TLS changes

Author: Jeff McCormick

apiserver.go

@@ -1,8 +1,8 @@
 package main
 
 import (
-	//"crypto/tls"
-	//"crypto/x509"
+	"crypto/tls"
+	"crypto/x509"
 	log "github.com/Sirupsen/logrus"
 	"github.com/crunchydata/postgres-operator/apiserver/backupservice"
 	"github.com/crunchydata/postgres-operator/apiserver/cloneservice"
@@ -15,11 +15,14 @@ import (
 	"github.com/crunchydata/postgres-operator/apiserver/userservice"
 	"github.com/crunchydata/postgres-operator/apiserver/versionservice"
 	"github.com/gorilla/mux"
-	//"io/ioutil"
+	"io/ioutil"
 	"net/http"
 	"os"
 )
 
+const serverCert = "/config/server.crt"
+const serverKey = "/config/server.key"
+
 func main() {
 
 	debugFlag := os.Getenv("DEBUG")
@@ -51,25 +54,33 @@ func main() {
 	r.HandleFunc("/backups", backupservice.CreateBackupHandler).Methods("POST")
 	//log.Fatal(http.ListenAndServeTLS(":8443", "/config/cert.pem", "/config/key.pem", r))
 	//log.Fatal(http.ListenAndServeTLS(":8443", "/config/secure.domain.com.crt", "/config/secure.domain.com.key", r))
-	//caCert, err := ioutil.ReadFile("/config/client.crt")
-	//if err != nil {
-	//log.Fatal(err)
-	//log.Error("could not read /config/client.crt")
-	//os.Exit(2)
-	//}
-	//caCertPool := x509.NewCertPool()
-	//caCertPool.AppendCertsFromPEM(caCert)
-	//cfg := &tls.Config{
-	//ClientAuth: tls.RequireAndVerifyClientCert,
-	//ClientCAs:  caCertPool,
-	//}
-	//srv := &http.Server{
-	////Addr: ":8443",
-	//Handler:   &handler{},
-	//Handler:   r,
-	//TLSConfig: cfg,
-	//}
 
-	//log.Fatal(srv.ListenAndServeTLS("/config/server.crt", "/config/server.key"))
-	log.Fatal(http.ListenAndServe(":8080", r))
+	caCert, err := ioutil.ReadFile(serverCert)
+	if err != nil {
+		log.Fatal(err)
+		log.Error("could not read " + serverCert)
+		os.Exit(2)
+	}
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(caCert)
+	cfg := &tls.Config{
+		//ClientAuth: tls.RequireAndVerifyClientCert,
+		ClientCAs: caCertPool,
+	}
+
+	srv := &http.Server{
+		Addr:      ":8443",
+		Handler:   r,
+		TLSConfig: cfg,
+	}
+
+	_, err = ioutil.ReadFile(serverKey)
+	if err != nil {
+		log.Fatal(err)
+		log.Error("could not read " + serverKey)
+		os.Exit(2)
+	}
+
+	log.Fatal(srv.ListenAndServeTLS(serverCert, serverKey))
+	//log.Fatal(http.ListenAndServe(":8080", r))
 }

apiserver/clusterservice/clusterservice.go

@@ -86,6 +86,7 @@ func ShowClusterHandler(w http.ResponseWriter, r *http.Request) {
 
 	w.WriteHeader(http.StatusOK)
 	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
 
 	switch r.Method {
 	case "GET":
@@ -113,6 +114,7 @@ func TestClusterHandler(w http.ResponseWriter, r *http.Request) {
 
 	w.WriteHeader(http.StatusOK)
 	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
 
 	resp := TestCluster(namespace, clustername)
 

bin/make-certs.sh

@@ -0,0 +1,41 @@
+#!/bin/bash 
+
+# Copyright 2017 Crunchy Data Solutions, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# generate self signed cert for apiserver REST service
+#
+
+openssl req \
+	    -x509 \
+	        -nodes \
+		    -newkey rsa:2048 \
+		        -keyout $COROOT/conf/apiserver/server.key \
+			    -out $COROOT/conf/apiserver/server.crt \
+			        -days 3650 \
+				    -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=*"
+exit
+
+# generate CA
+#openssl genrsa -out $COROOT/conf/apiserver/rootCA.key 4096
+#openssl req -x509 -new -key $COROOT/conf/apiserver/rootCA.key -days 3650 -out $COROOT/conf/apiserver/rootCA.crt
+
+# generate cert for secure.domain.com signed with the created CA
+openssl genrsa -out $COROOT/conf/apiserver/secure.domain.com.key 2048
+openssl req -new -key $COROOT/conf/apiserver/secure.domain.com.key -out $COROOT/conf/apiserver/secure.domain.com.csr
+#In answer to question `Common Name (e.g. server FQDN or YOUR name) []:` you should set `secure.domain.com` (your real domain name)
+openssl x509 -req -in $COROOT/conf/apiserver/secure.domain.com.csr -CA $COROOT/conf/apiserver/rootCA.crt -CAkey $COROOT/conf/apiserver/rootCA.key -CAcreateserial -days 365 -out $COROOT/conf/apiserver/secure.domain.com.crt
+
+#openssl genrsa 2048 > $COROOT/conf/apiserver/key.pem
+#openssl req -new -x509 -key $COROOT/conf/apiserver/key.pem -out $COROOT/conf/apiserver/cert.pem -days 1095

bin/save-images.sh

@@ -0,0 +1,19 @@
+#!/bin/bash 
+
+# Copyright 2017 Crunchy Data Solutions, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+docker save crunchydata/lspvc:$CO_IMAGE_TAG > /tmp/lspvc-$CO_IMAGE_TAG.tar
+docker save crunchydata/postgres-operator:$CO_IMAGE_TAG > /tmp/postgres-operator-$CO_IMAGE_TAG.tar
+docker save crunchydata/csvload:$CO_IMAGE_TAG > /tmp/csvload-$CO_IMAGE_TAG.tar
+docker save crunchydata/apiserver:$CO_IMAGE_TAG > /tmp/apiserver-$CO_IMAGE_TAG.tar

centos7/Dockerfile.apiserver.centos7

@@ -14,7 +14,7 @@ ADD bin/postgres-operator/runpsql.sh /usr/local/bin
 
 VOLUME ["/config", "/operator-conf"]
 
-EXPOSE 8080
+EXPOSE 8443
 
 USER daemon
 

conf/apiserver/server.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDrTCCApWgAwIBAgIJAPqgQ8XMF5ZnMA0GCSqGSIb3DQEBCwUAMG0xCzAJBgNV
+BAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRvbjEYMBYGA1UE
+CgwPR2xvYmFsIFNlY3VyaXR5MRYwFAYDVQQLDA1JVCBEZXBhcnRtZW50MQowCAYD
+VQQDDAEqMB4XDTE3MTIxMTIxMzcxNloXDTI3MTIwOTIxMzcxNlowbTELMAkGA1UE
+BhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9uZG9uMRgwFgYDVQQK
+DA9HbG9iYWwgU2VjdXJpdHkxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxCjAIBgNV
+BAMMASowggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1OzrCLXU91VGF
+rG3Ukg+/YvXvY4hA0Cs+M2JV1+ypewRXF/S2UJDSDLP8nG3U5xLclH7rtCVEps3S
+tDmX6UHYsQYs/tTVmVGyToZJUmpSICETUV15muPQsBqc/on+5dEQCcQc4IwCuQs3
+sox11pTcg1vZsEfCUsLQrgTI/RgHDJEMa4yTgCaCCv9gQ9o6vPHWS8h7f1ej6+zf
+AUIRwN1y3DkiPbwT+3A8hOd90fqz+9RcWmWIJaYfHGz8jx5nErCDgyxlJir1r6Eb
++6gQGo5xfg1Q/8znPhbjr1XzyswD5Kzdq+08mnx9gry7wi/Y8GyZWUWB3pm+MUSk
+xa63e75bAgMBAAGjUDBOMB0GA1UdDgQWBBQgZQYy3rqbS57vDHohT+NfGqf4DTAf
+BgNVHSMEGDAWgBQgZQYy3rqbS57vDHohT+NfGqf4DTAMBgNVHRMEBTADAQH/MA0G
+CSqGSIb3DQEBCwUAA4IBAQAuS63ceqpcMhhDSFgTs225Lk5HCQYwDcBVeelIaZ+l
+S4PeFIwcocPpw7pEPSPlZwOPfFny0nfZv1eqNhaGMig3wkM5V3M9qVM4NSnq7Gid
+Z+ttnvaPcRVROzoj+w6+VzBSvhC006EBEGLM/m/0GImJcQiBnAHzDpuRuOWbSuIy
+1YArI86VVeZGr+sc9bzHucja/wh4vFGAF4mglHrn8Nm/cb7cS4Q2c94kWW6hYsKv
+zhXuPQxJjEwpl80OJ6sQow54zYIOeKrkOoFtss3oqw+cdSSihdP4SDgkuB1tHiy6
+8DrOXaFEZpmjEvxpyPdw8LiXWcgGKJPvoPR8IMHd+roi
+-----END CERTIFICATE-----

conf/apiserver/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC1OzrCLXU91VGF
+rG3Ukg+/YvXvY4hA0Cs+M2JV1+ypewRXF/S2UJDSDLP8nG3U5xLclH7rtCVEps3S
+tDmX6UHYsQYs/tTVmVGyToZJUmpSICETUV15muPQsBqc/on+5dEQCcQc4IwCuQs3
+sox11pTcg1vZsEfCUsLQrgTI/RgHDJEMa4yTgCaCCv9gQ9o6vPHWS8h7f1ej6+zf
+AUIRwN1y3DkiPbwT+3A8hOd90fqz+9RcWmWIJaYfHGz8jx5nErCDgyxlJir1r6Eb
++6gQGo5xfg1Q/8znPhbjr1XzyswD5Kzdq+08mnx9gry7wi/Y8GyZWUWB3pm+MUSk
+xa63e75bAgMBAAECggEBAJKubKFKz5CLPd8WLxKUYUCC5RCrG1Vx5v4B8r4N9FM7
+6Mhg8EQ7Mut/MpHrPg3KNH7phUxaUquc4gt+qPql5RBwPtJeMn7rB69sVM21ca4k
+qQCMoz5QOcDnN7MHZUM0WKBFdz/0Ef4GLOkYjwy072kGvGmVfo7uExV5MxBFoJPa
+oD/tYVZGn1n+3gNiVUFSSDNk8an7YDuf9cydV9+oY46w4CDjcPm4i3yF7ebNgaQ6
+4WfC7rofI7a7CzXDJTR+fhsoA3iEHRKkojDLdAMb/CR/L6t31tpG7JIsN/3sLe1U
+iDeI38dpMYK4460F/vjAElOt03xiZPkuZdMrNhdICxkCgYEA2WW75EmBL841/t+S
+IMpKSAUUOtVgu/TPK7WAdfmoyd+09XkvYUD0DXx59k2LfjBuhfzN/+5HpKAPiHqR
+VjryRsvBjM+mixhjTDdZ6CqDJs5VEKPg0v1r29b3FxZY1aHqtL2//cmYMswYXANE
+zTxs/PvinsdYTxs9TC0QmG1eGC0CgYEA1Wl9pXF16LLOzNdQg+wg0lwIzkXnHVeD
+uJVDcXxUY60T+XyM3dUtyZLWfjQzs0xVAmoMe9rPaDvZusVnKyf4/6v6ytlVdFjc
+oNoLcicLnFGQx7C1lBpCPo7Tz/xMd8SPfUbDVdFlgH7qk4DNDq3LzP66A/7NbJxY
+E7z21sX8facCgYEAuoLfmlG9tefyx0HEOsGSzQseegNKxLaZbuR+27hfqSJ2PAvG
+LGfvegqLEFcjEBY5HFbx3VruuDxiVzLgsdxMs5Rn74jPV5KKzn7GcbrXXlmy/V27
+qwikmq1ou7P+bvpFRN9uciucmigj1f0v7+yhjMIFgTeBegzioBIhpMRf79kCgYAz
+xdrIdyUOpcpLoXST/IXd4pv0RrsRwDhhYDyzXGEwqT1uSgv2iRAJlcjZZxqfxcXd
+xxJuPaARfmuMxvUHYDQk+njmGyGDD0e+8gbS06waaSNBfpoeatxlRssV6vQ2HgZd
+cvxSZnFEYgXQcO/OPtVxTt6bt4XocmlfqHkNk4x0gwKBgBFnQ20ZLiN9SFeQk6u1
+sDZn6p24/AggWt5/88ekXlGTkXrs7rGzxl0+NMVG93KiGhJjtND150dC0mRLXAjx
+8iZTtX6+cGY17+hyPlhZreOadtFUXvplAJgYt25tN0CjSBqDXS9ePRapIjjkL5sI
++1Q+Xy5KO5e6+5zkIDPHzpuO
+-----END PRIVATE KEY-----

deploy/deploy.sh

@@ -18,6 +18,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 $DIR/cleanup.sh
 
 $CO_CMD --namespace=$CO_NAMESPACE create configmap apiserver-conf \
+	--from-file=$COROOT/conf/apiserver/server.crt \
+	--from-file=$COROOT/conf/apiserver/server.key \
 	--from-file=$COROOT/conf/apiserver/pgouser \
 	--from-file=$COROOT/conf/apiserver/pgo.yaml \
 	--from-file=$COROOT/conf/apiserver/pgo.csvload-template.json \

deploy/service.json

@@ -8,12 +8,22 @@
         }
     },
     "spec": {
-        "ports": [{
+        "ports": [
+	{
+            "name": "postgres-operator",
             "protocol": "TCP",
             "port": 8080,
             "targetPort": 8080,
             "nodePort": 0
-        }],
+        },
+	{
+            "name": "apiserver",
+            "protocol": "TCP",
+            "port": 8443,
+            "targetPort": 8443,
+            "nodePort": 0
+        }
+	],
         "selector": {
             "name": "postgres-operator"
         },

pgo/cmd/auth.go

@@ -34,6 +34,8 @@ var BasicAuthUsername, BasicAuthPassword string
 
 var caCertPool *x509.CertPool
 var cert tls.Certificate
+var httpclient *http.Client
+var caCertPath, clientCertPath, clientKeyPath string
 
 // StatusCheck ...
 func StatusCheck(resp *http.Response) {
@@ -72,45 +74,57 @@ func GetCredentials() {
 	fullPath := dir + "/" + ".pgouser"
 	log.Debug("looking in " + fullPath + " for credentials")
 	dat, err := ioutil.ReadFile(fullPath)
+	found := false
 	if err != nil {
 		log.Debug(fullPath + " not found")
 	} else {
 		log.Debug(fullPath + " found")
 		log.Debug("pgouser file found at " + fullPath + "contains " + string(dat))
 		BasicAuthUsername, BasicAuthPassword = parseCredentials(string(dat))
-		return
+		found = true
+
 	}
 
-	fullPath = etcpath
-	dat, err = ioutil.ReadFile(fullPath)
-	if err != nil {
-		log.Debug(etcpath + " not found")
-	} else {
-		log.Debug(fullPath + " found")
+	if !found {
+		fullPath = etcpath
+		dat, err = ioutil.ReadFile(fullPath)
+		if err != nil {
+			log.Debug(etcpath + " not found")
+		} else {
+			log.Debug(fullPath + " found")
+			log.Debug("pgouser file found at " + fullPath + "contains " + string(dat))
+			BasicAuthUsername, BasicAuthPassword = parseCredentials(string(dat))
+			found = true
+		}
+	}
+
+	if !found {
+		pgoUser := os.Getenv(pgouserenvvar)
+		if pgoUser == "" {
+			log.Error(pgouserenvvar + " env var not set")
+			os.Exit(2)
+		}
+
+		fullPath = pgoUser
+		log.Debug(pgouserenvvar + " env var is being used at " + fullPath)
+		dat, err = ioutil.ReadFile(fullPath)
+		if err != nil {
+			log.Error(fullPath + " file not found")
+			os.Exit(2)
+		}
+
 		log.Debug("pgouser file found at " + fullPath + "contains " + string(dat))
 		BasicAuthUsername, BasicAuthPassword = parseCredentials(string(dat))
-		return
 	}
 
-	pgoUser := os.Getenv(pgouserenvvar)
-	if pgoUser == "" {
-		log.Error(pgouserenvvar + " env var not set")
-		os.Exit(2)
-	}
+	caCertPath = os.Getenv("PGO_CA_CERT")
 
-	fullPath = pgoUser
-	log.Debug(pgouserenvvar + " env var is being used at " + fullPath)
-	dat, err = ioutil.ReadFile(fullPath)
-	if err != nil {
-		log.Error(fullPath + " file not found")
+	if caCertPath == "" {
+		log.Error("PGO_CA_CERT not specified")
 		os.Exit(2)
 	}
-
-	log.Debug("pgouser file found at " + fullPath + "contains " + string(dat))
-	BasicAuthUsername, BasicAuthPassword = parseCredentials(string(dat))
-
-	/**
-	caCert, err := ioutil.ReadFile("/tmp/server.crt")
+	//caCert, err := ioutil.ReadFile("/tmp/server.crt")
+	caCert, err := ioutil.ReadFile(caCertPath)
 	if err != nil {
 		log.Error(err)
 		log.Error("could not read ca certificate")
@@ -119,11 +133,48 @@ func GetCredentials() {
 	caCertPool = x509.NewCertPool()
 	caCertPool.AppendCertsFromPEM(caCert)
 
-	cert, err = tls.LoadX509KeyPair("/tmp/client.crt", "/tmp/client.key")
+	clientCertPath = os.Getenv("PGO_CLIENT_CERT")
+
+	if clientCertPath == "" {
+		log.Error("PGO_CLIENT_CERT not specified")
+		os.Exit(2)
+	}
+
+	_, err = ioutil.ReadFile(clientCertPath)
+	if err != nil {
+		log.Debug(clientCertPath + " not found")
+		os.Exit(2)
+	}
+
+	clientKeyPath = os.Getenv("PGO_CLIENT_KEY")
+
+	if clientKeyPath == "" {
+		log.Error("PGO_CLIENT_KEY not specified")
+		os.Exit(2)
+	}
+
+	_, err = ioutil.ReadFile(clientKeyPath)
+	if err != nil {
+		log.Debug(clientKeyPath + " not found")
+		os.Exit(2)
+	}
+	//cert, err = tls.LoadX509KeyPair("/tmp/example.com.crt", "/tmp/example.com.key")
+	cert, err = tls.LoadX509KeyPair(clientCertPath, clientKeyPath)
 	if err != nil {
 		log.Fatal(err)
-		log.Error("could not load client.crt and client.key")
+		log.Error("could not load example.com.crt and example.com.key")
 		os.Exit(2)
-	} */
+	}
+
+	log.Info("setting up httpclient with TLS")
+	httpclient = &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				RootCAs:            caCertPool,
+				InsecureSkipVerify: true,
+				Certificates:       []tls.Certificate{cert},
+			},
+		},
+	}
 
 }