@matt-bathyscope
Contributor

This PR adds support for TLS in nginx using a self-signed certificate that's unique to each robot, along with additional changes needed for other components to work when TLS is enabled.

  • Moves the nginx config to /etc/blueos/nginx/ instead of the current tools path in the container so we have persistence.
  • Updates the bootstrap container's version-chooser reachability check to accept the self-signed cert so it doesn't kill the core container.
  • Adds a checkbox to the vehicle configuration wizard to enable the TLS feature.
  • Generates a certificate (when needed) that includes the alternate hostname(s) and IPs for the robot. This feature shells out to openssl to do the crypto operations, but attempts to mitigate any command injection risk by escaping parameters (like hostname) with the shlex.quote function. The cert and key files are stored alongside the nginx config.
  • There are two "template" nginx configs, one with TLS and one without, that are shipped with the core. The code moves the correct one into place depending on whether or not TLS should be enabled.

How to test this

  1. Manually choose the TLS-aware bootstrap and core images from CI (or from the correct tag on DockerHub)
  2. Re-run the vehicle setup wizard
  3. Check the Enable TLS box on the Customize step
  4. Complete the wizard
  5. Navigate to https://<your robot hostname>
  6. Accept the cert warning
  7. You should have TLS now
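
The certificate-generation step described above, as an added example that is not code from this PR or from the project: it validates each hostname and IP before it reaches openssl, because shlex.quote only neutralises shell metacharacters and a comma inside a name would still be read by openssl as an extra subjectAltName entry. The function names, the RSA key size and the validity period are assumptions; `-addext` needs OpenSSL 1.1.1 or later.

```python
import ipaddress
import re
import shlex

# One RFC 1123 label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def valid_hostname(name: str) -> bool:
    """True only for plain DNS names; rejects spaces, commas, quotes, newlines."""
    return 0 < len(name) <= 253 and all(_LABEL.fullmatch(p) for p in name.split("."))


def build_san(hostnames, ips) -> str:
    """Build the subjectAltName value from validated DNS names and IP addresses."""
    entries = []
    for host in hostnames:
        if not valid_hostname(host):
            raise ValueError(f"invalid hostname: {host!r}")
        entries.append(f"DNS:{host}")
    for ip in ips:
        # ip_address() raises ValueError on anything that is not an IPv4/IPv6 literal.
        entries.append(f"IP:{ipaddress.ip_address(ip)}")
    if not entries:
        raise ValueError("at least one hostname or IP is required")
    return ",".join(entries)


def openssl_argv(hostnames, ips, key_path, cert_path, days=365):
    """argv list for subprocess.run(argv, check=True); no shell is involved."""
    san = build_san(hostnames, ips)  # validate before anything else is used
    common_name = hostnames[0] if hostnames else str(ips[0])
    return [
        "openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
        "-keyout", key_path, "-out", cert_path, "-days", str(days),
        "-subj", f"/CN={common_name}",
        "-addext", f"subjectAltName={san}",
    ]


def openssl_shell_command(hostnames, ips, key_path, cert_path, days=365) -> str:
    """The same command as a single shell string, every argument shlex-quoted."""
    argv = openssl_argv(hostnames, ips, key_path, cert_path, days)
    return " ".join(shlex.quote(arg) for arg in argv)
```

Passing the argv list straight to subprocess.run avoids the shell entirely; the quoted string form is only needed where a shell command line is unavoidable.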

@CLAassistant

CLAassistant commented Jun 16, 2024

CLA assistant check
All committers have signed the CLA.

Member

@patrickelectric patrickelectric left a comment

I'll check it more deeply during the week

@patrickelectric patrickelectric added the merge-after-stable Should be merged only after next stable release label Jun 19, 2024
@patrickelectric
Member

Hi @matt-bathyscope, can you sign the CLA?

@matt-bathyscope
Contributor Author

Closing this one as there is an updated/rebased PR #3389
