[issue 76] optional Certificates for mTLS configuration (#78)
* support mtls as optional configuration

* add tests for client mTLS

* fix file path

* better naming for client cert/key

* add mTLS enforcement to storer, add test case for client certificate enforcement
h0nIg authored Jun 23, 2022
1 parent 7ef902f commit 132efe5
Showing 8 changed files with 108 additions and 3 deletions.
10 changes: 8 additions & 2 deletions jobs/syslog_forwarder/spec
@@ -5,6 +5,8 @@ templates:
blackbox_ctl.erb: bin/blackbox_ctl
blackbox_config.yml.erb: config/blackbox_config.yml
ca_cert.pem.erb: config/ca_cert.pem
client.crt.erb: config/client.crt
client.key.erb: config/client.key
drain.erb: bin/drain
pre-start.erb: bin/pre-start
syslog-release.conf.erb: config/syslog-release.conf
@@ -103,7 +105,7 @@ properties:
default: false

syslog.tls_enabled:
description: Set this to true to enable TLS.
description: Set this to true to enable TLS / mTLS.
default: false
syslog.permitted_peer:
description: >
@@ -113,13 +115,17 @@ properties:
example: "*.papertrail.com"
syslog.ca_cert:
description: |
Trusted CAs. Necessary if TLS is enabled
Trusted CAs. Necessary if TLS / mTLS is enabled
AND signing CA is not present in instance cert store.
Overrides instance cert store if set.
example: |
-----BEGIN CERTIFICATE-----
MIIClTCCAf4CCQDc6hJtvGB8RjANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UEBhMC...
-----END CERTIFICATE-----
syslog.client_cert:
description: Client certificate for syslog forwarding over mTLS
syslog.client_key:
description: Client key for syslog forwarding over mTLS
syslog.queue_file_name:
description: Spill to disk if queue is full.
default: agg_backlog
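Review bot: The new `syslog.client_cert` / `syslog.client_key` descriptions at the end of the third hunk do not say that the two must be supplied together, nor that the key is a secret, yet the forwarder's rsyslog template in this same commit guards them with `if_p('syslog.client_cert', 'syslog.client_key')`, which as far as I can tell renders the client certificate only when both are present — so an operator who sets one of them gets a silent downgrade to one-way TLS. I would document them in the same style as `syslog.ca_cert`: `description: PEM-encoded client certificate presented to the syslog server for mTLS. Must be set together with syslog.client_key; if only one is set, no client certificate is sent.` and for the key `description: PEM-encoded private key for syslog.client_cert (a secret; supply it from a variable/credential store). Must be set together with syslog.client_cert.` The `syslog.tls_enabled` text could also state that mTLS is only attempted when both client properties are given, since `tls_enabled: true` alone does not switch it on.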
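--- /dev/null
+++ b/jobs/syslog_forwarder/templates/client.crt.erb
@@ -0,0 +1 @@
+<% if_p('syslog.client_cert') do |v| %><%= v %><% end %>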
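--- /dev/null
+++ b/jobs/syslog_forwarder/templates/client.key.erb
@@ -0,0 +1 @@
+<% if_p('syslog.client_key') do |v| %><%= v %><% end %>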
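Review bot: This template writes a private key to config/client.key, but nothing in the commit restricts the rendered file's mode or owner; if BOSH's default for rendered templates applies (0640 root:vcap, as far as I recall), the key is readable by every process in the vcap group on the instance. A `chmod 0600 /var/vcap/jobs/syslog_forwarder/config/client.key` in pre-start, with ownership set to whatever user rsyslog runs as here (not visible in this commit), would limit that. When the property is absent the file is rendered empty rather than omitted; that is harmless only because the rsyslog template references it solely when both client properties are set, which is worth a one-line comment in the spec so the coupling is not lost.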
@@ -72,6 +72,10 @@ $ActionQueueType LinkedList # Allocate on-demand
%>

$DefaultNetstreamDriverCAFile <%= ca_cert_path %> # trust these CAs
<% if_p('syslog.client_cert', 'syslog.client_key') do %>
$DefaultNetstreamDriverCertFile /var/vcap/jobs/syslog_forwarder/config/client.crt
$DefaultNetstreamDriverKeyFile /var/vcap/jobs/syslog_forwarder/config/client.key
<% end %>
$ActionSendStreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS
$ActionSendStreamDriverAuthMode x509/name # authenticate by hostname
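Review bot: The `if_p('syslog.client_cert', 'syslog.client_key')` guard emits the certificate and key directives only when both properties are set, so an operator who supplies one of them (or mistypes one name) silently gets a plain TLS connection instead of mTLS, with no error at deploy time. Since the storer can now be configured to require a client certificate, I would fail the render instead, just before the guard: `<% if p('syslog.client_cert', nil).nil? != p('syslog.client_key', nil).nil? %><% raise 'syslog.client_cert and syslog.client_key must be set together' %><% end %>`. A small style point: the CA file path comes from the `ca_cert_path` variable while the client certificate and key use hard-coded absolute paths; deriving all three the same way keeps the template consistent. This section's file header is not in view — from the directives and the diffstat it appears to be the forwarder's rsyslog.conf.erb — and the ERB block closed by the `%>` on the hunk's first line starts before the hunk.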
4 changes: 4 additions & 0 deletions jobs/syslog_storer/spec
@@ -37,6 +37,10 @@ properties:
syslog.tls.private_key:
description: >
Key of the CA that will be used to serve syslog server.
syslog.tls.authmode:
default: anon
description: >
Authentication mode that will be used to validate mTLS certificates.

syslog.max_message_size:
default: 8k
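Review bot: The `syslog.tls.authmode` description neither lists the accepted values nor says what the default does: with `anon` (the default) rsyslog's gtls driver requests no client certificate and validates nothing, so a storer deployed with defaults performs no client authentication even though the text speaks of "validating mTLS certificates". I would write it as a block scalar along the lines of `Client authentication mode for the gtls listener: anon (default; no client certificate required), x509/fingerprint, x509/certvalid (require a certificate chaining to the configured CA) or x509/name.` and add that `x509/name` additionally needs a permitted-peer list that this job does not currently expose (the storer's rsyslog.conf.erb hunk in this commit sets no PermittedPeer). Saying that an unrecognised value is passed to rsyslog verbatim and only fails at listener start-up would also help operators.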
2 changes: 1 addition & 1 deletion jobs/syslog_storer/templates/rsyslog.conf.erb
@@ -46,7 +46,7 @@ module(
load="imtcp"
StreamDriver.Name="gtls"
StreamDriver.Mode="1"
StreamDriver.AuthMode="anon"
StreamDriver.AuthMode="<%= p('syslog.tls.authmode') %>"
)
<% end.else do %>
module(load="imtcp")
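Review bot: `StreamDriver.AuthMode` is now filled from `syslog.tls.authmode` with no validation, so a typo such as `certvalid` reaches rsyslog verbatim and only surfaces as a listener start-up failure, which on a log collector can go unnoticed for a while. I would whitelist it at render time, ahead of the `module(` call: `<% raise "syslog.tls.authmode must be one of anon, x509/fingerprint, x509/certvalid, x509/name" unless %w[anon x509/fingerprint x509/certvalid x509/name].include?(p('syslog.tls.authmode')) %>`. Separately, `x509/name` requires a `StreamDriver.PermittedPeer` list that this `module(` block does not set, so that mode cannot be used meaningfully through the new property as far as I can tell; either exposing a permitted-peer property or rejecting `x509/name` in the same check would avoid a confusing failure. The `module(` call begins before the hunk's first line.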
12 changes: 12 additions & 0 deletions tests/acceptance_test.go
@@ -211,6 +211,18 @@ var _ = Describe("Forwarding loglines to a TCP syslog drain", func() {

TestSharedBehavior()
})

Context("when TLS is configured and mTLS is enforced", func() {
BeforeEach(func() {
Cleanup()
DeployWithVarsStore("manifests/tls-forwarding-mtls.yml")
})
AfterEach(func() {
Cleanup()
})

TestSharedBehavior()
})
})

var _ = Describe("Optional features to reduce CF log volume", func() {
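Review bot: The new `Context` only exercises the positive path (`TestSharedBehavior` with a forwarder that presents a client certificate), so it cannot tell a storer that really enforces `x509/certvalid` from one that silently behaves like `anon`; the "client certificate enforcement" the commit message claims to test is never asserted. A companion negative case is needed: deploy the same mTLS storer with a forwarder manifest that omits `client_cert`/`client_key` (or presents a certificate from a different CA) and assert that no log lines reach the storer. I cannot sketch it here because the helpers (`DeployWithVarsStore`, `TestSharedBehavior`, `Cleanup`) and the assertion style live outside this hunk, and the enclosing `Describe` also begins before it.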
77 changes: 77 additions & 0 deletions tests/manifests/tls-forwarding-mtls.yml
@@ -0,0 +1,77 @@
---
name: ((deployment))
releases:
- name: syslog
version: latest
stemcells:
- alias: default
os: ((stemcell-os))
version: latest
instance_groups:
- name: forwarder
instances: 1
vm_type: default
stemcell: default
networks:
- name: default
azs:
- z1
jobs:
- name: syslog_forwarder
release: syslog
properties:
syslog:
tls_enabled: true
permitted_peer: "*.storer.default.((deployment)).bosh"
ca_cert: ((syslog_server.ca))
client_cert: ((syslog_client.certificate))
client_key: ((syslog_client.private_key))
- name: storer
instances: 1
vm_type: default
stemcell: default
networks:
- name: default
azs:
- z1
jobs:
- name: syslog_storer
release: syslog
properties:
syslog:
tls:
ca: ((syslog_server.ca))
certificate: ((syslog_server.certificate))
private_key: ((syslog_server.private_key))
authmode: x509/certvalid
variables:
- name: syslog_ca
type: certificate
update_mode: converge
options:
common_name: test
is_ca: true
- name: syslog_server
type: certificate
update_mode: converge
options:
extended_key_usage:
- client_auth
ca: syslog_ca
common_name: '*.storer.default.((deployment)).bosh'
alternative_names:
- '*.storer.default.((deployment)).bosh'
- name: syslog_client
type: certificate
update_mode: converge
options:
extended_key_usage:
- client_auth
ca: syslog_ca
common_name: '*.forwarder.default.((deployment)).bosh'

update:
canaries: 1
max_in_flight: 1
canary_watch_time: 1000-60000
update_watch_time: 1000-60000
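Review bot: The `syslog_server` variable is generated with `extended_key_usage: [client_auth]` only, yet it is the certificate the storer serves to forwarders; a server certificate should carry `server_auth`, so that entry should become `- server_auth` (add `client_auth` as well only if the storer also dials out). If the test passes as written, that would suggest the forwarder's gtls verification does not check extended key usage, which is worth noting in the test or a README because it means client and server roles are then separated only by which CA issues them, not by key usage — though that is inferred, not visible here. One other remark: the rendering has dropped all indentation from this file, so the YAML structure itself (nesting of `properties`, `tls`, `options`) could not be reviewed from this page.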
