From dbc06d430fa3e6ca6cc8289e17c21da875842b1b Mon Sep 17 00:00:00 2001 From: mmetc <92726601+mmetc@users.noreply.github.com> Date: Mon, 19 Dec 2022 09:50:42 +0100 Subject: [PATCH] docker: separate CLIENT_* and LAPI_* variables for tls certificates (#1931) --- Dockerfile | 14 +++++++- Dockerfile.debian | 14 +++++++- docker/README.md | 11 +++--- docker/config.yaml | 2 -- docker/docker_start.sh | 78 +++++++++++++++++++++++++----------------- 5 files changed, 80 insertions(+), 39 deletions(-) diff --git a/Dockerfile b/Dockerfile index b1a35e399..f6e39cc80 100644 --- a/Dockerfile +++ b/Dockerfile @@ -32,7 +32,7 @@ COPY --from=build /usr/local/bin/cscli /usr/local/bin/cscli COPY --from=build /go/src/crowdsec/docker/docker_start.sh / COPY --from=build /go/src/crowdsec/docker/config.yaml /staging/etc/crowdsec/config.yaml -# NOTE: setting default values here will overwrite the ones set in config.yaml +# NOTE: setting default values here would overwrite the ones set in config.yaml # every time the container is started. We set the default in docker/config.yaml # and document them in docker/README.md, but keep the variables empty here. @@ -68,11 +68,23 @@ ENV AGENT_PASSWORD= # TLS setup ----------------------------------- # ENV USE_TLS=false + +ENV LAPI_CACERT_FILE= +ENV LAPI_CERT_FILE= +ENV LAPI_KEY_FILE= + +ENV CLIENT_CACERT_FILE= +ENV CLIENT_CERT_FILE= +ENV CLIENT_KEY_FILE= + +# deprecated in favor of LAPI_* ENV CACERT_FILE= ENV CERT_FILE= ENV KEY_FILE= + # comma-separated list of allowed OU values for TLS bouncer certificates ENV BOUNCERS_ALLOWED_OU= + # comma-separated list of allowed OU values for TLS agent certificates ENV AGENTS_ALLOWED_OU= diff --git a/Dockerfile.debian b/Dockerfile.debian index faebeb860..cb80551bd 100644 --- a/Dockerfile.debian +++ b/Dockerfile.debian 
@@ -46,7 +46,7 @@ COPY --from=build /go/src/crowdsec/docker/docker_start.sh / COPY --from=build /go/src/crowdsec/docker/config.yaml /staging/etc/crowdsec/config.yaml RUN yq eval -i ".plugin_config.group = \"nogroup\"" /staging/etc/crowdsec/config.yaml -# NOTE: setting default values here will overwrite the ones set in config.yaml +# NOTE: setting default values here would overwrite the ones set in config.yaml # every time the container is started. We set the default in docker/config.yaml # and document them in docker/README.md, but keep the variables empty here. @@ -82,11 +82,23 @@ ENV AGENT_PASSWORD= # TLS setup ----------------------------------- # ENV USE_TLS=false + +ENV LAPI_CACERT_FILE= +ENV LAPI_CERT_FILE= +ENV LAPI_KEY_FILE= + +ENV CLIENT_CACERT_FILE= +ENV CLIENT_CERT_FILE= +ENV CLIENT_KEY_FILE= + +# deprecated in favor of LAPI_* ENV CACERT_FILE= ENV CERT_FILE= ENV KEY_FILE= + # comma-separated list of allowed OU values for TLS bouncer certificates ENV BOUNCERS_ALLOWED_OU= + # comma-separated list of allowed OU values for TLS agent certificates ENV AGENTS_ALLOWED_OU= diff --git a/docker/README.md b/docker/README.md index 717c6e6fa..3b68352de 100644 --- a/docker/README.md +++ b/docker/README.md 
@@ -226,16 +226,19 @@ Using binds rather than named volumes ([complete explanation here](https://docs. | | | | | __TLS Auth/encryption | | | | `USE_TLS` | false | Enable TLS on the LAPI | -| `CERT_FILE` | /etc/ssl/cert.pem | TLS Certificate path | -| `KEY_FILE` | /etc/ssl/key.pem | TLS Key path | -| `CACERT_FILE` | | CA certificate bundle | +| `CLIENT_CERT_FILE` | /etc/ssl/cert.pem | Client TLS Certificate path | +| `CLIENT_KEY_FILE` | /etc/ssl/key.pem | Client TLS Key path | +| `CLIENT_CACERT_FILE` | | Client CA certificate bundle | +| `LAPI_CERT_FILE` | /etc/ssl/cert.pem | LAPI TLS Certificate path | +| `LAPI_KEY_FILE` | /etc/ssl/key.pem | LAPI TLS Key path | +| `LAPI_CACERT_FILE` | | LAPI CA certificate bundle | | `AGENTS_ALLOWED_OU` | agent-ou | OU values allowed for agents, separated by comma | | `BOUNCERS_ALLOWED_OU` | bouncer-ou | OU values allowed for bouncers, separated by comma | | | | | | __Hub management__ | | | | `COLLECTIONS` | | Collections to install, separated by space: `-e COLLECTIONS="crowdsecurity/linux crowdsecurity/apache2"` | -| `SCENARIOS` | | Scenarios to install, separated by space | | `PARSERS` | | Parsers to install, separated by space | +| `SCENARIOS` | | Scenarios to install, separated by space | | `POSTOVERFLOWS` | | Postoverflows to install, separated by space | | `DISABLE_COLLECTIONS` | | Collections to remove, separated by space: `-e DISABLE_COLLECTIONS="crowdsecurity/linux crowdsecurity/nginx"` | | `DISABLE_PARSERS` | | Parsers to remove, separated by space | diff --git a/docker/config.yaml b/docker/config.yaml index 33d53e7cd..8c62b3cb1 100644 --- a/docker/config.yaml +++ b/docker/config.yaml @@ -43,8 +43,6 @@ api: online_client: # Central API credentials (to push signals and receive bad IPs) #credentials_path: /etc/crowdsec/online_api_credentials.yaml tls: - cert_file: /etc/ssl/cert.pem - key_file: /etc/ssl/key.pem agents_allowed_ou: - agent-ou bouncers_allowed_ou: 
diff --git a/docker/docker_start.sh b/docker/docker_start.sh index ae7a28beb..d9c375114 100755 --- a/docker/docker_start.sh +++ b/docker/docker_start.sh @@ -90,6 +90,17 @@ cscli_if_clean() { #-----------------------------------# +if [ -n "$CERT_FILE" ] || [ -n "$KEY_FILE" ] || [ -n "$CACERT_FILE" ]; then + printf '%b' '\033[0;33m' + echo "Warning: the variables CERT_FILE, KEY_FILE and CACERT_FILE have been deprecated." >&2 + echo "Please use LAPI_CERT_FILE, LAPI_KEY_FILE and LAPI_CACERT_FILE insted." >&2 + echo "The old variables will be removed in a future release." >&2 + printf '%b' '\033[0m' + LAPI_CERT_FILE=${LAPI_CERT_FILE:-$CERT_FILE} + LAPI_KEY_FILE=${LAPI_KEY_FILE:-$KEY_FILE} + LAPI_CACERT_FILE=${LAPI_CACERT_FILE:-$CACERT_FILE} +fi + # Check and prestage databases for geodb in GeoLite2-ASN.mmdb GeoLite2-City.mmdb; do # We keep the pre-populated geoip databases in /staging instead of /var, 
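Review bot: The compatibility shim maps the deprecated CERT_FILE, KEY_FILE and CACERT_FILE only onto LAPI_*, but before this change those same variables also populated the agent's credentials file (cert_path/key_path/ca_cert_path in the next hunk of this file), which now reads CLIENT_* and otherwise falls back to fixed paths under /etc/ssl/crowdsec-client; a deployment that still sets the old variables for mutual TLS therefore silently changes which client certificate it presents. Unless that is intended, add `CLIENT_CERT_FILE=${CLIENT_CERT_FILE:-$CERT_FILE}`, `CLIENT_KEY_FILE=${CLIENT_KEY_FILE:-$KEY_FILE}` and `CLIENT_CACERT_FILE=${CLIENT_CACERT_FILE:-$CACERT_FILE}` next to the LAPI_* fallbacks and mention CLIENT_* in the warning text. The two `printf '%b'` colour escapes are written to stdout while the three messages between them go to stderr, so the codes leak into stdout whenever stderr is captured separately; append `>&2` to both printf lines. The second message misspells "instead" as `insted`. The fallback assignments also assume the LAPI_* names are already exported so that yq's `strenv()` further down the file can read them, which holds while the image's ENV lines are in effect but not if the script is ever run on its own.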
@@ -122,37 +133,39 @@ elif [ -n "$USE_WAL" ] && isfalse "$USE_WAL"; then conf_set '.db_config.use_wal = false' fi -# regenerate local agent credentials (ignore if agent is disabled) -if isfalse "$DISABLE_AGENT"; then - if isfalse "$DISABLE_LOCAL_API"; then - echo "Regenerate local agent credentials" - cscli machines delete "$CUSTOM_HOSTNAME" 2>/dev/null || true - cscli machines add "$CUSTOM_HOSTNAME" --auto --url "$LOCAL_API_URL" - fi +# regenerate local agent credentials (even if agent is disabled, cscli needs a +# connection to the API) +cscli machines delete "$CUSTOM_HOSTNAME" 2>/dev/null || true +if isfalse "$DISABLE_LOCAL_API" && isfalse "$USE_TLS"; then + echo "Regenerate local agent credentials" + cscli machines add "$CUSTOM_HOSTNAME" --auto --url "$LOCAL_API_URL" +fi - lapi_credentials_path=$(conf_get '.api.client.credentials_path') +lapi_credentials_path=$(conf_get '.api.client.credentials_path') - # we only use the envvars that are actually defined - # in case of persistent configuration +# we only use the envvars that are actually defined +# in case of persistent configuration +conf_set ' + with(select(strenv(LOCAL_API_URL)!=""); .url = strenv(LOCAL_API_URL)) | + with(select(strenv(AGENT_USERNAME)!=""); .login = strenv(AGENT_USERNAME)) | + with(select(strenv(AGENT_PASSWORD)!=""); .password = strenv(AGENT_PASSWORD)) + ' "$lapi_credentials_path" + +if istrue "$USE_TLS"; then conf_set ' - with(select(strenv(LOCAL_API_URL)!=""); .url = strenv(LOCAL_API_URL)) | - with(select(strenv(AGENT_USERNAME)!=""); .login = strenv(AGENT_USERNAME)) | - with(select(strenv(AGENT_PASSWORD)!=""); .password = strenv(AGENT_PASSWORD)) - ' "$lapi_credentials_path" - - if istrue "$USE_TLS"; then - conf_set ' - with(select(strenv(CACERT_FILE)!=""); .ca_cert_path = strenv(CACERT_FILE)) | - with(select(strenv(KEY_FILE)!=""); .key_path = strenv(KEY_FILE)) | - with(select(strenv(CERT_FILE)!=""); .cert_path = strenv(CERT_FILE)) - ' "$lapi_credentials_path" - else - conf_set ' - 
del(.ca_cert_path) | - del(.key_path) | - del(.cert_path) - ' "$lapi_credentials_path" - fi + with(select(strenv(CLIENT_CACERT_FILE)!=""); .ca_cert_path = strenv(CLIENT_CACERT_FILE)) | + with(select(.ca_cert_path=="" or .ca_cert_path==null); .ca_cert_path = "/etc/ssl/crowdsec-client/ca.pem") | + with(select(strenv(CLIENT_KEY_FILE)!=""); .key_path = strenv(CLIENT_KEY_FILE)) | + with(select(.key_path=="" or .key_path==null); .key_path = "/etc/ssl/crowdsec-client/key.pem") | + with(select(strenv(CLIENT_CERT_FILE)!=""); .cert_path = strenv(CLIENT_CERT_FILE)) | + with(select(.cert_path=="" or .cert_path==null); .cert_path = "/etc/ssl/crowdsec-client/cert.pem") + ' "$lapi_credentials_path" +else + conf_set ' + del(.ca_cert_path) | + del(.key_path) | + del(.cert_path) + ' "$lapi_credentials_path" fi if isfalse "$DISABLE_LOCAL_API"; then 
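Review bot: The client-side fallbacks hard-code `/etc/ssl/crowdsec-client/{ca,key,cert}.pem` inside the yq expression, while the README hunk in this same commit documents the CLIENT_* defaults as `/etc/ssl/cert.pem` and `/etc/ssl/key.pem`, the values config.yaml just stopped shipping; one of the two needs to change, and the LAPI block in the following hunk has the same mismatch between its documented defaults and the `/etc/ssl/crowdsec-lapi/...` paths in code. Separately, `cscli machines delete "$CUSTOM_HOSTNAME" 2>/dev/null || true` now runs unconditionally with its errors discarded, including when DISABLE_LOCAL_API is true, and with USE_TLS the entry is removed without being re-added since `cscli machines add` only runs in the non-TLS local case. If that is deliberate because a TLS agent authenticates by certificate alone, the comment above the delete should say so, e.g. `# with USE_TLS the agent authenticates by certificate, so no machine entry is recreated`; otherwise the delete should be guarded the same way the add is.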
@@ -204,9 +217,12 @@ if istrue "$USE_TLS"; then agents_allowed_yaml=$(csv2yaml "$AGENTS_ALLOWED_OU") \ bouncers_allowed_yaml=$(csv2yaml "$BOUNCERS_ALLOWED_OU") \ conf_set ' - with(select(strenv(CACERT_FILE)!=""); .api.server.tls.ca_cert_path = strenv(CACERT_FILE)) | - with(select(strenv(CERT_FILE)!=""); .api.server.tls.cert_file = strenv(CERT_FILE)) | - with(select(strenv(KEY_FILE)!=""); .api.server.tls.key_file = strenv(KEY_FILE)) | + with(select(strenv(LAPI_CACERT_FILE)!=""); .api.server.tls.ca_cert_path = strenv(LAPI_CACERT_FILE)) | + with(select(.api.server.tls.ca_cert_path=="" or .api.server.tls.ca_cert_path==null); .api.server.tls.ca_cert_path = "/etc/ssl/crowdsec-lapi/ca.pem") | + with(select(strenv(LAPI_CERT_FILE)!=""); .api.server.tls.cert_file = strenv(LAPI_CERT_FILE)) | + with(select(.api.server.tls.cert_file=="" or .api.server.tls.cert_file==null); .api.server.tls.cert_file = "/etc/ssl/crowdsec-lapi/cert.pem") | + with(select(strenv(LAPI_KEY_FILE)!=""); .api.server.tls.key_file = strenv(LAPI_KEY_FILE)) | + with(select(.api.server.tls.key_file=="" or .api.server.tls.key_file==null); .api.server.tls.key_file = "/etc/ssl/crowdsec-lapi/key.pem") | with(select(strenv(BOUNCERS_ALLOWED_OU)!=""); .api.server.tls.bouncers_allowed_ou = env(bouncers_allowed_yaml)) | with(select(strenv(AGENTS_ALLOWED_OU)!=""); .api.server.tls.agents_allowed_ou = env(agents_allowed_yaml)) | ... comments=""