ ^/api/(users|groups)/(.+)/(channels|things) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; if ($request_method = GET) { @@ -71,7 +77,7 @@ http { # Proxy pass to channel id to users service for listing of channels # /channels/{channelID}/users - Listing of Users belongs to channelID # /channels/{channelID}/groups - Listing of User Groups belongs to channelID - location ~ ^/(channels|things)/(.+)/(users|groups) { + location ~ ^/api/(channels|things)/(.+)/(users|groups) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; if ($request_method = GET) { @@ -83,7 +89,7 @@ http { # Proxy pass to user id to auth service for listing of domains # /users/{userID}/domains - Listing of Domains belongs to userID - location ~ ^/(users)/(.+)/(domains) { + location ~ ^/api/(users)/(.+)/(domains) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; if ($request_method = GET) { @@ -95,7 +101,7 @@ http { # Proxy pass to domain id to users service for listing of users # /domains/{domainID}/users - Listing of Users belongs to domainID - location ~ ^/(domains)/(.+)/(users) { + location ~ ^/api/(domains)/(.+)/(users) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; if ($request_method = GET) { 
@@ -107,51 +113,51 @@ http { # Proxy pass to auth service - location ~ ^/(domains) { + location ~ ^/api/(domains) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; } # Proxy pass to users service - location ~ ^/(users|groups|password|authorize) { + location ~ ^/api/(users|groups|password|authorize) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://users:${MG_USERS_HTTP_PORT}; } - location ^~ /users/policies { + location ^~ /api/users/policies { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://users:${MG_USERS_HTTP_PORT}/policies; } # Proxy pass to things service - location ~ ^/(things|channels|connect|disconnect|identify) { + location ~ ^/api/(things|channels|connect|disconnect|identify) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } - location ^~ /things/policies { + location ^~ /api/things/policies { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://things:${MG_THINGS_HTTP_PORT}/policies; } # Proxy pass to invitations service - location ~ ^/(invitations) { + location ~ ^/api/(invitations) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}; } - location /health { + location /api/health { include snippets/proxy-headers.conf; proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } - location /metrics { + location /api/metrics { include snippets/proxy-headers.conf; proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } 
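Review bot: Prefixing every location with `/api` without stripping it again means `proxy_pass http://users:${MG_USERS_HTTP_PORT};` (no URI part) forwards `/api/users/...` verbatim to the users service, and the same holds for the things, auth and invitations routes in this hunk; unless those services were changed to serve under `/api`, which the diff does not show, every route here now 404s at the backend. A `rewrite ^/api(/.*)$ $1 break;` in front of each `proxy_pass` strips the prefix while leaving the rest of the path and the query string intact; for the two prefix locations an explicit URI is simpler, e.g. `proxy_pass http://things:${MG_THINGS_HTTP_PORT}/health;`. Separately, `/api/metrics` keeps the things service's metrics endpoint reachable on the public listener with no access control; that is pre-existing, but now that this stack is being put behind a public hostname it deserves an `allow`/`deny` list or an auth snippet.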
@@ -179,6 +185,13 @@ http { include snippets/ws-upgrade.conf; proxy_pass http://ws-adapter:${MG_WS_ADAPTER_HTTP_PORT}/; } + + location / { + include snippets/proxy-headers.conf; + add_header Access-Control-Expose-Headers Location; + proxy_pass http://ui:${MG_UI_PORT}/`; + } + } } diff --git a/docker/nginx/nginx-x509.conf b/docker/nginx/nginx-x509.conf index efed25da56..91adb40033 100644 --- a/docker/nginx/nginx-x509.conf +++ b/docker/nginx/nginx-x509.conf 
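Review bot: `proxy_pass http://ui:${MG_UI_PORT}/`;` carries a stray backtick, so the upstream URI becomes "/`" and every request through the new catch-all is forwarded to the UI as /`<path>; it should read `proxy_pass http://ui:${MG_UI_PORT}/;` (or without the trailing slash if the UI expects the full original path). The `add_header Access-Control-Expose-Headers Location;` on this UI catch-all also looks copied from the API locations: it serves no purpose for HTML pages, and because a location-level `add_header` suppresses inheritance of the server-level `add_header` lines, its presence makes the effective header set harder to reason about. The enclosing `server` block begins before the hunk.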
@@ -56,51 +56,57 @@ http { add_header Access-Control-Allow-Methods '*'; add_header Access-Control-Allow-Headers '*'; - server_name localhost; + set $dynamic_server_name $MG_NGINX_SERVER_NAME; + + if ($dynamic_server_name = '') { + set $dynamic_server_name "localhost"; + } + + server_name $dynamic_server_name; # Proxy pass to users service - location ~ ^/(users|groups|password|policies|authorize) { + location ~ ^/api/(users|groups|password|policies|authorize) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://users:${MG_USERS_HTTP_PORT}; } - location ^~ /users/policies { + location ^~ /api/users/policies { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://users:${MG_USERS_HTTP_PORT}/policies; - } + } # Proxy pass to things service - location ~ ^/(things|channels|connect|disconnect|identify) { + location ~ ^/api/(things|channels|connect|disconnect|identify) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } - - location ^~ /things/policies { + + location ^~ /api/things/policies { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://things:${MG_THINGS_HTTP_PORT}/policies; } # Proxy pass to invitations service - location ~ ^/(invitations) { + location ~ ^/api/(invitations) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}; } - - location /health { + + location /api/health { include snippets/proxy-headers.conf; proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } - location /metrics { + location /api/metrics { include snippets/proxy-headers.conf; proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } - + # Proxy pass to magistrala-http-adapter location /http/ { include snippets/verify-ssl-client.conf; 
@@ -128,6 +134,13 @@ http { include snippets/ws-upgrade.conf; proxy_pass http://ws-adapter:${MG_WS_ADAPTER_HTTP_PORT}/; } + + location / { + include snippets/proxy-headers.conf; + add_header Access-Control-Expose-Headers Location; + proxy_pass http://ui:${MG_UI_PORT}/`; + } + } } From 26f35d29a172e246dfa2f0b21b3dc3c8c3f9e6b6 Mon Sep 17 00:00:00 2001 From: arvindh123 Date: Wed, 7 Feb 2024 09:08:22 +0000 Subject: [PATCH 02/40] ignore letsencrypt dir Signed-off-by: arvindh123 Signed-off-by: Arvindh --- docker/ssl/.gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/docker/ssl/.gitignore b/docker/ssl/.gitignore index 9ea7050a88..f82e313aaa 100644 --- a/docker/ssl/.gitignore +++ b/docker/ssl/.gitignore @@ -5,3 +5,4 @@ *grpc-client* *srl *conf +letsencrypt \ No newline at end of file From b54beafd21e21e20147e90753dcca0f2e9de1b15 Mon Sep 17 00:00:00 2001 From: arvindh123 Date: Wed, 7 Feb 2024 09:08:58 +0000 Subject: [PATCH 03/40] add: certbot and env variables for certificate Signed-off-by: arvindh123 Signed-off-by: Arvindh --- docker/.env | 5 +++-- docker/docker-compose.yml | 28 ++++++++++++++++++++++++---- docker/nginx/nginx-key.conf | 23 ++++++++++++++++++++++- docker/nginx/nginx-x509.conf | 23 ++++++++++++++++++++++- 4 files changed, 71 insertions(+), 8 deletions(-) diff --git a/docker/.env b/docker/.env index 1f459de82b..764e4de572 100644 --- a/docker/.env +++ b/docker/.env @@ -7,8 +7,9 @@ MG_NGINX_HTTP_PORT=80 MG_NGINX_SSL_PORT=443 MG_NGINX_MQTT_PORT=1883 MG_NGINX_MQTTS_PORT=8883 -MG_NGINX_SERVER_NAME=localhost - +# MG_NGINX_SERVER_NAME=example.com +# MG_NGINX_SERVER_CERT=./ssl/certs/letsencrypt/live/example.com/fullchain.pem +# MG_NGINX_SERVER_KEY=./ssl/certs/letsencrypt/live/example.com/privkey.pem ## Nats MG_NATS_PORT=4222 MG_NATS_HTTP_PORT=8222 diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 2e501cd887..191edfefd9 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml 
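Review bot: Commenting out `MG_NGINX_SERVER_NAME` in `.env` breaks the default deployment, because the nginx templates substitute it unconditionally into `set $dynamic_server_name $MG_NGINX_SERVER_NAME;` and the certbot command uses it as `-d ${MG_NGINX_SERVER_NAME}`; with the variable unset, envsubst emits a `set` directive with a missing argument and nginx refuses to start, and compose warns about the empty substitution. Keep `MG_NGINX_SERVER_NAME=localhost` as the committed default and leave only the cert/key paths commented out. The example paths point into `ssl/certs/letsencrypt`, which the previous commit in this series adds to `.gitignore`; a one-line comment such as `# produced by the certbot service, never committed` next to them would make that clear to the next person editing `.env`.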
@@ -234,10 +234,20 @@ services: - ./nginx/entrypoint.sh:/docker-entrypoint.d/entrypoint.sh - ./nginx/snippets:/etc/nginx/snippets - ./ssl/authorization.js:/etc/nginx/authorization.js - - ./ssl/certs/magistrala-server.crt:/etc/ssl/certs/magistrala-server.crt - - ./ssl/certs/ca.crt:/etc/ssl/certs/ca.crt - - ./ssl/certs/magistrala-server.key:/etc/ssl/private/magistrala-server.key - - ./ssl/dhparam.pem:/etc/ssl/certs/dhparam.pem + - ./certbot/www:/usr/share/nginx/html/certbot/www:ro + - type: bind + source: ${MG_NGINX_SERVER_CERT:-./ssl/certs/magistrala-server.crt} + target: /etc/ssl/certs/magistrala-server.crt + - type: bind + source: ${MG_NGINX_SERVER_KEY:-./ssl/certs/magistrala-server.key} + target: /etc/ssl/private/magistrala-server.key + - type: bind + source: ${MG_NGINX_SERVER_CA:-./ssl/certs/ca.crt} + target: /etc/ssl/certs/ca.crt + - type: bind + source: ${MG_NGINX_SERVER_DHPARAM:-./ssl/dhparam.pem} + target: /etc/ssl/certs/dhparam.pem + ports: - ${MG_NGINX_HTTP_PORT}:${MG_NGINX_HTTP_PORT} - ${MG_NGINX_SSL_PORT}:${MG_NGINX_SSL_PORT} @@ -255,6 +265,16 @@ services: - ws-adapter - coap-adapter + certbot: + image: certbot/certbot:latest + container_name: magistrala-certbot + command: certonly --webroot -w /var/www/certbot/ -d ${MG_NGINX_SERVER_NAME} --email arvindh123@gmail.com --non-interactive --agree-tos --no-eff-email + volumes: + - ./certbot/www/:/var/www/certbot/:rw + - ./ssl/certs/letsencrypt:/etc/letsencrypt:rw + depends_on: + - nginx + things-db: image: postgres:16.1-alpine container_name: magistrala-things-db diff --git a/docker/nginx/nginx-key.conf b/docker/nginx/nginx-key.conf index a2d3eb5f77..821e9d5123 100644 --- a/docker/nginx/nginx-key.conf +++ b/docker/nginx/nginx-key.conf 
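Review bot: The certbot service hard-codes a personal address, `--email arvindh123@gmail.com`; Let's Encrypt sends expiry and policy notices there, so in a shared compose file it should come from the environment, e.g. `--email ${MG_NGINX_CERTBOT_EMAIL:?set MG_NGINX_CERTBOT_EMAIL}` (compose's `:?` form fails loudly instead of registering an account under an empty address). `image: certbot/certbot:latest` should be pinned to a tag or digest, as the `postgres:16.1-alpine` image in this file already is, so a rebuild cannot pull a different ACME client without review. `certonly` is a one-shot command and nothing in the diff runs `renew` or reloads nginx afterwards, so the certificate will lapse after 90 days unless that is handled outside this file. The four `type: bind` mounts that put the private key and certificates into the nginx container could also take `read_only: true`, matching the `:ro` on the webroot mount.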
@@ -36,6 +36,27 @@ http { server { listen 80 default_server; listen [::]:80 default_server; + + set $dynamic_server_name $MG_NGINX_SERVER_NAME; + + if ($dynamic_server_name = '') { + set $dynamic_server_name "localhost"; + } + + server_name $dynamic_server_name; + + server_tokens off; + + location ^~ /.well-known/acme-challenge/ { + root /usr/share/nginx/html/certbot/www; + } + + location / { + return 301 https://$dynamic_server_name$request_uri; + } + } + + server { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; @@ -189,7 +210,7 @@ http { location / { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://ui:${MG_UI_PORT}/`; + proxy_pass http://ui:${MG_UI_PORT}; } } diff --git a/docker/nginx/nginx-x509.conf b/docker/nginx/nginx-x509.conf index 91adb40033..8691f49c95 100644 --- a/docker/nginx/nginx-x509.conf +++ b/docker/nginx/nginx-x509.conf @@ -43,6 +43,27 @@ http { server { listen 80 default_server; listen [::]:80 default_server; + + set $dynamic_server_name $MG_NGINX_SERVER_NAME; + + if ($dynamic_server_name = '') { + set $dynamic_server_name "localhost"; + } + + server_name $dynamic_server_name; + + server_tokens off; + + location ^~ /.well-known/acme-challenge/ { + root /usr/share/nginx/html/certbot/www; + } + + location / { + return 301 https://$dynamic_server_name$request_uri; + } + } + + server { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; ssl_verify_client optional; @@ -138,7 +159,7 @@ http { location / { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://ui:${MG_UI_PORT}/`; + proxy_pass http://ui:${MG_UI_PORT}; } } From 0c23330bd9f00c44bb9016222a3c824edfb4bb8e Mon Sep 17 00:00:00 2001 From: arvindh123 Date: Wed, 7 Feb 2024 12:06:16 +0000 Subject: [PATCH 04/40] fix: path Signed-off-by: arvindh123 
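Review bot: `server_tokens off;` is added only inside the new port-80 redirect block, so the TLS `server` that actually serves the API (it starts at the end of this hunk and continues past it) still sends the nginx version in the `Server:` header and on error pages; moving the directive up to the `http` context covers both listeners. The redirect `return 301 https://$dynamic_server_name$request_uri;` also hard-codes port 443, so changing `MG_NGINX_SSL_PORT` in `.env` sends browsers to the wrong port; `return 301 https://$dynamic_server_name:${MG_NGINX_SSL_PORT}$request_uri;` keeps them in step (adding that variable to the envsubst list in entrypoint.sh if it is not already there). Once the Let's Encrypt certificate is in place, the 443 block is the natural home for `add_header Strict-Transport-Security "max-age=31536000" always;`, which this series does not add.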
Signed-off-by: Arvindh --- docker/nginx/nginx-key.conf | 30 +++++++-------- docker/nginx/nginx-x509.conf | 74 +++++++++++++++++++++++++++++++++--- 2 files changed, 84 insertions(+), 20 deletions(-) diff --git a/docker/nginx/nginx-key.conf b/docker/nginx/nginx-key.conf index 821e9d5123..4f5db792d9 100644 --- a/docker/nginx/nginx-key.conf +++ b/docker/nginx/nginx-key.conf @@ -80,7 +80,7 @@ http { location ~ ^/api/(channels)/(.+)/(things)/(.+) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; } # Proxy pass to users & groups id to things service for listing of channels # /users/{userID}/channels - Listing of channels belongs to userID @@ -89,10 +89,10 @@ http { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; if ($request_method = GET) { - proxy_pass http://things:${MG_THINGS_HTTP_PORT}; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; break; } - proxy_pass http://users:${MG_USERS_HTTP_PORT}; + proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; } # Proxy pass to channel id to users service for listing of channels @@ -102,10 +102,10 @@ http { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; if ($request_method = GET) { - proxy_pass http://users:${MG_USERS_HTTP_PORT}; + proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; break; } - proxy_pass http://things:${MG_THINGS_HTTP_PORT}; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; } # Proxy pass to user id to auth service for listing of domains 
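Review bot: `proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1;` does not strip the prefix, it discards the rest of the path: when the URI part of `proxy_pass` contains a variable, nginx uses it as the complete upstream URI, so `/api/channels/{id}/things/{id}` reaches the things service as just `/channels`, and every `/$1` in this hunk likewise collapses a resource-scoped request into its bare collection path (a lookup becomes a list, and any authorization the backend does per path is done for a different operation). To remove only `/api`, rewrite the URI and leave `proxy_pass` without a URI part, e.g. `rewrite ^/api(/.*)$ $1 break;` followed by `proxy_pass http://things:${MG_THINGS_HTTP_PORT};`, which also preserves the query string. The `server` block these locations live in begins before the hunk.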
@@ -114,10 +114,10 @@ http { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; if ($request_method = GET) { - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; break; } - proxy_pass http://users:${MG_USERS_HTTP_PORT}; + proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; } # Proxy pass to domain id to users service for listing of users @@ -126,10 +126,10 @@ http { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; if ($request_method = GET) { - proxy_pass http://users:${MG_USERS_HTTP_PORT}; + proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; break; } - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; } @@ -137,14 +137,14 @@ http { location ~ ^/api/(domains) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; } # Proxy pass to users service location ~ ^/api/(users|groups|password|authorize) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://users:${MG_USERS_HTTP_PORT}; + proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; } location ^~ /api/users/policies { @@ -157,7 +157,7 @@ http { location ~ ^/api/(things|channels|connect|disconnect|identify) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; } location ^~ /api/things/policies { 
@@ -170,17 +170,17 @@ http { location ~ ^/api/(invitations) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}; + proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}/$1; } location /api/health { include snippets/proxy-headers.conf; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; } location /api/metrics { include snippets/proxy-headers.conf; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; } # Proxy pass to magistrala-http-adapter diff --git a/docker/nginx/nginx-x509.conf b/docker/nginx/nginx-x509.conf index 8691f49c95..5cc6c1b78a 100644 --- a/docker/nginx/nginx-x509.conf +++ b/docker/nginx/nginx-x509.conf 
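Review bot: In the prefix locations `location /api/health` and `location /api/metrics` there is no regex capture, so `$1` in `proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1;` holds whatever the last successful regex match left behind — normally nothing — and the request is forwarded to `/` on the things service instead of `/health` or `/metrics`. For a prefix location the explicit URI form is enough: `proxy_pass http://things:${MG_THINGS_HTTP_PORT}/health;` and `proxy_pass http://things:${MG_THINGS_HTTP_PORT}/metrics;`. The invitations location above them has the other variant of the same problem, since a variable in the URI part replaces the whole request URI and `/api/invitations/{id}` arrives as `/invitations`.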
@@ -85,11 +85,75 @@ http { server_name $dynamic_server_name; + location ~ ^/api/(channels)/(.+)/(things)/(.+) { + include snippets/proxy-headers.conf; + add_header Access-Control-Expose-Headers Location; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + } + + # Proxy pass to users & groups id to things service for listing of channels + # /users/{userID}/channels - Listing of channels belongs to userID + # /groups/{userGroupID}/channels - Listing of channels belongs to userGroupID + location ~ ^/api/(users|groups)/(.+)/(channels|things) { + include snippets/proxy-headers.conf; + add_header Access-Control-Expose-Headers Location; + if ($request_method = GET) { + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + break; + } + proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + } + + # Proxy pass to channel id to users service for listing of channels + # /channels/{channelID}/users - Listing of Users belongs to channelID + # /channels/{channelID}/groups - Listing of User Groups belongs to channelID + location ~ ^/api/(channels|things)/(.+)/(users|groups) { + include snippets/proxy-headers.conf; + add_header Access-Control-Expose-Headers Location; + if ($request_method = GET) { + proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + break; + } + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + } + + # Proxy pass to user id to auth service for listing of domains + # /users/{userID}/domains - Listing of Domains belongs to userID + location ~ ^/api/(users)/(.+)/(domains) { + include snippets/proxy-headers.conf; + add_header Access-Control-Expose-Headers Location; + if ($request_method = GET) { + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; + break; + } + proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + } + + # Proxy pass to domain id to users service for listing of users + # /domains/{domainID}/users - Listing of Users belongs to domainID + location ~ ^/api/(domains)/(.+)/(users) { + include snippets/proxy-headers.conf; + add_header 
Access-Control-Expose-Headers Location; + if ($request_method = GET) { + proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + break; + } + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; + } + + + # Proxy pass to auth service + location ~ ^/api/(domains) { + include snippets/proxy-headers.conf; + add_header Access-Control-Expose-Headers Location; + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; + } + # Proxy pass to users service location ~ ^/api/(users|groups|password|policies|authorize) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://users:${MG_USERS_HTTP_PORT}; + proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; } location ^~ /api/users/policies { @@ -102,7 +166,7 @@ http { location ~ ^/api/(things|channels|connect|disconnect|identify) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; } location ^~ /api/things/policies { @@ -115,17 +179,17 @@ http { location ~ ^/api/(invitations) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}; + proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}/$1; } location /api/health { include snippets/proxy-headers.conf; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; } location /api/metrics { include snippets/proxy-headers.conf; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; } # Proxy pass to magistrala-http-adapter From 40fdbdf46097d26af9199a17d1efd14c2d382851 Mon Sep 17 00:00:00 2001 From: arvindh123 Date: Wed, 7 Feb 2024 12:49:09 +0000 Subject: [PATCH 05/40] fix: api sub route path Signed-off-by: arvindh123 
Signed-off-by: Arvindh --- docker/nginx/nginx-key.conf | 41 +++++++++++++++++++++++-------------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/docker/nginx/nginx-key.conf b/docker/nginx/nginx-key.conf index 4f5db792d9..9525096536 100644 --- a/docker/nginx/nginx-key.conf +++ b/docker/nginx/nginx-key.conf @@ -80,7 +80,8 @@ http { location ~ ^/api/(channels)/(.+)/(things)/(.+) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + rewrite ^/api(/.*)$ $1 break; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } # Proxy pass to users & groups id to things service for listing of channels # /users/{userID}/channels - Listing of channels belongs to userID @@ -88,11 +89,12 @@ http { location ~ ^/api/(users|groups)/(.+)/(channels|things) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; + rewrite ^/api(/.*)$ $1 break; if ($request_method = GET) { - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; break; } - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + proxy_pass http://users:${MG_USERS_HTTP_PORT}; } # Proxy pass to channel id to users service for listing of channels @@ -101,11 +103,12 @@ http { location ~ ^/api/(channels|things)/(.+)/(users|groups) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; + rewrite ^/api(/.*)$ $1 break; if ($request_method = GET) { - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + proxy_pass http://users:${MG_USERS_HTTP_PORT}; break; } - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } # Proxy pass to user id to auth service for listing of domains 
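Review bot: Placing `rewrite ^/api(/.*)$ $1 break;` ahead of `if ($request_method = GET)` disables the method split in the second and third locations of this hunk: the `break` flag ends rewrite-module processing for the location, so the `if` block is never evaluated and GET requests to `/api/users/{id}/channels` are sent to the users service by the trailing `proxy_pass` rather than to things as intended. Use the rewrite without a flag in those locations — `rewrite ^/api(/.*)$ $1;` — keep the `break;` inside the `if`, and add one after the final `proxy_pass`, so processing stops only once the right upstream has been selected. The first location, which has no `if`, is correct with `break`.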
@@ -113,11 +116,12 @@ http { location ~ ^/api/(users)/(.+)/(domains) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; + rewrite ^/api(/.*)$ $1 break; if ($request_method = GET) { - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; break; } - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + proxy_pass http://users:${MG_USERS_HTTP_PORT}; } # Proxy pass to domain id to users service for listing of users @@ -125,11 +129,12 @@ http { location ~ ^/api/(domains)/(.+)/(users) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; + rewrite ^/api(/.*)$ $1 break; if ($request_method = GET) { - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + proxy_pass http://users:${MG_USERS_HTTP_PORT}; break; } - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; } @@ -137,14 +142,16 @@ http { location ~ ^/api/(domains) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; + rewrite ^/api(/.*)$ $1 break; + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; } # Proxy pass to users service location ~ ^/api/(users|groups|password|authorize) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + rewrite ^/api(/.*)$ $1 break; + proxy_pass http://users:${MG_USERS_HTTP_PORT}; } location ^~ /api/users/policies { @@ -157,7 +164,8 @@ http { location ~ ^/api/(things|channels|connect|disconnect|identify) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + rewrite ^/api(/.*)$ $1 break; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } location ^~ /api/things/policies { 
@@ -170,17 +178,20 @@ http { location ~ ^/api/(invitations) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}/$1; + rewrite ^/api(/.*)$ $1 break; + proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}; } location /api/health { include snippets/proxy-headers.conf; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + rewrite ^/api(/.*)$ $1 break; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } location /api/metrics { include snippets/proxy-headers.conf; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + rewrite ^/api(/.*)$ $1 break; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } # Proxy pass to magistrala-http-adapter From c3f1b1f1e2658f7c592db940048c4094cab6b8fc Mon Sep 17 00:00:00 2001 From: Arvindh Date: Wed, 7 Feb 2024 21:58:30 +0530 Subject: [PATCH 06/40] fix: api route Signed-off-by: Arvindh --- docker/nginx/nginx-key.conf | 12 ++++++---- docker/nginx/nginx-x509.conf | 45 ++++++++++++++++++++++++------------ 2 files changed, 38 insertions(+), 19 deletions(-) diff --git a/docker/nginx/nginx-key.conf b/docker/nginx/nginx-key.conf index 9525096536..aa410d11d3 100644 --- a/docker/nginx/nginx-key.conf +++ b/docker/nginx/nginx-key.conf @@ -89,12 +89,13 @@ http { location ~ ^/api/(users|groups)/(.+)/(channels|things) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - rewrite ^/api(/.*)$ $1 break; + rewrite ^/api(/.*)$ $1; if ($request_method = GET) { proxy_pass http://things:${MG_THINGS_HTTP_PORT}; break; } proxy_pass http://users:${MG_USERS_HTTP_PORT}; + break; } # Proxy pass to channel id to users service for listing of channels 
@@ -103,12 +104,13 @@ http { location ~ ^/api/(channels|things)/(.+)/(users|groups) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - rewrite ^/api(/.*)$ $1 break; + rewrite ^/api(/.*)$ $1; if ($request_method = GET) { proxy_pass http://users:${MG_USERS_HTTP_PORT}; break; } proxy_pass http://things:${MG_THINGS_HTTP_PORT}; + break; } # Proxy pass to user id to auth service for listing of domains @@ -116,12 +118,13 @@ http { location ~ ^/api/(users)/(.+)/(domains) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - rewrite ^/api(/.*)$ $1 break; + rewrite ^/api(/.*)$ $1; if ($request_method = GET) { proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; break; } proxy_pass http://users:${MG_USERS_HTTP_PORT}; + break; } # Proxy pass to domain id to users service for listing of users @@ -129,12 +132,13 @@ http { location ~ ^/api/(domains)/(.+)/(users) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - rewrite ^/api(/.*)$ $1 break; + rewrite ^/api(/.*)$ $1; if ($request_method = GET) { proxy_pass http://users:${MG_USERS_HTTP_PORT}; break; } proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; + break; } diff --git a/docker/nginx/nginx-x509.conf b/docker/nginx/nginx-x509.conf index 5cc6c1b78a..f35057e626 100644 --- a/docker/nginx/nginx-x509.conf +++ b/docker/nginx/nginx-x509.conf @@ -88,7 +88,8 @@ http { location ~ ^/api/(channels)/(.+)/(things)/(.+) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + rewrite ^/api(/.*)$ $1 break; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } # Proxy pass to users & groups id to things service for listing of channels 
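Review bot: The rewrite now has to stay flag-less for the `if ($request_method = GET)` branch to run, but nothing in the file says so, and the sibling locations a few lines down use `rewrite ... break`; the next person tidying this up will "fix" the inconsistency and silently reroute GETs. A one-line comment above each flag-less rewrite, `# no flag on purpose: 'break' here would skip the if() below`, would prevent that. Since this `rewrite`/`if`/`break` pattern is now repeated in eight near-identical locations across nginx-key.conf and nginx-x509.conf, moving the shared API routes into a snippet under `snippets/` and `include`-ing it from both files would keep the two configs from drifting. The enclosing `server` block begins before the hunk.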
@@ -97,11 +98,13 @@ http { location ~ ^/api/(users|groups)/(.+)/(channels|things) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; + rewrite ^/api(/.*)$ $1; if ($request_method = GET) { - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; break; } - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + proxy_pass http://users:${MG_USERS_HTTP_PORT}; + break; } # Proxy pass to channel id to users service for listing of channels @@ -110,11 +113,13 @@ http { location ~ ^/api/(channels|things)/(.+)/(users|groups) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; + rewrite ^/api(/.*)$ $1; if ($request_method = GET) { - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + proxy_pass http://users:${MG_USERS_HTTP_PORT}; break; } - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; + break; } # Proxy pass to user id to auth service for listing of domains @@ -122,11 +127,13 @@ http { location ~ ^/api/(users)/(.+)/(domains) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; + rewrite ^/api(/.*)$ $1; if ($request_method = GET) { - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; break; } - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + proxy_pass http://users:${MG_USERS_HTTP_PORT}; + break; } # Proxy pass to domain id to users service for listing of users @@ -134,11 +141,13 @@ http { location ~ ^/api/(domains)/(.+)/(users) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; + rewrite ^/api(/.*)$ $1; if ($request_method = GET) { - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + proxy_pass http://users:${MG_USERS_HTTP_PORT}; break; } - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; + break; } 
@@ -146,14 +155,16 @@ http { location ~ ^/api/(domains) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; + rewrite ^/api(/.*)$ $1 break; + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; } # Proxy pass to users service location ~ ^/api/(users|groups|password|policies|authorize) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + rewrite ^/api(/.*)$ $1 break; + proxy_pass http://users:${MG_USERS_HTTP_PORT}; } location ^~ /api/users/policies { @@ -166,7 +177,8 @@ http { location ~ ^/api/(things|channels|connect|disconnect|identify) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + rewrite ^/api(/.*)$ $1 break; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } location ^~ /api/things/policies { @@ -179,17 +191,20 @@ http { location ~ ^/api/(invitations) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}/$1; + rewrite ^/api(/.*)$ $1 break; + proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}; } location /api/health { include snippets/proxy-headers.conf; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + rewrite ^/api(/.*)$ $1 break; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } location /api/metrics { include snippets/proxy-headers.conf; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + rewrite ^/api(/.*)$ $1 break; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } # Proxy pass to magistrala-http-adapter From a38f44ac78c5a7e52391b70e0709e9069618f42e Mon Sep 17 00:00:00 2001 From: Arvindh Date: Wed, 14 Feb 2024 12:50:35 +0530 Subject: [PATCH 07/40] add: add support for vault open source and hcp vault 
Signed-off-by: Arvindh --- certs/mocks/pki.go | 5 + certs/pki/vault.go | 109 ++++++++++++- cmd/certs/main.go | 16 +- docker/.env | 68 +++++--- docker/addons/certs/docker-compose.yml | 9 +- docker/nginx/entrypoint.sh | 5 + docker/nginx/nginx-key.conf | 34 ++++ docker/nginx/nginx-x509.conf | 35 ++++ docker/vault/.gitignore | 4 + docker/vault/things_cert_issue.hcl | 32 ++++ docker/vault/vault-hcp-create-approle.sh | 70 ++++++++ docker/vault/vault-hcp-set-pki.sh | 194 +++++++++++++++++++++++ go.mod | 9 +- go.sum | 44 +++++ 14 files changed, 597 insertions(+), 37 deletions(-) create mode 100644 docker/vault/.gitignore create mode 100644 docker/vault/things_cert_issue.hcl create mode 100755 docker/vault/vault-hcp-create-approle.sh create mode 100755 docker/vault/vault-hcp-set-pki.sh diff --git a/certs/mocks/pki.go b/certs/mocks/pki.go index 3e183b4aad..502917ff99 100644 --- a/certs/mocks/pki.go +++ b/certs/mocks/pki.go @@ -6,6 +6,7 @@ package mocks import ( "bufio" "bytes" + "context" "crypto/ecdsa" "crypto/rand" "crypto/rsa" @@ -160,6 +161,10 @@ func (a *agent) Revoke(serial string) (time.Time, error) { return time.Now(), nil } +func (a *agent) LoginAndRenew(ctx context.Context) error { + return nil +} + func publicKey(priv interface{}) (interface{}, error) { if priv == nil { return nil, errPrivateKeyEmpty diff --git a/certs/pki/vault.go b/certs/pki/vault.go index e1918704a6..7877a80f08 100644 --- a/certs/pki/vault.go +++ b/certs/pki/vault.go @@ -5,11 +5,14 @@ package pki import ( + "context" "encoding/json" + "log/slog" "time" "github.com/absmach/magistrala/pkg/errors" "github.com/hashicorp/vault/api" + "github.com/hashicorp/vault/api/auth/approle" "github.com/mitchellh/mapstructure" ) 
@@ -30,6 +33,13 @@ var ( ErrFailedCertRevocation = errors.New("failed to revoke certificate") errFailedCertDecoding = errors.New("failed to decode response from vault service") + errFailedToLogin = errors.New("failed to login to Vault") + errFailedAppRole = errors.New("failed to create vault new app role") + errNoAuthInfo = errors.New("no auth information from Vault") + errNonRenewal = errors.New("token is not configured to be renewable") + errRenewWatcher = errors.New("unable to initialize new lifetime watcher for renewing auth token") + errFailedRenew = errors.New("failed to renew token") + errCouldNotRenew = errors.New("token can no longer be renewed") ) type Cert struct { @@ -52,10 +62,15 @@ type Agent interface { // Revoke revokes certificate from PKI Revoke(serial string) (time.Time, error) + + // Login to PKI and renews token + LoginAndRenew(ctx context.Context) error } type pkiAgent struct { - token string + appRole string + appSecret string + namespace string path string role string host string @@ -63,6 +78,8 @@ type pkiAgent struct { readURL string revokeURL string client *api.Client + secret *api.Secret + logger *slog.Logger } type certReq struct { @@ -75,7 +92,7 @@ type certRevokeReq struct { } // NewVaultClient instantiates a Vault client. -func NewVaultClient(token, host, path, role string) (Agent, error) { +func NewVaultClient(appRole, appSecret, host, namespace, path, role string, logger *slog.Logger) (Agent, error) { conf := api.DefaultConfig() conf.Address = host 
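Review bot: The new `LoginAndRenew(ctx context.Context) error` on the `Agent` interface is documented only as `// Login to PKI and renews token`, which does not tell an implementer that it blocks until `ctx` is cancelled and is meant to run for the life of the process (the mock's one-line `return nil` suggests that contract was not obvious). Suggest `// LoginAndRenew authenticates to the PKI backend with the configured AppRole and keeps the session token renewed, blocking until ctx is done; run it in its own goroutine.` The `appSecret` field added to `pkiAgent` also deserves a comment noting that it is retained so the agent can re-authenticate once the token reaches its max TTL.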
@@ -83,13 +100,19 @@ func NewVaultClient(token, host, path, role string) (Agent, error) { if err != nil { return nil, err } - client.SetToken(token) + if len(namespace) > 0 { + client.SetNamespace(namespace) + } + p := pkiAgent{ - token: token, + appRole: appRole, + appSecret: appSecret, host: host, + namespace: namespace, role: role, path: path, client: client, + logger: logger, issueURL: "/" + path + "/" + issue + "/" + role, readURL: "/" + path + "/" + cert + "/", revokeURL: "/" + path + "/" + revoke, 
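Review bot: `client.SetToken(token)` is gone and nothing left in `NewVaultClient` authenticates, so the returned Agent holds no Vault token until `LoginAndRenew` completes its first login; the constructor comment `// NewVaultClient instantiates a Vault client.` should state that, e.g. `// NewVaultClient instantiates a Vault client for AppRole authentication; the client is unauthenticated until LoginAndRenew has logged in, so start that before issuing requests.` `client.SetNamespace(namespace)` is also applied here and again inside `login()`; one place is enough. The function's body continues outside the hunk.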
@@ -162,3 +185,81 @@ func (p *pkiAgent) Revoke(serial string) (time.Time, error) { return time.Unix(0, int64(rev)*int64(time.Second)), nil } + +func (p *pkiAgent) LoginAndRenew(ctx context.Context) error { + for { + select { + case <-ctx.Done(): + p.logger.Info("pki login and renew function stopping") + return nil + default: + err := p.login() + if err != nil { + p.logger.Info("unable to authenticate to Vault", slog.Any("error", err)) + time.Sleep(5 * time.Second) + break + } + tokenErr := p.manageTokenLifecycle() + if tokenErr != nil { + p.logger.Info("unable to start managing token lifecycle", slog.Any("error", tokenErr)) + time.Sleep(5 * time.Second) + } + } + } +} + +func (p *pkiAgent) login() error { + secretID := &approle.SecretID{FromString: p.appSecret} + + authMethod, err := approle.NewAppRoleAuth( + p.appRole, + secretID, + ) + if err != nil { + return errors.Wrap(errFailedAppRole, err) + } + if len(p.namespace) > 0 { + p.client.SetNamespace(p.namespace) + } + secret, err := p.client.Auth().Login(context.Background(), authMethod) + if err != nil { + return errors.Wrap(errFailedToLogin, err) + } + if secret == nil { + return errNoAuthInfo + } + p.secret = secret + return nil +} + +func (p *pkiAgent) manageTokenLifecycle() error { + renew := p.secret.Auth.Renewable + if !renew { + return errNonRenewal + } + + watcher, err := p.client.NewLifetimeWatcher(&api.LifetimeWatcherInput{ + Secret: p.secret, + Increment: 3600, // Requesting token for 3600s = 1h, If this is more than token_max_ttl, then response token will have token_max_ttl + }) + if err != nil { + return errors.Wrap(errRenewWatcher, err) + } + + go watcher.Start() + defer watcher.Stop() + + for { + select { + case err := <-watcher.DoneCh(): + if err != nil { + return errors.Wrap(errFailedRenew, err) + } + // This occurs once the token has reached max TTL or if token is disabled for renewal. 
+ return errCouldNotRenew + + case renewal := <-watcher.RenewCh(): + p.logger.Info("Successfully renewed token", slog.Any("renewed_at", renewal.RenewedAt)) + } + } +} diff --git a/cmd/certs/main.go b/cmd/certs/main.go index 598d91a585..91bc1f7e02 100644 --- a/cmd/certs/main.go +++ b/cmd/certs/main.go @@ -57,10 +57,12 @@ type config struct { SignCAKeyPath string `env:"MG_CERTS_SIGN_CA_KEY_PATH" envDefault:"ca.key"` // 3rd party PKI API access settings - PkiHost string `env:"MG_CERTS_VAULT_HOST" envDefault:""` - PkiPath string `env:"MG_VAULT_PKI_INT_PATH" envDefault:"pki_int"` - PkiRole string `env:"MG_VAULT_CA_ROLE_NAME" envDefault:"magistrala"` - PkiToken string `env:"MG_VAULT_TOKEN" envDefault:""` + PkiHost string `env:"MG_CERTS_VAULT_HOST" envDefault:""` + PkiAppRoleID string `env:"MG_CERTS_VAULT_APPROLE_ROLEID" envDefault:""` + PkiAppSecret string `env:"MG_CERTS_VAULT_APPROLE_SECRET" envDefault:""` + PkiNamespace string `env:"MG_CERTS_VAULT_NAMESPACE" envDefault:""` + PkiPath string `env:"MG_CERTS_VAULT_PKI_INT_PATH" envDefault:"pki_int"` + PkiRole string `env:"MG_CERTS_VAULT_PKI_INT_ROLE_NAME" envDefault:"magistrala"` } func main() { @@ -94,13 +96,17 @@ func main() { return } - pkiclient, err := vault.NewVaultClient(cfg.PkiToken, cfg.PkiHost, cfg.PkiPath, cfg.PkiRole) + pkiclient, err := vault.NewVaultClient(cfg.PkiAppRoleID, cfg.PkiAppSecret, cfg.PkiHost, cfg.PkiNamespace, cfg.PkiPath, cfg.PkiRole, logger) if err != nil { logger.Error("failed to configure client for PKI engine") exitCode = 1 return } + g.Go(func() error { + return pkiclient.LoginAndRenew(ctx) + }) + dbConfig := pgclient.Config{Name: defDB} if err := env.ParseWithOptions(&dbConfig, env.Options{Prefix: envPrefixDB}); err != nil { logger.Error(err.Error()) diff --git a/docker/.env b/docker/.env index 764e4de572..82f7c7fdde 100644 --- a/docker/.env +++ b/docker/.env 
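Review bot: `manageTokenLifecycle` never observes `ctx`, so once the first login succeeds `LoginAndRenew` sits in the watcher `select` until the process dies and the errgroup in cmd/certs/main.go cannot complete on shutdown; `login()` likewise uses `context.Background()` instead of the caller's ctx, and both `time.Sleep(5 * time.Second)` retries ignore cancellation. `manageTokenLifecycle` also dereferences `p.secret.Auth` while `login()` only checks `secret == nil`, so a login response without auth data panics instead of returning `errNoAuthInfo`; `if secret == nil || secret.Auth == nil { return errNoAuthInfo }` covers it. A failed Vault authentication is logged at Info level, but an authentication failure against the PKI backend is exactly the event an operator should alert on, so `p.logger.Error` (or at least Warn) is the better level. A ctx-aware shape of the loop is sketched below; `login()` would take the same ctx.
```go
func (p *pkiAgent) LoginAndRenew(ctx context.Context) error {
	for {
		select {
		case <-ctx.Done():
			p.logger.Info("pki login and renew function stopping")
			return nil
		default:
			if err := p.login(ctx); err != nil {
				p.logger.Error("unable to authenticate to Vault", slog.Any("error", err))
				if !p.waitOrDone(ctx, 5*time.Second) {
					return nil
				}
				continue
			}
			if err := p.manageTokenLifecycle(ctx); err != nil {
				p.logger.Error("unable to start managing token lifecycle", slog.Any("error", err))
				if !p.waitOrDone(ctx, 5*time.Second) {
					return nil
				}
			}
		}
	}
}

// waitOrDone sleeps for d but returns false as soon as ctx is cancelled.
func (p *pkiAgent) waitOrDone(ctx context.Context, d time.Duration) bool {
	select {
	case <-ctx.Done():
		return false
	case <-time.After(d):
		return true
	}
}

func (p *pkiAgent) manageTokenLifecycle(ctx context.Context) error {
	// … unchanged: renewable check and watcher setup …
	for {
		select {
		case <-ctx.Done():
			return nil
		case err := <-watcher.DoneCh():
			if err != nil {
				return errors.Wrap(errFailedRenew, err)
			}
			return errCouldNotRenew
		case renewal := <-watcher.RenewCh():
			p.logger.Info("Successfully renewed token", slog.Any("renewed_at", renewal.RenewedAt))
		}
	}
}
```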
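Review bot: `g.Go(func() error { return pkiclient.LoginAndRenew(ctx) })` starts the first Vault login asynchronously, so the HTTP server that main starts further down (outside the hunk) can accept certificate requests before the client holds a token, and those early requests will fail with a Vault permission error; a synchronous first login before the servers start, or having `LoginAndRenew` expose a "logged in" signal the server waits on, closes that window. The config hunk above renames the environment variables (`MG_VAULT_PKI_INT_PATH` → `MG_CERTS_VAULT_PKI_INT_PATH`, `MG_VAULT_CA_ROLE_NAME` → `MG_CERTS_VAULT_PKI_INT_ROLE_NAME`, `MG_VAULT_TOKEN` dropped), which silently breaks existing deployments and is not mentioned in the commit message; a note there, or in the service README, would help operators. `g` is presumably an errgroup; `LoginAndRenew` returning nil on cancellation is what keeps it from tearing down the other goroutines.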
@@ -7,7 +7,7 @@ MG_NGINX_HTTP_PORT=80 MG_NGINX_SSL_PORT=443 MG_NGINX_MQTT_PORT=1883 MG_NGINX_MQTTS_PORT=8883 -# MG_NGINX_SERVER_NAME=example.com +MG_NGINX_SERVER_NAME=localhost # MG_NGINX_SERVER_CERT=./ssl/certs/letsencrypt/live/example.com/fullchain.pem # MG_NGINX_SERVER_KEY=./ssl/certs/letsencrypt/live/example.com/privkey.pem ## Nats 
@@ -313,13 +313,57 @@ MG_PROVISION_CERTS_HOURS_VALID=2400h MG_PROVISION_CERTS_RSA_BITS=2048 MG_PROVISION_INSTANCE_ID= +### Vault +MG_VAULT_HOST=vault +MG_VAULT_PORT=8200 +MG_VAULT_ADDR=http://127.0.0.1:8200 +MG_VAULT_NAMESPACE=magistrala +MG_VAULT_UNSEAL_KEY_1= +MG_VAULT_UNSEAL_KEY_2= +MG_VAULT_UNSEAL_KEY_3= +MG_VAULT_TOKEN= +MG_VAULT_CA_NAME=magistrala +MG_VAULT_CA_ROLE_NAME=magistrala + +MG_VAULT_PKI_PATH=pki +MG_VAULT_PKI_ROLE_NAME=magistrala_things_int_ca +MG_VAULT_PKI_FILE_NAME=mg_things_root +MG_VAULT_PKI_CA_CN='Magistrala Things Root Certificate Authority' +MG_VAULT_PKI_CA_OU='Abstract Machines' +MG_VAULT_PKI_CA_O='Magistrala' +MG_VAULT_PKI_CA_C='FRANCE' +MG_VAULT_PKI_CA_L='PARIS' +MG_VAULT_PKI_CA_ST='PARIS' +MG_VAULT_PKI_CA_ADDR='141 Quai de Valmy' +MG_VAULT_PKI_CA_PO='75010' +MG_VAULT_PKI_CLUSTER_PATH=http://localhost +MG_VAULT_PKI_CLUSTER_AIA_PATH=http://localhost + +MG_VAULT_PKI_INT_PATH=pki_int +MG_VAULT_PKI_INT_ROLE_NAME=magistrala_things_cert +MG_VAULT_CA_ROLE_NAME=magistrala_things_cert +MG_VAULT_PKI_INT_FILE_NAME=mg_things_int +MG_VAULT_PKI_INT_CA_CN='Magistrala Things Intermediate Certificate Authority' +MG_VAULT_PKI_INT_CA_OU='Abstract Machines' +MG_VAULT_PKI_INT_CA_O='Magistrala' +MG_VAULT_PKI_INT_CA_C='FRANCE' +MG_VAULT_PKI_INT_CA_L='PARIS' +MG_VAULT_PKI_INT_CA_ST='PARIS' +MG_VAULT_PKI_INT_CA_ADDR='141 Quai de Valmy' +MG_VAULT_PKI_INT_CA_PO='75010' +MG_VAULT_PKI_INT_CLUSTER_PATH=http://localhost +MG_VAULT_PKI_INT_CLUSTER_AIA_PATH=http://localhost + # Certs MG_CERTS_LOG_LEVEL=debug MG_CERTS_SIGN_CA_PATH=/etc/ssl/certs/ca.crt MG_CERTS_SIGN_CA_KEY_PATH=/etc/ssl/certs/ca.key -MG_CERTS_VAULT_HOST=http://vault:8200 -MG_VAULT_PKI_INT_PATH=pki_int -MG_VAULT_CA_ROLE_NAME=magistrala +MG_CERTS_VAULT_HOST=${MG_VAULT_ADDR} +MG_CERTS_VAULT_NAMESPACE=${MG_VAULT_NAMESPACE} +MG_CERTS_VAULT_APPROLE_ROLEID=magistrala +MG_CERTS_VAULT_APPROLE_SECRET=magistrala +MG_CERTS_VAULT_PKI_INT_PATH=${MG_VAULT_PKI_INT_PATH} 
+MG_CERTS_VAULT_PKI_INT_ROLE_NAME=${MG_VAULT_PKI_INT_ROLE_NAME} MG_CERTS_HTTP_HOST=certs MG_CERTS_HTTP_PORT=9019 MG_CERTS_HTTP_SERVER_CERT= @@ -335,22 +379,6 @@ MG_CERTS_DB_SSL_KEY= MG_CERTS_DB_SSL_ROOT_CERT= MG_CERTS_INSTANCE_ID= -### Vault -MG_VAULT_HOST=vault -MG_VAULT_PORT=8200 -MG_VAULT_UNSEAL_KEY_1= -MG_VAULT_UNSEAL_KEY_2= -MG_VAULT_UNSEAL_KEY_3= -MG_VAULT_TOKEN= -MG_VAULT_CA_NAME=magistrala -MG_VAULT_CA_ROLE_NAME=magistrala -MG_VAULT_PKI_PATH=pki -MG_VAULT_PKI_INT_PATH=pki_int -MG_VAULT_CA_CN=magistrala.com -MG_VAULT_CA_OU='Magistrala Cloud' -MG_VAULT_CA_O='Magistrala Labs' -MG_VAULT_CA_C=Serbia -MG_VAULT_CA_L=Belgrade ### LoRa MG_LORA_ADAPTER_LOG_LEVEL=debug diff --git a/docker/addons/certs/docker-compose.yml b/docker/addons/certs/docker-compose.yml index f5b1591a8e..7d25026189 100644 --- a/docker/addons/certs/docker-compose.yml +++ b/docker/addons/certs/docker-compose.yml @@ -44,10 +44,11 @@ services: MG_CERTS_SIGN_CA_PATH: ${MG_CERTS_SIGN_CA_PATH} MG_CERTS_SIGN_CA_KEY_PATH: ${MG_CERTS_SIGN_CA_KEY_PATH} MG_CERTS_VAULT_HOST: ${MG_CERTS_VAULT_HOST} - MG_VAULT_PKI_INT_PATH: ${MG_VAULT_PKI_INT_PATH} - MG_VAULT_CA_ROLE_NAME: ${MG_VAULT_CA_ROLE_NAME} - MG_VAULT_PKI_PATH: ${MG_VAULT_PKI_PATH} - MG_VAULT_TOKEN: ${MG_VAULT_TOKEN} + MG_CERTS_VAULT_NAMESPACE: ${MG_CERTS_VAULT_NAMESPACE} + MG_CERTS_VAULT_APPROLE_ROLEID: ${MG_CERTS_VAULT_APPROLE_ROLEID} + MG_CERTS_VAULT_APPROLE_SECRET: ${MG_CERTS_VAULT_APPROLE_SECRET} + MG_CERTS_VAULT_PKI_INT_PATH: ${MG_CERTS_VAULT_PKI_INT_PATH} + MG_CERTS_VAULT_PKI_INT_ROLE_NAME: ${MG_CERTS_VAULT_PKI_INT_ROLE_NAME} MG_CERTS_HTTP_HOST: ${MG_CERTS_HTTP_HOST} MG_CERTS_HTTP_PORT: ${MG_CERTS_HTTP_PORT} MG_CERTS_HTTP_SERVER_CERT: ${MG_CERTS_HTTP_SERVER_CERT} diff --git a/docker/nginx/entrypoint.sh b/docker/nginx/entrypoint.sh index 5449b2dbc8..2688236a0c 100755 --- a/docker/nginx/entrypoint.sh +++ b/docker/nginx/entrypoint.sh 
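Review bot: `MG_VAULT_CA_ROLE_NAME` is assigned twice in the new Vault block (`=magistrala` near the top, `=magistrala_things_cert` in the intermediate section); when the file is sourced or parsed by Compose the second value wins silently, so one of them should go. `MG_CERTS_VAULT_APPROLE_ROLEID=magistrala` and `MG_CERTS_VAULT_APPROLE_SECRET=magistrala` ship a known, non-random AppRole credential that vault-hcp-create-approle.sh then writes into Vault with `num_uses=0 ttl=0`, i.e. unlimited and non-expiring; leaving both empty and having that script generate and print a fresh SecretID keeps a copied `.env` from becoming a production credential. `MG_CERTS_VAULT_HOST=${MG_VAULT_ADDR}` resolves to `http://127.0.0.1:8200`, which inside the certs container is the container itself rather than the `vault` service that the previous `http://vault:8200` reached — presumably fine for HCP Vault, but the Compose default regresses.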
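Review bot: `MG_CERTS_VAULT_APPROLE_SECRET` is handed to the container as a plain environment variable, where it is readable through `docker inspect` and inherited by every child process; Compose supports file-based injection (`secrets:` or a `*_FILE` variable the entrypoint reads), which keeps the SecretID out of inspect output and crash dumps. This is a hardening suggestion rather than a regression, since the `MG_VAULT_TOKEN` it replaces had the same exposure.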
@@ -13,6 +13,11 @@ fi envsubst ' ${MG_NGINX_SERVER_NAME} + ${MG_CERTS_HTTP_PORT} + ${MG_BOOTSTRAP_HTTP_PORT} + ${MG_PROVISION_HTTP_PORT} + ${MG_TIMESCALE_READER_HTTP_PORT} + ${MG_VAULT_PORT} ${MG_UI_PORT} ${MG_AUTH_HTTP_PORT} ${MG_USERS_HTTP_PORT} diff --git a/docker/nginx/nginx-key.conf b/docker/nginx/nginx-key.conf index aa410d11d3..3f999b18ae 100644 --- a/docker/nginx/nginx-key.conf +++ b/docker/nginx/nginx-key.conf @@ -186,6 +186,34 @@ http { proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}; } + location ~ ^/api/(bootstrap) { + include snippets/proxy-headers.conf; + add_header Access-Control-Expose-Headers Location; + rewrite ^/api/bootstrap(/.*)$ $1 break; + proxy_pass http://bootstrap:${MG_BOOTSTRAP_HTTP_PORT}; + } + + location ~ ^/api/(certs) { + include snippets/proxy-headers.conf; + add_header Access-Control-Expose-Headers Location; + rewrite ^/api/certs(/.*)$ $1 break; + proxy_pass http://certs:${MG_CERTS_HTTP_PORT}; + } + + location ~ ^/api/(provision) { + include snippets/proxy-headers.conf; + add_header Access-Control-Expose-Headers Location; + rewrite ^/api/provision(/.*)$ $1 break; + proxy_pass http://provision:${MG_PROVISION_HTTP_PORT}; + } + + location ~ ^/api/(reader) { + include snippets/proxy-headers.conf; + add_header Access-Control-Expose-Headers Location; + rewrite ^/api/provision(/.*)$ $1 break; + proxy_pass http://timescale-reader:${MG_TIMESCALE_READER_HTTP_PORT}; + } + location /api/health { include snippets/proxy-headers.conf; rewrite ^/api(/.*)$ $1 break; @@ -198,6 +226,12 @@ http { proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } + ## Expose VAULT CRL, OCSP endpoint to public for verification of certificate. + location /certs/ { + include snippets/proxy-headers.conf; + proxy_pass http://vault:${MG_VAULT_PORT}/v1/; + } + # Proxy pass to magistrala-http-adapter location /http/ { include snippets/proxy-headers.conf; diff --git a/docker/nginx/nginx-x509.conf b/docker/nginx/nginx-x509.conf index f35057e626..ce66aea15c 100644 
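Review bot: The `location ~ ^/api/(reader)` block rewrites with `^/api/provision(/.*)$`, a copy-paste from the block above it, so `/api/reader/...` never matches the rewrite and timescale-reader receives the unmodified `/api/reader/...` path; the line should be `rewrite ^/api/reader(/.*)$ $1 break;`. The identical mistake is in the nginx-x509.conf hunk @@ -195 that follows. The four new regex locations also have no terminating boundary, so `^/api/(bootstrap)` matches `/api/bootstrapanything` as well; `^/api/(bootstrap)(/|$)` is the tighter form.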
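Review bot: `location /certs/ { proxy_pass http://vault:${MG_VAULT_PORT}/v1/; }` exposes the whole Vault API root on the public listener, not only the CRL/OCSP endpoints the comment describes — every mount under `/v1/` becomes reachable from outside, guarded solely by Vault's own ACLs. It also does not line up with the AIA URLs vault-hcp-set-pki.sh configures, which are templated as `{{cluster_aia_path}}/v1/<mount>/...` with `MG_VAULT_PKI_CLUSTER_AIA_PATH=http://localhost`, i.e. `http://localhost/v1/pki_int/crl`, a path this block never serves; a verifier following the certificate's CRL/OCSP pointer gets the frontend's 404. Restricting the match to the unauthenticated PKI paths and setting the AIA path to `http(s)://<public host>/certs` makes both agree, as sketched below (adjust the mount and endpoint list to what the issued certificates actually reference). The same block appears in the nginx-x509.conf hunk @@ -207.
```nginx
## Expose only Vault's public PKI endpoints (CA, chain, CRL, OCSP); the AIA
## URLs are templated as {{cluster_aia_path}}/v1/<mount>/..., so point
## MG_VAULT_PKI_*_CLUSTER_AIA_PATH at http(s)://<public host>/certs.
location ~ ^/certs/v1/(pki|pki_int)/(ca|ca_chain|crl|ocsp)(/|$) {
    include snippets/proxy-headers.conf;
    rewrite ^/certs(/v1/.*)$ $1 break;
    proxy_pass http://vault:${MG_VAULT_PORT};
}
```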
--- a/docker/nginx/nginx-x509.conf +++ b/docker/nginx/nginx-x509.conf @@ -195,6 +195,34 @@ http { proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}; } + location ~ ^/api/(bootstrap) { + include snippets/proxy-headers.conf; + add_header Access-Control-Expose-Headers Location; + rewrite ^/api/bootstrap(/.*)$ $1 break; + proxy_pass http://bootstrap:${MG_BOOTSTRAP_HTTP_PORT}; + } + + location ~ ^/api/(certs) { + include snippets/proxy-headers.conf; + add_header Access-Control-Expose-Headers Location; + rewrite ^/api/certs(/.*)$ $1 break; + proxy_pass http://certs:${MG_CERTS_HTTP_PORT}; + } + + location ~ ^/api/(provision) { + include snippets/proxy-headers.conf; + add_header Access-Control-Expose-Headers Location; + rewrite ^/api/provision(/.*)$ $1 break; + proxy_pass http://provision:${MG_PROVISION_HTTP_PORT}; + } + + location ~ ^/api/(reader) { + include snippets/proxy-headers.conf; + add_header Access-Control-Expose-Headers Location; + rewrite ^/api/provision(/.*)$ $1 break; + proxy_pass http://timescale-reader:${MG_TIMESCALE_READER_HTTP_PORT}; + } + location /api/health { include snippets/proxy-headers.conf; rewrite ^/api(/.*)$ $1 break; @@ -207,6 +235,13 @@ http { proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } + + ## Expose VAULT CRL, OCSP endpoint to public for verification of certificate. + location /certs/ { + include snippets/proxy-headers.conf; + proxy_pass http://vault:${MG_VAULT_PORT}/v1/; + } + # Proxy pass to magistrala-http-adapter location /http/ { include snippets/verify-ssl-client.conf; diff --git a/docker/vault/.gitignore b/docker/vault/.gitignore new file mode 100644 index 0000000000..f1f87eef0b --- /dev/null +++ b/docker/vault/.gitignore @@ -0,0 +1,4 @@ +# Copyright (c) Abstract Machines +# SPDX-License-Identifier: Apache-2.0 + +certs/* \ No newline at end of file diff --git a/docker/vault/things_cert_issue.hcl b/docker/vault/things_cert_issue.hcl new file mode 100644 index 0000000000..794af0ce0a --- /dev/null 
+++ b/docker/vault/things_cert_issue.hcl
@@ -0,0 +1,32 @@
+
+# Allow issue certificate with role with default issuer from Intermediate PKI
+path "pki_int/issue/+" {
+ capabilities = ["create", "update"]
+}
+
+## Revole certificate from Intermediate PKI
+path "pki_int/revoke" {
+ capabilities = ["create", "update"]
+}
+
+## List Revoked Certificates from Intermediate PKI
+path "pki_int/certs/revoked" {
+ capabilities = ["list"]
+}
+
+
+## List Certificates from Intermediate PKI
+path "pki_int/certs" {
+ capabilities = ["list"]
+}
+
+## Read Certificate from Intermediate PKI
+path "pki_int/cert/+" {
+ capabilities = ["read"]
+}
+path "pki_int/cert/+/raw" {
+ capabilities = ["read"]
+}
+path "pki_int/cert/+/raw/pem" {
+ capabilities = ["read"]
+}
diff --git a/docker/vault/vault-hcp-create-approle.sh b/docker/vault/vault-hcp-create-approle.sh
new file mode 100755
index 0000000000..cedbd1aef6
--- /dev/null
+++ b/docker/vault/vault-hcp-create-approle.sh
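Review bot: The policy hardcodes the `pki_int` mount while `.env` and both scripts treat it as configurable through `MG_VAULT_PKI_INT_PATH`; if that value is changed the AppRole silently loses every capability, so either render the mount into the policy when `vault policy write` runs (e.g. `envsubst` into a temp file) or document that the two must agree. `pki_int/issue/+` permits issuing against every role on the mount, whereas the certs service only uses `MG_VAULT_PKI_INT_ROLE_NAME`; pinning it (`pki_int/issue/magistrala_things_cert`) is the least-privilege form and keeps a compromised SecretID from issuing under other roles. The comment `## Revole certificate from Intermediate PKI` should read `## Revoke certificate from Intermediate PKI`.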
@@ -0,0 +1,70 @@
+#!/usr/bin/bash
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+set -euo pipefail
+
+scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+echo "$scriptdir"
+export MAGISTRALA_DIR=$scriptdir/../../
+
+# cd $scriptdir
+
+# echo "$MAGISTRALA_DIR"
+
+readDotEnv() {
+ set -o allexport
+ source $MAGISTRALA_DIR/docker/.env
+ set +o allexport
+}
+
+vaultCreatePolicy() {
+ vault policy write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} things_cert_issue $scriptdir/things_cert_issue.hcl
+}
+
+vaultCreateRole() {
+ echo "Creating new AppRole"
+ # vault auth enable approle
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/role/things_cert_issuer \
+ token_policies=things_cert_issue secret_id_num_uses=0 \
+ secret_id_ttl=0 token_ttl=1h token_max_ttl=3h token_num_uses=0
+}
+
+vaultWriteCustomRoleID(){
+ echo "Writing custom role id"
+ vault read -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/role/things_cert_issuer/role-id
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/role/things_cert_issuer/role-id role_id=${MG_CERTS_VAULT_APPROLE_ROLEID}
+}
+
+vaultWriteCustomSecret() {
+ echo "Writing custom secret"
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -f auth/approle/role/things_cert_issuer/secret-id
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/role/things_cert_issuer/custom-secret-id secret_id=${MG_CERTS_VAULT_APPROLE_SECRET} num_uses=0 ttl=0
+}
+
+vaultTestRoleLogin() {
+echo "Testing custom roleid secret by logging in"
+vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/login \
+ role_id=${MG_CERTS_VAULT_APPROLE_ROLEID} \
+ secret_id=${MG_CERTS_VAULT_APPROLE_SECRET}
+
+}
+if ! command -v jq &> /dev/null
+then
+ echo "jq command could not be found, please install it and try again."
+ exit
+fi
+
+readDotEnv
+
+
+vault login -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_TOKEN}
+
+vaultCreatePolicy
+vaultCreateRole
+vaultCreateRole
+vaultWriteCustomRoleID
+vaultWriteCustomSecret
+vaultTestRoleLogin
+
+exit 0
diff --git a/docker/vault/vault-hcp-set-pki.sh b/docker/vault/vault-hcp-set-pki.sh
new file mode 100755
index 0000000000..e4578b398e
--- /dev/null
+++ b/docker/vault/vault-hcp-set-pki.sh
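Review bot: `vaultCreateRole` is invoked twice in the call sequence at the bottom of the script; the second call only rewrites the same role but reads as a copy-paste slip and should be dropped. The `jq` guard ends in a bare `exit` (status 0), so a caller cannot tell the script failed, and `jq` is never used in this script — either make it `exit 1` or remove the check. `vault login … ${MG_VAULT_TOKEN}` places the root token on the command line, where it is visible in `ps` and shell history; the CLI already honours `VAULT_TOKEN`, so `export VAULT_TOKEN="$MG_VAULT_TOKEN"` and dropping the explicit login avoids that (the same applies to vault-hcp-set-pki.sh). In `vaultWriteCustomSecret` the first `vault write -f …/secret-id` mints a SecretID that is never used but is printed to the terminal, and `vaultTestRoleLogin` prints the resulting client token in full; remove the first line and send the login output to `/dev/null`, relying on the exit status under `set -e`. Every `${MG_VAULT_NAMESPACE}`, `${MG_VAULT_ADDR}` and `$MAGISTRALA_DIR` expansion is unquoted (ShellCheck SC2086); `set -u` only guarantees they exist, not that they survive word-splitting.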
@@ -0,0 +1,194 @@
+#!/usr/bin/bash
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+set -euo pipefail
+
+scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+echo "$scriptdir"
+export MAGISTRALA_DIR=$scriptdir/../../
+
+# cd $scriptdir
+
+# echo "$MAGISTRALA_DIR"
+
+readDotEnv() {
+ set -o allexport
+ source $MAGISTRALA_DIR/docker/.env
+ set +o allexport
+}
+
+# vault() {
+# docker exec -it magistrala-vault vault "$@"
+# }
+
+vaultEnablePKI() {
+ vault secrets enable -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -path ${MG_VAULT_PKI_PATH} pki
+ vault secrets tune -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -max-lease-ttl=87600h ${MG_VAULT_PKI_PATH}
+}
+
+vaultConfigPKIClusterPath() {
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_PATH}/config/cluster aia_path=${MG_VAULT_PKI_CLUSTER_AIA_PATH} path=${MG_VAULT_PKI_CLUSTER_PATH}
+}
+
+vaultConfigPKICrl() {
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_PATH}/config/crl expiry="5m" ocsp_disable=false ocsp_expiry=0 auto_rebuild=true auto_rebuild_grace_period="2m" enable_delta=true delta_rebuild_interval="1m"
+}
+
+
+vaultAddRoleToSecret() {
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_PATH}/roles/${MG_VAULT_PKI_ROLE_NAME} \
+ allow_any_name=true \
+ max_ttl="8760h" \
+ default_ttl="8760h" \
+ generate_lease=true
+}
+
+vaultGenerateRootCACertificate() {
+ echo "Generate root CA certificate"
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -format=json ${MG_VAULT_PKI_PATH}/root/generate/exported \
+ common_name="\"$MG_VAULT_PKI_CA_CN\"" \
+ ou="\"$MG_VAULT_PKI_CA_OU\"" \
+ organization="\"$MG_VAULT_PKI_CA_O\"" \
+ country="\"$MG_VAULT_PKI_CA_C\"" \
+ locality="\"$MG_VAULT_PKI_CA_L\"" \
+ province="\"$MG_VAULT_PKI_CA_ST\"" \
+ street_address="\"$MG_VAULT_PKI_CA_ADDR\"" \
+ postal_code="\"$MG_VAULT_PKI_CA_PO\"" \
+ ttl=87600h | tee >(jq -r .data.certificate >data/${MG_VAULT_PKI_FILE_NAME}_ca.crt) \
+ >(jq -r .data.issuing_ca >data/${MG_VAULT_PKI_FILE_NAME}_issuing_ca.crt) \
+ >(jq -r .data.private_key >data/${MG_VAULT_PKI_FILE_NAME}_ca.key)
+}
+
+vaultSetupRootCAIssuingURLs() {
+ echo "Setup URLs for CRL and issuing"
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_PATH}/config/urls \
+ issuing_certificates="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_PATH}/ca" \
+ crl_distribution_points="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_PATH}/crl" \
+ ocsp_servers="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_PATH}/ocsp" \
+ enable_templating=true
+}
+
+
+vaultGenerateIntermediateCAPKI() {
+ echo "Generate Intermediate CA PKI"
+ vault secrets enable -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -path=${MG_VAULT_PKI_INT_PATH} pki
+ vault secrets tune -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -max-lease-ttl=43800h ${MG_VAULT_PKI_INT_PATH}
+}
+
+vaultConfigIntermediatePKIClusterPath() {
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_INT_PATH}/config/cluster aia_path=${MG_VAULT_PKI_INT_CLUSTER_AIA_PATH} path=${MG_VAULT_PKI_INT_CLUSTER_PATH}
+}
+
+vaultConfigIntermediatePKICrl() {
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_INT_PATH}/config/crl expiry="5m" ocsp_disable=false ocsp_expiry=0 auto_rebuild=true auto_rebuild_grace_period="2m" enable_delta=true delta_rebuild_interval="1m"
+}
+
+
+
+vaultGenerateIntermediateCSR() {
+ echo "Generate intermediate CSR"
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -format=json ${MG_VAULT_PKI_INT_PATH}/intermediate/generate/exported \
+ common_name="\"$MG_VAULT_PKI_INT_CA_CN\"" \
+ ou="\"$MG_VAULT_PKI_INT_CA_OU\""\
+ organization="\"$MG_VAULT_PKI_INT_CA_O\"" \
+ country="\"$MG_VAULT_PKI_INT_CA_C\"" \
+ locality="\"$MG_VAULT_PKI_INT_CA_L\"" \
+ province="\"$MG_VAULT_PKI_INT_CA_ST\"" \
+ street_address="\"$MG_VAULT_PKI_INT_CA_ADDR\"" \
+ postal_code="\"$MG_VAULT_PKI_INT_CA_PO\"" \
+ | tee >(jq -r .data.csr >data/${MG_VAULT_PKI_INT_FILE_NAME}.csr) \
+ >(jq -r .data.private_key >data/${MG_VAULT_PKI_INT_FILE_NAME}.key)
+}
+
+vaultSignIntermediateCSR() {
+ echo "Sign intermediate CSR"
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -format=json ${MG_VAULT_PKI_PATH}/root/sign-intermediate \
+ csr=@data/${MG_VAULT_PKI_INT_FILE_NAME}.csr ttl="8760h" \
+ ou="\"$MG_VAULT_PKI_INT_CA_OU\""\
+ organization="\"$MG_VAULT_PKI_INT_CA_O\"" \
+ country="\"$MG_VAULT_PKI_INT_CA_C\"" \
+ locality="\"$MG_VAULT_PKI_INT_CA_L\"" \
+ province="\"$MG_VAULT_PKI_INT_CA_ST\"" \
+ street_address="\"$MG_VAULT_PKI_INT_CA_ADDR\"" \
+ postal_code="\"$MG_VAULT_PKI_INT_CA_PO\"" \
+ | tee >(jq -r .data.certificate >data/${MG_VAULT_PKI_INT_FILE_NAME}.crt) \
+ >(jq -r .data.issuing_ca >data/${MG_VAULT_PKI_INT_FILE_NAME}_issuing_ca.crt)
+}
+
+vaultInjectIntermediateCertificate() {
+ echo "Inject Intermediate Certificate"
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_INT_PATH}/intermediate/set-signed certificate=@data/${MG_VAULT_PKI_INT_FILE_NAME}.crt
+}
+
+vaultGenerateIntermediateCertificateBundle() {
+ echo "Generate intermediate certificate bundle"
+ cat data/${MG_VAULT_PKI_INT_FILE_NAME}.crt data/${MG_VAULT_PKI_FILE_NAME}_ca.crt \
+ > data/${MG_VAULT_PKI_INT_FILE_NAME}_bundle.crt
+}
+
+vaultSetupIntermediateIssuingURLs() {
+ echo "Setup URLs for CRL and issuing"
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_INT_PATH}/config/urls \
+ issuing_certificates="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_INT_PATH}/ca" \
+ crl_distribution_points="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_INT_PATH}/crl" \
+ ocsp_servers="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_INT_PATH}/ocsp" \
+ enable_templating=true
+}
+
+vaultSetupCARole() {
+ echo "Setup CA role"
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_INT_PATH}/roles/${MG_VAULT_PKI_INT_ROLE_NAME} \
+ allow_subdomains=true \
+ allow_any_name=true \
+ max_ttl="720h"
+}
+
+vaultGenerateTestCertificate() {
+ echo "Generate Test certificate"
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -format=json ${MG_VAULT_PKI_INT_PATH}/issue/${MG_VAULT_PKI_INT_ROLE_NAME} \
+ common_name="testThingCert" ttl="8670h" \
+ | tee >(jq -r .data.certificate >data/testThingCert.crt) \
+ >(jq -r .data.private_key >data/testThingCert.key)
+}
+
+
+if ! command -v jq &> /dev/null
+then
+ echo "jq command could not be found, please install it and try again."
+ exit
+fi
+
+readDotEnv
+
+mkdir -p data
+
+vault login -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_TOKEN}
+
+vaultEnablePKI
+vaultConfigPKIClusterPath
+vaultConfigPKICrl
+vaultAddRoleToSecret
+vaultGenerateRootCACertificate
+vaultSetupRootCAIssuingURLs
+vaultGenerateIntermediateCAPKI
+vaultConfigIntermediatePKIClusterPath
+vaultConfigIntermediatePKICrl
+vaultGenerateIntermediateCSR
+vaultSignIntermediateCSR
+vaultInjectIntermediateCertificate
+vaultGenerateIntermediateCertificateBundle
+vaultSetupIntermediateIssuingURLs
+vaultSetupCARole
+# vaultGenerateTestCertificate
+
+echo "Copying certificate files"
+mkdir -p ${MAGISTRALA_DIR}/docker/vault/certs
+cp -v data/${MG_VAULT_PKI_FILE_NAME}_ca.crt ${MAGISTRALA_DIR}/docker/vault/certs/${MG_VAULT_PKI_FILE_NAME}_ca.crt
+cp -v data/${MG_VAULT_PKI_FILE_NAME}_ca.key ${MAGISTRALA_DIR}/docker/vault/certs/${MG_VAULT_PKI_FILE_NAME}_ca.key
+cp -v data/${MG_VAULT_PKI_INT_FILE_NAME}.key ${MAGISTRALA_DIR}/docker/vault/certs/${MG_VAULT_PKI_INT_FILE_NAME}.key
+cp -v data/${MG_VAULT_PKI_INT_FILE_NAME}.crt ${MAGISTRALA_DIR}/docker/vault/certs/${MG_VAULT_PKI_INT_FILE_NAME}.crt
+cp -v data/${MG_VAULT_PKI_INT_FILE_NAME}_bundle.crt ${MAGISTRALA_DIR}/docker/vault/certs/${MG_VAULT_PKI_INT_FILE_NAME}_bundle.crt
+
+
+exit 0
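Review bot: Every extraction in this script goes through `tee >(jq … >data/…)`, and bash does not wait for process substitutions to finish, so `vaultSignIntermediateCSR` can read `data/${MG_VAULT_PKI_INT_FILE_NAME}.csr` before the `jq` writing it has completed, and a failing `jq` inside `>()` is invisible to `set -e`; capturing the JSON into a variable and extracting sequentially removes both problems, as sketched below for one function. `root/generate/exported` and `intermediate/generate/exported` pull both CA private keys out of Vault onto disk, and the final `cp` block then copies `_ca.key` and `.key` into `docker/vault/certs/`; unless something outside this commit consumes those files, the `…/generate/internal` endpoints keep the keys inside Vault and the copy step can be limited to the certificates and the bundle. The `"\"$MG_VAULT_PKI_CA_CN\""` arguments embed literal double-quote characters in the values handed to the CLI — presumably meant to protect the spaces, which the shell quoting already does — so the resulting subjects may carry stray quotes; worth checking on a generated certificate. `data/` is created relative to the caller's working directory (the `cd $scriptdir` is commented out), so running the script from elsewhere leaves key material wherever the operator happened to be. As in vault-hcp-create-approle.sh, the `jq` guard exits 0 and the root token is passed on the `vault login` command line.
```bash
vaultGenerateIntermediateCSR() {
  echo "Generate intermediate CSR"
  local out
  # Capture the response first: bash does not wait for >(…) process
  # substitutions, so the .csr could still be empty when the next step reads it.
  out=$(vault write -namespace="${MG_VAULT_NAMESPACE}" -address="${MG_VAULT_ADDR}" -format=json \
    "${MG_VAULT_PKI_INT_PATH}/intermediate/generate/internal" \
    common_name="$MG_VAULT_PKI_INT_CA_CN" ou="$MG_VAULT_PKI_INT_CA_OU" \
    organization="$MG_VAULT_PKI_INT_CA_O" country="$MG_VAULT_PKI_INT_CA_C" \
    locality="$MG_VAULT_PKI_INT_CA_L" province="$MG_VAULT_PKI_INT_CA_ST" \
    street_address="$MG_VAULT_PKI_INT_CA_ADDR" postal_code="$MG_VAULT_PKI_INT_CA_PO")
  jq -r .data.csr <<<"$out" >"data/${MG_VAULT_PKI_INT_FILE_NAME}.csr"
}
# … unchanged: the root CA, sign-intermediate and test-certificate functions take the same shape …
```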
diff --git a/go.mod b/go.mod index 69b3397290..ce6d068a69 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/gookit/color v1.5.4 github.com/gopcua/opcua v0.1.6 github.com/gorilla/websocket v1.5.1 - github.com/hashicorp/vault/api v1.10.0 + github.com/hashicorp/vault/api v1.12.0 github.com/hokaccha/go-prettyjson v0.0.0-20211117102719-0474bc63780f github.com/influxdata/influxdb-client-go/v2 v2.13.0 github.com/ivanpirog/coloredcobra v1.0.1 @@ -54,8 +54,8 @@ require ( go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.22.0 go.opentelemetry.io/otel/sdk v1.22.0 go.opentelemetry.io/otel/trace v1.22.0 - golang.org/x/crypto v0.18.0 - golang.org/x/net v0.20.0 + golang.org/x/crypto v0.19.0 + golang.org/x/net v0.21.0 golang.org/x/sync v0.6.0 gonum.org/v1/gonum v0.14.0 google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac @@ -110,6 +110,7 @@ require ( github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect github.com/hashicorp/go-sockaddr v1.0.6 // indirect github.com/hashicorp/hcl v1.0.0 // indirect + github.com/hashicorp/vault/api/auth/approle v0.6.0 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf // indirect @@ -174,7 +175,7 @@ require ( go.uber.org/multierr v1.11.0 // indirect golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect golang.org/x/mod v0.14.0 // indirect - golang.org/x/sys v0.16.0 // indirect + golang.org/x/sys v0.17.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.17.0 // indirect diff --git a/go.sum b/go.sum index 7ad59cad7d..5853168b52 100644 --- a/go.sum +++ b/go.sum 
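Review bot: `github.com/hashicorp/vault/api/auth/approle v0.6.0` is added with an `// indirect` marker although certs/pki/vault.go now imports it directly; `go mod tidy` would move it into the direct require block, and leaving it marked indirect hides a real dependency from anyone auditing what this module pulls in. The remaining changes in the hunks here are routine version bumps.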
@@ -26,6 +26,7 @@ github.com/absmach/senml v1.0.5 h1:zNPRYpGr2Wsb8brAusz8DIfFqemy1a2dNbmMnegY3GE= github.com/absmach/senml v1.0.5/go.mod h1:NDEjk3O4V4YYu9Bs2/+t/AZ/F+0wu05ikgecp+/FsSU= github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ= github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk= +github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/authzed/authzed-go v0.10.1 h1:0aX2Ox9PPPknID92kLs/FnmhCmfl6Ni16v3ZTLsds5M= github.com/authzed/authzed-go v0.10.1/go.mod h1:ZsaFPCiMjwT0jLW0gCyYzh3elHqhKDDGGRySyykXwqc= github.com/authzed/grpcutil v0.0.0-20230908193239-4286bb1d6403 h1:bQeIwWWRI9bl93poTqpix4sYHi+gnXUPK7N6bMtXzBE= @@ -33,6 +34,7 @@ github.com/authzed/grpcutil v0.0.0-20230908193239-4286bb1d6403/go.mod h1:s3qC7V7 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/bitly/go-hostpool v0.0.0-20171023180738-a3a6125de932/go.mod h1:NOuUCSz6Q9T7+igc/hlvDOUdtWKryOrtFyIVABv/p7k= github.com/bitly/go-hostpool v0.1.0 h1:XKmsF6k5el6xHG3WPJ8U0Ku/ye7njX7W81Ng7O2ioR0= github.com/bitly/go-hostpool v0.1.0/go.mod h1:4gOCgp6+NZnVqlKyZ/iBZFTAJKembaVENUpMkpg42fw= 
@@ -41,7 +43,9 @@ github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 h1:DDGfHa7BWjL4Yn github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4= github.com/caarlos0/env/v10 v10.0.0 h1:yIHUBZGsyqCnpTkbjk8asUlx6RFhhEs+h7TOBdgdzXA= github.com/caarlos0/env/v10 v10.0.0/go.mod h1:ZfulV76NvVPw3tm591U4SwL3Xx9ldzBP9aGxzeN7G18= +github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4= github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= +github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M= github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= @@ -95,6 +99,7 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= 
@@ -179,6 +184,7 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= 
@@ -203,27 +209,38 @@ github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMW github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= +github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c= github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M= github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 h1:iBt4Ew4XEGLfh6/bPk4rSYmuZJGizr6/x/AEizP0CQc= 
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8/go.mod h1:aiJI+PIApBRQG7FZTEBx5GiiX+HbOHilUdNxUZi4eV0= +github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U= github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= +github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= github.com/hashicorp/go-sockaddr v1.0.6 h1:RSG8rKU28VTUTvEKghe5gIhIQpv8evvNpnDEyqO4u9I= github.com/hashicorp/go-sockaddr v1.0.6/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/vault/api v1.10.0 h1:/US7sIjWN6Imp4o/Rj1Ce2Nr5bki/AXi9vAW3p2tOJQ= github.com/hashicorp/vault/api v1.10.0/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8= +github.com/hashicorp/vault/api v1.12.0 h1:meCpJSesvzQyao8FCOgk2fGdoADAnbDu2WPJN1lDLJ4= +github.com/hashicorp/vault/api v1.12.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck= +github.com/hashicorp/vault/api/auth/approle v0.6.0 h1:ELfFFQlTM/e97WJKu1HvNFa7lQ3tlTwwzrR1NJE1V7Y= +github.com/hashicorp/vault/api/auth/approle v0.6.0/go.mod h1:CCoIl1xBC3lAWpd1HV+0ovk76Z8b8Mdepyk21h3pGk0= github.com/hokaccha/go-prettyjson v0.0.0-20211117102719-0474bc63780f h1:7LYC+Yfkj3CTRcShK0KOL/w6iTiKyqqBA9a41Wnggw8= github.com/hokaccha/go-prettyjson v0.0.0-20211117102719-0474bc63780f/go.mod h1:pFlLw2CfqZiIBOx6BuCeRLCrfxBJipTY0nIOF/VbGcI= github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= 
@@ -339,13 +356,18 @@ github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ= +github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= +github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= 
@@ -355,8 +377,11 @@ github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A github.com/mattn/go-sqlite3 v1.14.19 h1:fhGleo2h1p8tVChob4I9HpmVFIAkKGpiukdrgQbWfGI= github.com/mattn/go-sqlite3 v1.14.19/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= github.com/miekg/dns v1.1.29/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= +github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= @@ -424,6 +449,7 @@ github.com/plgd-dev/kit/v2 v2.0.0-20211006190727-057b33161b90/go.mod h1:Z7oKFLSG github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY= github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg= github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= 
@@ -447,6 +473,7 @@ github.com/rubenv/sql-migrate v1.6.1 h1:bo6/sjsan9HaXAsNxYP/jCEDUGibHp8JmOBw7NTG github.com/rubenv/sql-migrate v1.6.1/go.mod h1:tPzespupJS0jacLfhbwto/UjSX+8h2FdWB7ar+QlHa0= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ= @@ -589,8 +616,12 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE= golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= +golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20240119083558-1b970713d09a h1:Q8/wZp0KX97QFTc2ywcOE0YRjZPVIx+MXInMzdvQqcA= golang.org/x/exp v0.0.0-20240119083558-1b970713d09a/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08= 
@@ -630,8 +661,11 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= +golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4= +golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ= @@ -646,6 +680,7 @@ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -657,6 +692,7 @@ golang.org/x/sys v0.0.0-20190602015325-4c4f7f33c9ed/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -678,8 +714,12 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 
@@ -687,6 +727,8 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
+golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -697,8 +739,10 @@ golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=

From 8096f26afcc9624769e80e5c69d24f858faa8dc2 Mon Sep 17 00:00:00 2001
From: Arvindh
Date: Wed, 14 Feb 2024 13:25:50 +0530
Subject: [PATCH 08/40] fix: vault create approle script
Signed-off-by: Arvindh
---
 docker/vault/vault-hcp-create-approle.sh | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/docker/vault/vault-hcp-create-approle.sh b/docker/vault/vault-hcp-create-approle.sh
index cedbd1aef6..ed5776d088 100755
--- a/docker/vault/vault-hcp-create-approle.sh
+++ b/docker/vault/vault-hcp-create-approle.sh
@@ -19,12 +19,21 @@ readDotEnv() {
 }
 
 vaultCreatePolicy() {
+    echo "Creating new policy for AppRole"
     vault policy write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} things_cert_issue $scriptdir/things_cert_issue.hcl
 }
 
+vaultEnableAppRole() {
+    echo "Enabling AppRole"
+    vault auth enable -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} approle
+}
+vaultDeleteRole() {
+    echo "Deleteing old AppRole"
+    vault delete -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/role/things_cert_issuer
+}
+
 vaultCreateRole() {
     echo "Creating new AppRole"
-    # vault auth enable approle
     vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/role/things_cert_issuer \
         token_policies=things_cert_issue secret_id_num_uses=0 \
         secret_id_ttl=0 token_ttl=1h token_max_ttl=3h token_num_uses=0
@@ -61,7 +70,7 @@ readDotEnv
 vault login -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_TOKEN}
 
 vaultCreatePolicy
-vaultCreateRole
+vaultDeleteRole
 vaultCreateRole
 vaultWriteCustomRoleID
 vaultWriteCustomSecret

From ddd72d323dd54d9ebbd1b28a8d97ca87e7973867 Mon Sep 17 00:00:00 2001
From: Arvindh
Date: Wed, 14 Feb 2024 13:27:43 +0530
Subject: [PATCH 09/40] fix: vault create approle script

Signed-off-by: Arvindh
---
 docker/vault/vault-hcp-create-approle.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docker/vault/vault-hcp-create-approle.sh b/docker/vault/vault-hcp-create-approle.sh
index ed5776d088..7459942643 100755
--- a/docker/vault/vault-hcp-create-approle.sh
+++ b/docker/vault/vault-hcp-create-approle.sh
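Review bot: `vaultEnableAppRole` and `vaultDeleteRole` pass `${MG_VAULT_NAMESPACE}` and `${MG_VAULT_ADDR}` unquoted, as `vaultCreatePolicy` already does, so an empty or space-containing value from `.env` silently changes the argument list; write them as `-namespace="${MG_VAULT_NAMESPACE}" -address="${MG_VAULT_ADDR}"` (and quote `"$scriptdir/things_cert_issue.hcl"`). The `vault delete` in `vaultDeleteRole` is unchecked, so a permission failure is followed by `vaultCreateRole` reporting success on a role that was never removed; `vault delete ... auth/approle/role/things_cert_issuer || { echo "failed to delete old AppRole" >&2; exit 1; }` stops the script at the source. The recreated role keeps `secret_id_num_uses=0 secret_id_ttl=0`, which Vault treats as unlimited uses and no expiry for the SecretID — if that is deliberate, a comment such as `# secret_id_num_uses=0 / secret_id_ttl=0: SecretID is unlimited-use and never expires; rotate by re-running this script` records the decision. "Deleteing" in the echo is a typo.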
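Review bot: The top-level sequence now runs the destructive `vaultDeleteRole` straight after `vault login ... ${MG_VAULT_TOKEN}`, which hands the Vault token over on the command line where the process list exposes it to other local users; read it from stdin instead, `printf '%s' "$MG_VAULT_TOKEN" | vault login -namespace="${MG_VAULT_NAMESPACE}" -address="${MG_VAULT_ADDR}" -`. Nothing checks the login result before the delete, so a failed login surfaces only as a cascade of errors from each later call; appending `|| { echo "vault login failed" >&2; exit 1; }` to that line keeps the failure where it happens. The script header is outside this hunk, so whether `set -e` is in effect cannot be seen here.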
@@ -70,6 +70,7 @@ readDotEnv
 vault login -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_TOKEN}
 
 vaultCreatePolicy
+vaultEnableAppRole
 vaultDeleteRole
 vaultCreateRole
 vaultWriteCustomRoleID

From 9d3b6748b75731cb050427eb81addc0a945b3f95 Mon Sep 17 00:00:00 2001
From: Arvindh
Date: Wed, 14 Feb 2024 13:31:53 +0530
Subject: [PATCH 10/40] fix: vault create approle script

Signed-off-by: Arvindh
---
 docker/vault/vault-hcp-create-approle.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/docker/vault/vault-hcp-create-approle.sh b/docker/vault/vault-hcp-create-approle.sh
index 7459942643..815be6d9ae 100755
--- a/docker/vault/vault-hcp-create-approle.sh
+++ b/docker/vault/vault-hcp-create-approle.sh
@@ -24,9 +24,12 @@ vaultCreatePolicy() {
 }
 
 vaultEnableAppRole() {
-    echo "Enabling AppRole"
-    vault auth enable -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} approle
+    if [ "$1" == "enable_app_role" ]; then
+        echo "Enabling AppRole"
+        vault auth enable -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} approle
+    fi
 }
+
 vaultDeleteRole() {
     echo "Deleteing old AppRole"
     vault delete -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/role/things_cert_issuer

From c163827e6a99ddaf5a68d405ad41dd1d2ca51c0a Mon Sep 17 00:00:00 2001
From: Arvindh
Date: Wed, 14 Feb 2024 13:35:24 +0530
Subject: [PATCH 11/40] fix: vault create approle script

Signed-off-by: Arvindh
---
 docker/vault/vault-hcp-create-approle.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docker/vault/vault-hcp-create-approle.sh b/docker/vault/vault-hcp-create-approle.sh
index 815be6d9ae..b4b51e4188 100755
--- a/docker/vault/vault-hcp-create-approle.sh
+++ b/docker/vault/vault-hcp-create-approle.sh
@@ -12,6 +12,8 @@ export MAGISTRALA_DIR=$scriptdir/../../
 
 # echo "$MAGISTRALA_DIR"
 
+ENABLE_APP_ROLE=${1:-not_enable_app_role}
+
 readDotEnv() {
     set -o allexport
     source $MAGISTRALA_DIR/docker/.env
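Review bot: `ENABLE_APP_ROLE=${1:-not_enable_app_role}` in the last hunk introduces an undocumented positional argument whose only meaningful value is the string `enable_app_role`, and nothing tells an operator when to pass it; a header comment such as `# Usage: vault-hcp-create-approle.sh [enable_app_role]` followed by `#   pass "enable_app_role" only on a Vault where the approle auth method has not been enabled yet` would close that gap. `readDotEnv` sources `.env` with `allexport` after this assignment, so a same-named key in that file would override the argument — worth stating in the same comment. The rest of `readDotEnv` is outside the hunk.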
@@ -24,7 +26,7 @@ vaultCreatePolicy() {
 }
 
 vaultEnableAppRole() {
-    if [ "$1" == "enable_app_role" ]; then
+    if [ "$ENABLE_APP_ROLE" == "enable_app_role" ]; then
         echo "Enabling AppRole"
         vault auth enable -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} approle
     fi

From b6224e66a268cd16f5cf68f8e0cfed049767bee6 Mon Sep 17 00:00:00 2001
From: Arvindh
Date: Wed, 14 Feb 2024 13:39:05 +0530
Subject: [PATCH 12/40] remove env var

Signed-off-by: Arvindh
---
 docker/.env | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docker/.env b/docker/.env
index 82f7c7fdde..d4a3f426c1 100644
--- a/docker/.env
+++ b/docker/.env
@@ -341,7 +341,6 @@ MG_VAULT_PKI_CLUSTER_AIA_PATH=http://localhost
 
 MG_VAULT_PKI_INT_PATH=pki_int
 MG_VAULT_PKI_INT_ROLE_NAME=magistrala_things_cert
-MG_VAULT_CA_ROLE_NAME=magistrala_things_cert
 MG_VAULT_PKI_INT_FILE_NAME=mg_things_int
 MG_VAULT_PKI_INT_CA_CN='Magistrala Things Intermediate Certificate Authority'
 MG_VAULT_PKI_INT_CA_OU='Abstract Machines'

From 7f13ff9b34e5e35e94017cdf880be61fb03ac670 Mon Sep 17 00:00:00 2001
From: Arvindh
Date: Mon, 19 Feb 2024 13:39:27 +0530
Subject: [PATCH 13/40] Revert "fix: api route"

This reverts commit 66e1d3f6e74a0ee9c2e062494b46175f9d675bf4.

Signed-off-by: Arvindh
---
 docker/nginx/nginx-key.conf  | 12 ++++------
 docker/nginx/nginx-x509.conf | 45 ++++++++++++------------------------
 2 files changed, 19 insertions(+), 38 deletions(-)

diff --git a/docker/nginx/nginx-key.conf b/docker/nginx/nginx-key.conf
index 3f999b18ae..721c672fed 100644
--- a/docker/nginx/nginx-key.conf
+++ b/docker/nginx/nginx-key.conf
@@ -89,13 +89,12 @@ http {
         location ~ ^/api/(users|groups)/(.+)/(channels|things) {
             include snippets/proxy-headers.conf;
             add_header Access-Control-Expose-Headers Location;
-            rewrite ^/api(/.*)$ $1;
+            rewrite ^/api(/.*)$ $1 break;
             if ($request_method = GET) {
                 proxy_pass http://things:${MG_THINGS_HTTP_PORT};
                 break;
             }
             proxy_pass http://users:${MG_USERS_HTTP_PORT};
-            break;
         }
 
         # Proxy pass to channel id to users service for listing of channels
@@ -104,13 +103,12 @@ http {
         location ~ ^/api/(channels|things)/(.+)/(users|groups) {
             include snippets/proxy-headers.conf;
             add_header Access-Control-Expose-Headers Location;
-            rewrite ^/api(/.*)$ $1;
+            rewrite ^/api(/.*)$ $1 break;
             if ($request_method = GET) {
                 proxy_pass http://users:${MG_USERS_HTTP_PORT};
                 break;
             }
             proxy_pass http://things:${MG_THINGS_HTTP_PORT};
-            break;
         }
 
         # Proxy pass to user id to auth service for listing of domains
@@ -118,13 +116,12 @@ http {
         location ~ ^/api/(users)/(.+)/(domains) {
             include snippets/proxy-headers.conf;
             add_header Access-Control-Expose-Headers Location;
-            rewrite ^/api(/.*)$ $1;
+            rewrite ^/api(/.*)$ $1 break;
             if ($request_method = GET) {
                 proxy_pass http://auth:${MG_AUTH_HTTP_PORT};
                 break;
             }
             proxy_pass http://users:${MG_USERS_HTTP_PORT};
-            break;
         }
 
         # Proxy pass to domain id to users service for listing of users
@@ -132,13 +129,12 @@ http {
         location ~ ^/api/(domains)/(.+)/(users) {
             include snippets/proxy-headers.conf;
             add_header Access-Control-Expose-Headers Location;
-            rewrite ^/api(/.*)$ $1;
+            rewrite ^/api(/.*)$ $1 break;
             if ($request_method = GET) {
                 proxy_pass http://users:${MG_USERS_HTTP_PORT};
                 break;
             }
             proxy_pass http://auth:${MG_AUTH_HTTP_PORT};
-            break;
         }
 
 
diff --git a/docker/nginx/nginx-x509.conf b/docker/nginx/nginx-x509.conf
index ce66aea15c..88a05f038c 100644
--- a/docker/nginx/nginx-x509.conf
+++ b/docker/nginx/nginx-x509.conf
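Review bot: In each of the four hunks the `rewrite ^/api(/.*)$ $1 break;` now sits before the `if ($request_method = GET)` block, and the `break` flag ends evaluation of the rewrite-module directives in this location — `if` included — so as far as I can tell the GET branch is never taken and every method lands on the last `proxy_pass` (users, things, users and auth respectively). If method-based routing is still intended, the rewrite has to run inside each branch, as sketched below for the first hunk; the other three follow the same shape. This is a revert, so the restored state should be checked with a real GET against one of these paths rather than assumed to have worked before.
```nginx
            if ($request_method = GET) {
                rewrite ^/api(/.*)$ $1 break;
                proxy_pass http://things:${MG_THINGS_HTTP_PORT};
            }
            rewrite ^/api(/.*)$ $1 break;
            proxy_pass http://users:${MG_USERS_HTTP_PORT};
```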
@@ -88,8 +88,7 @@ http {
         location ~ ^/api/(channels)/(.+)/(things)/(.+) {
             include snippets/proxy-headers.conf;
             add_header Access-Control-Expose-Headers Location;
-            rewrite ^/api(/.*)$ $1 break;
-            proxy_pass http://things:${MG_THINGS_HTTP_PORT};
+            proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1;
         }
 
         # Proxy pass to users & groups id to things service for listing of channels
@@ -98,13 +97,11 @@ http {
         location ~ ^/api/(users|groups)/(.+)/(channels|things) {
             include snippets/proxy-headers.conf;
             add_header Access-Control-Expose-Headers Location;
-            rewrite ^/api(/.*)$ $1;
             if ($request_method = GET) {
-                proxy_pass http://things:${MG_THINGS_HTTP_PORT};
+                proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1;
                 break;
             }
-            proxy_pass http://users:${MG_USERS_HTTP_PORT};
-            break;
+            proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1;
         }
 
         # Proxy pass to channel id to users service for listing of channels
@@ -113,13 +110,11 @@ http {
         location ~ ^/api/(channels|things)/(.+)/(users|groups) {
             include snippets/proxy-headers.conf;
             add_header Access-Control-Expose-Headers Location;
-            rewrite ^/api(/.*)$ $1;
             if ($request_method = GET) {
-                proxy_pass http://users:${MG_USERS_HTTP_PORT};
+                proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1;
                 break;
             }
-            proxy_pass http://things:${MG_THINGS_HTTP_PORT};
-            break;
+            proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1;
         }
 
         # Proxy pass to user id to auth service for listing of domains
@@ -127,13 +122,11 @@ http {
         location ~ ^/api/(users)/(.+)/(domains) {
             include snippets/proxy-headers.conf;
             add_header Access-Control-Expose-Headers Location;
-            rewrite ^/api(/.*)$ $1;
             if ($request_method = GET) {
-                proxy_pass http://auth:${MG_AUTH_HTTP_PORT};
+                proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1;
                 break;
             }
-            proxy_pass http://users:${MG_USERS_HTTP_PORT};
-            break;
+            proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1;
         }
 
         # Proxy pass to domain id to users service for listing of users
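Review bot: `proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1;` forwards only the first capture of the location regex — for `^/api/(channels)/(.+)/(things)/(.+)` that is the literal `channels` — and because a proxy_pass URI that contains variables replaces the request URI outright, the upstream receives `/channels` rather than `/channels/{id}/things/{id}`; the same pattern is in every hunk of this file, including those on L54 and L55. If the aim is to strip `/api`, capture the remainder instead, e.g. `location ~ ^/api(/channels/.+/things/.+)$ {` with `proxy_pass http://things:${MG_THINGS_HTTP_PORT}$1;`. In the prefix locations `/api/health` and `/api/metrics` (L55) there is no regex at all, so `$1` appears to expand to nothing and the upstream path collapses to `/`. Since this is a revert the earlier revision may have carried the same defect; a request trace against one of these paths would settle it.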
@@ -141,13 +134,11 @@ http {
         location ~ ^/api/(domains)/(.+)/(users) {
             include snippets/proxy-headers.conf;
             add_header Access-Control-Expose-Headers Location;
-            rewrite ^/api(/.*)$ $1;
             if ($request_method = GET) {
-                proxy_pass http://users:${MG_USERS_HTTP_PORT};
+                proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1;
                 break;
             }
-            proxy_pass http://auth:${MG_AUTH_HTTP_PORT};
-            break;
+            proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1;
         }
 
 
@@ -155,16 +146,14 @@ http {
         location ~ ^/api/(domains) {
             include snippets/proxy-headers.conf;
             add_header Access-Control-Expose-Headers Location;
-            rewrite ^/api(/.*)$ $1 break;
-            proxy_pass http://auth:${MG_AUTH_HTTP_PORT};
+            proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1;
         }
 
         # Proxy pass to users service
         location ~ ^/api/(users|groups|password|policies|authorize) {
             include snippets/proxy-headers.conf;
             add_header Access-Control-Expose-Headers Location;
-            rewrite ^/api(/.*)$ $1 break;
-            proxy_pass http://users:${MG_USERS_HTTP_PORT};
+            proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1;
         }
 
         location ^~ /api/users/policies {
@@ -177,8 +166,7 @@ http {
         location ~ ^/api/(things|channels|connect|disconnect|identify) {
             include snippets/proxy-headers.conf;
             add_header Access-Control-Expose-Headers Location;
-            rewrite ^/api(/.*)$ $1 break;
-            proxy_pass http://things:${MG_THINGS_HTTP_PORT};
+            proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1;
         }
 
         location ^~ /api/things/policies {
@@ -191,8 +179,7 @@ http {
         location ~ ^/api/(invitations) {
             include snippets/proxy-headers.conf;
             add_header Access-Control-Expose-Headers Location;
-            rewrite ^/api(/.*)$ $1 break;
-            proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT};
+            proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}/$1;
         }
 
         location ~ ^/api/(bootstrap) {
@@ -225,14 +212,12 @@ http {
 
         location /api/health {
             include snippets/proxy-headers.conf;
-            rewrite ^/api(/.*)$ $1 break;
-            proxy_pass http://things:${MG_THINGS_HTTP_PORT};
+            proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1;
         }
 
         location /api/metrics {
             include snippets/proxy-headers.conf;
-            rewrite ^/api(/.*)$ $1 break;
-            proxy_pass http://things:${MG_THINGS_HTTP_PORT};
+            proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1;
         }
 
 

From 6b0bb75402d9b83bd0d5f6b2fd5f655cc6c54ca4 Mon Sep 17 00:00:00 2001
From: Arvindh
Date: Mon, 19 Feb 2024 13:48:23 +0530
Subject: [PATCH 14/40] vault_certs

Signed-off-by: Arvindh
---
 docker/.env                  |   4 +-
 docker/nginx/entrypoint.sh   |   7 --
 docker/nginx/nginx-key.conf  |  69 ++++---------
 docker/nginx/nginx-x509.conf | 129 +++--------------------------
 4 files changed, 24 insertions(+), 185 deletions(-)

diff --git a/docker/.env b/docker/.env
index d4a3f426c1..5a824d48be 100644
--- a/docker/.env
+++ b/docker/.env
@@ -7,9 +7,7 @@ MG_NGINX_HTTP_PORT=80
 MG_NGINX_SSL_PORT=443
 MG_NGINX_MQTT_PORT=1883
 MG_NGINX_MQTTS_PORT=8883
-MG_NGINX_SERVER_NAME=localhost
-# MG_NGINX_SERVER_CERT=./ssl/certs/letsencrypt/live/example.com/fullchain.pem
-# MG_NGINX_SERVER_KEY=./ssl/certs/letsencrypt/live/example.com/privkey.pem
+
 ## Nats
 MG_NATS_PORT=4222
 MG_NATS_HTTP_PORT=8222
diff --git a/docker/nginx/entrypoint.sh b/docker/nginx/entrypoint.sh
index 2688236a0c..1076b600fc 100755
--- a/docker/nginx/entrypoint.sh
+++ b/docker/nginx/entrypoint.sh
@@ -12,13 +12,6 @@ else
 fi
 
 envsubst '
-    ${MG_NGINX_SERVER_NAME}
-    ${MG_CERTS_HTTP_PORT}
-    ${MG_BOOTSTRAP_HTTP_PORT}
-    ${MG_PROVISION_HTTP_PORT}
-    ${MG_TIMESCALE_READER_HTTP_PORT}
-    ${MG_VAULT_PORT}
-    ${MG_UI_PORT}
     ${MG_AUTH_HTTP_PORT}
     ${MG_USERS_HTTP_PORT}
     ${MG_THINGS_HTTP_PORT}
diff --git a/docker/nginx/nginx-key.conf b/docker/nginx/nginx-key.conf
index 721c672fed..93cab4dc02 100644
--- a/docker/nginx/nginx-key.conf
+++ b/docker/nginx/nginx-key.conf
@@ -69,15 +69,9 @@ http {
         add_header Access-Control-Allow-Methods '*';
         add_header Access-Control-Allow-Headers '*';
 
-        set $dynamic_server_name $MG_NGINX_SERVER_NAME;
-
-        if ($dynamic_server_name = '') {
-            set $dynamic_server_name "localhost";
-        }
-
-        server_name $dynamic_server_name;
+        server_name localhost;
 
-        location ~ ^/api/(channels)/(.+)/(things)/(.+) {
+        location ~ ^/(channels)/(.+)/(things)/(.+) {
             include snippets/proxy-headers.conf;
             add_header Access-Control-Expose-Headers Location;
             rewrite ^/api(/.*)$ $1 break;
@@ -86,7 +80,7 @@ http {
         # Proxy pass to users & groups id to things service for listing of channels
         # /users/{userID}/channels - Listing of channels belongs to userID
         # /groups/{userGroupID}/channels - Listing of channels belongs to userGroupID
-        location ~ ^/api/(users|groups)/(.+)/(channels|things) {
+        location ~ ^/(users|groups)/(.+)/(channels|things) {
             include snippets/proxy-headers.conf;
             add_header Access-Control-Expose-Headers Location;
             rewrite ^/api(/.*)$ $1 break;
@@ -100,7 +94,7 @@ http {
         # Proxy pass to channel id to users service for listing of channels
         # /channels/{channelID}/users - Listing of Users belongs to channelID
         # /channels/{channelID}/groups - Listing of User Groups belongs to channelID
-        location ~ ^/api/(channels|things)/(.+)/(users|groups) {
+        location ~ ^/(channels|things)/(.+)/(users|groups) {
             include snippets/proxy-headers.conf;
             add_header Access-Control-Expose-Headers Location;
             rewrite ^/api(/.*)$ $1 break;
@@ -113,7 +107,7 @@ http {
 
         # Proxy pass to user id to auth service for listing of domains
         # /users/{userID}/domains - Listing of Domains belongs to userID
-        location ~ ^/api/(users)/(.+)/(domains) {
+        location ~ ^/(users)/(.+)/(domains) {
             include snippets/proxy-headers.conf;
             add_header Access-Control-Expose-Headers Location;
             rewrite ^/api(/.*)$ $1 break;
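Review bot: The location patterns drop the `/api` prefix, but the `rewrite ^/api(/.*)$ $1 break;` kept as context in this hunk and in the hunks on L57 and L58 can no longer match a URI these locations accept, so it survives as dead configuration that the next reader will assume is load-bearing; remove it or annotate it, e.g. `# no-op: locations no longer carry the /api prefix`. The wildcard `Access-Control-Allow-Methods '*'` and `Access-Control-Allow-Headers '*'` shown as context predate this commit, but with the server block now bound to `server_name localhost;` it is a reasonable moment to narrow them to the methods and headers the UI actually sends.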
@@ -126,7 +120,7 @@ http { # Proxy pass to domain id to users service for listing of users # /domains/{domainID}/users - Listing of Users belongs to domainID - location ~ ^/api/(domains)/(.+)/(users) { + location ~ ^/(domains)/(.+)/(users) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; rewrite ^/api(/.*)$ $1 break; @@ -139,7 +133,7 @@ http { # Proxy pass to auth service - location ~ ^/api/(domains) { + location ~ ^/(domains) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; rewrite ^/api(/.*)$ $1 break; 
@@ -147,76 +141,48 @@ http { } # Proxy pass to users service - location ~ ^/api/(users|groups|password|authorize) { + location ~ ^/(users|groups|password|authorize) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; rewrite ^/api(/.*)$ $1 break; proxy_pass http://users:${MG_USERS_HTTP_PORT}; } - location ^~ /api/users/policies { + location ^~ /users/policies { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://users:${MG_USERS_HTTP_PORT}/policies; } # Proxy pass to things service - location ~ ^/api/(things|channels|connect|disconnect|identify) { + location ~ ^/(things|channels|connect|disconnect|identify) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; rewrite ^/api(/.*)$ $1 break; proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } - location ^~ /api/things/policies { + location ^~ /things/policies { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://things:${MG_THINGS_HTTP_PORT}/policies; } # Proxy pass to invitations service - location ~ ^/api/(invitations) { + location ~ ^/(invitations) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; rewrite ^/api(/.*)$ $1 break; proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}; } - location ~ ^/api/(bootstrap) { - include snippets/proxy-headers.conf; - add_header Access-Control-Expose-Headers Location; - rewrite ^/api/bootstrap(/.*)$ $1 break; - proxy_pass http://bootstrap:${MG_BOOTSTRAP_HTTP_PORT}; - } - - location ~ ^/api/(certs) { - include snippets/proxy-headers.conf; - add_header Access-Control-Expose-Headers Location; - rewrite ^/api/certs(/.*)$ $1 break; - proxy_pass http://certs:${MG_CERTS_HTTP_PORT}; - } - - location ~ ^/api/(provision) { - include snippets/proxy-headers.conf; - add_header Access-Control-Expose-Headers Location; - rewrite ^/api/provision(/.*)$ $1 break; - 
proxy_pass http://provision:${MG_PROVISION_HTTP_PORT}; - } - - location ~ ^/api/(reader) { - include snippets/proxy-headers.conf; - add_header Access-Control-Expose-Headers Location; - rewrite ^/api/provision(/.*)$ $1 break; - proxy_pass http://timescale-reader:${MG_TIMESCALE_READER_HTTP_PORT}; - } - - location /api/health { + location /health { include snippets/proxy-headers.conf; rewrite ^/api(/.*)$ $1 break; proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } - location /api/metrics { + location /metrics { include snippets/proxy-headers.conf; rewrite ^/api(/.*)$ $1 break; proxy_pass http://things:${MG_THINGS_HTTP_PORT}; @@ -251,13 +217,6 @@ http { include snippets/ws-upgrade.conf; proxy_pass http://ws-adapter:${MG_WS_ADAPTER_HTTP_PORT}/; } - - location / { - include snippets/proxy-headers.conf; - add_header Access-Control-Expose-Headers Location; - proxy_pass http://ui:${MG_UI_PORT}; - } - } } diff --git a/docker/nginx/nginx-x509.conf b/docker/nginx/nginx-x509.conf index 88a05f038c..57801df37f 100644 --- a/docker/nginx/nginx-x509.conf +++ b/docker/nginx/nginx-x509.conf 
@@ -77,156 +77,52 @@ http { add_header Access-Control-Allow-Methods '*'; add_header Access-Control-Allow-Headers '*'; - set $dynamic_server_name $MG_NGINX_SERVER_NAME; - - if ($dynamic_server_name = '') { - set $dynamic_server_name "localhost"; - } - - server_name $dynamic_server_name; - - location ~ ^/api/(channels)/(.+)/(things)/(.+) { - include snippets/proxy-headers.conf; - add_header Access-Control-Expose-Headers Location; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; - } - - # Proxy pass to users & groups id to things service for listing of channels - # /users/{userID}/channels - Listing of channels belongs to userID - # /groups/{userGroupID}/channels - Listing of channels belongs to userGroupID - location ~ ^/api/(users|groups)/(.+)/(channels|things) { - include snippets/proxy-headers.conf; - add_header Access-Control-Expose-Headers Location; - if ($request_method = GET) { - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; - break; - } - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; - } - - # Proxy pass to channel id to users service for listing of channels - # /channels/{channelID}/users - Listing of Users belongs to channelID - # /channels/{channelID}/groups - Listing of User Groups belongs to channelID - location ~ ^/api/(channels|things)/(.+)/(users|groups) { - include snippets/proxy-headers.conf; - add_header Access-Control-Expose-Headers Location; - if ($request_method = GET) { - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; - break; - } - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; - } - - # Proxy pass to user id to auth service for listing of domains - # /users/{userID}/domains - Listing of Domains belongs to userID - location ~ ^/api/(users)/(.+)/(domains) { - include snippets/proxy-headers.conf; - add_header Access-Control-Expose-Headers Location; - if ($request_method = GET) { - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; - break; - } - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; - } - - # Proxy pass to domain 
id to users service for listing of users - # /domains/{domainID}/users - Listing of Users belongs to domainID - location ~ ^/api/(domains)/(.+)/(users) { - include snippets/proxy-headers.conf; - add_header Access-Control-Expose-Headers Location; - if ($request_method = GET) { - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; - break; - } - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; - } - - - # Proxy pass to auth service - location ~ ^/api/(domains) { - include snippets/proxy-headers.conf; - add_header Access-Control-Expose-Headers Location; - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; - } + server_name localhost; # Proxy pass to users service - location ~ ^/api/(users|groups|password|policies|authorize) { + location ~ ^/(users|groups|password|policies|authorize) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; } - location ^~ /api/users/policies { + location ^~ /users/policies { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://users:${MG_USERS_HTTP_PORT}/policies; } # Proxy pass to things service - location ~ ^/api/(things|channels|connect|disconnect|identify) { + location ~ ^/(things|channels|connect|disconnect|identify) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; } - location ^~ /api/things/policies { + location ^~ /things/policies { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; proxy_pass http://things:${MG_THINGS_HTTP_PORT}/policies; } # Proxy pass to invitations service - location ~ ^/api/(invitations) { - include snippets/proxy-headers.conf; - add_header Access-Control-Expose-Headers Location; - proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}/$1; - } - - location ~ ^/api/(bootstrap) { - include snippets/proxy-headers.conf; - add_header 
Access-Control-Expose-Headers Location; - rewrite ^/api/bootstrap(/.*)$ $1 break; - proxy_pass http://bootstrap:${MG_BOOTSTRAP_HTTP_PORT}; - } - - location ~ ^/api/(certs) { - include snippets/proxy-headers.conf; - add_header Access-Control-Expose-Headers Location; - rewrite ^/api/certs(/.*)$ $1 break; - proxy_pass http://certs:${MG_CERTS_HTTP_PORT}; - } - - location ~ ^/api/(provision) { - include snippets/proxy-headers.conf; - add_header Access-Control-Expose-Headers Location; - rewrite ^/api/provision(/.*)$ $1 break; - proxy_pass http://provision:${MG_PROVISION_HTTP_PORT}; - } - - location ~ ^/api/(reader) { + location ~ ^/(invitations) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - rewrite ^/api/provision(/.*)$ $1 break; - proxy_pass http://timescale-reader:${MG_TIMESCALE_READER_HTTP_PORT}; + proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}; } - location /api/health { + location /health { include snippets/proxy-headers.conf; proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; } - location /api/metrics { + location /metrics { include snippets/proxy-headers.conf; proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; } - ## Expose VAULT CRL, OCSP endpoint to public for verification of certificate. - location /certs/ { - include snippets/proxy-headers.conf; - proxy_pass http://vault:${MG_VAULT_PORT}/v1/; - } - # Proxy pass to magistrala-http-adapter location /http/ { include snippets/verify-ssl-client.conf; @@ -254,13 +150,6 @@ http { include snippets/ws-upgrade.conf; proxy_pass http://ws-adapter:${MG_WS_ADAPTER_HTTP_PORT}/; } - - location / { - include snippets/proxy-headers.conf; - add_header Access-Control-Expose-Headers Location; - proxy_pass http://ui:${MG_UI_PORT}; - } - } } From cb92b4c1458e944a58e104c2e2cff17e8573c34e Mon Sep 17 00:00:00 2001 
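Review bot: `location ~ ^/(invitations)` now proxies to `http://invitations:${MG_INVITATIONS_HTTP_PORT}` with no URI part while the neighbouring users/things blocks keep `proxy_pass …/$1`, and the two forms do not behave the same: when the URI part contains a variable nginx forwards exactly that URI, so `/$1` sends only the first path segment (`/users/<id>` arrives upstream as `/users`, and the query string is not appended automatically), whereas the no-URI form forwards the full request URI. The invitations form is the one that preserves the path; the `…/$1` context lines in this hunk, and the `+ proxy_pass …/$1` lines that the "Revert fix: api sub route path" patch adds to nginx-key.conf (hunks `@@ -74,8 +74,7 @@` through `@@ -172,20 +164,17 @@`), look like they truncate the path — worth checking against the service routes before the next patch flips them back again. The enclosing `server` block opens outside this hunk.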
From: Arvindh Date: Mon, 19 Feb 2024 14:19:08 +0530 Subject: [PATCH 15/40] Revert "fix: api sub route path" This reverts commit 34ac0470723df7301159233fc3c6facf5359c871. Signed-off-by: Arvindh --- docker/nginx/nginx-key.conf | 41 ++++++++++++++----------------------- 1 file changed, 15 insertions(+), 26 deletions(-) diff --git a/docker/nginx/nginx-key.conf b/docker/nginx/nginx-key.conf index 93cab4dc02..fc677febfd 100644 --- a/docker/nginx/nginx-key.conf +++ b/docker/nginx/nginx-key.conf @@ -74,8 +74,7 @@ http { location ~ ^/(channels)/(.+)/(things)/(.+) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - rewrite ^/api(/.*)$ $1 break; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; } # Proxy pass to users & groups id to things service for listing of channels # /users/{userID}/channels - Listing of channels belongs to userID @@ -83,12 +82,11 @@ http { location ~ ^/(users|groups)/(.+)/(channels|things) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - rewrite ^/api(/.*)$ $1 break; if ($request_method = GET) { - proxy_pass http://things:${MG_THINGS_HTTP_PORT}; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; break; } - proxy_pass http://users:${MG_USERS_HTTP_PORT}; + proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; } # Proxy pass to channel id to users service for listing of channels @@ -97,12 +95,11 @@ http { location ~ ^/(channels|things)/(.+)/(users|groups) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - rewrite ^/api(/.*)$ $1 break; if ($request_method = GET) { - proxy_pass http://users:${MG_USERS_HTTP_PORT}; + proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; break; } - proxy_pass http://things:${MG_THINGS_HTTP_PORT}; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; } # Proxy pass to user id to auth service for listing of domains 
@@ -110,12 +107,11 @@ http { location ~ ^/(users)/(.+)/(domains) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - rewrite ^/api(/.*)$ $1 break; if ($request_method = GET) { - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; break; } - proxy_pass http://users:${MG_USERS_HTTP_PORT}; + proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; } # Proxy pass to domain id to users service for listing of users @@ -123,12 +119,11 @@ http { location ~ ^/(domains)/(.+)/(users) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - rewrite ^/api(/.*)$ $1 break; if ($request_method = GET) { - proxy_pass http://users:${MG_USERS_HTTP_PORT}; + proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; break; } - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; } @@ -136,16 +131,14 @@ http { location ~ ^/(domains) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - rewrite ^/api(/.*)$ $1 break; - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; } # Proxy pass to users service location ~ ^/(users|groups|password|authorize) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - rewrite ^/api(/.*)$ $1 break; - proxy_pass http://users:${MG_USERS_HTTP_PORT}; + proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; } location ^~ /users/policies { @@ -158,8 +151,7 @@ http { location ~ ^/(things|channels|connect|disconnect|identify) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - rewrite ^/api(/.*)$ $1 break; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; } location ^~ /things/policies { 
@@ -172,20 +164,17 @@ http { location ~ ^/(invitations) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - rewrite ^/api(/.*)$ $1 break; - proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}; + proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}/$1; } location /health { include snippets/proxy-headers.conf; - rewrite ^/api(/.*)$ $1 break; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; } location /metrics { include snippets/proxy-headers.conf; - rewrite ^/api(/.*)$ $1 break; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; } ## Expose VAULT CRL, OCSP endpoint to public for verification of certificate. From f4e08586bc142ee3d186590173948fef149e6a82 Mon Sep 17 00:00:00 2001 From: Arvindh Date: Mon, 19 Feb 2024 14:20:50 +0530 Subject: [PATCH 16/40] Revert "fix: path" This reverts commit 7db464f0adac1745d713f7717f39a2bac3ea1777. Signed-off-by: Arvindh --- docker/nginx/nginx-key.conf | 30 +++++++++++++++--------------- docker/nginx/nginx-x509.conf | 16 +++++++++++----- 2 files changed, 26 insertions(+), 20 deletions(-) diff --git a/docker/nginx/nginx-key.conf b/docker/nginx/nginx-key.conf index fc677febfd..968ff8cf0a 100644 --- a/docker/nginx/nginx-key.conf +++ b/docker/nginx/nginx-key.conf @@ -74,7 +74,7 @@ http { location ~ ^/(channels)/(.+)/(things)/(.+) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } # Proxy pass to users & groups id to things service for listing of channels # /users/{userID}/channels - Listing of channels belongs to userID 
@@ -83,10 +83,10 @@ http { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; if ($request_method = GET) { - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; break; } - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + proxy_pass http://users:${MG_USERS_HTTP_PORT}; } # Proxy pass to channel id to users service for listing of channels @@ -96,10 +96,10 @@ http { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; if ($request_method = GET) { - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + proxy_pass http://users:${MG_USERS_HTTP_PORT}; break; } - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } # Proxy pass to user id to auth service for listing of domains @@ -108,10 +108,10 @@ http { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; if ($request_method = GET) { - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; break; } - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + proxy_pass http://users:${MG_USERS_HTTP_PORT}; } # Proxy pass to domain id to users service for listing of users @@ -120,10 +120,10 @@ http { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; if ($request_method = GET) { - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + proxy_pass http://users:${MG_USERS_HTTP_PORT}; break; } - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; } 
@@ -131,14 +131,14 @@ http { location ~ ^/(domains) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://auth:${MG_AUTH_HTTP_PORT}/$1; + proxy_pass http://auth:${MG_AUTH_HTTP_PORT}; } # Proxy pass to users service location ~ ^/(users|groups|password|authorize) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + proxy_pass http://users:${MG_USERS_HTTP_PORT}; } location ^~ /users/policies { @@ -151,7 +151,7 @@ http { location ~ ^/(things|channels|connect|disconnect|identify) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } location ^~ /things/policies { @@ -164,17 +164,17 @@ http { location ~ ^/(invitations) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}/$1; + proxy_pass http://invitations:${MG_INVITATIONS_HTTP_PORT}; } location /health { include snippets/proxy-headers.conf; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } location /metrics { include snippets/proxy-headers.conf; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } ## Expose VAULT CRL, OCSP endpoint to public for verification of certificate. diff --git a/docker/nginx/nginx-x509.conf b/docker/nginx/nginx-x509.conf index 57801df37f..625316e990 100644 --- a/docker/nginx/nginx-x509.conf +++ b/docker/nginx/nginx-x509.conf 
@@ -77,13 +77,19 @@ http { add_header Access-Control-Allow-Methods '*'; add_header Access-Control-Allow-Headers '*'; - server_name localhost; + set $dynamic_server_name $MG_NGINX_SERVER_NAME; + + if ($dynamic_server_name = '') { + set $dynamic_server_name "localhost"; + } + + server_name $dynamic_server_name; # Proxy pass to users service location ~ ^/(users|groups|password|policies|authorize) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://users:${MG_USERS_HTTP_PORT}/$1; + proxy_pass http://users:${MG_USERS_HTTP_PORT}; } location ^~ /users/policies { @@ -96,7 +102,7 @@ http { location ~ ^/(things|channels|connect|disconnect|identify) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } location ^~ /things/policies { @@ -114,12 +120,12 @@ http { location /health { include snippets/proxy-headers.conf; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } location /metrics { include snippets/proxy-headers.conf; - proxy_pass http://things:${MG_THINGS_HTTP_PORT}/$1; + proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } From d9990db44d60822f1b7ff2abbdd5a935c8d381d7 Mon Sep 17 00:00:00 2001 From: Arvindh Date: Mon, 19 Feb 2024 14:22:39 +0530 Subject: [PATCH 17/40] Revert "add: certbot and env variables for certificate" This reverts commit 290252d177239af974188d896cfe77c400a4fb51. Signed-off-by: Arvindh --- docker/.env | 1 + docker/docker-compose.yml | 28 ++++------------------------ docker/nginx/nginx-key.conf | 28 +++++++--------------------- docker/nginx/nginx-x509.conf | 28 +++++++--------------------- 4 files changed, 19 insertions(+), 66 deletions(-) diff --git a/docker/.env b/docker/.env index 5a824d48be..176ac657d4 100644 --- a/docker/.env +++ b/docker/.env 
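Review bot: `set $dynamic_server_name $MG_NGINX_SERVER_NAME;` is reinstated here, but `${MG_NGINX_SERVER_NAME}` was removed from the entrypoint's envsubst list and from `.env` by the "vault_certs" patch earlier in this series, and neither revert in between touches entrypoint.sh, so `$MG_NGINX_SERVER_NAME` reaches nginx unsubstituted and is parsed as an nginx variable; nginx rejects a `set` that reads an unknown variable at configuration load, which would stop the container from starting. Either restore `${MG_NGINX_SERVER_NAME}` to the envsubst list in the same commit or keep `server_name localhost;`. nginx-key.conf does not receive the matching change, so the two templates now also diverge on how the server name is chosen. The enclosing `server` block opens outside the hunk.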
@@ -7,6 +7,7 @@ MG_NGINX_HTTP_PORT=80 MG_NGINX_SSL_PORT=443 MG_NGINX_MQTT_PORT=1883 MG_NGINX_MQTTS_PORT=8883 +MG_NGINX_SERVER_NAME=localhost ## Nats MG_NATS_PORT=4222 diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 191edfefd9..2e501cd887 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -234,20 +234,10 @@ services: - ./nginx/entrypoint.sh:/docker-entrypoint.d/entrypoint.sh - ./nginx/snippets:/etc/nginx/snippets - ./ssl/authorization.js:/etc/nginx/authorization.js - - ./certbot/www:/usr/share/nginx/html/certbot/www:ro - - type: bind - source: ${MG_NGINX_SERVER_CERT:-./ssl/certs/magistrala-server.crt} - target: /etc/ssl/certs/magistrala-server.crt - - type: bind - source: ${MG_NGINX_SERVER_KEY:-./ssl/certs/magistrala-server.key} - target: /etc/ssl/private/magistrala-server.key - - type: bind - source: ${MG_NGINX_SERVER_CA:-./ssl/certs/ca.crt} - target: /etc/ssl/certs/ca.crt - - type: bind - source: ${MG_NGINX_SERVER_DHPARAM:-./ssl/dhparam.pem} - target: /etc/ssl/certs/dhparam.pem - + - ./ssl/certs/magistrala-server.crt:/etc/ssl/certs/magistrala-server.crt + - ./ssl/certs/ca.crt:/etc/ssl/certs/ca.crt + - ./ssl/certs/magistrala-server.key:/etc/ssl/private/magistrala-server.key + - ./ssl/dhparam.pem:/etc/ssl/certs/dhparam.pem ports: - ${MG_NGINX_HTTP_PORT}:${MG_NGINX_HTTP_PORT} - ${MG_NGINX_SSL_PORT}:${MG_NGINX_SSL_PORT} @@ -265,16 +255,6 @@ services: - ws-adapter - coap-adapter - certbot: - image: certbot/certbot:latest - container_name: magistrala-certbot - command: certonly --webroot -w /var/www/certbot/ -d ${MG_NGINX_SERVER_NAME} --email arvindh123@gmail.com --non-interactive --agree-tos --no-eff-email - volumes: - - ./certbot/www/:/var/www/certbot/:rw - - ./ssl/certs/letsencrypt:/etc/letsencrypt:rw - depends_on: - - nginx - things-db: image: postgres:16.1-alpine container_name: magistrala-things-db diff --git a/docker/nginx/nginx-key.conf b/docker/nginx/nginx-key.conf index 968ff8cf0a..9755426c0d 100644 
--- a/docker/nginx/nginx-key.conf +++ b/docker/nginx/nginx-key.conf @@ -36,27 +36,6 @@ http { server { listen 80 default_server; listen [::]:80 default_server; - - set $dynamic_server_name $MG_NGINX_SERVER_NAME; - - if ($dynamic_server_name = '') { - set $dynamic_server_name "localhost"; - } - - server_name $dynamic_server_name; - - server_tokens off; - - location ^~ /.well-known/acme-challenge/ { - root /usr/share/nginx/html/certbot/www; - } - - location / { - return 301 https://$dynamic_server_name$request_uri; - } - } - - server { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; @@ -206,6 +185,13 @@ http { include snippets/ws-upgrade.conf; proxy_pass http://ws-adapter:${MG_WS_ADAPTER_HTTP_PORT}/; } + + location / { + include snippets/proxy-headers.conf; + add_header Access-Control-Expose-Headers Location; + proxy_pass http://ui:${MG_UI_PORT}/`; + } + } } diff --git a/docker/nginx/nginx-x509.conf b/docker/nginx/nginx-x509.conf index 625316e990..cb17a68e6b 100644 --- a/docker/nginx/nginx-x509.conf +++ b/docker/nginx/nginx-x509.conf @@ -43,27 +43,6 @@ http { server { listen 80 default_server; listen [::]:80 default_server; - - set $dynamic_server_name $MG_NGINX_SERVER_NAME; - - if ($dynamic_server_name = '') { - set $dynamic_server_name "localhost"; - } - - server_name $dynamic_server_name; - - server_tokens off; - - location ^~ /.well-known/acme-challenge/ { - root /usr/share/nginx/html/certbot/www; - } - - location / { - return 301 https://$dynamic_server_name$request_uri; - } - } - - server { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; ssl_verify_client optional; @@ -156,6 +135,13 @@ http { include snippets/ws-upgrade.conf; proxy_pass http://ws-adapter:${MG_WS_ADAPTER_HTTP_PORT}/; } + + location / { + include snippets/proxy-headers.conf; + add_header Access-Control-Expose-Headers Location; + proxy_pass http://ui:${MG_UI_PORT}/`; + } + } } 
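Review bot: deleting the port-80 `server` block folds `listen 80 default_server` and `listen [::]:80 default_server` into the same `server` as `listen 443 ssl http2`, so every API location becomes reachable over cleartext HTTP as well as TLS, and the `server_tokens off;` that lived in the removed block disappears with it. If the aim is only to drop certbot, keep a minimal plain-HTTP server that redirects, `server { listen 80 default_server; listen [::]:80 default_server; return 301 https://$host$request_uri; }`, and move `server_tokens off;` into the TLS server. The `@@ -43,27 +43,6 @@` hunk of nginx-x509.conf makes the same change. The merged `server` block continues past the hunk.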
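Review bot: the restored `proxy_pass http://ui:${MG_UI_PORT}/`;` in `location /` carries a stray backtick after the trailing slash, so the URI prefix handed to the UI container is a slash followed by a backtick and every page request is rewritten to a path the UI will not serve. It should read `proxy_pass http://ui:${MG_UI_PORT}/;`; the `@@ -156,6 +135,13 @@` hunk of nginx-x509.conf has the identical typo. The `location /` block also lacks the `add_header`/CORS treatment of the other locations only because it serves the UI rather than the API, which is worth a one-line comment such as `# UI is served here; API locations above take precedence`.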
From 1fad340a4fedca84aea1e938384f508bef57726d Mon Sep 17 00:00:00 2001 From: Arvindh Date: Mon, 19 Feb 2024 14:22:53 +0530 Subject: [PATCH 18/40] Revert "ignore letsencrypt dir" This reverts commit 2523e61c50ebe34cdba9f4cdc1bef15a64d22679. Signed-off-by: Arvindh --- docker/ssl/.gitignore | 1 - 1 file changed, 1 deletion(-) diff --git a/docker/ssl/.gitignore b/docker/ssl/.gitignore index f82e313aaa..9ea7050a88 100644 --- a/docker/ssl/.gitignore +++ b/docker/ssl/.gitignore @@ -5,4 +5,3 @@ *grpc-client* *srl *conf -letsencrypt \ No newline at end of file From a692e412147b1b66c5dd8bbcd4390a20b2f35732 Mon Sep 17 00:00:00 2001 From: Arvindh Date: Mon, 19 Feb 2024 14:23:41 +0530 Subject: [PATCH 19/40] Revert "add: modified as per server need" This reverts commit 456b6272193f06dd5402c7243a0b43e82fd7266f. Signed-off-by: Arvindh --- docker/.env | 1 - docker/nginx/nginx-key.conf | 7 ------- docker/nginx/nginx-x509.conf | 16 +--------------- 3 files changed, 1 insertion(+), 23 deletions(-) diff --git a/docker/.env b/docker/.env index 176ac657d4..5a824d48be 100644 --- a/docker/.env +++ b/docker/.env @@ -7,7 +7,6 @@ MG_NGINX_HTTP_PORT=80 MG_NGINX_SSL_PORT=443 MG_NGINX_MQTT_PORT=1883 MG_NGINX_MQTTS_PORT=8883 -MG_NGINX_SERVER_NAME=localhost ## Nats MG_NATS_PORT=4222 diff --git a/docker/nginx/nginx-key.conf b/docker/nginx/nginx-key.conf index 9755426c0d..d0d0ea4a10 100644 --- a/docker/nginx/nginx-key.conf +++ b/docker/nginx/nginx-key.conf @@ -185,13 +185,6 @@ http { include snippets/ws-upgrade.conf; proxy_pass http://ws-adapter:${MG_WS_ADAPTER_HTTP_PORT}/; } - - location / { - include snippets/proxy-headers.conf; - add_header Access-Control-Expose-Headers Location; - proxy_pass http://ui:${MG_UI_PORT}/`; - } - } } diff --git a/docker/nginx/nginx-x509.conf b/docker/nginx/nginx-x509.conf index cb17a68e6b..78d100a292 100644 --- a/docker/nginx/nginx-x509.conf +++ b/docker/nginx/nginx-x509.conf 
@@ -56,13 +56,7 @@ http { add_header Access-Control-Allow-Methods '*'; add_header Access-Control-Allow-Headers '*'; - set $dynamic_server_name $MG_NGINX_SERVER_NAME; - - if ($dynamic_server_name = '') { - set $dynamic_server_name "localhost"; - } - - server_name $dynamic_server_name; + server_name localhost; # Proxy pass to users service location ~ ^/(users|groups|password|policies|authorize) { @@ -107,7 +101,6 @@ http { proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } - # Proxy pass to magistrala-http-adapter location /http/ { include snippets/verify-ssl-client.conf; @@ -135,13 +128,6 @@ http { include snippets/ws-upgrade.conf; proxy_pass http://ws-adapter:${MG_WS_ADAPTER_HTTP_PORT}/; } - - location / { - include snippets/proxy-headers.conf; - add_header Access-Control-Expose-Headers Location; - proxy_pass http://ui:${MG_UI_PORT}/`; - } - } } From 2e88faad19f2e7ca2074b823e67d663c2a30bc13 Mon Sep 17 00:00:00 2001 From: Arvindh Date: Mon, 19 Feb 2024 14:27:07 +0530 Subject: [PATCH 20/40] revert back Signed-off-by: Arvindh --- docker/nginx/nginx-key.conf | 6 ------ 1 file changed, 6 deletions(-) diff --git a/docker/nginx/nginx-key.conf b/docker/nginx/nginx-key.conf index d0d0ea4a10..aa0fa05edb 100644 --- a/docker/nginx/nginx-key.conf +++ b/docker/nginx/nginx-key.conf @@ -156,12 +156,6 @@ http { proxy_pass http://things:${MG_THINGS_HTTP_PORT}; } - ## Expose VAULT CRL, OCSP endpoint to public for verification of certificate. - location /certs/ { - include snippets/proxy-headers.conf; - proxy_pass http://vault:${MG_VAULT_PORT}/v1/; - } - # Proxy pass to magistrala-http-adapter location /http/ { include snippets/proxy-headers.conf; From 3a31d480a0c6dd8a640784208d3fbd878d51725e Mon Sep 17 00:00:00 2001 From: Arvindh Date: Mon, 19 Feb 2024 16:33:45 +0530 Subject: [PATCH 21/40] remove new vault dir 
Signed-off-by: Arvindh --- docker/vault/.gitignore | 4 - docker/vault/things_cert_issue.hcl | 32 ---- docker/vault/vault-hcp-create-approle.sh | 85 ---------- docker/vault/vault-hcp-set-pki.sh | 194 ----------------------- 4 files changed, 315 deletions(-) delete mode 100644 docker/vault/.gitignore delete mode 100644 docker/vault/things_cert_issue.hcl delete mode 100755 docker/vault/vault-hcp-create-approle.sh delete mode 100755 docker/vault/vault-hcp-set-pki.sh diff --git a/docker/vault/.gitignore b/docker/vault/.gitignore deleted file mode 100644 index f1f87eef0b..0000000000 --- a/docker/vault/.gitignore +++ /dev/null @@ -1,4 +0,0 @@ -# Copyright (c) Abstract Machines -# SPDX-License-Identifier: Apache-2.0 - -certs/* \ No newline at end of file diff --git a/docker/vault/things_cert_issue.hcl b/docker/vault/things_cert_issue.hcl deleted file mode 100644 index 794af0ce0a..0000000000 --- a/docker/vault/things_cert_issue.hcl +++ /dev/null @@ -1,32 +0,0 @@ - -# Allow issue certificate with role with default issuer from Intermediate PKI -path "pki_int/issue/+" { - capabilities = ["create", "update"] -} - -## Revole certificate from Intermediate PKI -path "pki_int/revoke" { - capabilities = ["create", "update"] -} - -## List Revoked Certificates from Intermediate PKI -path "pki_int/certs/revoked" { - capabilities = ["list"] -} - - -## List Certificates from Intermediate PKI -path "pki_int/certs" { - capabilities = ["list"] -} - -## Read Certificate from Intermediate PKI -path "pki_int/cert/+" { - capabilities = ["read"] -} -path "pki_int/cert/+/raw" { - capabilities = ["read"] -} -path "pki_int/cert/+/raw/pem" { - capabilities = ["read"] -} diff --git a/docker/vault/vault-hcp-create-approle.sh b/docker/vault/vault-hcp-create-approle.sh deleted file mode 100755 index b4b51e4188..0000000000 --- a/docker/vault/vault-hcp-create-approle.sh +++ /dev/null 
@@ -1,85 +0,0 @@ -#!/usr/bin/bash -# Copyright (c) Abstract Machines -# SPDX-License-Identifier: Apache-2.0 - -set -euo pipefail - -scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" -echo "$scriptdir" -export MAGISTRALA_DIR=$scriptdir/../../ - -# cd $scriptdir - -# echo "$MAGISTRALA_DIR" - -ENABLE_APP_ROLE=${1:-not_enable_app_role} - -readDotEnv() { - set -o allexport - source $MAGISTRALA_DIR/docker/.env - set +o allexport -} - -vaultCreatePolicy() { - echo "Creating new policy for AppRole" - vault policy write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} things_cert_issue $scriptdir/things_cert_issue.hcl -} - -vaultEnableAppRole() { - if [ "$ENABLE_APP_ROLE" == "enable_app_role" ]; then - echo "Enabling AppRole" - vault auth enable -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} approle - fi -} - -vaultDeleteRole() { - echo "Deleteing old AppRole" - vault delete -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/role/things_cert_issuer -} - -vaultCreateRole() { - echo "Creating new AppRole" - vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/role/things_cert_issuer \ - token_policies=things_cert_issue secret_id_num_uses=0 \ - secret_id_ttl=0 token_ttl=1h token_max_ttl=3h token_num_uses=0 -} - -vaultWriteCustomRoleID(){ - echo "Writing custom role id" - vault read -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/role/things_cert_issuer/role-id - vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/role/things_cert_issuer/role-id role_id=${MG_CERTS_VAULT_APPROLE_ROLEID} -} - -vaultWriteCustomSecret() { - echo "Writing custom secret" - vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -f auth/approle/role/things_cert_issuer/secret-id - vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/role/things_cert_issuer/custom-secret-id 
secret_id=${MG_CERTS_VAULT_APPROLE_SECRET} num_uses=0 ttl=0 -} - -vaultTestRoleLogin() { -echo "Testing custom roleid secret by logging in" -vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/login \ - role_id=${MG_CERTS_VAULT_APPROLE_ROLEID} \ - secret_id=${MG_CERTS_VAULT_APPROLE_SECRET} - -} -if ! command -v jq &> /dev/null -then - echo "jq command could not be found, please install it and try again." - exit -fi - -readDotEnv - - -vault login -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_TOKEN} - -vaultCreatePolicy -vaultEnableAppRole -vaultDeleteRole -vaultCreateRole -vaultWriteCustomRoleID -vaultWriteCustomSecret -vaultTestRoleLogin - -exit 0 diff --git a/docker/vault/vault-hcp-set-pki.sh b/docker/vault/vault-hcp-set-pki.sh deleted file mode 100755 index e4578b398e..0000000000 --- a/docker/vault/vault-hcp-set-pki.sh +++ /dev/null 
@@ -1,194 +0,0 @@ -#!/usr/bin/bash -# Copyright (c) Abstract Machines -# SPDX-License-Identifier: Apache-2.0 - -set -euo pipefail - -scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" -echo "$scriptdir" -export MAGISTRALA_DIR=$scriptdir/../../ - -# cd $scriptdir - -# echo "$MAGISTRALA_DIR" - -readDotEnv() { - set -o allexport - source $MAGISTRALA_DIR/docker/.env - set +o allexport -} - -# vault() { -# docker exec -it magistrala-vault vault "$@" -# } - -vaultEnablePKI() { - vault secrets enable -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -path ${MG_VAULT_PKI_PATH} pki - vault secrets tune -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -max-lease-ttl=87600h ${MG_VAULT_PKI_PATH} -} - -vaultConfigPKIClusterPath() { - vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_PATH}/config/cluster aia_path=${MG_VAULT_PKI_CLUSTER_AIA_PATH} path=${MG_VAULT_PKI_CLUSTER_PATH} -} - -vaultConfigPKICrl() { - vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_PATH}/config/crl expiry="5m" ocsp_disable=false ocsp_expiry=0 auto_rebuild=true auto_rebuild_grace_period="2m" enable_delta=true delta_rebuild_interval="1m" -} - - -vaultAddRoleToSecret() { - vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_PATH}/roles/${MG_VAULT_PKI_ROLE_NAME} \ - allow_any_name=true \ - max_ttl="8760h" \ - default_ttl="8760h" \ - generate_lease=true -} - -vaultGenerateRootCACertificate() { - echo "Generate root CA certificate" - vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -format=json ${MG_VAULT_PKI_PATH}/root/generate/exported \ - common_name="\"$MG_VAULT_PKI_CA_CN\"" \ - ou="\"$MG_VAULT_PKI_CA_OU\"" \ - organization="\"$MG_VAULT_PKI_CA_O\"" \ - country="\"$MG_VAULT_PKI_CA_C\"" \ - locality="\"$MG_VAULT_PKI_CA_L\"" \ - province="\"$MG_VAULT_PKI_CA_ST\"" \ - street_address="\"$MG_VAULT_PKI_CA_ADDR\"" \ - 
postal_code="\"$MG_VAULT_PKI_CA_PO\"" \ - ttl=87600h | tee >(jq -r .data.certificate >data/${MG_VAULT_PKI_FILE_NAME}_ca.crt) \ - >(jq -r .data.issuing_ca >data/${MG_VAULT_PKI_FILE_NAME}_issuing_ca.crt) \ - >(jq -r .data.private_key >data/${MG_VAULT_PKI_FILE_NAME}_ca.key) -} - -vaultSetupRootCAIssuingURLs() { - echo "Setup URLs for CRL and issuing" - vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_PATH}/config/urls \ - issuing_certificates="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_PATH}/ca" \ - crl_distribution_points="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_PATH}/crl" \ - ocsp_servers="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_PATH}/ocsp" \ - enable_templating=true -} - - -vaultGenerateIntermediateCAPKI() { - echo "Generate Intermediate CA PKI" - vault secrets enable -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -path=${MG_VAULT_PKI_INT_PATH} pki - vault secrets tune -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -max-lease-ttl=43800h ${MG_VAULT_PKI_INT_PATH} -} - -vaultConfigIntermediatePKIClusterPath() { - vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_INT_PATH}/config/cluster aia_path=${MG_VAULT_PKI_INT_CLUSTER_AIA_PATH} path=${MG_VAULT_PKI_INT_CLUSTER_PATH} -} - -vaultConfigIntermediatePKICrl() { - vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_INT_PATH}/config/crl expiry="5m" ocsp_disable=false ocsp_expiry=0 auto_rebuild=true auto_rebuild_grace_period="2m" enable_delta=true delta_rebuild_interval="1m" -} - - - -vaultGenerateIntermediateCSR() { - echo "Generate intermediate CSR" - vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -format=json ${MG_VAULT_PKI_INT_PATH}/intermediate/generate/exported \ - common_name="\"$MG_VAULT_PKI_INT_CA_CN\"" \ - ou="\"$MG_VAULT_PKI_INT_CA_OU\""\ - organization="\"$MG_VAULT_PKI_INT_CA_O\"" \ - country="\"$MG_VAULT_PKI_INT_CA_C\"" \ - locality="\"$MG_VAULT_PKI_INT_CA_L\"" \ - 
province="\"$MG_VAULT_PKI_INT_CA_ST\"" \ - street_address="\"$MG_VAULT_PKI_INT_CA_ADDR\"" \ - postal_code="\"$MG_VAULT_PKI_INT_CA_PO\"" \ - | tee >(jq -r .data.csr >data/${MG_VAULT_PKI_INT_FILE_NAME}.csr) \ - >(jq -r .data.private_key >data/${MG_VAULT_PKI_INT_FILE_NAME}.key) -} - -vaultSignIntermediateCSR() { - echo "Sign intermediate CSR" - vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -format=json ${MG_VAULT_PKI_PATH}/root/sign-intermediate \ - csr=@data/${MG_VAULT_PKI_INT_FILE_NAME}.csr ttl="8760h" \ - ou="\"$MG_VAULT_PKI_INT_CA_OU\""\ - organization="\"$MG_VAULT_PKI_INT_CA_O\"" \ - country="\"$MG_VAULT_PKI_INT_CA_C\"" \ - locality="\"$MG_VAULT_PKI_INT_CA_L\"" \ - province="\"$MG_VAULT_PKI_INT_CA_ST\"" \ - street_address="\"$MG_VAULT_PKI_INT_CA_ADDR\"" \ - postal_code="\"$MG_VAULT_PKI_INT_CA_PO\"" \ - | tee >(jq -r .data.certificate >data/${MG_VAULT_PKI_INT_FILE_NAME}.crt) \ - >(jq -r .data.issuing_ca >data/${MG_VAULT_PKI_INT_FILE_NAME}_issuing_ca.crt) -} - -vaultInjectIntermediateCertificate() { - echo "Inject Intermediate Certificate" - vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_INT_PATH}/intermediate/set-signed certificate=@data/${MG_VAULT_PKI_INT_FILE_NAME}.crt -} - -vaultGenerateIntermediateCertificateBundle() { - echo "Generate intermediate certificate bundle" - cat data/${MG_VAULT_PKI_INT_FILE_NAME}.crt data/${MG_VAULT_PKI_FILE_NAME}_ca.crt \ - > data/${MG_VAULT_PKI_INT_FILE_NAME}_bundle.crt -} - -vaultSetupIntermediateIssuingURLs() { - echo "Setup URLs for CRL and issuing" - vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_INT_PATH}/config/urls \ - issuing_certificates="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_INT_PATH}/ca" \ - crl_distribution_points="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_INT_PATH}/crl" \ - ocsp_servers="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_INT_PATH}/ocsp" \ - enable_templating=true -} - -vaultSetupCARole() { - echo "Setup CA role" 
- vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_INT_PATH}/roles/${MG_VAULT_PKI_INT_ROLE_NAME} \ - allow_subdomains=true \ - allow_any_name=true \ - max_ttl="720h" -} - -vaultGenerateTestCertificate() { - echo "Generate Test certificate" - vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -format=json ${MG_VAULT_PKI_INT_PATH}/issue/${MG_VAULT_PKI_INT_ROLE_NAME} \ - common_name="testThingCert" ttl="8670h" \ - | tee >(jq -r .data.certificate >data/testThingCert.crt) \ - >(jq -r .data.private_key >data/testThingCert.key) -} - - -if ! command -v jq &> /dev/null -then - echo "jq command could not be found, please install it and try again." - exit -fi - -readDotEnv - -mkdir -p data - -vault login -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_TOKEN} - -vaultEnablePKI -vaultConfigPKIClusterPath -vaultConfigPKICrl -vaultAddRoleToSecret -vaultGenerateRootCACertificate -vaultSetupRootCAIssuingURLs -vaultGenerateIntermediateCAPKI -vaultConfigIntermediatePKIClusterPath -vaultConfigIntermediatePKICrl -vaultGenerateIntermediateCSR -vaultSignIntermediateCSR -vaultInjectIntermediateCertificate -vaultGenerateIntermediateCertificateBundle -vaultSetupIntermediateIssuingURLs -vaultSetupCARole -# vaultGenerateTestCertificate - -echo "Copying certificate files" -mkdir -p ${MAGISTRALA_DIR}/docker/vault/certs -cp -v data/${MG_VAULT_PKI_FILE_NAME}_ca.crt ${MAGISTRALA_DIR}/docker/vault/certs/${MG_VAULT_PKI_FILE_NAME}_ca.crt -cp -v data/${MG_VAULT_PKI_FILE_NAME}_ca.key ${MAGISTRALA_DIR}/docker/vault/certs/${MG_VAULT_PKI_FILE_NAME}_ca.key -cp -v data/${MG_VAULT_PKI_INT_FILE_NAME}.key ${MAGISTRALA_DIR}/docker/vault/certs/${MG_VAULT_PKI_INT_FILE_NAME}.key -cp -v data/${MG_VAULT_PKI_INT_FILE_NAME}.crt ${MAGISTRALA_DIR}/docker/vault/certs/${MG_VAULT_PKI_INT_FILE_NAME}.crt -cp -v data/${MG_VAULT_PKI_INT_FILE_NAME}_bundle.crt ${MAGISTRALA_DIR}/docker/vault/certs/${MG_VAULT_PKI_INT_FILE_NAME}_bundle.crt - - -exit 0 
From e5d39ecd48f0960a22520de8b0d5d114a2dcf4c4 Mon Sep 17 00:00:00 2001 From: Arvindh Date: Mon, 19 Feb 2024 20:36:16 +0530 Subject: [PATCH 22/40] update vault scritps and env vars Signed-off-by: Arvindh --- docker/.env | 39 +++-- docker/addons/vault/.gitignore | 1 + docker/addons/vault/README.md | 75 +++++--- ...magistrala_things_certs_issue.template.hcl | 32 ++++ docker/addons/vault/vault-create-approle.sh | 96 +++++++++++ docker/addons/vault/vault-init.sh | 2 + docker/addons/vault/vault-set-pki.sh | 163 ++++++++++++------ 7 files changed, 318 insertions(+), 90 deletions(-) create mode 100644 docker/addons/vault/magistrala_things_certs_issue.template.hcl create mode 100755 docker/addons/vault/vault-create-approle.sh diff --git a/docker/.env b/docker/.env index 5a824d48be..b74dc1e266 100644 --- a/docker/.env +++ b/docker/.env @@ -7,6 +7,7 @@ MG_NGINX_HTTP_PORT=80 MG_NGINX_SSL_PORT=443 MG_NGINX_MQTT_PORT=1883 MG_NGINX_MQTTS_PORT=8883 +MG_NGINX_SERVER_NAME=localhost ## Nats MG_NATS_PORT=4222 
@@ -314,53 +315,55 @@ MG_PROVISION_INSTANCE_ID= ### Vault MG_VAULT_HOST=vault MG_VAULT_PORT=8200 -MG_VAULT_ADDR=http://127.0.0.1:8200 +MG_VAULT_ADDR=http://vault:8200 MG_VAULT_NAMESPACE=magistrala MG_VAULT_UNSEAL_KEY_1= MG_VAULT_UNSEAL_KEY_2= MG_VAULT_UNSEAL_KEY_3= MG_VAULT_TOKEN= -MG_VAULT_CA_NAME=magistrala -MG_VAULT_CA_ROLE_NAME=magistrala MG_VAULT_PKI_PATH=pki -MG_VAULT_PKI_ROLE_NAME=magistrala_things_int_ca -MG_VAULT_PKI_FILE_NAME=mg_things_root -MG_VAULT_PKI_CA_CN='Magistrala Things Root Certificate Authority' -MG_VAULT_PKI_CA_OU='Abstract Machines' +MG_VAULT_PKI_ROLE_NAME=magistrala_int_ca +MG_VAULT_PKI_FILE_NAME=mg_root +MG_VAULT_PKI_CA_CN='Magistrala Root Certificate Authority' +MG_VAULT_PKI_CA_OU='Magistrala' MG_VAULT_PKI_CA_O='Magistrala' MG_VAULT_PKI_CA_C='FRANCE' MG_VAULT_PKI_CA_L='PARIS' MG_VAULT_PKI_CA_ST='PARIS' -MG_VAULT_PKI_CA_ADDR='141 Quai de Valmy' -MG_VAULT_PKI_CA_PO='75010' +MG_VAULT_PKI_CA_ADDR='5 Av. Anatole' +MG_VAULT_PKI_CA_PO='75007' MG_VAULT_PKI_CLUSTER_PATH=http://localhost MG_VAULT_PKI_CLUSTER_AIA_PATH=http://localhost MG_VAULT_PKI_INT_PATH=pki_int -MG_VAULT_PKI_INT_ROLE_NAME=magistrala_things_cert -MG_VAULT_PKI_INT_FILE_NAME=mg_things_int -MG_VAULT_PKI_INT_CA_CN='Magistrala Things Intermediate Certificate Authority' -MG_VAULT_PKI_INT_CA_OU='Abstract Machines' +MG_VAULT_PKI_INT_SERVER_CERTS_ROLE_NAME=magistrala_server_certs +MG_VAULT_PKI_INT_THINGS_CERTS_ROLE_NAME=magistrala_things_certs +MG_VAULT_PKI_INT_FILE_NAME=mg_int +MG_VAULT_PKI_INT_CA_CN='Magistrala Intermediate Certificate Authority' +MG_VAULT_PKI_INT_CA_OU='Magistrala' MG_VAULT_PKI_INT_CA_O='Magistrala' MG_VAULT_PKI_INT_CA_C='FRANCE' MG_VAULT_PKI_INT_CA_L='PARIS' MG_VAULT_PKI_INT_CA_ST='PARIS' -MG_VAULT_PKI_INT_CA_ADDR='141 Quai de Valmy' -MG_VAULT_PKI_INT_CA_PO='75010' +MG_VAULT_PKI_INT_CA_ADDR='5 Av. 
Anatole' +MG_VAULT_PKI_INT_CA_PO='75007' MG_VAULT_PKI_INT_CLUSTER_PATH=http://localhost MG_VAULT_PKI_INT_CLUSTER_AIA_PATH=http://localhost +MG_VAULT_THINGS_CERTS_ISSUER_ROLEID=magistrala +MG_VAULT_THINGS_CERTS_ISSUER_SECRET=magistrala + # Certs MG_CERTS_LOG_LEVEL=debug MG_CERTS_SIGN_CA_PATH=/etc/ssl/certs/ca.crt MG_CERTS_SIGN_CA_KEY_PATH=/etc/ssl/certs/ca.key MG_CERTS_VAULT_HOST=${MG_VAULT_ADDR} MG_CERTS_VAULT_NAMESPACE=${MG_VAULT_NAMESPACE} -MG_CERTS_VAULT_APPROLE_ROLEID=magistrala -MG_CERTS_VAULT_APPROLE_SECRET=magistrala +MG_CERTS_VAULT_APPROLE_ROLEID=${MG_VAULT_THINGS_CERTS_ISSUER_ROLEID} +MG_CERTS_VAULT_APPROLE_SECRET=${MG_VAULT_THINGS_CERTS_ISSUER_SECRET} MG_CERTS_VAULT_PKI_INT_PATH=${MG_VAULT_PKI_INT_PATH} -MG_CERTS_VAULT_PKI_INT_ROLE_NAME=${MG_VAULT_PKI_INT_ROLE_NAME} +MG_CERTS_VAULT_PKI_INT_ROLE_NAME=${MG_VAULT_PKI_INT_THINGS_CERTS_ROLE_NAME} MG_CERTS_HTTP_HOST=certs MG_CERTS_HTTP_PORT=9019 MG_CERTS_HTTP_SERVER_CERT= diff --git a/docker/addons/vault/.gitignore b/docker/addons/vault/.gitignore index 167a4fd8d7..acabadec87 100644 --- a/docker/addons/vault/.gitignore +++ b/docker/addons/vault/.gitignore @@ -2,3 +2,4 @@ # SPDX-License-Identifier: Apache-2.0 data +magistrala_things_certs_issue.hcl \ No newline at end of file diff --git a/docker/addons/vault/README.md b/docker/addons/vault/README.md index d21b3c0221..23f1334c1d 100644 --- a/docker/addons/vault/README.md +++ b/docker/addons/vault/README.md @@ -1,4 +1,4 @@ -# Vault +# # Vault This is Vault service deployment to be used with Magistrala. 
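Review bot: `MG_VAULT_THINGS_CERTS_ISSUER_ROLEID=magistrala` and `MG_VAULT_THINGS_CERTS_ISSUER_SECRET=magistrala` ship a guessable AppRole credential as the committed default, and `MG_CERTS_VAULT_APPROLE_ROLEID`/`MG_CERTS_VAULT_APPROLE_SECRET` now inherit it, so a stack brought up from this .env unchanged lets anyone who can reach Vault authenticate as the Things certificate issuer. Leave both values empty, the way `MG_VAULT_TOKEN` and the unseal keys are, and have `vault-create-approle.sh` refuse to run (or generate a random value) when they are unset; a comment such as `# Set before running vault-create-approle.sh; never reuse the same value across deployments` would make the intent clear. The switch of `MG_VAULT_ADDR` to `http://vault:8200` keeps Vault traffic in plaintext, which is presumably acceptable on the compose network but worth a note if the address is ever pointed outside it.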
@@ -6,23 +6,48 @@ When the Vault service is started, some initialization steps need to be done to ## Configuration -| Variable | Description | Default | -| --------------------- | ------------------------------------------------------- | ---------------- | -| MG_VAULT_HOST | Vault service address | vault | -| MG_VAULT_PORT | Vault service port | 8200 | -| MG_VAULT_UNSEAL_KEY_1 | Vault unseal key | "" | -| MG_VAULT_UNSEAL_KEY_2 | Vault unseal key | "" | -| MG_VAULT_UNSEAL_KEY_3 | Vault unseal key | "" | -| MG_VAULT_TOKEN | Vault cli access token | "" | -| MG_VAULT_PKI_PATH | Vault secrets engine path for CA | pki | -| MG_VAULT_PKI_INT_PATH | Vault secrets engine path for intermediate CA | pki_int | -| MG_VAULT_CA_ROLE_NAME | Vault secrets engine role | magistrala | -| MG_VAULT_CA_NAME | Certificates name used by `vault-set-pki.sh` | magistrala | -| MG_VAULT_CA_CN | Common name used for CA creation by `vault-set-pki.sh` | magistrala.com | -| MG_VAULT_CA_OU | Org unit used for CA creation by `vault-set-pki.sh` | Magistrala Cloud | -| MG_VAULT_CA_O | Organization used for CA creation by `vault-set-pki.sh` | Magistrala Labs | -| MG_VAULT_CA_C | Country used for CA creation by `vault-set-pki.sh` | Serbia | -| MG_VAULT_CA_L | Location used for CA creation by `vault-set-pki.sh` | Belgrade | + +| Variable | Description | Default | +| :---------------------------------------- | ------------------------------------------------------------------------------- | --------------------------------------- | +| MG_VAULT_HOST | Vault service address | vault | +| MG_VAULT_PORT | Vault service port | 8200 | +| MG_VAULT_ADDR | Vault Address | http://vault:8200 | +| MG_VAULT_UNSEAL_KEY_1 | Vault unseal key | "" | +| MG_VAULT_UNSEAL_KEY_2 | Vault unseal key | "" | +| MG_VAULT_UNSEAL_KEY_3 | Vault unseal key | "" | +| MG_VAULT_TOKEN | Vault cli access token | "" | +| | | | +| MG_VAULT_PKI_PATH | Vault secrets engine path for Root CA | pki | +| MG_VAULT_PKI_ROLE_NAME | Vault Root CA role 
name to issue intermediate CA | magistrala_int_ca | +| MG_VAULT_PKI_FILE_NAME | Root CA Certificates name used by`vault-set-pki.sh` | mg_root | +| MG_VAULT_PKI_CA_CN | Common name used for Root CA creation by`vault-set-pki.sh` | Magistrala Root Certificate Authority | +| MG_VAULT_PKI_CA_OU | Organization unit used for Root CA creation by`vault-set-pki.sh` | Magistrala | +| MG_VAULT_PKI_CA_O | Organization used for Root CA creation by`vault-set-pki.sh` | Magistrala | +| MG_VAULT_PKI_CA_C | Country used for Root CA creation by`vault-set-pki.sh` | FRANCE | +| MG_VAULT_PKI_CA_L | Location used for Root CA creation by`vault-set-pki.sh` | PARIS | +| MG_VAULT_PKI_CA_ST | State or Provisions used for Root CA creation by`vault-set-pki.sh` | PARIS | +| MG_VAULT_PKI_CA_ADDR | Address used for Root CA creation by`vault-set-pki.sh` | 5 Av. Anatole | +| MG_VAULT_PKI_CA_PO | Postal code used for Root CA creation by`vault-set-pki.sh` | 75007 | +| MG_VAULT_PKI_CLUSTER_PATH | Vault Root CA Cluster Path | http://localhost | +| MG_VAULT_PKI_CLUSTER_AIA_PATH | Vault Root CA Cluster AIA Path | http://localhost | +| | | | +| MG_VAULT_PKI_INT_PATH | Vault secrets engine path for Intermediate CA | pki_int | +| MG_VAULT_PKI_INT_SERVER_CERTS_ROLE_NAME | Vault Intermediate CA role name to issue server certificate | magistrala_server_certs | +| MG_VAULT_PKI_INT_THINGS_CERTS_ROLE_NAME | Vault Intermediate CA role name to issue Things certificates | magistrala_things_certs | +| MG_VAULT_PKI_INT_FILE_NAME | Intermediate CA Certificates name used by`vault-set-pki.sh` | mg_root | +| MG_VAULT_PKI_INT_CA_CN | Common name used for Intermediate CA creation by`vault-set-pki.sh` | Magistrala Root Certificate Authority | +| MG_VAULT_PKI_INT_CA_OU | Organization unit used for Root CA creation by`vault-set-pki.sh` | Magistrala | +| MG_VAULT_PKI_INT_CA_O | Organization used for Intermediate CA creation by`vault-set-pki.sh` | Magistrala | +| MG_VAULT_PKI_INT_CA_C | Country used for Intermediate CA creation 
by`vault-set-pki.sh` | FRANCE | +| MG_VAULT_PKI_INT_CA_L | Location used for Intermediate CA creation by`vault-set-pki.sh` | PARIS | +| MG_VAULT_PKI_INT_CA_ST | State or Provisions used for Intermediate CA creation by`vault-set-pki.sh` | PARIS | +| MG_VAULT_PKI_INT_CA_ADDR | Address used for Intermediate CA creation by`vault-set-pki.sh` | 5 Av. Anatole | +| MG_VAULT_PKI_INT_CA_PO | Postal code used for Intermediate CA creation by`vault-set-pki.sh` | 75007 | +| MG_VAULT_PKI_INT_CLUSTER_PATH | Vault Intermediate CA Cluster Path | http://localhost | +| MG_VAULT_PKI_INT_CLUSTER_AIA_PATH | Vault Intermediate CA Cluster AIA Path | http://localhost | +| | | | +| MG_VAULT_THINGS_CERTS_ISSUER_ROLEID | Vault Intermediate CA Things Certificate issuer AppRole authentication RoleID | magistrala | +| MG_VAULT_THINGS_CERTS_ISSUER_SECRET | Vault Intermediate CA Things Certificate issuer AppRole authentication Secret | magistrala | ## Setup @@ -31,12 +56,12 @@ The following scripts are provided, which work on the running Vault service in D 1. `vault-init.sh` Calls `vault operator init` to perform the initial vault initialization and generates -a `data/secrets` file which contains the Vault unseal keys and root tokens. +a `docker/addons/vault/data/secrets` file which contains the Vault unseal keys and root tokens. After this step, the corresponding Vault environment variables (`MG_VAULT_TOKEN`, `MG_VAULT_UNSEAL_KEY_1`, `MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3`) should be updated in `.env` file. -Example contents for `data/secrets`: +Example contents for `docker/addons/vault/data/secrets`: ```bash Unseal Key 1: Ay0YZecYJ2HVtNtXfPootXK5LtF+JZoDmBb7IbbYdLBI 
@@ -78,7 +103,15 @@ starting the container. This script is used to generate the root certificate, intermediate certificate and HTTPS server certificate. After it runs, it copies the necessary certificates and keys to the `docker/ssl/certs` folder. -The CA parameters are obtained from the environment variables starting with `MG_VAULT_CA` in `.env` file. +The parameters required for generating certificate are obtained from the environment variables which are loaded from `docker/.env`. Environmental variables starting with `MG_VAULT_PKI` in `docker/.env` file are used by `vault-set-pki.sh` to generateissu root CA. Environmental variables starting with`MG_VAULT_PKI_INT`in`docker/.env` file are used by `vault-set-pki.sh` to generate intermediate CA + +A copy of all generate certificates, keys and CSR by `vault-set-pki.sh` will present at `docker/addons/vault/data/secrets` + +4. `vault-create-approle.sh` + +This script is used to enable app role authorization in Vault. Certs service used the approle credentials to issue , revoke things certificate from vault intermedate CA. + +`vault-create-approle` script by default tries to enable auth approle. If approle is already enabled in vault, then use args `skip_enable_app_role` to skip enable auth approle step, `vault-create-approle.sh skip_enable_app_role` ## Vault CLI diff --git a/docker/addons/vault/magistrala_things_certs_issue.template.hcl b/docker/addons/vault/magistrala_things_certs_issue.template.hcl new file mode 100644 index 0000000000..1b13f6db1b --- /dev/null +++ b/docker/addons/vault/magistrala_things_certs_issue.template.hcl 
@@ -0,0 +1,32 @@
+
+# Allow issue certificate with role with default issuer from Intermediate PKI
+path "${MG_VAULT_PKI_INT_PATH}/issue/${MG_VAULT_PKI_INT_THINGS_CERTS_ROLE_NAME}" {
+ capabilities = ["create", "update"]
+}
+
+## Revole certificate from Intermediate PKI
+path "${MG_VAULT_PKI_INT_PATH}/revoke" {
+ capabilities = ["create", "update"]
+}
+
+## List Revoked Certificates from Intermediate PKI
+path "${MG_VAULT_PKI_INT_PATH}/certs/revoked" {
+ capabilities = ["list"]
+}
+
+
+## List Certificates from Intermediate PKI
+path "${MG_VAULT_PKI_INT_PATH}/certs" {
+ capabilities = ["list"]
+}
+
+## Read Certificate from Intermediate PKI
+path "${MG_VAULT_PKI_INT_PATH}/cert/+" {
+ capabilities = ["read"]
+}
+path "${MG_VAULT_PKI_INT_PATH}/cert/+/raw" {
+ capabilities = ["read"]
+}
+path "${MG_VAULT_PKI_INT_PATH}/cert/+/raw/pem" {
+ capabilities = ["read"]
+}
diff --git a/docker/addons/vault/vault-create-approle.sh b/docker/addons/vault/vault-create-approle.sh
new file mode 100755
index 0000000000..27cbf3b426
--- /dev/null
+++ b/docker/addons/vault/vault-create-approle.sh
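Review bot: The `revoke` stanza grants `create`/`update` on `${MG_VAULT_PKI_INT_PATH}/revoke`, which Vault cannot scope by issuing role, so the AppRole that issues Things certificates can also revoke any certificate under this intermediate, including the server certificate issued through the server-certs role. That is probably unavoidable with a single intermediate mount, but the policy should say so: `## NOTE: revoke is not scoped to the Things role; this AppRole can revoke any certificate issued by the intermediate CA`. The heading typo `Revole` should read `Revoke`.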
@@ -0,0 +1,96 @@
+#!/usr/bin/bash
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+set -euo pipefail
+
+scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+export MAGISTRALA_DIR=$scriptdir/../../../
+
+cd $scriptdir
+
+SKIP_ENABLE_APP_ROLE=${1:-}
+
+readDotEnv() {
+ set -o allexport
+ source $MAGISTRALA_DIR/docker/.env
+ set +o allexport
+}
+
+vault() {
+ docker exec -it magistrala-vault vault "$@"
+}
+
+vaultCreatePolicyFile() {
+ envsubst '
+ ${MG_VAULT_PKI_INT_PATH}
+ ${MG_VAULT_PKI_INT_THINGS_CERTS_ROLE_NAME}
+ ' < magistrala_things_certs_issue.template.hcl > magistrala_things_certs_issue.hcl
+}
+vaultCreatePolicy() {
+ echo "Creating new policy for AppRole"
+ docker cp magistrala_things_certs_issue.hcl magistrala-vault:/vault/magistrala_things_certs_issue.hcl
+ vault policy write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} magistrala_things_certs_issue /vault//magistrala_things_certs_issue.hcl
+}
+
+vaultEnableAppRole() {
+ if [ "$SKIP_ENABLE_APP_ROLE" == "skip_enable_app_role" ]; then
+ echo "Skipping Enable AppRole"
+ elif
+ echo "Enabling AppRole"
+ vault auth enable -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} approle
+ fi
+}
+
+vaultDeleteRole() {
+ echo "Deleteing old AppRole"
+ vault delete -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/role/magistrala_things_certs_issuer
+}
+
+vaultCreateRole() {
+ echo "Creating new AppRole"
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/role/magistrala_things_certs_issuer \
+ token_policies=magistrala_things_certs_issue secret_id_num_uses=0 \
+ secret_id_ttl=0 token_ttl=1h token_max_ttl=3h token_num_uses=0
+}
+
+vaultWriteCustomRoleID(){
+ echo "Writing custom role id"
+ vault read -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/role/magistrala_things_certs_issuer/role-id
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/role/magistrala_things_certs_issuer/role-id role_id=${MG_VAULT_THINGS_CERTS_ISSUER_ROLEID}
+}
+
+vaultWriteCustomSecret() {
+ echo "Writing custom secret"
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -f auth/approle/role/magistrala_things_certs_issuer/secret-id
+ vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/role/magistrala_things_certs_issuer/custom-secret-id secret_id=${MG_VAULT_THINGS_CERTS_ISSUER_SECRET} num_uses=0 ttl=0
+}
+
+vaultTestRoleLogin() {
+echo "Testing custom roleid secret by logging in"
+vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/login \
+ role_id=${MG_VAULT_THINGS_CERTS_ISSUER_ROLEID} \
+ secret_id=${MG_VAULT_THINGS_CERTS_ISSUER_SECRET}
+
+}
+if ! command -v jq &> /dev/null
+then
+ echo "jq command could not be found, please install it and try again."
+ exit
+fi
+
+readDotEnv
+
+
+vault login -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_TOKEN}
+
+vaultCreatePolicyFile
+vaultCreatePolicy
+vaultEnableAppRole
+vaultDeleteRole
+vaultCreateRole
+vaultWriteCustomRoleID
+vaultWriteCustomSecret
+vaultTestRoleLogin
+
+exit 0
diff --git a/docker/addons/vault/vault-init.sh b/docker/addons/vault/vault-init.sh
index d8ab5cbbbe..ab229fa0bd 100755
--- a/docker/addons/vault/vault-init.sh
+++ b/docker/addons/vault/vault-init.sh
@@ -7,6 +7,8 @@ set -euo pipefail
 scriptdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
 export MAGISTRALA_DIR=$scriptdir/../../../
 
+cd $scriptdir
+
 write_env() {
 sed -i "s,MG_VAULT_UNSEAL_KEY_1=.*,MG_VAULT_UNSEAL_KEY_1=$(awk -F ": " '$1 == "Unseal Key 1" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env
 sed -i "s,MG_VAULT_UNSEAL_KEY_2=.*,MG_VAULT_UNSEAL_KEY_2=$(awk -F ": " '$1 == "Unseal Key 2" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env
diff --git a/docker/addons/vault/vault-set-pki.sh b/docker/addons/vault/vault-set-pki.sh
index c2a7003d4e..4049912668 100755
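Review bot: `vaultEnableAppRole` is a syntax error: `elif` is followed by two commands and `fi` with no condition or `then`, so bash aborts the script while reading that definition, before any Vault call is made; the branch should simply be `else`. The `jq` guard's bare `exit` also returns 0, so a missing dependency looks like success to a caller — make it `exit 1`. On the security side, the role is created with `secret_id_num_uses=0 secret_id_ttl=0` and the custom SecretID with `num_uses=0 ttl=0`, which turns the value from `.env` into a permanent, unlimited-use credential; that may be fine for a local stack, but it deserves a comment on `vaultWriteCustomSecret` and a TTL for any shared deployment. The `vault()` wrapper's `docker exec -it` will also fail with "the input device is not a TTY" when the script is run without a terminal (CI, cron), and `vault login ... ${MG_VAULT_TOKEN}` puts the root token on the command line where it is visible in the container's process list; dropping `-t` and, if the installed CLI supports it, feeding the token on stdin would avoid both.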
--- a/docker/addons/vault/vault-set-pki.sh +++ b/docker/addons/vault/vault-set-pki.sh 
@@ -20,90 +20,145 @@ vault() { } vaultEnablePKI() { - vault secrets enable -path ${MG_VAULT_PKI_PATH} pki - vault secrets tune -max-lease-ttl=87600h ${MG_VAULT_PKI_PATH} + vault secrets enable -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -path ${MG_VAULT_PKI_PATH} pki + vault secrets tune -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -max-lease-ttl=87600h ${MG_VAULT_PKI_PATH} } +vaultConfigPKIClusterPath() { + vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_PATH}/config/cluster aia_path=${MG_VAULT_PKI_CLUSTER_AIA_PATH} path=${MG_VAULT_PKI_CLUSTER_PATH} +} + +vaultConfigPKICrl() { + vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_PATH}/config/crl expiry="5m" ocsp_disable=false ocsp_expiry=0 auto_rebuild=true auto_rebuild_grace_period="2m" enable_delta=true delta_rebuild_interval="1m" +} + + vaultAddRoleToSecret() { - vault write ${MG_VAULT_PKI_PATH}/roles/${MG_VAULT_CA_NAME} \ + vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_PATH}/roles/${MG_VAULT_PKI_ROLE_NAME} \ allow_any_name=true \ - max_ttl="4300h" \ - default_ttl="4300h" \ + max_ttl="8760h" \ + default_ttl="8760h" \ generate_lease=true } vaultGenerateRootCACertificate() { echo "Generate root CA certificate" - vault write -format=json ${MG_VAULT_PKI_PATH}/root/generate/exported \ - common_name="\"$MG_VAULT_CA_CN CA Root\"" \ - ou="\"$MG_VAULT_CA_OU\""\ - organization="\"$MG_VAULT_CA_O\"" \ - country="\"$MG_VAULT_CA_C\"" \ - locality="\"$MG_VAULT_CA_L\"" \ - ttl=87600h | tee >(jq -r .data.certificate >data/${MG_VAULT_CA_NAME}_ca.crt) \ - >(jq -r .data.issuing_ca >data/${MG_VAULT_CA_NAME}_issuing_ca.crt) \ - >(jq -r .data.private_key >data/${MG_VAULT_CA_NAME}_ca.key) + vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -format=json ${MG_VAULT_PKI_PATH}/root/generate/exported \ + common_name="\"$MG_VAULT_PKI_CA_CN\"" \ + ou="\"$MG_VAULT_PKI_CA_OU\"" \ + 
organization="\"$MG_VAULT_PKI_CA_O\"" \ + country="\"$MG_VAULT_PKI_CA_C\"" \ + locality="\"$MG_VAULT_PKI_CA_L\"" \ + province="\"$MG_VAULT_PKI_CA_ST\"" \ + street_address="\"$MG_VAULT_PKI_CA_ADDR\"" \ + postal_code="\"$MG_VAULT_PKI_CA_PO\"" \ + ttl=87600h | tee >(jq -r .data.certificate >data/${MG_VAULT_PKI_FILE_NAME}_ca.crt) \ + >(jq -r .data.issuing_ca >data/${MG_VAULT_PKI_FILE_NAME}_issuing_ca.crt) \ + >(jq -r .data.private_key >data/${MG_VAULT_PKI_FILE_NAME}_ca.key) } +vaultSetupRootCAIssuingURLs() { + echo "Setup URLs for CRL and issuing" + vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_PATH}/config/urls \ + issuing_certificates="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_PATH}/ca" \ + crl_distribution_points="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_PATH}/crl" \ + ocsp_servers="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_PATH}/ocsp" \ + enable_templating=true +} + + vaultGenerateIntermediateCAPKI() { echo "Generate Intermediate CA PKI" - vault secrets enable -path=${MG_VAULT_PKI_INT_PATH} pki - vault secrets tune -max-lease-ttl=43800h ${MG_VAULT_PKI_INT_PATH} + vault secrets enable -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -path=${MG_VAULT_PKI_INT_PATH} pki + vault secrets tune -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -max-lease-ttl=43800h ${MG_VAULT_PKI_INT_PATH} +} + +vaultConfigIntermediatePKIClusterPath() { + vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_INT_PATH}/config/cluster aia_path=${MG_VAULT_PKI_INT_CLUSTER_AIA_PATH} path=${MG_VAULT_PKI_INT_CLUSTER_PATH} } +vaultConfigIntermediatePKICrl() { + vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_INT_PATH}/config/crl expiry="5m" ocsp_disable=false ocsp_expiry=0 auto_rebuild=true auto_rebuild_grace_period="2m" enable_delta=true delta_rebuild_interval="1m" +} + + + vaultGenerateIntermediateCSR() { echo "Generate intermediate CSR" - vault write -format=json 
${MG_VAULT_PKI_INT_PATH}/intermediate/generate/exported \ - common_name="$MG_VAULT_CA_CN Intermediate Authority" \ - | tee >(jq -r .data.csr >data/${MG_VAULT_CA_NAME}_int.csr) \ - >(jq -r .data.private_key >data/${MG_VAULT_CA_NAME}_int.key) + vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -format=json ${MG_VAULT_PKI_INT_PATH}/intermediate/generate/exported \ + common_name="\"$MG_VAULT_PKI_INT_CA_CN\"" \ + ou="\"$MG_VAULT_PKI_INT_CA_OU\""\ + organization="\"$MG_VAULT_PKI_INT_CA_O\"" \ + country="\"$MG_VAULT_PKI_INT_CA_C\"" \ + locality="\"$MG_VAULT_PKI_INT_CA_L\"" \ + province="\"$MG_VAULT_PKI_INT_CA_ST\"" \ + street_address="\"$MG_VAULT_PKI_INT_CA_ADDR\"" \ + postal_code="\"$MG_VAULT_PKI_INT_CA_PO\"" \ + | tee >(jq -r .data.csr >data/${MG_VAULT_PKI_INT_FILE_NAME}.csr) \ + >(jq -r .data.private_key >data/${MG_VAULT_PKI_INT_FILE_NAME}.key) } vaultSignIntermediateCSR() { echo "Sign intermediate CSR" - docker cp data/${MG_VAULT_CA_NAME}_int.csr magistrala-vault:/vault/${MG_VAULT_CA_NAME}_int.csr - vault write -format=json ${MG_VAULT_PKI_PATH}/root/sign-intermediate \ - csr=@/vault/${MG_VAULT_CA_NAME}_int.csr \ - | tee >(jq -r .data.certificate >data/${MG_VAULT_CA_NAME}_int.crt) \ - >(jq -r .data.issuing_ca >data/${MG_VAULT_CA_NAME}_int_issuing_ca.crt) + docker cp data/${MG_VAULT_PKI_INT_FILE_NAME}.csr magistrala-vault:/vault/${MG_VAULT_PKI_INT_FILE_NAME}.csr + vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -format=json ${MG_VAULT_PKI_PATH}/root/sign-intermediate \ + csr=@/vault/${MG_VAULT_PKI_INT_FILE_NAME}.csr ttl="8760h" \ + ou="\"$MG_VAULT_PKI_INT_CA_OU\""\ + organization="\"$MG_VAULT_PKI_INT_CA_O\"" \ + country="\"$MG_VAULT_PKI_INT_CA_C\"" \ + locality="\"$MG_VAULT_PKI_INT_CA_L\"" \ + province="\"$MG_VAULT_PKI_INT_CA_ST\"" \ + street_address="\"$MG_VAULT_PKI_INT_CA_ADDR\"" \ + postal_code="\"$MG_VAULT_PKI_INT_CA_PO\"" \ + | tee >(jq -r .data.certificate >data/${MG_VAULT_PKI_INT_FILE_NAME}.crt) \ + >(jq -r 
.data.issuing_ca >data/${MG_VAULT_PKI_INT_FILE_NAME}_issuing_ca.crt) } vaultInjectIntermediateCertificate() { echo "Inject Intermediate Certificate" - docker cp data/${MG_VAULT_CA_NAME}_int.crt magistrala-vault:/vault/${MG_VAULT_CA_NAME}_int.crt - vault write ${MG_VAULT_PKI_INT_PATH}/intermediate/set-signed certificate=@/vault/${MG_VAULT_CA_NAME}_int.crt + docker cp data/${MG_VAULT_PKI_INT_FILE_NAME}.crt magistrala-vault:/vault/${MG_VAULT_PKI_INT_FILE_NAME}.crt + vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_INT_PATH}/intermediate/set-signed certificate=@/vault/${MG_VAULT_PKI_INT_FILE_NAME}.crt } vaultGenerateIntermediateCertificateBundle() { echo "Generate intermediate certificate bundle" - cat data/${MG_VAULT_CA_NAME}_int.crt data/${MG_VAULT_CA_NAME}_ca.crt \ - > data/${MG_VAULT_CA_NAME}_int_bundle.crt + cat data/${MG_VAULT_PKI_INT_FILE_NAME}.crt data/${MG_VAULT_PKI_FILE_NAME}_ca.crt \ + > data/${MG_VAULT_PKI_INT_FILE_NAME}_bundle.crt } -vaultSetupIssuingURLs() { +vaultSetupIntermediateIssuingURLs() { echo "Setup URLs for CRL and issuing" - VAULT_ADDR=http://$MG_VAULT_HOST:$MG_VAULT_PORT - vault write ${MG_VAULT_PKI_INT_PATH}/config/urls \ - issuing_certificates="$VAULT_ADDR/v1/${MG_VAULT_PKI_INT_PATH}/ca" \ - crl_distribution_points="$VAULT_ADDR/v1/${MG_VAULT_PKI_INT_PATH}/crl" + vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_INT_PATH}/config/urls \ + issuing_certificates="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_INT_PATH}/ca" \ + crl_distribution_points="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_INT_PATH}/crl" \ + ocsp_servers="{{cluster_aia_path}}/v1/${MG_VAULT_PKI_INT_PATH}/ocsp" \ + enable_templating=true } -vaultSetupCARole() { - echo "Setup CA role" - vault write ${MG_VAULT_PKI_INT_PATH}/roles/${MG_VAULT_CA_ROLE_NAME} \ +vaultSetupServerCertsRole() { + echo "Setup Server Certs role" + vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} 
${MG_VAULT_PKI_INT_PATH}/roles/${MG_VAULT_PKI_INT_SERVER_CERTS_ROLE_NAME} \ allow_subdomains=true \ - allow_any_name=true \ - max_ttl="720h" + max_ttl="4320h" } vaultGenerateServerCertificate() { echo "Generate server certificate" - vault write -format=json ${MG_VAULT_PKI_INT_PATH}/issue/${MG_VAULT_CA_ROLE_NAME} \ - common_name="$MG_VAULT_CA_CN" ttl="8670h" \ - | tee >(jq -r .data.certificate >data/${MG_VAULT_CA_CN}.crt) \ - >(jq -r .data.private_key >data/${MG_VAULT_CA_CN}.key) + vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -format=json ${MG_VAULT_PKI_INT_PATH}/issue/${MG_VAULT_PKI_INT_SERVER_CERTS_ROLE_NAME} \ + common_name="$MG_NGINX_SERVER_NAME" ttl="4320h" \ + | tee >(jq -r .data.certificate >data/${MG_NGINX_SERVER_NAME}.crt) \ + >(jq -r .data.private_key >data/${MG_NGINX_SERVER_NAME}.key) } +vaultSetupThingCertsRole() { + echo "Setup Thing Certs role" + vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_INT_PATH}/roles/${MG_VAULT_PKI_INT_THINGS_CERTS_ROLE_NAME} \ + allow_subdomains=true \ + allow_any_name=true \ + max_ttl="2160h" +} + + vaultCleanupFiles() { docker exec magistrala-vault sh -c 'rm -rf /vault/*.{crt,csr}' } 
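Review bot: `vaultSetupServerCertsRole` drops `allow_any_name=true` and keeps only `allow_subdomains=true` with no `allowed_domains`, so `vaultGenerateServerCertificate` can succeed only when `common_name` is `localhost` (permitted by Vault's `allow_localhost` default) and will be refused as soon as `MG_NGINX_SERVER_NAME` is a real hostname, which appears to be the case this patch series is enabling. Add the domain to the role: `allowed_domains="${MG_NGINX_SERVER_NAME}" allow_bare_domains=true \` before `allow_subdomains=true \`. Both `root/generate/exported` and `intermediate/generate/exported` write private keys into `data/` through `jq ... >data/...key` under the caller's umask, so the CA keys are typically world-readable on disk; a `umask 077` near the top of the script (outside this hunk) or a `chmod 600 data/*.key` after generation would close that. The 5-minute CRL `expiry` with `auto_rebuild_grace_period="2m"` is aggressive; if it is deliberate for the local stack, a one-line comment on `vaultConfigPKICrl` saying so would help the next reader.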
@@ -118,27 +173,33 @@ readDotEnv mkdir -p data -vault login ${MG_VAULT_TOKEN} +vault login -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_TOKEN} vaultEnablePKI +vaultConfigPKIClusterPath +vaultConfigPKICrl vaultAddRoleToSecret vaultGenerateRootCACertificate +vaultSetupRootCAIssuingURLs vaultGenerateIntermediateCAPKI +vaultConfigIntermediatePKIClusterPath +vaultConfigIntermediatePKICrl vaultGenerateIntermediateCSR vaultSignIntermediateCSR vaultInjectIntermediateCertificate vaultGenerateIntermediateCertificateBundle -vaultSetupIssuingURLs -vaultSetupCARole +vaultSetupIntermediateIssuingURLs +vaultSetupServerCertsRole vaultGenerateServerCertificate +vaultSetupThingCertsRole vaultCleanupFiles echo "Copying certificate files" +mkdir -p ${MAGISTRALA_DIR}/docker/vault/certs -cp -v data/${MG_VAULT_CA_CN}.crt ${MAGISTRALA_DIR}/docker/ssl/certs/magistrala-server.crt -cp -v data/${MG_VAULT_CA_CN}.key ${MAGISTRALA_DIR}/docker/ssl/certs/magistrala-server.key -cp -v data/${MG_VAULT_CA_NAME}_int.key ${MAGISTRALA_DIR}/docker/ssl/certs/ca.key -cp -v data/${MG_VAULT_CA_NAME}_int.crt ${MAGISTRALA_DIR}/docker/ssl/certs/ca.crt -cp -v data/${MG_VAULT_CA_NAME}_int_bundle.crt ${MAGISTRALA_DIR}/docker/ssl/bundle.pem +cp -v data/${MG_NGINX_SERVER_NAME}.crt ${MAGISTRALA_DIR}/docker/ssl/certs/magistrala-server.crt +cp -v data/${MG_NGINX_SERVER_NAME}.key ${MAGISTRALA_DIR}/docker/ssl/certs/magistrala-server.key +cp -v data/${MG_VAULT_PKI_INT_FILE_NAME}.key ${MAGISTRALA_DIR}/docker/ssl/certs/ca.key +cp -v data/${MG_VAULT_PKI_INT_FILE_NAME}_bundle.crt ${MAGISTRALA_DIR}/docker/ssl/certs/ca.crt exit 0 From 95a11889215b8c451038e2e380d059e516dc6098 Mon Sep 17 00:00:00 2001 From: Arvindh Date: Mon, 19 Feb 2024 20:36:44 +0530 Subject: [PATCH 23/40] update nginx Signed-off-by: Arvindh --- docker/nginx/entrypoint.sh | 1 + docker/nginx/nginx-key.conf | 10 ++++++++-- docker/nginx/nginx-x509.conf | 11 +++++++++-- 3 files changed, 18 insertions(+), 4 deletions(-) 
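Review bot: `mkdir -p ${MAGISTRALA_DIR}/docker/vault/certs` creates a directory that nothing in this script writes to, while the four `cp -v` lines right after it target `${MAGISTRALA_DIR}/docker/ssl/certs`, so the line is presumably meant to read `mkdir -p "${MAGISTRALA_DIR}/docker/ssl/certs"`. The new `vault login -namespace=… -address=… ${MG_VAULT_TOKEN}` also places the root token in the process arguments, where `ps` output and shell history expose it; the CLI reads `VAULT_TOKEN`, `VAULT_ADDR` and `VAULT_NAMESPACE` from the environment, so exporting those once (e.g. `export VAULT_TOKEN="$MG_VAULT_TOKEN"`) removes both the login line and the repeated flags on every `vault write`. The copied `magistrala-server.key` and `ca.key` keep whatever mode the `data/*.key` files were created with, so a `chmod 600` on the two targets would keep the private keys from being world-readable where the umask made them so. All expansions on these lines are unquoted; unless the script runs under `set -u` (not visible in this hunk), an unset `MG_NGINX_SERVER_NAME` silently becomes `data/.crt`.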
diff --git a/docker/nginx/entrypoint.sh b/docker/nginx/entrypoint.sh index 1076b600fc..6b90377035 100755 --- a/docker/nginx/entrypoint.sh +++ b/docker/nginx/entrypoint.sh @@ -12,6 +12,7 @@ else fi envsubst ' + ${MG_NGINX_SERVER_NAME} ${MG_AUTH_HTTP_PORT} ${MG_USERS_HTTP_PORT} ${MG_THINGS_HTTP_PORT} diff --git a/docker/nginx/nginx-key.conf b/docker/nginx/nginx-key.conf index aa0fa05edb..d3e9f7da45 100644 --- a/docker/nginx/nginx-key.conf +++ b/docker/nginx/nginx-key.conf @@ -39,6 +39,14 @@ http { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; + set $dynamic_server_name $MG_NGINX_SERVER_NAME; + + if ($dynamic_server_name = '') { + set $dynamic_server_name "localhost"; + } + + server_name $dynamic_server_name; + include snippets/ssl.conf; add_header Strict-Transport-Security "max-age=63072000; includeSubdomains"; @@ -48,8 +56,6 @@ http { add_header Access-Control-Allow-Methods '*'; add_header Access-Control-Allow-Headers '*'; - server_name localhost; - location ~ ^/(channels)/(.+)/(things)/(.+) { include snippets/proxy-headers.conf; add_header Access-Control-Expose-Headers Location; diff --git a/docker/nginx/nginx-x509.conf b/docker/nginx/nginx-x509.conf index 78d100a292..4f95e1edbb 100644 --- a/docker/nginx/nginx-x509.conf +++ b/docker/nginx/nginx-x509.conf @@ -45,6 +45,15 @@ http { listen [::]:80 default_server; listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; + + set $dynamic_server_name $MG_NGINX_SERVER_NAME; + + if ($dynamic_server_name = '') { + set $dynamic_server_name "localhost"; + } + + server_name $dynamic_server_name; + ssl_verify_client optional; include snippets/ssl.conf; include snippets/ssl-client.conf; @@ -56,8 +65,6 @@ http { add_header Access-Control-Allow-Methods '*'; add_header Access-Control-Allow-Headers '*'; - server_name localhost; - # Proxy pass to users service location ~ ^/(users|groups|password|policies|authorize) { include snippets/proxy-headers.conf; 
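Review bot: The `if ($dynamic_server_name = '')` fallback added to nginx-key.conf cannot take effect, because `set` and `if` are rewrite-phase directives evaluated per request while `server_name` is read once at configuration load and, as far as I can tell, does not expand variables, so the registered name is the literal string `$dynamic_server_name`; the same block is added to nginx-x509.conf. The `$MG_NGINX_SERVER_NAME` placeholder is presumably already replaced at container start by the `envsubst` list that entrypoint.sh extends in this commit, so an empty value leaves `set $dynamic_server_name ;`, which nginx rejects as an invalid number of arguments, while a non-empty value is never applied. The defaulting belongs in entrypoint.sh before `envsubst`, e.g. `export MG_NGINX_SERVER_NAME="${MG_NGINX_SERVER_NAME:-localhost}"`, with both server blocks reduced to `server_name ${MG_NGINX_SERVER_NAME};`. Because both listeners are `default_server`, request routing is unaffected either way, but anything that reads `$server_name` still sees the unexpanded literal.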
From a85a7bcb31ec155d16467067d7c735ed52b4f708 Mon Sep 17 00:00:00 2001 From: Arvindh Date: Mon, 19 Feb 2024 20:37:09 +0530 Subject: [PATCH 24/40] update nginx Signed-off-by: Arvindh --- docker/README.md | 15 +++++++++++++++ docker/docker-compose.yml | 18 +++++++++++++----- 2 files changed, 28 insertions(+), 5 deletions(-) diff --git a/docker/README.md b/docker/README.md index 9361bcc0c8..44ab8138cb 100644 --- a/docker/README.md +++ b/docker/README.md @@ -117,3 +117,18 @@ services: volumes: - magistrala-broker-volume:/data ``` + +## Nginx Configuration + +Nginx is the entry point for all traffic to Magistrala. +By using environment variables file at `docker/.env` you can modify the below given Nginx directive. + +`MG_NGINX_SERVER_NAME` environmental variable is used to configure the `server_name` parameter in nginx, It's default value is `localhost`. + +`MG_NGINX_SERVER_CERT` environmental variable is used to configure nginx directive `ssl_certificate`. If environmental variable `MG_NGINX_SERVER_CERT` is empty then by default server certificate in the path `docker/ssl/certs/magistrala-server.crt` will be assigned. + +`MG_NGINX_SERVER_KEY` environmental variable is used to configure nginx directive `ssl_certificate_key`. If environmental variable `MG_NGINX_SERVER_KEY` is empty then by default server certificate key in the path `docker/ssl/certs/magistrala-server.key` will be assigned. + +`MG_NGINX_SERVER_CLIENT_CA` environmental variable is used to configure nginx directive `ssl_client_certificate`. If environmental variable `MG_NGINX_SERVER_CLIENT_CA` is empty then by default certificate in the path `docker/ssl/certs/ca.crt` will be assigned. + +`MG_NGINX_SERVER_DHPARAM` environmental variable is used to configure nginx directive `ssl_dhparam`. If environmental variable `MG_NGINX_SERVER_DHPARAM` is empty then by default file in the path `docker/ssl/dhparam.pem` will be assigned. 
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 2e501cd887..93781c863e 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -234,10 +234,18 @@ services:
 - ./nginx/entrypoint.sh:/docker-entrypoint.d/entrypoint.sh
 - ./nginx/snippets:/etc/nginx/snippets
 - ./ssl/authorization.js:/etc/nginx/authorization.js
- - ./ssl/certs/magistrala-server.crt:/etc/ssl/certs/magistrala-server.crt
- - ./ssl/certs/ca.crt:/etc/ssl/certs/ca.crt
- - ./ssl/certs/magistrala-server.key:/etc/ssl/private/magistrala-server.key
- - ./ssl/dhparam.pem:/etc/ssl/certs/dhparam.pem
+ - type: bind
+ source: ${MG_NGINX_SERVER_CERT:-./ssl/certs/magistrala-server.crt}
+ target: /etc/ssl/certs/magistrala-server.crt
+ - type: bind
+ source: ${MG_NGINX_SERVER_KEY:-./ssl/certs/magistrala-server.key}
+ target: /etc/ssl/private/magistrala-server.key
+ - type: bind
+ source: ${MG_NGINX_SERVER_CLIENT_CA:-./ssl/certs/ca.crt}
+ target: /etc/ssl/certs/ca.crt
+ - type: bind
+ source: ${MG_NGINX_SERVER_DHPARAM:-./ssl/dhparam.pem}
+ target: /etc/ssl/certs/dhparam.pem
 ports:
 - ${MG_NGINX_HTTP_PORT}:${MG_NGINX_HTTP_PORT}
 - ${MG_NGINX_SSL_PORT}:${MG_NGINX_SSL_PORT}
@@ -716,7 +724,7 @@ services:
 MG_UI_DB_SSL_MODE: ${MG_UI_DB_SSL_MODE}
 MG_UI_DB_SSL_CERT: ${MG_UI_DB_SSL_CERT}
 MG_UI_DB_SSL_KEY: ${MG_UI_DB_SSL_KEY}
- MG_UI_DB_SSL_ROOT_CERT: ${MG_UI_DB_SSL_ROOT_CERT}
+ MG_UI_DB_SSL_ROOT_CERT: ${MG_UI_DB_SSL_ROOT_CERT}
 ports:
 - ${MG_UI_PORT}:${MG_UI_PORT}
 networks:
From cf718d6907880e331b590ddeeebb1c7f17cbbb3e Mon Sep 17 00:00:00 2001
From: Arvindh
Date: Mon, 19 Feb 2024 20:49:57 +0530
Subject: [PATCH 25/40] update certs readme
Signed-off-by: Arvindh
---
certs/README.md | 77 ++++++++++++++++++++++++++-----------------------
1 file changed, 41 insertions(+), 36 deletions(-)
diff --git a/certs/README.md b/certs/README.md
index d279b93650..2fd969dabb 100644
--- a/certs/README.md
+++ b/certs/README.md
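Review bot: The four new long-syntax bind mounts default to read-write, so the nginx container can modify the host's server certificate, private key, client CA and dhparam files even though it only reads them; each entry should carry `read_only: true` next to its `target:`. Bind mounts also keep the host file's ownership and mode, so the private key at `${MG_NGINX_SERVER_KEY:-./ssl/certs/magistrala-server.key}` is only as protected inside the container as it is on the host. The `:-` form falls back on both an unset and an empty variable, which matches what the README in this commit states for these four settings.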
@@ -30,38 +30,41 @@ curl -s -S -X DELETE http://localhost:9019/certs/revoke -H "Authorization: Beare The service is configured using the environment variables presented in the following table. Note that any unset variables will be replaced with their default values. -| Variable | Description | Default | -| ------------------------- | --------------------------------------------------------------------------- | ----------------------------------- | -| MG_CERTS_LOG_LEVEL | Log level for the Certs (debug, info, warn, error) | info | -| MG_CERTS_HTTP_HOST | Service Certs host | "" | -| MG_CERTS_HTTP_PORT | Service Certs port | 9019 | -| MG_CERTS_HTTP_SERVER_CERT | Path to the PEM encoded server certificate file | "" | -| MG_CERTS_HTTP_SERVER_KEY | Path to the PEM encoded server key file | "" | -| MG_AUTH_GRPC_URL | Auth service gRPC URL | | -| MG_AUTH_GRPC_TIMEOUT | Auth service gRPC request timeout in seconds | 1s | -| MG_AUTH_GRPC_CLIENT_CERT | Path to the PEM encoded auth service gRPC client certificate file | "" | -| MG_AUTH_GRPC_CLIENT_KEY | Path to the PEM encoded auth service gRPC client key file | "" | -| MG_AUTH_GRPC_SERVER_CERTS | Path to the PEM encoded auth server gRPC server trusted CA certificate file | "" | -| MG_CERTS_SIGN_CA_PATH | Path to the PEM encoded CA certificate file | ca.crt | -| MG_CERTS_SIGN_CA_KEY_PATH | Path to the PEM encoded CA key file | ca.key | -| MG_CERTS_VAULT_HOST | Vault host | "" | -| MG_VAULT_PKI_INT_PATH | Vault PKI intermediate path | pki_int | -| MG_VAULT_CA_ROLE_NAME | Vault PKI role name | magistrala | -| MG_VAULT_TOKEN | Vault token | "" | -| MG_CERTS_DB_HOST | Database host | localhost | -| MG_CERTS_DB_PORT | Database port | 5432 | -| MG_CERTS_DB_PASS | Database password | magistrala | -| MG_CERTS_DB_USER | Database user | magistrala | -| MG_CERTS_DB_NAME | Database name | certs | -| MG_CERTS_DB_SSL_MODE | Database SSL mode | disable | -| MG_CERTS_DB_SSL_CERT | Database SSL certificate | "" | -| MG_CERTS_DB_SSL_KEY | 
Database SSL key | "" | -| MG_CERTS_DB_SSL_ROOT_CERT | Database SSL root certificate | "" | -| MG_THINGS_URL | Things service URL | | -| MG_JAEGER_URL | Jaeger server URL | | -| MG_JAEGER_TRACE_RATIO | Jaeger sampling ratio | 1.0 | -| MG_SEND_TELEMETRY | Send telemetry to magistrala call home server | true | -| MG_CERTS_INSTANCE_ID | Service instance ID | "" | + +| Variable | Description | Default | +| :------------------------------- | --------------------------------------------------------------------------- | ------------------------------------------------------------------------ | +| MG_CERTS_LOG_LEVEL | Log level for the Certs (debug, info, warn, error) | info | +| MG_CERTS_HTTP_HOST | Service Certs host | "" | +| MG_CERTS_HTTP_PORT | Service Certs port | 9019 | +| MG_CERTS_HTTP_SERVER_CERT | Path to the PEM encoded server certificate file | "" | +| MG_CERTS_HTTP_SERVER_KEY | Path to the PEM encoded server key file | "" | +| MG_AUTH_GRPC_URL | Auth service gRPC URL | [localhost:8181](localhost:8181) | +| MG_AUTH_GRPC_TIMEOUT | Auth service gRPC request timeout in seconds | 1s | +| MG_AUTH_GRPC_CLIENT_CERT | Path to the PEM encoded auth service gRPC client certificate file | "" | +| MG_AUTH_GRPC_CLIENT_KEY | Path to the PEM encoded auth service gRPC client key file | "" | +| MG_AUTH_GRPC_SERVER_CERTS | Path to the PEM encoded auth server gRPC server trusted CA certificate file | "" | +| MG_CERTS_SIGN_CA_PATH | Path to the PEM encoded CA certificate file | ca.crt | +| MG_CERTS_SIGN_CA_KEY_PATH | Path to the PEM encoded CA key file | ca.key | +| MG_CERTS_VAULT_HOST | Vault host | http://vault:8200 | +| MG_CERTS_VAULT_NAMESPACE | Vault namespace in which pki is present | magistrala | +| MG_CERTS_VAULT_APPROLE_ROLEID | Vault AppRole auth RoleID | magistrala | +| MG_CERTS_VAULT_APPROLE_SECRET | Vault AppRole auth Secret | magistrala | +| MG_CERTS_VAULT_PKI_INT_PATH | Vault intermediate PKI path | pki_int | +| MG_CERTS_VAULT_PKI_INT_ROLE_NAME | Vault Intermediate 
PKI Things certificate issue role | magistrala_things_certs | +| MG_CERTS_DB_HOST | Database host | localhost | +| MG_CERTS_DB_PORT | Database port | 5432 | +| MG_CERTS_DB_PASS | Database password | magistrala | +| MG_CERTS_DB_USER | Database user | magistrala | +| MG_CERTS_DB_NAME | Database name | certs | +| MG_CERTS_DB_SSL_MODE | Database SSL mode | disable | +| MG_CERTS_DB_SSL_CERT | Database SSL certificate | "" | +| MG_CERTS_DB_SSL_KEY | Database SSL key | "" | +| MG_CERTS_DB_SSL_ROOT_CERT | Database SSL root certificate | "" | +| MG_THINGS_URL | Things service URL | [localhost:9000](localhost:9000) | +| MG_JAEGER_URL | Jaeger server URL | [http://localhost:14268/api/traces](http://localhost:14268/api/traces) | +| MG_JAEGER_TRACE_RATIO | Jaeger sampling ratio | 1.0 | +| MG_SEND_TELEMETRY | Send telemetry to magistrala call home server | true | +| MG_CERTS_INSTANCE_ID | Service instance ID | "" | ## Deployment @@ -95,10 +98,12 @@ MG_AUTH_GRPC_CLIENT_KEY="" \ MG_AUTH_GRPC_SERVER_CERTS="" \ MG_CERTS_SIGN_CA_PATH=ca.crt \ MG_CERTS_SIGN_CA_KEY_PATH=ca.key \ -MG_CERTS_VAULT_HOST="" \ -MG_VAULT_PKI_INT_PATH=pki_int \ -MG_VAULT_CA_ROLE_NAME=magistrala \ -MG_VAULT_TOKEN="" \ +MG_CERTS_VAULT_HOST=http://vault:8200 \ +MG_CERTS_VAULT_NAMESPACE=magistrala \ +MG_CERTS_VAULT_APPROLE_ROLEID=magistrala \ +MG_CERTS_VAULT_APPROLE_SECRET=magistrala \ +MG_CERTS_VAULT_PKI_INT_PATH=pki_int \ +MG_CERTS_VAULT_PKI_INT_ROLE_NAME=magistrala_things_certs \ MG_CERTS_DB_HOST=localhost \ MG_CERTS_DB_PORT=5432 \ MG_CERTS_DB_PASS=magistrala \ From 4b7d4fe44846782f3d169f9602fb9da3a2c387ab Mon Sep 17 00:00:00 2001 From: Arvindh Date: Mon, 19 Feb 2024 21:07:47 +0530 Subject: [PATCH 26/40] update vault scripts 
Signed-off-by: Arvindh --- docker/addons/vault/README.md | 21 ++++++++++++-------- docker/addons/vault/vault-certs-copy.sh | 26 +++++++++++++++++++++++++ docker/addons/vault/vault-set-pki.sh | 8 -------- 3 files changed, 39 insertions(+), 16 deletions(-) create mode 100755 docker/addons/vault/vault-certs-copy.sh diff --git a/docker/addons/vault/README.md b/docker/addons/vault/README.md index 23f1334c1d..76e13b4ee2 100644 --- a/docker/addons/vault/README.md +++ b/docker/addons/vault/README.md @@ -8,7 +8,7 @@ When the Vault service is started, some initialization steps need to be done to | Variable | Description | Default | -| :---------------------------------------- | ------------------------------------------------------------------------------- | --------------------------------------- | +| :-------------------------------------- | ----------------------------------------------------------------------------- | ------------------------------------- | | MG_VAULT_HOST | Vault service address | vault | | MG_VAULT_PORT | Vault service port | 8200 | | MG_VAULT_ADDR | Vault Address | http://vault:8200 | @@ -16,7 +16,6 @@ When the Vault service is started, some initialization steps need to be done to | MG_VAULT_UNSEAL_KEY_2 | Vault unseal key | "" | | MG_VAULT_UNSEAL_KEY_3 | Vault unseal key | "" | | MG_VAULT_TOKEN | Vault cli access token | "" | -| | | | | MG_VAULT_PKI_PATH | Vault secrets engine path for Root CA | pki | | MG_VAULT_PKI_ROLE_NAME | Vault Root CA role name to issue intermediate CA | magistrala_int_ca | | MG_VAULT_PKI_FILE_NAME | Root CA Certificates name used by`vault-set-pki.sh` | mg_root | 
@@ -30,7 +29,6 @@ When the Vault service is started, some initialization steps need to be done to | MG_VAULT_PKI_CA_PO | Postal code used for Root CA creation by`vault-set-pki.sh` | 75007 | | MG_VAULT_PKI_CLUSTER_PATH | Vault Root CA Cluster Path | http://localhost | | MG_VAULT_PKI_CLUSTER_AIA_PATH | Vault Root CA Cluster AIA Path | http://localhost | -| | | | | MG_VAULT_PKI_INT_PATH | Vault secrets engine path for Intermediate CA | pki_int | | MG_VAULT_PKI_INT_SERVER_CERTS_ROLE_NAME | Vault Intermediate CA role name to issue server certificate | magistrala_server_certs | | MG_VAULT_PKI_INT_THINGS_CERTS_ROLE_NAME | Vault Intermediate CA role name to issue Things certificates | magistrala_things_certs | @@ -45,7 +43,6 @@ When the Vault service is started, some initialization steps need to be done to | MG_VAULT_PKI_INT_CA_PO | Postal code used for Intermediate CA creation by`vault-set-pki.sh` | 75007 | | MG_VAULT_PKI_INT_CLUSTER_PATH | Vault Intermediate CA Cluster Path | http://localhost | | MG_VAULT_PKI_INT_CLUSTER_AIA_PATH | Vault Intermediate CA Cluster AIA Path | http://localhost | -| | | | | MG_VAULT_THINGS_CERTS_ISSUER_ROLEID | Vault Intermediate CA Things Certificate issuer AppRole authentication RoleID | magistrala | | MG_VAULT_THINGS_CERTS_ISSUER_SECRET | Vault Intermediate CA Things Certificate issuer AppRole authentication Secret | magistrala | @@ -61,7 +58,7 @@ a `docker/addons/vault/data/secrets` file which contains the Vault unseal keys a After this step, the corresponding Vault environment variables (`MG_VAULT_TOKEN`, `MG_VAULT_UNSEAL_KEY_1`, `MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3`) should be updated in `.env` file. -Example contents for `docker/addons/vault/data/secrets`: +Example contents for `data/secrets`: ```bash Unseal Key 1: Ay0YZecYJ2HVtNtXfPootXK5LtF+JZoDmBb7IbbYdLBI 
@@ -101,11 +98,15 @@ starting the container. 3. `vault-set-pki.sh` This script is used to generate the root certificate, intermediate certificate and HTTPS server certificate. -After it runs, it copies the necessary certificates and keys to the `docker/ssl/certs` folder. -The parameters required for generating certificate are obtained from the environment variables which are loaded from `docker/.env`. Environmental variables starting with `MG_VAULT_PKI` in `docker/.env` file are used by `vault-set-pki.sh` to generateissu root CA. Environmental variables starting with`MG_VAULT_PKI_INT`in`docker/.env` file are used by `vault-set-pki.sh` to generate intermediate CA +All generate certificates, keys and CSR by `vault-set-pki.sh` will be present at `docker/addons/vault/data` + +The parameters required for generating certificate are obtained from the environment variables which are loaded from `docker/.env`. + +Environmental variables starting with `MG_VAULT_PKI` in `docker/.env` file are used by `vault-set-pki.sh` to generate root CA. + +Environmental variables starting with`MG_VAULT_PKI_INT` in `docker/.env` file are used by `vault-set-pki.sh` to generate intermediate CA -A copy of all generate certificates, keys and CSR by `vault-set-pki.sh` will present at `docker/addons/vault/data/secrets` 4. `vault-create-approle.sh` @@ -113,6 +114,10 @@ This script is used to enable app role authorization in Vault. Certs service use `vault-create-approle` script by default tries to enable auth approle. If approle is already enabled in vault, then use args `skip_enable_app_role` to skip enable auth approle step, `vault-create-approle.sh skip_enable_app_role` +5. `vault-certs-copy.sh` + +This scripts copies the necessary certificates and keys from `docker/addons/vault/data` to the `docker/ssl/certs` folder. + ## Vault CLI It can also be useful to run the Vault CLI for inspection and administration work. 
diff --git a/docker/addons/vault/vault-certs-copy.sh b/docker/addons/vault/vault-certs-copy.sh
new file mode 100755
index 0000000000..b2a8ded282
--- /dev/null
+++ b/docker/addons/vault/vault-certs-copy.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/bash
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+set -euo pipefail
+
+scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+export MAGISTRALA_DIR=$scriptdir/../../../
+
+cd $scriptdir
+
+readDotEnv() {
+ set -o allexport
+ source $MAGISTRALA_DIR/docker/.env
+ set +o allexport
+}
+
+readDotEnv
+
+echo "Copying certificate files"
+cp -v data/${MG_NGINX_SERVER_NAME}.crt ${MAGISTRALA_DIR}/docker/ssl/certs/magistrala-server.crt
+cp -v data/${MG_NGINX_SERVER_NAME}.key ${MAGISTRALA_DIR}/docker/ssl/certs/magistrala-server.key
+cp -v data/${MG_VAULT_PKI_INT_FILE_NAME}.key ${MAGISTRALA_DIR}/docker/ssl/certs/ca.key
+cp -v data/${MG_VAULT_PKI_INT_FILE_NAME}_bundle.crt ${MAGISTRALA_DIR}/docker/ssl/certs/ca.crt
+
+exit 0
diff --git a/docker/addons/vault/vault-set-pki.sh b/docker/addons/vault/vault-set-pki.sh
index 4049912668..49fef753e9 100755
--- a/docker/addons/vault/vault-set-pki.sh
+++ b/docker/addons/vault/vault-set-pki.sh
@@ -194,12 +194,4 @@ vaultGenerateServerCertificate
 vaultSetupThingCertsRole
 vaultCleanupFiles
-echo "Copying certificate files"
-mkdir -p ${MAGISTRALA_DIR}/docker/vault/certs
-
-cp -v data/${MG_NGINX_SERVER_NAME}.crt ${MAGISTRALA_DIR}/docker/ssl/certs/magistrala-server.crt
-cp -v data/${MG_NGINX_SERVER_NAME}.key ${MAGISTRALA_DIR}/docker/ssl/certs/magistrala-server.key
-cp -v data/${MG_VAULT_PKI_INT_FILE_NAME}.key ${MAGISTRALA_DIR}/docker/ssl/certs/ca.key
-cp -v data/${MG_VAULT_PKI_INT_FILE_NAME}_bundle.crt ${MAGISTRALA_DIR}/docker/ssl/certs/ca.crt
-
 exit 0
From 38a93ee2d41468bff1bf057e1a61e8baa3ae8296 Mon Sep 17 00:00:00 2001
From: Arvindh
Date: Mon, 19 Feb 2024 21:17:41 +0530
Subject: [PATCH 27/40] update certs env vars
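Review bot: The two `.key` copies in the new vault-certs-copy.sh use plain `cp -v`, which keeps whatever mode the `data/*.key` files got from the earlier `jq … > data/….key` redirections in vault-set-pki.sh (umask-dependent, commonly 0644), so the server key and the intermediate CA key land in `docker/ssl/certs` readable by every local user; `install -m 600 -- "data/${MG_NGINX_SERVER_NAME}.key" "${MAGISTRALA_DIR}/docker/ssl/certs/magistrala-server.key"` (and the same for `ca.key`) keeps them private. `cd $scriptdir` and `source $MAGISTRALA_DIR/docker/.env` are unquoted and break on a checkout path containing spaces, unlike the quoted `scriptdir=` assignment above them; `cd "$scriptdir"` and `source "$MAGISTRALA_DIR/docker/.env"` fix that, and `--` before the `cp` operands guards against a value starting with `-`. `readDotEnv` with `allexport` also exports every `.env` value, including `MG_VAULT_TOKEN` and the unseal keys, into the environment of each `cp` child; harmless here, but a one-line comment stating that the script only needs `MG_NGINX_SERVER_NAME`, `MG_VAULT_PKI_INT_FILE_NAME` and `MAGISTRALA_DIR` would make the intent clear.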
Signed-off-by: Arvindh --- certs/README.md | 72 +++++++++++++++++++++++------------------------ cmd/certs/main.go | 4 +-- docker/.env | 4 +-- 3 files changed, 40 insertions(+), 40 deletions(-) diff --git a/certs/README.md b/certs/README.md index 2fd969dabb..ad89e581c2 100644 --- a/certs/README.md +++ b/certs/README.md 
@@ -31,40 +31,40 @@ curl -s -S -X DELETE http://localhost:9019/certs/revoke -H "Authorization: Beare The service is configured using the environment variables presented in the following table. Note that any unset variables will be replaced with their default values. -| Variable | Description | Default | -| :------------------------------- | --------------------------------------------------------------------------- | ------------------------------------------------------------------------ | -| MG_CERTS_LOG_LEVEL | Log level for the Certs (debug, info, warn, error) | info | -| MG_CERTS_HTTP_HOST | Service Certs host | "" | -| MG_CERTS_HTTP_PORT | Service Certs port | 9019 | -| MG_CERTS_HTTP_SERVER_CERT | Path to the PEM encoded server certificate file | "" | -| MG_CERTS_HTTP_SERVER_KEY | Path to the PEM encoded server key file | "" | -| MG_AUTH_GRPC_URL | Auth service gRPC URL | [localhost:8181](localhost:8181) | -| MG_AUTH_GRPC_TIMEOUT | Auth service gRPC request timeout in seconds | 1s | -| MG_AUTH_GRPC_CLIENT_CERT | Path to the PEM encoded auth service gRPC client certificate file | "" | -| MG_AUTH_GRPC_CLIENT_KEY | Path to the PEM encoded auth service gRPC client key file | "" | -| MG_AUTH_GRPC_SERVER_CERTS | Path to the PEM encoded auth server gRPC server trusted CA certificate file | "" | -| MG_CERTS_SIGN_CA_PATH | Path to the PEM encoded CA certificate file | ca.crt | -| MG_CERTS_SIGN_CA_KEY_PATH | Path to the PEM encoded CA key file | ca.key | -| MG_CERTS_VAULT_HOST | Vault host | http://vault:8200 | -| MG_CERTS_VAULT_NAMESPACE | Vault namespace in which pki is present | magistrala | -| MG_CERTS_VAULT_APPROLE_ROLEID | Vault AppRole auth RoleID | magistrala | -| MG_CERTS_VAULT_APPROLE_SECRET | Vault AppRole auth Secret | magistrala | -| MG_CERTS_VAULT_PKI_INT_PATH | Vault intermediate PKI path | pki_int | -| MG_CERTS_VAULT_PKI_INT_ROLE_NAME | Vault Intermediate PKI Things certificate issue role | magistrala_things_certs | -| MG_CERTS_DB_HOST | Database host | 
localhost | -| MG_CERTS_DB_PORT | Database port | 5432 | -| MG_CERTS_DB_PASS | Database password | magistrala | -| MG_CERTS_DB_USER | Database user | magistrala | -| MG_CERTS_DB_NAME | Database name | certs | -| MG_CERTS_DB_SSL_MODE | Database SSL mode | disable | -| MG_CERTS_DB_SSL_CERT | Database SSL certificate | "" | -| MG_CERTS_DB_SSL_KEY | Database SSL key | "" | -| MG_CERTS_DB_SSL_ROOT_CERT | Database SSL root certificate | "" | -| MG_THINGS_URL | Things service URL | [localhost:9000](localhost:9000) | -| MG_JAEGER_URL | Jaeger server URL | [http://localhost:14268/api/traces](http://localhost:14268/api/traces) | -| MG_JAEGER_TRACE_RATIO | Jaeger sampling ratio | 1.0 | -| MG_SEND_TELEMETRY | Send telemetry to magistrala call home server | true | -| MG_CERTS_INSTANCE_ID | Service instance ID | "" | +| Variable | Description | Default | +| :---------------------------------------- | --------------------------------------------------------------------------- | ---------------------------------------------------------------------- | +| MG_CERTS_LOG_LEVEL | Log level for the Certs (debug, info, warn, error) | info | +| MG_CERTS_HTTP_HOST | Service Certs host | "" | +| MG_CERTS_HTTP_PORT | Service Certs port | 9019 | +| MG_CERTS_HTTP_SERVER_CERT | Path to the PEM encoded server certificate file | "" | +| MG_CERTS_HTTP_SERVER_KEY | Path to the PEM encoded server key file | "" | +| MG_AUTH_GRPC_URL | Auth service gRPC URL | [localhost:8181](localhost:8181) | +| MG_AUTH_GRPC_TIMEOUT | Auth service gRPC request timeout in seconds | 1s | +| MG_AUTH_GRPC_CLIENT_CERT | Path to the PEM encoded auth service gRPC client certificate file | "" | +| MG_AUTH_GRPC_CLIENT_KEY | Path to the PEM encoded auth service gRPC client key file | "" | +| MG_AUTH_GRPC_SERVER_CERTS | Path to the PEM encoded auth server gRPC server trusted CA certificate file | "" | +| MG_CERTS_SIGN_CA_PATH | Path to the PEM encoded CA certificate file | ca.crt | +| MG_CERTS_SIGN_CA_KEY_PATH | Path to the PEM 
encoded CA key file | ca.key | +| MG_CERTS_VAULT_HOST | Vault host | http://vault:8200 | +| MG_CERTS_VAULT_NAMESPACE | Vault namespace in which pki is present | magistrala | +| MG_CERTS_VAULT_APPROLE_ROLEID | Vault AppRole auth RoleID | magistrala | +| MG_CERTS_VAULT_APPROLE_SECRET | Vault AppRole auth Secret | magistrala | +| MG_CERTS_VAULT_THINGS_CERTS_PKI_PATH | Vault PKI path for issuing Things Certificates | pki_int | +| MG_CERTS_VAULT_THINGS_CERTS_PKI_ROLE_NAME | Vault PKI Role Name for issuing Things Certificates | magistrala_things_certs | +| MG_CERTS_DB_HOST | Database host | localhost | +| MG_CERTS_DB_PORT | Database port | 5432 | +| MG_CERTS_DB_PASS | Database password | magistrala | +| MG_CERTS_DB_USER | Database user | magistrala | +| MG_CERTS_DB_NAME | Database name | certs | +| MG_CERTS_DB_SSL_MODE | Database SSL mode | disable | +| MG_CERTS_DB_SSL_CERT | Database SSL certificate | "" | +| MG_CERTS_DB_SSL_KEY | Database SSL key | "" | +| MG_CERTS_DB_SSL_ROOT_CERT | Database SSL root certificate | "" | +| MG_THINGS_URL | Things service URL | [localhost:9000](localhost:9000) | +| MG_JAEGER_URL | Jaeger server URL | [http://localhost:14268/api/traces](http://localhost:14268/api/traces) | +| MG_JAEGER_TRACE_RATIO | Jaeger sampling ratio | 1.0 | +| MG_SEND_TELEMETRY | Send telemetry to magistrala call home server | true | +| MG_CERTS_INSTANCE_ID | Service instance ID | "" | ## Deployment @@ -102,8 +102,8 @@ MG_CERTS_VAULT_HOST=http://vault:8200 \ MG_CERTS_VAULT_NAMESPACE=magistrala \ MG_CERTS_VAULT_APPROLE_ROLEID=magistrala \ MG_CERTS_VAULT_APPROLE_SECRET=magistrala \ -MG_CERTS_VAULT_PKI_INT_PATH=pki_int \ -MG_CERTS_VAULT_PKI_INT_ROLE_NAME=magistrala_things_certs \ +MG_CERTS_VAULT_THINGS_CERTS_PKI_PATH=pki_int \ +MG_CERTS_VAULT_THINGS_CERTS_PKI_ROLE_NAME=magistrala_things_certs \ MG_CERTS_DB_HOST=localhost \ MG_CERTS_DB_PORT=5432 \ MG_CERTS_DB_PASS=magistrala \ diff --git a/cmd/certs/main.go b/cmd/certs/main.go index 91bc1f7e02..0d0237acfe 100644 
--- a/cmd/certs/main.go +++ b/cmd/certs/main.go @@ -61,8 +61,8 @@ type config struct { PkiAppRoleID string `env:"MG_CERTS_VAULT_APPROLE_ROLEID" envDefault:""` PkiAppSecret string `env:"MG_CERTS_VAULT_APPROLE_SECRET" envDefault:""` PkiNamespace string `env:"MG_CERTS_VAULT_NAMESPACE" envDefault:""` - PkiPath string `env:"MG_CERTS_VAULT_PKI_INT_PATH" envDefault:"pki_int"` - PkiRole string `env:"MG_CERTS_VAULT_PKI_INT_ROLE_NAME" envDefault:"magistrala"` + PkiPath string `env:"MG_CERTS_VAULT_THINGS_CERTS_PKI_PATH" envDefault:"pki_int"` + PkiRole string `env:"MG_CERTS_VAULT_THINGS_CERTS_PKI_ROLE_NAME" envDefault:"magistrala"` } func main() { diff --git a/docker/.env b/docker/.env index b74dc1e266..0ba77b103d 100644 --- a/docker/.env +++ b/docker/.env @@ -362,8 +362,8 @@ MG_CERTS_VAULT_HOST=${MG_VAULT_ADDR} MG_CERTS_VAULT_NAMESPACE=${MG_VAULT_NAMESPACE} MG_CERTS_VAULT_APPROLE_ROLEID=${MG_VAULT_THINGS_CERTS_ISSUER_ROLEID} MG_CERTS_VAULT_APPROLE_SECRET=${MG_VAULT_THINGS_CERTS_ISSUER_SECRET} -MG_CERTS_VAULT_PKI_INT_PATH=${MG_VAULT_PKI_INT_PATH} -MG_CERTS_VAULT_PKI_INT_ROLE_NAME=${MG_VAULT_PKI_INT_THINGS_CERTS_ROLE_NAME} +MG_CERTS_VAULT_THINGS_CERTS_PKI_PATH=${MG_VAULT_PKI_INT_PATH} +MG_CERTS_VAULT_THINGS_CERTS_PKI_ROLE_NAME=${MG_VAULT_PKI_INT_THINGS_CERTS_ROLE_NAME} MG_CERTS_HTTP_HOST=certs MG_CERTS_HTTP_PORT=9019 MG_CERTS_HTTP_SERVER_CERT= From d64284546710dd8c9c0c246a595103dc764447dc Mon Sep 17 00:00:00 2001 From: Arvindh Date: Mon, 19 Feb 2024 21:19:57 +0530 Subject: [PATCH 28/40] fix add new line gitignore Signed-off-by: Arvindh --- docker/addons/vault/.gitignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/addons/vault/.gitignore b/docker/addons/vault/.gitignore index acabadec87..4f14d396c2 100644 --- a/docker/addons/vault/.gitignore +++ b/docker/addons/vault/.gitignore @@ -2,4 +2,4 @@ # SPDX-License-Identifier: Apache-2.0 data -magistrala_things_certs_issue.hcl \ No newline at end of file +magistrala_things_certs_issue.hcl 
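Review bot: `PkiRole` keeps `envDefault:"magistrala"` while the certs/README.md table updated in this same commit documents the default of `MG_CERTS_VAULT_THINGS_CERTS_PKI_ROLE_NAME` as `magistrala_things_certs`, and docker/.env wires it to `MG_VAULT_PKI_INT_THINGS_CERTS_ROLE_NAME`; one of the two should change, e.g. `envDefault:"magistrala_things_certs"`, so a deployment that omits the variable does not presumably request a Vault role that the PKI setup script never created. The `config` struct starts before this hunk.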
From 16617c53bc09d8ced15a72de3ba98997d865f202 Mon Sep 17 00:00:00 2001 From: Arvindh Date: Mon, 19 Feb 2024 21:20:17 +0530 Subject: [PATCH 29/40] fix vault readme Signed-off-by: Arvindh --- docker/addons/vault/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/addons/vault/README.md b/docker/addons/vault/README.md index 76e13b4ee2..279a8e90ad 100644 --- a/docker/addons/vault/README.md +++ b/docker/addons/vault/README.md @@ -1,4 +1,4 @@ -# # Vault +# Vault This is Vault service deployment to be used with Magistrala. From 3c777c4aae5a136345298a2dd849ba1e01f6869a Mon Sep 17 00:00:00 2001 From: Arvindh Date: Mon, 19 Feb 2024 21:20:37 +0530 Subject: [PATCH 30/40] fix vault readme Signed-off-by: Arvindh --- docker/addons/vault/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docker/addons/vault/README.md b/docker/addons/vault/README.md index 279a8e90ad..4e14aa653c 100644 --- a/docker/addons/vault/README.md +++ b/docker/addons/vault/README.md @@ -6,7 +6,6 @@ When the Vault service is started, some initialization steps need to be done to ## Configuration - | Variable | Description | Default | | :-------------------------------------- | ----------------------------------------------------------------------------- | ------------------------------------- | | MG_VAULT_HOST | Vault service address | vault | From 5650ae7c262f3d55ef013222e1a798230f6c1182 Mon Sep 17 00:00:00 2001 From: Arvindh Date: Mon, 19 Feb 2024 22:43:20 +0530 Subject: [PATCH 31/40] fix certs compose & vault script Signed-off-by: Arvindh --- docker/addons/certs/docker-compose.yml | 4 +- docker/addons/vault/README.md | 49 +++++++++++---------- docker/addons/vault/vault-create-approle.sh | 2 +- docker/addons/vault/vault-env-copy.sh | 21 +++++++++ docker/addons/vault/vault-init.sh | 8 ---- 5 files changed, 49 insertions(+), 35 deletions(-) create mode 100755 docker/addons/vault/vault-env-copy.sh 
diff --git a/docker/addons/certs/docker-compose.yml b/docker/addons/certs/docker-compose.yml index 7d25026189..41b9661161 100644 --- a/docker/addons/certs/docker-compose.yml +++ b/docker/addons/certs/docker-compose.yml @@ -47,8 +47,8 @@ services: MG_CERTS_VAULT_NAMESPACE: ${MG_CERTS_VAULT_NAMESPACE} MG_CERTS_VAULT_APPROLE_ROLEID: ${MG_CERTS_VAULT_APPROLE_ROLEID} MG_CERTS_VAULT_APPROLE_SECRET: ${MG_CERTS_VAULT_APPROLE_SECRET} - MG_CERTS_VAULT_PKI_INT_PATH: ${MG_CERTS_VAULT_PKI_INT_PATH} - MG_CERTS_VAULT_PKI_INT_ROLE_NAME: ${MG_CERTS_VAULT_PKI_INT_ROLE_NAME} + MG_CERTS_VAULT_THINGS_CERTS_PKI_PATH: ${MG_CERTS_VAULT_THINGS_CERTS_PKI_PATH} + MG_CERTS_VAULT_THINGS_CERTS_PKI_ROLE_NAME: ${MG_CERTS_VAULT_THINGS_CERTS_PKI_ROLE_NAME} MG_CERTS_HTTP_HOST: ${MG_CERTS_HTTP_HOST} MG_CERTS_HTTP_PORT: ${MG_CERTS_HTTP_PORT} MG_CERTS_HTTP_SERVER_CERT: ${MG_CERTS_HTTP_SERVER_CERT} diff --git a/docker/addons/vault/README.md b/docker/addons/vault/README.md index 4e14aa653c..d0085906af 100644 --- a/docker/addons/vault/README.md +++ b/docker/addons/vault/README.md @@ -6,8 +6,9 @@ When the Vault service is started, some initialization steps need to be done to ## Configuration + | Variable | Description | Default | -| :-------------------------------------- | ----------------------------------------------------------------------------- | ------------------------------------- | +| :---------------------------------------- | ------------------------------------------------------------------------------- | --------------------------------------- | | MG_VAULT_HOST | Vault service address | vault | | MG_VAULT_PORT | Vault service port | 8200 | | MG_VAULT_ADDR | Vault Address | http://vault:8200 | 
@@ -49,13 +50,9 @@ When the Vault service is started, some initialization steps need to be done to The following scripts are provided, which work on the running Vault service in Docker. -1. `vault-init.sh` - -Calls `vault operator init` to perform the initial vault initialization and generates -a `docker/addons/vault/data/secrets` file which contains the Vault unseal keys and root tokens. +### 1. `vault-init.sh` -After this step, the corresponding Vault environment variables (`MG_VAULT_TOKEN`, `MG_VAULT_UNSEAL_KEY_1`, -`MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3`) should be updated in `.env` file. +Calls `vault operator init` to perform the initial vault initialization and generates a `docker/addons/vault/data/secrets` file which contains the Vault unseal keys and root tokens. Example contents for `data/secrets`: 
@@ -83,37 +80,41 @@ bash-4.4 Use 3 out of five keys presented and put it into .env file and than start the composition again Vault should be in unsealed state ( take a note that this is not recommended in terms of security, this is deployment for development) A real production deployment can use Vault auto unseal mode where vault gets unseal keys from some 3rd party KMS ( on AWS for example) ``` -2. `vault-unseal.sh` +### 2. `vault-env-copy.sh` -This can be run after the initialization to unseal Vault, which is necessary for it to be used to store and/or get secrets. -This can be used if you don't want to restart the service. +After first step, the corresponding Vault environment variables (`MG_VAULT_TOKEN`, `MG_VAULT_UNSEAL_KEY_1`, `MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3`) should be updated in `.env` file. -The unseal environment variables need to be set in `.env` for the script to work (`MG_VAULT_TOKEN`, `MG_VAULT_UNSEAL_KEY_1`, -`MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3`). +`vault-env-copy.sh` scripts copies values from `docker/addons/vault/data/secrets` file and update environmental variables `MG_VAULT_TOKEN`, `MG_VAULT_UNSEAL_KEY_1`, `MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3` present in `.env` file. -This script should not be necessary to run after the initial setup, since the Vault service unseals itself when -starting the container. +### 3. `vault-unseal.sh` -3. `vault-set-pki.sh` +This can be run after the initialization to unseal Vault, which is necessary for it to be used to store and/or get secrets. + +This can be used if you don't want to restart the service. -This script is used to generate the root certificate, intermediate certificate and HTTPS server certificate. +The unseal environment variables need to be set in `.env` for the script to work (`MG_VAULT_TOKEN`,`MG_VAULT_UNSEAL_KEY_1`, `MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3`). 
-All generate certificates, keys and CSR by `vault-set-pki.sh` will be present at `docker/addons/vault/data` +This script should not be necessary to run after the initial setup, since the Vault service unseals itself when starting the container. -The parameters required for generating certificate are obtained from the environment variables which are loaded from `docker/.env`. +### 4. `vault-set-pki.sh` -Environmental variables starting with `MG_VAULT_PKI` in `docker/.env` file are used by `vault-set-pki.sh` to generate root CA. +This script is used to generate the root certificate, intermediate certificate and HTTPS server certificate. +All generate certificates, keys and CSR by `vault-set-pki.sh` will be present at `docker/addons/vault/data`. -Environmental variables starting with`MG_VAULT_PKI_INT` in `docker/.env` file are used by `vault-set-pki.sh` to generate intermediate CA +The parameters required for generating certificate are obtained from the environment variables which are loaded from `docker/.env`. +Environmental variables starting with `MG_VAULT_PKI` in `docker/.env` file are used by `vault-set-pki.sh` to generate root CA. +Environmental variables starting with`MG_VAULT_PKI_INT` in `docker/.env` file are used by `vault-set-pki.sh` to generate intermediate CA. -4. `vault-create-approle.sh` +### 5. `vault-create-approle.sh` -This script is used to enable app role authorization in Vault. Certs service used the approle credentials to issue , revoke things certificate from vault intermedate CA. +This script is used to enable app role authorization in Vault. Certs service used the approle credentials to issue, revoke things certificate from vault intermedate CA. -`vault-create-approle` script by default tries to enable auth approle. If approle is already enabled in vault, then use args `skip_enable_app_role` to skip enable auth approle step, `vault-create-approle.sh skip_enable_app_role` +`vault-create-approle` script by default tries to enable auth approle. 
+If approle is already enabled in vault, then use args `skip_enable_app_role` to skip enable auth approle step. +To skip enable auth approle step use the following `vault-create-approle.sh skip_enable_app_role` -5. `vault-certs-copy.sh` +### 6. `vault-certs-copy.sh` This scripts copies the necessary certificates and keys from `docker/addons/vault/data` to the `docker/ssl/certs` folder. diff --git a/docker/addons/vault/vault-create-approle.sh b/docker/addons/vault/vault-create-approle.sh index 27cbf3b426..f8707833d5 100755 --- a/docker/addons/vault/vault-create-approle.sh +++ b/docker/addons/vault/vault-create-approle.sh @@ -36,7 +36,7 @@ vaultCreatePolicy() { vaultEnableAppRole() { if [ "$SKIP_ENABLE_APP_ROLE" == "skip_enable_app_role" ]; then echo "Skipping Enable AppRole" - elif + else echo "Enabling AppRole" vault auth enable -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} approle fi diff --git a/docker/addons/vault/vault-env-copy.sh b/docker/addons/vault/vault-env-copy.sh new file mode 100755 index 0000000000..c28e86121c --- /dev/null +++ b/docker/addons/vault/vault-env-copy.sh 
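Review bot: The `else` branch still runs `vault auth enable ... approle` unconditionally, so the script only succeeds on a re-run when the caller remembers the `skip_enable_app_role` argument; asking Vault instead removes that dependency. Replace the string comparison with `if vault auth list -format=json | jq -e '."approle/"' >/dev/null; then` (keeping the two echo lines as they are) — jq is already a hard requirement of this script per the `command -v jq` check that appears in a later patch of this series, though the `docker exec -it` wrapper may need `-t` dropped for clean JSON, as the ANSI-stripping sed in vault-init.sh suggests. While touching the enable line, the `${MG_VAULT_NAMESPACE}` and `${MG_VAULT_ADDR}` expansions should be double-quoted. vaultEnableAppRole is fully inside the hunk.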
@@ -0,0 +1,21 @@ +#!/usr/bin/bash +# Copyright (c) Abstract Machines +# SPDX-License-Identifier: Apache-2.0 + +set -euo pipefail + +scriptdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)" +export MAGISTRALA_DIR=$scriptdir/../../../ + +cd $scriptdir + +write_env() { + sed -i "s,MG_VAULT_UNSEAL_KEY_1=.*,MG_VAULT_UNSEAL_KEY_1=$(awk -F ": " '$1 == "Unseal Key 1" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env + sed -i "s,MG_VAULT_UNSEAL_KEY_2=.*,MG_VAULT_UNSEAL_KEY_2=$(awk -F ": " '$1 == "Unseal Key 2" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env + sed -i "s,MG_VAULT_UNSEAL_KEY_3=.*,MG_VAULT_UNSEAL_KEY_3=$(awk -F ": " '$1 == "Unseal Key 3" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env + sed -i "s,MG_VAULT_TOKEN=.*,MG_VAULT_TOKEN=$(awk -F ": " '$1 == "Initial Root Token" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env +} + + + +write_env diff --git a/docker/addons/vault/vault-init.sh b/docker/addons/vault/vault-init.sh index ab229fa0bd..e375cbc23a 100755 --- a/docker/addons/vault/vault-init.sh +++ b/docker/addons/vault/vault-init.sh @@ -9,12 +9,6 @@ export MAGISTRALA_DIR=$scriptdir/../../../ cd $scriptdir -write_env() { - sed -i "s,MG_VAULT_UNSEAL_KEY_1=.*,MG_VAULT_UNSEAL_KEY_1=$(awk -F ": " '$1 == "Unseal Key 1" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env - sed -i "s,MG_VAULT_UNSEAL_KEY_2=.*,MG_VAULT_UNSEAL_KEY_2=$(awk -F ": " '$1 == "Unseal Key 2" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env - sed -i "s,MG_VAULT_UNSEAL_KEY_3=.*,MG_VAULT_UNSEAL_KEY_3=$(awk -F ": " '$1 == "Unseal Key 3" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env - sed -i "s,MG_VAULT_TOKEN=.*,MG_VAULT_TOKEN=$(awk -F ": " '$1 == "Initial Root Token" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env -} vault() { docker exec -it magistrala-vault vault "$@" } @@ -22,5 +16,3 @@ vault() { mkdir -p data vault operator init 2>&1 | tee >(sed -r 's/\x1b\[[0-9;]*m//g' > data/secrets) - -write_env 
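Review bot: write_env silently blanks all four Vault variables when `data/secrets` is missing or lacks the expected lines, because each `$(awk …)` sits inside a sed argument where its exit status and empty output are ignored even under `set -euo pipefail`. The script should refuse to run without a readable secrets file and fail on an empty value before any `sed -i`, and the unquoted `cd $scriptdir` and `$MAGISTRALA_DIR/docker/.env` should be quoted. Note also that this writes the root token and unseal keys into `docker/.env`, a tracked file — which is how they ended up committed in patch 38 of this series — so a header comment such as `# Writes the Vault root token and unseal keys into docker/.env; never commit the result` and an ignored override file would make that harder to repeat. The rewrite below keeps the same four substitutions; values printed by `vault operator init` contain no `,`, `&` or `\`, so the sed delimiter remains safe for them.
```shell
# … unchanged: shebang, license header, set -euo pipefail, scriptdir …
export MAGISTRALA_DIR="$scriptdir/../../../"
cd "$scriptdir"

secrets_file="data/secrets"
env_file="$MAGISTRALA_DIR/docker/.env"

# Print the value for one label from `vault operator init` output; fail if absent.
read_secret() {
  local value
  value=$(awk -F ": " -v key="$1" '$1 == key {print $2}' "$secrets_file")
  [ -n "$value" ] || { printf 'no "%s" line in %s\n' "$1" "$secrets_file" >&2; return 1; }
  printf '%s' "$value"
}

# Replace NAME=... in .env with the value read for LABEL.
set_env() {
  local value
  value=$(read_secret "$2") || return 1
  sed -i "s,^$1=.*,$1=$value," "$env_file"
}

write_env() {
  [ -r "$secrets_file" ] || { printf '%s not found; run vault-init.sh first\n' "$secrets_file" >&2; return 1; }
  [ -w "$env_file" ] || { printf '%s is not writable\n' "$env_file" >&2; return 1; }
  set_env MG_VAULT_UNSEAL_KEY_1 "Unseal Key 1"
  set_env MG_VAULT_UNSEAL_KEY_2 "Unseal Key 2"
  set_env MG_VAULT_UNSEAL_KEY_3 "Unseal Key 3"
  set_env MG_VAULT_TOKEN "Initial Root Token"
}

write_env
```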
From f99ec6f7c0bf1100a60d51e41f153e64ec815d63 Mon Sep 17 00:00:00 2001 From: Arvindh Date: Mon, 19 Feb 2024 23:00:36 +0530 Subject: [PATCH 32/40] fix golangci-lint Signed-off-by: Arvindh --- certs/pki/vault.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/certs/pki/vault.go b/certs/pki/vault.go index 7877a80f08..c9ed27349b 100644 --- a/certs/pki/vault.go +++ b/certs/pki/vault.go @@ -193,7 +193,7 @@ func (p *pkiAgent) LoginAndRenew(ctx context.Context) error { p.logger.Info("pki login and renew function stopping") return nil default: - err := p.login() + err := p.login(ctx) if err != nil { p.logger.Info("unable to authenticate to Vault", slog.Any("error", err)) time.Sleep(5 * time.Second) @@ -208,7 +208,7 @@ func (p *pkiAgent) LoginAndRenew(ctx context.Context) error { } } -func (p *pkiAgent) login() error { +func (p *pkiAgent) login(ctx context.Context) error { secretID := &approle.SecretID{FromString: p.appSecret} authMethod, err := approle.NewAppRoleAuth( @@ -221,7 +221,7 @@ func (p *pkiAgent) login() error { if len(p.namespace) > 0 { p.client.SetNamespace(p.namespace) } - secret, err := p.client.Auth().Login(context.Background(), authMethod) + secret, err := p.client.Auth().Login(ctx, authMethod) if err != nil { return errors.Wrap(errFailedToLogin, err) } From 0d53381182aab439f85b39d637c42f76755f0a86 Mon Sep 17 00:00:00 2001 From: Arvindh Date: Mon, 19 Feb 2024 23:04:44 +0530 Subject: [PATCH 33/40] fix golangci-lint Signed-off-by: Arvindh --- certs/pki/vault.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/certs/pki/vault.go b/certs/pki/vault.go index c9ed27349b..91f4617c0a 100644 --- a/certs/pki/vault.go +++ b/certs/pki/vault.go @@ -100,7 +100,7 @@ func NewVaultClient(appRole, appSecret, host, namespace, path, role string, logg if err != nil { return nil, err } - if len(namespace) > 0 { + if namespace != "" { client.SetNamespace(namespace) } 
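Review bot: Threading ctx into login is right, but the retry path in LoginAndRenew still blocks in `time.Sleep(5 * time.Second)` after a failed login, so a cancelled context is only noticed on the next pass through the select rather than immediately. Replace the sleep with a context-aware wait, `select { case <-ctx.Done(): return ctx.Err(); case <-time.After(5 * time.Second): }`, so shutdown is not delayed by the backoff. LoginAndRenew's loop body continues outside the hunk, so whatever follows the sleep should be checked to still behave the same.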
@@ -218,7 +218,7 @@ func (p *pkiAgent) login(ctx context.Context) error { if err != nil { return errors.Wrap(errFailedAppRole, err) } - if len(p.namespace) > 0 { + if p.namespace != "" { p.client.SetNamespace(p.namespace) } secret, err := p.client.Auth().Login(ctx, authMethod) From a643084e55474257a8714c042d215ce607c62740 Mon Sep 17 00:00:00 2001 From: Arvindh Date: Mon, 19 Feb 2024 23:14:17 +0530 Subject: [PATCH 34/40] fix vault script Signed-off-by: Arvindh --- docker/addons/vault/vault-create-approle.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/addons/vault/vault-create-approle.sh b/docker/addons/vault/vault-create-approle.sh index f8707833d5..b63abb16b8 100755 --- a/docker/addons/vault/vault-create-approle.sh +++ b/docker/addons/vault/vault-create-approle.sh @@ -30,7 +30,7 @@ vaultCreatePolicyFile() { vaultCreatePolicy() { echo "Creating new policy for AppRole" docker cp magistrala_things_certs_issue.hcl magistrala-vault:/vault/magistrala_things_certs_issue.hcl - vault policy write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} magistrala_things_certs_issue /vault//magistrala_things_certs_issue.hcl + vault policy write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} magistrala_things_certs_issue /vault/magistrala_things_certs_issue.hcl } vaultEnableAppRole() { From bf32e4c43728a4a7a438c843d74db7e91243f41d Mon Sep 17 00:00:00 2001 From: Arvindh Date: Tue, 20 Feb 2024 16:27:19 +0530 Subject: [PATCH 35/40] fix spacing in vault scripts Signed-off-by: Arvindh --- docker/addons/vault/vault-create-approle.sh | 17 ++++++++--------- docker/addons/vault/vault-env-copy.sh | 2 -- docker/addons/vault/vault-set-pki.sh | 5 ----- 3 files changed, 8 insertions(+), 16 deletions(-) diff --git a/docker/addons/vault/vault-create-approle.sh b/docker/addons/vault/vault-create-approle.sh index b63abb16b8..59b8b44c7a 100755 --- a/docker/addons/vault/vault-create-approle.sh +++ b/docker/addons/vault/vault-create-approle.sh 
@@ -22,10 +22,10 @@ vault() { } vaultCreatePolicyFile() { - envsubst ' - ${MG_VAULT_PKI_INT_PATH} - ${MG_VAULT_PKI_INT_THINGS_CERTS_ROLE_NAME} - ' < magistrala_things_certs_issue.template.hcl > magistrala_things_certs_issue.hcl + envsubst ' + ${MG_VAULT_PKI_INT_PATH} + ${MG_VAULT_PKI_INT_THINGS_CERTS_ROLE_NAME} + ' < magistrala_things_certs_issue.template.hcl > magistrala_things_certs_issue.hcl } vaultCreatePolicy() { echo "Creating new policy for AppRole" @@ -67,10 +67,10 @@ vaultWriteCustomSecret() { } vaultTestRoleLogin() { -echo "Testing custom roleid secret by logging in" -vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/login \ - role_id=${MG_VAULT_THINGS_CERTS_ISSUER_ROLEID} \ - secret_id=${MG_VAULT_THINGS_CERTS_ISSUER_SECRET} + echo "Testing custom roleid secret by logging in" + vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} auth/approle/login \ + role_id=${MG_VAULT_THINGS_CERTS_ISSUER_ROLEID} \ + secret_id=${MG_VAULT_THINGS_CERTS_ISSUER_SECRET} } if ! command -v jq &> /dev/null @@ -81,7 +81,6 @@ fi readDotEnv - vault login -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_TOKEN} vaultCreatePolicyFile diff --git a/docker/addons/vault/vault-env-copy.sh b/docker/addons/vault/vault-env-copy.sh index c28e86121c..92c773e513 100755 --- a/docker/addons/vault/vault-env-copy.sh +++ b/docker/addons/vault/vault-env-copy.sh @@ -16,6 +16,4 @@ write_env() { sed -i "s,MG_VAULT_TOKEN=.*,MG_VAULT_TOKEN=$(awk -F ": " '$1 == "Initial Root Token" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env } - - write_env diff --git a/docker/addons/vault/vault-set-pki.sh b/docker/addons/vault/vault-set-pki.sh index 49fef753e9..2b55318a4f 100755 --- a/docker/addons/vault/vault-set-pki.sh +++ b/docker/addons/vault/vault-set-pki.sh 
@@ -32,7 +32,6 @@ vaultConfigPKICrl() { vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_PATH}/config/crl expiry="5m" ocsp_disable=false ocsp_expiry=0 auto_rebuild=true auto_rebuild_grace_period="2m" enable_delta=true delta_rebuild_interval="1m" } - vaultAddRoleToSecret() { vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_PATH}/roles/${MG_VAULT_PKI_ROLE_NAME} \ allow_any_name=true \ @@ -66,7 +65,6 @@ vaultSetupRootCAIssuingURLs() { enable_templating=true } - vaultGenerateIntermediateCAPKI() { echo "Generate Intermediate CA PKI" vault secrets enable -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -path=${MG_VAULT_PKI_INT_PATH} pki @@ -81,8 +79,6 @@ vaultConfigIntermediatePKICrl() { vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} ${MG_VAULT_PKI_INT_PATH}/config/crl expiry="5m" ocsp_disable=false ocsp_expiry=0 auto_rebuild=true auto_rebuild_grace_period="2m" enable_delta=true delta_rebuild_interval="1m" } - - vaultGenerateIntermediateCSR() { echo "Generate intermediate CSR" vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -format=json ${MG_VAULT_PKI_INT_PATH}/intermediate/generate/exported \ @@ -158,7 +154,6 @@ vaultSetupThingCertsRole() { max_ttl="2160h" } - vaultCleanupFiles() { docker exec magistrala-vault sh -c 'rm -rf /vault/*.{crt,csr}' } From 7d235bee0138b614b22ebff6c7d0e8c7dbb523ae Mon Sep 17 00:00:00 2001 From: Arvindh Date: Tue, 20 Feb 2024 16:55:06 +0530 Subject: [PATCH 36/40] change hypen to underscore in vault script Signed-off-by: Arvindh --- docker/addons/vault/README.md | 60 +++++++++++++++++------------------ 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/docker/addons/vault/README.md b/docker/addons/vault/README.md index d0085906af..85739ad2ad 100644 --- a/docker/addons/vault/README.md +++ b/docker/addons/vault/README.md 
@@ -18,29 +18,29 @@ When the Vault service is started, some initialization steps need to be done to | MG_VAULT_TOKEN | Vault cli access token | "" | | MG_VAULT_PKI_PATH | Vault secrets engine path for Root CA | pki | | MG_VAULT_PKI_ROLE_NAME | Vault Root CA role name to issue intermediate CA | magistrala_int_ca | -| MG_VAULT_PKI_FILE_NAME | Root CA Certificates name used by`vault-set-pki.sh` | mg_root | -| MG_VAULT_PKI_CA_CN | Common name used for Root CA creation by`vault-set-pki.sh` | Magistrala Root Certificate Authority | -| MG_VAULT_PKI_CA_OU | Organization unit used for Root CA creation by`vault-set-pki.sh` | Magistrala | -| MG_VAULT_PKI_CA_O | Organization used for Root CA creation by`vault-set-pki.sh` | Magistrala | -| MG_VAULT_PKI_CA_C | Country used for Root CA creation by`vault-set-pki.sh` | FRANCE | -| MG_VAULT_PKI_CA_L | Location used for Root CA creation by`vault-set-pki.sh` | PARIS | -| MG_VAULT_PKI_CA_ST | State or Provisions used for Root CA creation by`vault-set-pki.sh` | PARIS | -| MG_VAULT_PKI_CA_ADDR | Address used for Root CA creation by`vault-set-pki.sh` | 5 Av. Anatole | -| MG_VAULT_PKI_CA_PO | Postal code used for Root CA creation by`vault-set-pki.sh` | 75007 | +| MG_VAULT_PKI_FILE_NAME | Root CA Certificates name used by`vault_set_pki.sh` | mg_root | +| MG_VAULT_PKI_CA_CN | Common name used for Root CA creation by`vault_set_pki.sh` | Magistrala Root Certificate Authority | +| MG_VAULT_PKI_CA_OU | Organization unit used for Root CA creation by`vault_set_pki.sh` | Magistrala | +| MG_VAULT_PKI_CA_O | Organization used for Root CA creation by`vault_set_pki.sh` | Magistrala | +| MG_VAULT_PKI_CA_C | Country used for Root CA creation by`vault_set_pki.sh` | FRANCE | +| MG_VAULT_PKI_CA_L | Location used for Root CA creation by`vault_set_pki.sh` | PARIS | +| MG_VAULT_PKI_CA_ST | State or Provisions used for Root CA creation by`vault_set_pki.sh` | PARIS | +| MG_VAULT_PKI_CA_ADDR | Address used for Root CA creation by`vault_set_pki.sh` | 5 Av. 
Anatole | +| MG_VAULT_PKI_CA_PO | Postal code used for Root CA creation by`vault_set_pki.sh` | 75007 | | MG_VAULT_PKI_CLUSTER_PATH | Vault Root CA Cluster Path | http://localhost | | MG_VAULT_PKI_CLUSTER_AIA_PATH | Vault Root CA Cluster AIA Path | http://localhost | | MG_VAULT_PKI_INT_PATH | Vault secrets engine path for Intermediate CA | pki_int | | MG_VAULT_PKI_INT_SERVER_CERTS_ROLE_NAME | Vault Intermediate CA role name to issue server certificate | magistrala_server_certs | | MG_VAULT_PKI_INT_THINGS_CERTS_ROLE_NAME | Vault Intermediate CA role name to issue Things certificates | magistrala_things_certs | -| MG_VAULT_PKI_INT_FILE_NAME | Intermediate CA Certificates name used by`vault-set-pki.sh` | mg_root | -| MG_VAULT_PKI_INT_CA_CN | Common name used for Intermediate CA creation by`vault-set-pki.sh` | Magistrala Root Certificate Authority | -| MG_VAULT_PKI_INT_CA_OU | Organization unit used for Root CA creation by`vault-set-pki.sh` | Magistrala | -| MG_VAULT_PKI_INT_CA_O | Organization used for Intermediate CA creation by`vault-set-pki.sh` | Magistrala | -| MG_VAULT_PKI_INT_CA_C | Country used for Intermediate CA creation by`vault-set-pki.sh` | FRANCE | -| MG_VAULT_PKI_INT_CA_L | Location used for Intermediate CA creation by`vault-set-pki.sh` | PARIS | -| MG_VAULT_PKI_INT_CA_ST | State or Provisions used for Intermediate CA creation by`vault-set-pki.sh` | PARIS | -| MG_VAULT_PKI_INT_CA_ADDR | Address used for Intermediate CA creation by`vault-set-pki.sh` | 5 Av. 
Anatole | -| MG_VAULT_PKI_INT_CA_PO | Postal code used for Intermediate CA creation by`vault-set-pki.sh` | 75007 | +| MG_VAULT_PKI_INT_FILE_NAME | Intermediate CA Certificates name used by`vault_set_pki.sh` | mg_root | +| MG_VAULT_PKI_INT_CA_CN | Common name used for Intermediate CA creation by`vault_set_pki.sh` | Magistrala Root Certificate Authority | +| MG_VAULT_PKI_INT_CA_OU | Organization unit used for Root CA creation by`vault_set_pki.sh` | Magistrala | +| MG_VAULT_PKI_INT_CA_O | Organization used for Intermediate CA creation by`vault_set_pki.sh` | Magistrala | +| MG_VAULT_PKI_INT_CA_C | Country used for Intermediate CA creation by`vault_set_pki.sh` | FRANCE | +| MG_VAULT_PKI_INT_CA_L | Location used for Intermediate CA creation by`vault_set_pki.sh` | PARIS | +| MG_VAULT_PKI_INT_CA_ST | State or Provisions used for Intermediate CA creation by`vault_set_pki.sh` | PARIS | +| MG_VAULT_PKI_INT_CA_ADDR | Address used for Intermediate CA creation by`vault_set_pki.sh` | 5 Av. Anatole | +| MG_VAULT_PKI_INT_CA_PO | Postal code used for Intermediate CA creation by`vault_set_pki.sh` | 75007 | | MG_VAULT_PKI_INT_CLUSTER_PATH | Vault Intermediate CA Cluster Path | http://localhost | | MG_VAULT_PKI_INT_CLUSTER_AIA_PATH | Vault Intermediate CA Cluster AIA Path | http://localhost | | MG_VAULT_THINGS_CERTS_ISSUER_ROLEID | Vault Intermediate CA Things Certificate issuer AppRole authentication RoleID | magistrala | @@ -50,7 +50,7 @@ When the Vault service is started, some initialization steps need to be done to The following scripts are provided, which work on the running Vault service in Docker. -### 1. `vault-init.sh` +### 1. `vault_init.sh` Calls `vault operator init` to perform the initial vault initialization and generates a `docker/addons/vault/data/secrets` file which contains the Vault unseal keys and root tokens. 
@@ -80,13 +80,13 @@ bash-4.4 Use 3 out of five keys presented and put it into .env file and than start the composition again Vault should be in unsealed state ( take a note that this is not recommended in terms of security, this is deployment for development) A real production deployment can use Vault auto unseal mode where vault gets unseal keys from some 3rd party KMS ( on AWS for example) ``` -### 2. `vault-env-copy.sh` +### 2. `vault_env_copy.sh` After first step, the corresponding Vault environment variables (`MG_VAULT_TOKEN`, `MG_VAULT_UNSEAL_KEY_1`, `MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3`) should be updated in `.env` file. -`vault-env-copy.sh` scripts copies values from `docker/addons/vault/data/secrets` file and update environmental variables `MG_VAULT_TOKEN`, `MG_VAULT_UNSEAL_KEY_1`, `MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3` present in `.env` file. +`vault_env_copy.sh` scripts copies values from `docker/addons/vault/data/secrets` file and update environmental variables `MG_VAULT_TOKEN`, `MG_VAULT_UNSEAL_KEY_1`, `MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3` present in `.env` file. -### 3. `vault-unseal.sh` +### 3. `vault_unseal.sh` This can be run after the initialization to unseal Vault, which is necessary for it to be used to store and/or get secrets. 
@@ -96,25 +96,25 @@ The unseal environment variables need to be set in `.env` for the script to work This script should not be necessary to run after the initial setup, since the Vault service unseals itself when starting the container. -### 4. `vault-set-pki.sh` +### 4. `vault_set_pki.sh` This script is used to generate the root certificate, intermediate certificate and HTTPS server certificate. -All generate certificates, keys and CSR by `vault-set-pki.sh` will be present at `docker/addons/vault/data`. +All generate certificates, keys and CSR by `vault_set_pki.sh` will be present at `docker/addons/vault/data`. The parameters required for generating certificate are obtained from the environment variables which are loaded from `docker/.env`. -Environmental variables starting with `MG_VAULT_PKI` in `docker/.env` file are used by `vault-set-pki.sh` to generate root CA. -Environmental variables starting with`MG_VAULT_PKI_INT` in `docker/.env` file are used by `vault-set-pki.sh` to generate intermediate CA. +Environmental variables starting with `MG_VAULT_PKI` in `docker/.env` file are used by `vault_set_pki.sh` to generate root CA. +Environmental variables starting with`MG_VAULT_PKI_INT` in `docker/.env` file are used by `vault_set_pki.sh` to generate intermediate CA. -### 5. `vault-create-approle.sh` +### 5. `vault_create_approle.sh` This script is used to enable app role authorization in Vault. Certs service used the approle credentials to issue, revoke things certificate from vault intermedate CA. -`vault-create-approle` script by default tries to enable auth approle. +`vault_create_approle.sh` script by default tries to enable auth approle. If approle is already enabled in vault, then use args `skip_enable_app_role` to skip enable auth approle step. -To skip enable auth approle step use the following `vault-create-approle.sh skip_enable_app_role` +To skip enable auth approle step use the following `vault_create_approle.sh skip_enable_app_role` -### 6. 
`vault-certs-copy.sh` +### 6. `vault_certs_copy.sh` This scripts copies the necessary certificates and keys from `docker/addons/vault/data` to the `docker/ssl/certs` folder. From c052f3c1798907b599f8478dc27f76461a902789 Mon Sep 17 00:00:00 2001 From: Arvindh Date: Tue, 20 Feb 2024 16:58:25 +0530 Subject: [PATCH 37/40] change hypen to underscore in vault script Signed-off-by: Arvindh --- docker/addons/vault/README.md | 6 +++--- .../vault/{vault-certs-copy.sh => vault_copy_certs.sh} | 0 .../addons/vault/{vault-env-copy.sh => vault_copy_env.sh} | 0 .../{vault-create-approle.sh => vault_create_approle.sh} | 0 docker/addons/vault/{vault-init.sh => vault_init.sh} | 0 docker/addons/vault/{vault-set-pki.sh => vault_set_pki.sh} | 0 docker/addons/vault/{vault-unseal.sh => vault_unseal.sh} | 0 7 files changed, 3 insertions(+), 3 deletions(-) rename docker/addons/vault/{vault-certs-copy.sh => vault_copy_certs.sh} (100%) rename docker/addons/vault/{vault-env-copy.sh => vault_copy_env.sh} (100%) rename docker/addons/vault/{vault-create-approle.sh => vault_create_approle.sh} (100%) rename docker/addons/vault/{vault-init.sh => vault_init.sh} (100%) rename docker/addons/vault/{vault-set-pki.sh => vault_set_pki.sh} (100%) rename docker/addons/vault/{vault-unseal.sh => vault_unseal.sh} (100%) diff --git a/docker/addons/vault/README.md b/docker/addons/vault/README.md index 85739ad2ad..193fa4dafa 100644 --- a/docker/addons/vault/README.md +++ b/docker/addons/vault/README.md 
@@ -80,11 +80,11 @@ bash-4.4 Use 3 out of five keys presented and put it into .env file and than start the composition again Vault should be in unsealed state ( take a note that this is not recommended in terms of security, this is deployment for development) A real production deployment can use Vault auto unseal mode where vault gets unseal keys from some 3rd party KMS ( on AWS for example) ``` -### 2. `vault_env_copy.sh` +### 2. `vault_copy_env.sh` After first step, the corresponding Vault environment variables (`MG_VAULT_TOKEN`, `MG_VAULT_UNSEAL_KEY_1`, `MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3`) should be updated in `.env` file. -`vault_env_copy.sh` scripts copies values from `docker/addons/vault/data/secrets` file and update environmental variables `MG_VAULT_TOKEN`, `MG_VAULT_UNSEAL_KEY_1`, `MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3` present in `.env` file. +`vault_copy_env.sh` scripts copies values from `docker/addons/vault/data/secrets` file and update environmental variables `MG_VAULT_TOKEN`, `MG_VAULT_UNSEAL_KEY_1`, `MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3` present in `.env` file. ### 3. `vault_unseal.sh` @@ -114,7 +114,7 @@ This script is used to enable app role authorization in Vault. Certs service use If approle is already enabled in vault, then use args `skip_enable_app_role` to skip enable auth approle step. To skip enable auth approle step use the following `vault_create_approle.sh skip_enable_app_role` -### 6. `vault_certs_copy.sh` +### 6. `vault_copy_certs.sh` This scripts copies the necessary certificates and keys from `docker/addons/vault/data` to the `docker/ssl/certs` folder. diff --git a/docker/addons/vault/vault-certs-copy.sh b/docker/addons/vault/vault_copy_certs.sh similarity index 100% rename from docker/addons/vault/vault-certs-copy.sh rename to docker/addons/vault/vault_copy_certs.sh 
diff --git a/docker/addons/vault/vault-env-copy.sh b/docker/addons/vault/vault_copy_env.sh similarity index 100% rename from docker/addons/vault/vault-env-copy.sh rename to docker/addons/vault/vault_copy_env.sh diff --git a/docker/addons/vault/vault-create-approle.sh b/docker/addons/vault/vault_create_approle.sh similarity index 100% rename from docker/addons/vault/vault-create-approle.sh rename to docker/addons/vault/vault_create_approle.sh diff --git a/docker/addons/vault/vault-init.sh b/docker/addons/vault/vault_init.sh similarity index 100% rename from docker/addons/vault/vault-init.sh rename to docker/addons/vault/vault_init.sh diff --git a/docker/addons/vault/vault-set-pki.sh b/docker/addons/vault/vault_set_pki.sh similarity index 100% rename from docker/addons/vault/vault-set-pki.sh rename to docker/addons/vault/vault_set_pki.sh diff --git a/docker/addons/vault/vault-unseal.sh b/docker/addons/vault/vault_unseal.sh similarity index 100% rename from docker/addons/vault/vault-unseal.sh rename to docker/addons/vault/vault_unseal.sh From 38504a9d1646c346b2ab685087e227a8bd4037a3 Mon Sep 17 00:00:00 2001 From: Arvindh Date: Tue, 20 Feb 2024 17:28:39 +0530 Subject: [PATCH 38/40] fix nginx server_name env variable Signed-off-by: Arvindh --- docker/.env | 9 ++++----- docker/README.md | 2 +- docker/nginx/nginx-key.conf | 2 +- docker/nginx/nginx-x509.conf | 2 +- 4 files changed, 7 insertions(+), 8 deletions(-) diff --git a/docker/.env b/docker/.env index 0ba77b103d..118fc63784 100644 --- a/docker/.env +++ b/docker/.env @@ -7,7 +7,6 @@ MG_NGINX_HTTP_PORT=80 MG_NGINX_SSL_PORT=443 MG_NGINX_MQTT_PORT=1883 MG_NGINX_MQTTS_PORT=8883 -MG_NGINX_SERVER_NAME=localhost ## Nats MG_NATS_PORT=4222 
@@ -317,10 +316,10 @@ MG_VAULT_HOST=vault MG_VAULT_PORT=8200 MG_VAULT_ADDR=http://vault:8200 MG_VAULT_NAMESPACE=magistrala -MG_VAULT_UNSEAL_KEY_1= -MG_VAULT_UNSEAL_KEY_2= -MG_VAULT_UNSEAL_KEY_3= -MG_VAULT_TOKEN= +MG_VAULT_UNSEAL_KEY_1=Lx86tEcq7Xtdp5SojuaTBOSwdFQw6SDlJN6JRoyR9oih +MG_VAULT_UNSEAL_KEY_2=5AlgVQgR9+9IFgytW0YdGohPOxDN3XuaRp4w78jk6x9H +MG_VAULT_UNSEAL_KEY_3=THVF+etPqxw7AQh3JkNIIlDDlUeHNYFmrICoOqVf1kMF +MG_VAULT_TOKEN=hvs.dh1kZ6lW4OlefOgLwyS1IVfl MG_VAULT_PKI_PATH=pki MG_VAULT_PKI_ROLE_NAME=magistrala_int_ca diff --git a/docker/README.md b/docker/README.md index 44ab8138cb..4f36f96e77 100644 --- a/docker/README.md +++ b/docker/README.md @@ -123,7 +123,7 @@ services: Nginx is the entry point for all traffic to Magistrala. By using environment variables file at `docker/.env` you can modify the below given Nginx directive. -`MG_NGINX_SERVER_NAME` environmental variable is used to configure the `server_name` parameter in nginx, It's default value is `localhost`. +`MG_NGINX_SERVER_NAME` environmental variable is used to configure nginx directive `server_name`. If environmental variable `MG_NGINX_SERVER_NAME` is empty then default value `localhost` will set to `server_name`. `MG_NGINX_SERVER_CERT` environmental variable is used to configure nginx directive `ssl_certificate`. If environmental variable `MG_NGINX_SERVER_CERT` is empty then by default server certificate in the path `docker/ssl/certs/magistrala-server.crt` will be assigned. diff --git a/docker/nginx/nginx-key.conf b/docker/nginx/nginx-key.conf index d3e9f7da45..b33a0667b0 100644 --- a/docker/nginx/nginx-key.conf +++ b/docker/nginx/nginx-key.conf @@ -39,7 +39,7 @@ http { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; - set $dynamic_server_name $MG_NGINX_SERVER_NAME; + set $dynamic_server_name "$MG_NGINX_SERVER_NAME"; if ($dynamic_server_name = '') { set $dynamic_server_name "localhost"; 
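Review bot: This hunk commits live-looking Vault material — three unseal keys and an `hvs.`-prefixed root token — into `docker/.env`, a tracked file; patch 39 of this series empties the values again, but that revert does not remove them from git history, so anyone with the repository still has them. Treat them as compromised: the development Vault that produced them should be re-initialised (or the root token revoked and the instance rekeyed), and the history rewritten if the series has not been published. Since `vault-env-copy.sh` from patch 31 writes exactly these values into the same tracked `.env`, a guard that keeps `MG_VAULT_TOKEN=` and `MG_VAULT_UNSEAL_KEY_*=` empty on commit, or moving them to an ignored override file, would stop this recurring.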
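Review bot: Quoting `"$MG_NGINX_SERVER_NAME"` fixes the malformed `set` line envsubst produced for an empty value, but the variable the `set`/`if` pair computes is presumably fed to `server_name` (the docker/README.md hunk in this same patch says so), and nginx does not support variables in `server_name` — the directive would match the literal text, and the block only answers because it is `default_server`. The nginx-x509.conf hunk that follows has the same shape. Defaulting once in entrypoint.sh before envsubst runs, `export MG_NGINX_SERVER_NAME="${MG_NGINX_SERVER_NAME:-localhost}"`, with a plain `server_name ${MG_NGINX_SERVER_NAME};` in both templates, would be correct and would also collapse the `localhost` fallback that is now repeated in the nginx templates, `vault_set_pki.sh` and `vault_copy_certs.sh` after the default was dropped from `.env` in this patch.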
diff --git a/docker/nginx/nginx-x509.conf b/docker/nginx/nginx-x509.conf index 4f95e1edbb..1c35f83e63 100644 --- a/docker/nginx/nginx-x509.conf +++ b/docker/nginx/nginx-x509.conf @@ -46,7 +46,7 @@ http { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; - set $dynamic_server_name $MG_NGINX_SERVER_NAME; + set $dynamic_server_name "$MG_NGINX_SERVER_NAME"; if ($dynamic_server_name = '') { set $dynamic_server_name "localhost"; From 295e9f87b3c88e052940ea92cccb26ccaa3fb9ab Mon Sep 17 00:00:00 2001 From: Arvindh Date: Tue, 20 Feb 2024 17:32:12 +0530 Subject: [PATCH 39/40] remove vault dummy token from .env Signed-off-by: Arvindh --- docker/.env | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docker/.env b/docker/.env index 118fc63784..4a5e0bcb84 100644 --- a/docker/.env +++ b/docker/.env @@ -316,10 +316,10 @@ MG_VAULT_HOST=vault MG_VAULT_PORT=8200 MG_VAULT_ADDR=http://vault:8200 MG_VAULT_NAMESPACE=magistrala -MG_VAULT_UNSEAL_KEY_1=Lx86tEcq7Xtdp5SojuaTBOSwdFQw6SDlJN6JRoyR9oih -MG_VAULT_UNSEAL_KEY_2=5AlgVQgR9+9IFgytW0YdGohPOxDN3XuaRp4w78jk6x9H -MG_VAULT_UNSEAL_KEY_3=THVF+etPqxw7AQh3JkNIIlDDlUeHNYFmrICoOqVf1kMF -MG_VAULT_TOKEN=hvs.dh1kZ6lW4OlefOgLwyS1IVfl +MG_VAULT_UNSEAL_KEY_1= +MG_VAULT_UNSEAL_KEY_2= +MG_VAULT_UNSEAL_KEY_3= +MG_VAULT_TOKEN= MG_VAULT_PKI_PATH=pki MG_VAULT_PKI_ROLE_NAME=magistrala_int_ca From 3e770765820a4ad259958daa03ca587bded0451e Mon Sep 17 00:00:00 2001 From: Arvindh Date: Tue, 20 Feb 2024 18:13:31 +0530 Subject: [PATCH 40/40] update vault scripts Signed-off-by: Arvindh --- docker/addons/vault/vault_copy_certs.sh | 11 +++++++++-- docker/addons/vault/vault_set_pki.sh | 13 ++++++++++--- 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/docker/addons/vault/vault_copy_certs.sh b/docker/addons/vault/vault_copy_certs.sh index b2a8ded282..1f00a8f516 100755 --- a/docker/addons/vault/vault_copy_certs.sh +++ b/docker/addons/vault/vault_copy_certs.sh 
@@ -17,9 +17,16 @@ readDotEnv() { readDotEnv +server_name="localhost" + +# Check if MG_NGINX_SERVER_NAME is set or not empty +if [ -n "${MG_NGINX_SERVER_NAME:-}" ]; then + server_name="$MG_NGINX_SERVER_NAME" +fi + echo "Copying certificate files" -cp -v data/${MG_NGINX_SERVER_NAME}.crt ${MAGISTRALA_DIR}/docker/ssl/certs/magistrala-server.crt -cp -v data/${MG_NGINX_SERVER_NAME}.key ${MAGISTRALA_DIR}/docker/ssl/certs/magistrala-server.key +cp -v data/${server_name}.crt ${MAGISTRALA_DIR}/docker/ssl/certs/magistrala-server.crt +cp -v data/${server_name}.key ${MAGISTRALA_DIR}/docker/ssl/certs/magistrala-server.key cp -v data/${MG_VAULT_PKI_INT_FILE_NAME}.key ${MAGISTRALA_DIR}/docker/ssl/certs/ca.key cp -v data/${MG_VAULT_PKI_INT_FILE_NAME}_bundle.crt ${MAGISTRALA_DIR}/docker/ssl/certs/ca.crt diff --git a/docker/addons/vault/vault_set_pki.sh b/docker/addons/vault/vault_set_pki.sh index 2b55318a4f..51bfee1cff 100755 --- a/docker/addons/vault/vault_set_pki.sh +++ b/docker/addons/vault/vault_set_pki.sh @@ -15,6 +15,13 @@ readDotEnv() { set +o allexport } +server_name="localhost" + +# Check if MG_NGINX_SERVER_NAME is set or not empty +if [ -n "${MG_NGINX_SERVER_NAME:-}" ]; then + server_name="$MG_NGINX_SERVER_NAME" +fi + vault() { docker exec -it magistrala-vault vault "$@" } @@ -141,9 +148,9 @@ vaultSetupServerCertsRole() { vaultGenerateServerCertificate() { echo "Generate server certificate" vault write -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} -format=json ${MG_VAULT_PKI_INT_PATH}/issue/${MG_VAULT_PKI_INT_SERVER_CERTS_ROLE_NAME} \ - common_name="$MG_NGINX_SERVER_NAME" ttl="4320h" \ - | tee >(jq -r .data.certificate >data/${MG_NGINX_SERVER_NAME}.crt) \ - >(jq -r .data.private_key >data/${MG_NGINX_SERVER_NAME}.key) + common_name="$server_name" ttl="4320h" \ + | tee >(jq -r .data.certificate >data/${server_name}.crt) \ + >(jq -r .data.private_key >data/${server_name}.key) } vaultSetupThingCertsRole() {
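Review bot: The `server_name` defaulting block is duplicated verbatim between this hunk and the `vault_set_pki.sh` hunk in the same patch; both scripts already define `readDotEnv`, so the fallback belongs there (or in the shared `.env`) so the two copies cannot drift. The new `cp -v data/${server_name}.crt …` lines also expand the value unquoted; `"data/${server_name}.crt"` keeps a value with spaces or glob characters from splitting, and `cp -v --` guards against a leading dash. The rest of the script is outside the hunk.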
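Review bot: The new `server_name` block runs at top level right after the `readDotEnv` definition, but if `readDotEnv` is only called further down the script — the layout `vault-create-approle.sh` uses, where the call follows all function definitions — `MG_NGINX_SERVER_NAME` is still unset here, `server_name` silently stays `localhost` regardless of `.env`, and `vault_copy_certs.sh` (which reads the real value after its own `readDotEnv` call) then looks for a certificate file that was never issued. Either move the block after the `readDotEnv` call or resolve the name where it is used, e.g. `local server_name="${MG_NGINX_SERVER_NAME:-localhost}"` at the top of vaultGenerateServerCertificate. The point where readDotEnv is invoked is outside the hunk, so this needs confirming against the full file.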
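Review bot: `vault write … | tee >(jq … .crt) >(jq … .key)` still sends the full JSON response — including `data.private_key` — to tee's own stdout, so the server's private key is echoed to the terminal and to any log that captures the script, and `data/${server_name}.key` is created under the default umask. Append `> /dev/null` to the tee (or capture the response once and run jq on it) and create the key restrictively, with `umask 077` before the call or `chmod 600 "data/${server_name}.key"` after it. The root and intermediate key generation elsewhere in this file presumably uses the same pattern, but that is outside the hunk.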