[ASCII-2584] Migrating CoreAgent to use IPC cert (#31843)

Author: misteriaud

comp/api/api/apiimpl/api_test.go

@@ -20,7 +20,7 @@ import (
 	"github.com/DataDog/datadog-agent/comp/aggregator/demultiplexer/demultiplexerimpl"
 	"github.com/DataDog/datadog-agent/comp/api/api/apiimpl/observability"
 	api "github.com/DataDog/datadog-agent/comp/api/api/def"
-	"github.com/DataDog/datadog-agent/comp/api/authtoken/fetchonlyimpl"
+	"github.com/DataDog/datadog-agent/comp/api/authtoken/createandfetchimpl"
 	"github.com/DataDog/datadog-agent/comp/collector/collector"
 	"github.com/DataDog/datadog-agent/comp/core/autodiscovery"
 	"github.com/DataDog/datadog-agent/comp/core/autodiscovery/autodiscoveryimpl"
@@ -76,7 +76,7 @@ func getTestAPIServer(t *testing.T, params config.MockParams) testdeps {
 		demultiplexerimpl.MockModule(),
 		fx.Supply(optional.NewNoneOption[rcservice.Component]()),
 		fx.Supply(optional.NewNoneOption[rcservicemrf.Component]()),
-		fetchonlyimpl.MockModule(),
+		createandfetchimpl.Module(),
 		fx.Supply(context.Background()),
 		taggermock.Module(),
 		fx.Provide(func(mock taggermock.Mock) tagger.Component {
@@ -166,7 +166,6 @@ func TestStartBothServersWithObservability(t *testing.T) {
 			req, err := http.NewRequest(http.MethodGet, url, nil)
 			require.NoError(t, err)
 
-			req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", authTokenValue))
 			resp, err := util.GetClient(false).Do(req)
 			require.NoError(t, err)
 			defer resp.Body.Close()

comp/api/api/apiimpl/security.go

@@ -7,16 +7,9 @@ package apiimpl
 
 import (
 	"crypto/subtle"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/pem"
 	"errors"
-	"fmt"
 	"net/http"
-	"runtime"
-	"strings"
 
-	"github.com/DataDog/datadog-agent/pkg/api/security"
 	"github.com/DataDog/datadog-agent/pkg/api/util"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
 )
@@ -44,44 +37,3 @@ func parseToken(token string) (interface{}, error) {
 	// type.
 	return struct{}{}, nil
 }
-
-func buildSelfSignedKeyPair(additionalHostIdentities ...string) ([]byte, []byte) {
-	hosts := []string{"127.0.0.1", "localhost", "::1"}
-	hosts = append(hosts, additionalHostIdentities...)
-	_, rootCertPEM, rootKey, err := security.GenerateRootCert(hosts, 2048)
-	if err != nil {
-		return nil, nil
-	}
-
-	// PEM encode the private key
-	rootKeyPEM := pem.EncodeToMemory(&pem.Block{
-		Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(rootKey),
-	})
-
-	// Create and return TLS private cert and key
-	return rootCertPEM, rootKeyPEM
-}
-
-func initializeTLS(additionalHostIdentities ...string) (*tls.Certificate, *x509.CertPool, error) {
-	// print the caller to identify what is calling this function
-	if _, file, line, ok := runtime.Caller(1); ok {
-		log.Infof("[%s:%d] Initializing TLS certificates for hosts %v", file, line, strings.Join(additionalHostIdentities, ", "))
-	}
-
-	cert, key := buildSelfSignedKeyPair(additionalHostIdentities...)
-	if cert == nil {
-		return nil, nil, errors.New("unable to generate certificate")
-	}
-	pair, err := tls.X509KeyPair(cert, key)
-	if err != nil {
-		return nil, nil, fmt.Errorf("unable to generate TLS key pair: %v", err)
-	}
-
-	tlsCertPool := x509.NewCertPool()
-	ok := tlsCertPool.AppendCertsFromPEM(cert)
-	if !ok {
-		return nil, nil, fmt.Errorf("unable to add new certificate to pool")
-	}
-
-	return &pair, tlsCertPool, nil
-}

comp/api/api/apiimpl/server.go

@@ -11,6 +11,7 @@ import (
 	stdLog "log"
 	"net"
 	"net/http"
+	"strconv"
 
 	"github.com/DataDog/datadog-agent/comp/api/api/apiimpl/observability"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
@@ -47,43 +48,23 @@ func (server *apiServer) startServers() error {
 		return fmt.Errorf("unable to get IPC address and port: %v", err)
 	}
 
-	additionalHostIdentities := []string{apiAddr}
-
-	ipcServerHost, ipcServerHostPort, ipcServerEnabled := getIPCServerAddressPort()
-	if ipcServerEnabled {
-		additionalHostIdentities = append(additionalHostIdentities, ipcServerHost)
-	}
-
-	tlsKeyPair, tlsCertPool, err := initializeTLS(additionalHostIdentities...)
-	if err != nil {
-		return fmt.Errorf("unable to initialize TLS: %v", err)
-	}
-
-	// tls.Config is written to when serving, so it has to be cloned for each server
-	tlsConfig := func() *tls.Config {
-		return &tls.Config{
-			Certificates: []tls.Certificate{*tlsKeyPair},
-			NextProtos:   []string{"h2"},
-			MinVersion:   tls.VersionTLS12,
-		}
-	}
-
 	tmf := observability.NewTelemetryMiddlewareFactory(server.telemetry)
 
 	// start the CMD server
 	if err := server.startCMDServer(
 		apiAddr,
-		tlsConfig(),
-		tlsCertPool,
 		tmf,
 		server.cfg,
 	); err != nil {
 		return fmt.Errorf("unable to start CMD API server: %v", err)
 	}
 
 	// start the IPC server
-	if ipcServerEnabled {
-		if err := server.startIPCServer(ipcServerHostPort, tlsConfig(), tmf); err != nil {
+	if ipcServerPort := server.cfg.GetInt("agent_ipc.port"); ipcServerPort > 0 {
+		ipcServerHost := server.cfg.GetString("agent_ipc.host")
+		ipcServerHostPort := net.JoinHostPort(ipcServerHost, strconv.Itoa(ipcServerPort))
+
+		if err := server.startIPCServer(ipcServerHostPort, tmf); err != nil {
 			// if we fail to start the IPC server, we should stop the CMD server
 			server.stopServers()
 			return fmt.Errorf("unable to start IPC API server: %v", err)

comp/api/api/apiimpl/server_cmd.go

@@ -7,8 +7,6 @@ package apiimpl
 
 import (
 	"context"
-	"crypto/tls"
-	"crypto/x509"
 	"fmt"
 	"net/http"
 	"time"
@@ -35,8 +33,6 @@ const cmdServerShortName string = "CMD"
 
 func (server *apiServer) startCMDServer(
 	cmdAddr string,
-	tlsConfig *tls.Config,
-	tlsCertPool *x509.CertPool,
 	tmf observability.TelemetryMiddlewareFactory,
 	cfg config.Component,
 ) (err error) {
@@ -54,7 +50,7 @@ func (server *apiServer) startCMDServer(
 	maxMessageSize := cfg.GetInt("cluster_agent.cluster_tagger.grpc_max_message_size")
 
 	opts := []grpc.ServerOption{
-		grpc.Creds(credentials.NewClientTLSFromCert(tlsCertPool, cmdAddr)),
+		grpc.Creds(credentials.NewTLS(server.authToken.GetTLSServerConfig())),
 		grpc.StreamInterceptor(grpc_auth.StreamServerInterceptor(authInterceptor)),
 		grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(authInterceptor)),
 		grpc.MaxRecvMsgSize(maxMessageSize),
@@ -79,11 +75,7 @@ func (server *apiServer) startCMDServer(
 		autodiscovery:       server.autoConfig,
 	})
 
-	dcreds := credentials.NewTLS(&tls.Config{
-		ServerName: cmdAddr,
-		RootCAs:    tlsCertPool,
-	})
-	dopts := []grpc.DialOption{grpc.WithTransportCredentials(dcreds)}
+	dopts := []grpc.DialOption{grpc.WithTransportCredentials(credentials.NewTLS(server.authToken.GetTLSClientConfig()))}
 
 	// starting grpc gateway
 	ctx := context.Background()
@@ -133,7 +125,7 @@ func (server *apiServer) startCMDServer(
 
 	srv := grpcutil.NewMuxedGRPCServer(
 		cmdAddr,
-		tlsConfig,
+		server.authToken.GetTLSServerConfig(),
 		s,
 		grpcutil.TimeoutHandlerFunc(cmdMuxHandler, time.Duration(pkgconfigsetup.Datadog().GetInt64("server_timeout"))*time.Second),
 	)

comp/api/api/apiimpl/server_ipc.go

@@ -6,7 +6,6 @@
 package apiimpl
 
 import (
-	"crypto/tls"
 	"net/http"
 	"time"
 
@@ -18,7 +17,7 @@ import (
 const ipcServerName string = "IPC API Server"
 const ipcServerShortName string = "IPC"
 
-func (server *apiServer) startIPCServer(ipcServerAddr string, tlsConfig *tls.Config, tmf observability.TelemetryMiddlewareFactory) (err error) {
+func (server *apiServer) startIPCServer(ipcServerAddr string, tmf observability.TelemetryMiddlewareFactory) (err error) {
 	server.ipcListener, err = getListener(ipcServerAddr)
 	if err != nil {
 		return err
@@ -39,7 +38,7 @@ func (server *apiServer) startIPCServer(ipcServerAddr string, tlsConfig *tls.Con
 	ipcServer := &http.Server{
 		Addr:      ipcServerAddr,
 		Handler:   http.TimeoutHandler(ipcMuxHandler, time.Duration(pkgconfigsetup.Datadog().GetInt64("server_timeout"))*time.Second, "timeout"),
-		TLSConfig: tlsConfig,
+		TLSConfig: server.authToken.GetTLSServerConfig(),
 	}
 
 	startServer(server.ipcListener, ipcServer, ipcServerName)