[#5] don't skip tls checks

lavocatt · Msarawan · commit 9d037df70e8f · 2025-02-24T21:11:07.000+05:30
The jolokia api server will now check the the TLS cert of the broker
when the connection is secured. In order to do so, at deploy time, a
cluster issuer gets created by the script. This cluster issuer needs to
be used to generate the cert the broker would use for its console.

An example for a broker called ex-aao within the default namespace would
be:

```
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ex-aao-console-certificate-cert
  namespace: default
spec:
  secretName: ex-aao-console-certificate-cert-secret
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048

  isCA: false

  commonName: ex-aao-console-cert

  dnsNames:
    - ex-aao-wconsj-0-svc-rte-default.apps-crc.testing
    - ex-aao-wconsj-0-svc.default
  issuerRef:
    name: jolokia-api-server-selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io
```

When running in dev mode, if the broker is secured by TLS you'll also
need the trust bundle to connect to it. To do so checkout the README
instructions.
diff --git a/.env b/.env
@@ -1,4 +1,3 @@
-
 PLUGIN_VERSION=0.1.2
 PLUGIN_NAME='ActiveMQ Artemis Jolokia api-server'
 
@@ -9,13 +8,3 @@ SERVER_KEY=/var/serving-cert/tls.key
 # logging
 LOG_LEVEL='info'
 ENABLE_REQUEST_LOG='false'
-
-# security
-
-# replace the token in production deployment
-SECRET_ACCESS_TOKEN=1e13d44f998dee277deae621a9012cf300b94c91
-
-API_SERVER_SECURITY_ENABLED=true
-API_SERVER_SECURITY_AUTH_TYPE=jwt
-USERS_FILE_URL=.users.json
-ENDPOINTS_FILE_URL=.endpoints.json
diff --git a/README.md b/README.md
@@ -9,7 +9,67 @@ supported.
 
 ## Dev setup
 
+### Create the cluster issuer
+
+To allow the jolokia api server to trust the broker in case the broker is using
+a TLS secured connection, you'll need to have a trust bundle to load. The trust
+bundle will come from a cluster issuer that is also used to issue certs for the
+broker.
+
+One way to obtain this cluster issuer correctly configured is to deploy the
+upstream's jolokia api server to your cluster regardless to the fact that you
+may also run it locally alongside the bridge when developing locally.
+
+To do that follow the section about deploying.
+
+#### using the cluster issuer to secure the connection
+
+The cluster issuer needs to be used to generate the cert the broker would use
+for its console.
+
+An example for a broker called ex-aao within the myproject namespace would
+be:
+
+> [!NOTE]
+> you need to adapt the domain name in the CR with the one of your cluster. One
+> way to obtain it is to this one liner:
+> `oc get -n openshift-ingress-operator ingresscontroller/default -o json | jq '.status.domain'`
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ex-aao-console-certificate-cert
+  namespace: myproject
+spec:
+  secretName: ex-aao-console-certificate-cert-secret
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+
+  isCA: false
+
+  commonName: ex-aao-console-cert
+
+  dnsNames:
+    - ex-aao-wconsj-0-svc-rte-default.mydomain.tld
+    - ex-aao-wconsj-0-svc.default
+  issuerRef:
+    name: jolokia-api-server-selfsigned-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
 ```
+
+### Build and start
+
+If you have followed the previous step, you need to download the trust bundle so
+that your dev env has access to it and can connect to a TLS broker.
+
+```sh
+cd trust
+./download-ca.sh -c jolokia-api-server-selfsigned-issuer
+cd ..
 yarn build
 yarn start
 ```
@@ -19,7 +79,7 @@ yarn start
 After updating the `openapi.yml` file, please make sure to generate the
 documentation:
 
-```
+```sh
 yarn run build-api-doc
 ```
 
@@ -51,15 +111,6 @@ deployed. for example:
 
 The optional -ns (or --nosec) argument can be used to disable security.
 
----
-
-**Note:**
-
-you should enable security in your application. Disable security can only
-be used for test purposes.
-
----
-
 The `deploy.sh` script uses `oc kustomize` (built-in
 [kustomize](https://github.com/kubernetes-sigs/kustomize)) command to configure
 and deploy the plugin using resources and patches defined under ./deploy
@@ -71,60 +122,21 @@ To undeploy, run
 ./undeploy.sh
 ```
 
-### Notes about the JWT secret
-
-The api server uses SECRET_ACCESS_TOKEN env var to get the secret for generating
-jwt tokens. It has a default value in .env for dev purposes.
-
-In production you should override it with your own secret.
-
-The jwt-key-gen.sh is a tool to generate a random key and used in Dockerfile.
-It makes sure when you build the api server image a new random key is used.
-
-## Security Model of the API Server
-
-The API Server provides a security model that provides authentication and authorization of incoming clients.
-The security can be enabled/disabled (i.e. via `API_SERVER_SECURITY_ENABLED` env var)
-
-### Authentication
-
-Currently the api server support `jwt` token authentication.
-
-#### The login api
-
-The login api is defined in openapi.yml
-
-```yaml
-/server/login
-```
-
-A client logs in to an api server by sending a POST request to the login path. The request body contains login information (i.e. username and password for jwt authentication type)
-
-Please refer to [api.md](api.md) for details of the log api.
-
-Currently the security manager uses local file to store user's info. The default users file name is `.users.json`
-The users file name can be configured using `USERS_FILE_URL` env var. See `.test.users.json` for sample values.
-
-### Authorization
-
-Currently the api server doesn't perform authorization on logged in users.
-
-### Endpoints Management
-
-The server keeps a list of jolokia endpoints for clients to access. The endpoints are loaded from a local file named
-`.endpoints.json`. Each top level entry represents a jolokia endpoint. An entry has a unique name and details to access the jolokia api. See `.test.endpoints.json` for sample values.
-
 ### Accessing a jolokia endpoint
 
-When an authenticated client sends a request to the api-server, it should present its token in the request header
+When an authenticated client sends a request to the api-server, it should
+present its token in the request header.
 
-    'Authorization: Bearer `token`'
+'Authorization: Bearer `token`'
 
-It also need to give the `targetEndpoint` in the query part of the request if the request is to access an jolokia endpoint.
+It also need to give the `targetEndpoint` in the query part of the request if
+the request is to access an jolokia endpoint.
 
 For example `/execBrokerOperation?targetEndpoint=broker1`.
 
 ### Direct Proxy
 
-Direct Proxy means a client can pass a broker's endpoint info to the api-server in order to access it via the api-server.
-For example the [self-provisioning plugin](https://github.com/artemiscloud/activemq-artemis-self-provisioning-plugin) uses this api to access the jolokia of a broker's jolokia endpoint.
+Direct Proxy means a client can pass a broker's endpoint info to the api-server
+in order to access it via the api-server. For example the [self-provisioning
+plugin](https://github.com/arkmq-org/activemq-artemis-self-provisioning-plugin)
+uses this api to access the jolokia of a broker's jolokia endpoint.
diff --git a/deploy.sh b/deploy.sh
@@ -35,5 +35,37 @@ while [[ $# -gt 0 ]]; do
   esac
 done
 
+# find the cert-manager operator namespace, if this can't be retrived there's no
+# possibility to proceed
+certManagerNamespace=$(oc get Subscriptions --all-namespaces -ojson | jq -r '.items[] | select(.spec.name == "cert-manager") | .metadata.namespace')
+if test -z "$certManagerNamespace"
+then
+      echo "cert-manager's namespace can't be determined, check that it is installed"
+      oc get Subscriptions --all-namespaces
+      exit 1
+fi
+echo "cert-manager's namespace: $certManagerNamespace"
+
+# retrieve the cluster domain to produce a valid cluster issuer
+clusterDomain=$(oc get -n openshift-ingress-operator ingresscontroller/default -o json | jq -r '.status.domain')
+if test -z "$certManagerNamespace"
+then
+      echo "The cluster domain can't be retrived"
+      exit 1
+fi
+echo "cluster domain: $clusterDomain"
+
 echo "deploying using image: ${API_SERVER_IMAGE}"
-oc kustomize deploy | sed "s|image: .*|image: ${API_SERVER_IMAGE}|" | oc apply -f -
+oc kustomize deploy \
+    | sed "s|image: .*|image: ${API_SERVER_IMAGE}|" \
+    | sed "s|- issuer.mydomain.tld|- issuer.${clusterDomain}|" \
+    | oc apply -f -
+
+
+while ! kubectl get secret jolokia-api-server-selfsigned-ca-cert-secret   --namespace openshift-operators; do echo "Waiting for the CA"; sleep 1; done
+# copy the secret from the cert-manager namespace to the jolokia api server
+# namespace
+oc get secret jolokia-api-server-selfsigned-ca-cert-secret \
+    --namespace=openshift-operators -oyaml \
+    | sed s/"namespace: ${certManagerNamespace}"/"namespace: activemq-artemis-jolokia-api-server"/\ \
+    | kubectl apply -n activemq-artemis-jolokia-api-server -f -
diff --git a/deploy/cluster-issuer.yaml b/deploy/cluster-issuer.yaml
@@ -0,0 +1,33 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: jolokia-api-server-selfsigned-root-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: jolokia-api-server-selfsigned-ca-cert
+  namespace: openshift-operators
+spec:
+  isCA: true
+  commonName: jolokia-api-server-selfsigned-ca-cert
+  secretName: jolokia-api-server-selfsigned-ca-cert-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  dnsNames:
+    - issuer.mydomain.tld
+  issuerRef:
+    name: jolokia-api-server-selfsigned-root-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: jolokia-api-server-selfsigned-issuer
+spec:
+  ca:
+    secretName: jolokia-api-server-selfsigned-ca-cert-secret
diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
@@ -18,6 +18,9 @@ spec:
       containers:
         - name: activemq-artemis-jolokia-api-server
           image: quay.io/arkmq-org/activemq-artemis-jolokia-api-server:latest
+          env:
+            - name: NODE_EXTRA_CA_CERTS
+              value: '/var/jolokia-api-server-selfsigned-ca-cert-secret/ca.crt'
           ports:
             - containerPort: 9443
               protocol: TCP
@@ -38,11 +41,18 @@ spec:
             - name: plugin-serving-cert
               readOnly: true
               mountPath: /var/serving-cert
+            - name: jolokia-api-server-selfsigned-ca-cert-secret
+              readOnly: true
+              mountPath: /var/jolokia-api-server-selfsigned-ca-cert-secret
       volumes:
         - name: plugin-serving-cert
           secret:
             secretName: plugin-serving-cert
             defaultMode: 420
+        - name: jolokia-api-server-selfsigned-ca-cert-secret
+          secret:
+            secretName: jolokia-api-server-selfsigned-ca-cert-secret
+            defaultMode: 420
       restartPolicy: Always
       dnsPolicy: ClusterFirst
   strategy:
diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml
@@ -1,6 +1,5 @@
-namespace: activemq-artemis-jolokia-api-server
-
 resources:
   - namespace.yaml
+  - cluster-issuer.yaml
   - deployment.yaml
   - service.yaml
diff --git a/package.json b/package.json
@@ -18,7 +18,7 @@
     "format:all": "prettier --config ./.prettierrc.yml --write './src/**/*'",
     "lint": "yarn eslint src --fix && stylelint \"src/**/*.css\" --allow-empty-input --fix",
     "prepare": "husky install",
-    "start": "node ./dist/app.js",
+    "start": "NODE_EXTRA_CA_CERTS=./trust/ca.crt node ./dist/app.js",
     "test": "NODE_TLS_REJECT_UNAUTHORIZED=0 TZ=UTC jest --runInBand",
     "test:coverage": "yarn run test --watch=false --coverage",
     "test:generate-output": "yarn test -- --json --outputFile=.jest-test-results.json",
diff --git a/src/api/apiutil/artemis_jolokia.ts b/src/api/apiutil/artemis_jolokia.ts
@@ -1,7 +1,6 @@
 import { logger } from '../../utils/logger';
 import { AuthOptions } from '../../utils/security_util';
 import fetch from 'node-fetch';
-import https from 'https';
 
 // search the broker
 const brokerSearchPattern = 'org.apache.activemq.artemis:broker=*';
@@ -122,12 +121,6 @@ export class ArtemisJolokia {
       headers: headers,
     };
 
-    if (reqUrl.startsWith('https')) {
-      authOpts['agent'] = new https.Agent({
-        rejectUnauthorized: false,
-      });
-    }
-
     authOpts.headers.set('Authorization', 'Bearer ' + token);
     return authOpts;
   }
@@ -169,6 +162,10 @@ export class ArtemisJolokia {
       .then((message) => {
         const resp: JolokiaResponseType = JSON.parse(message);
         return resp.value;
+      })
+      .catch((err) => {
+        logger.error(err);
+        throw err;
       });
 
     return reply;
@@ -211,6 +208,7 @@ export class ArtemisJolokia {
         return resp.value;
       })
       .catch((err) => {
+        logger.error(err);
         throw err;
       });
 
@@ -251,6 +249,7 @@ export class ArtemisJolokia {
         return jsonObj as JolokiaExecResponse;
       })
       .catch((err) => {
+        logger.error(err);
         throw err;
       });
 
@@ -287,6 +286,7 @@ export class ArtemisJolokia {
         return resp;
       })
       .catch((err) => {
+        logger.error(err);
         throw err;
       });
     return reply;
diff --git a/trust/.gitignore b/trust/.gitignore
@@ -0,0 +1 @@
+ca.crt
diff --git a/trust/download-ca.sh b/trust/download-ca.sh
diff --git a/undeploy.sh b/undeploy.sh
