bugfix/ncproxy: write of the tls config on a file (#551)

* bugfix/ncproxy: write of the tls config on a file * bugfix/ncproxy: add missing dh_param
next-hat · Oct 4, 2023 · 232ca2f · 232ca2f
1 parent b887d1a
commit 232ca2f
Show file tree

Hide file tree

Showing 7 changed files with 149 additions and 37 deletions.
diff --git a/bin/nanocld/specs/swagger.yaml b/bin/nanocld/specs/swagger.yaml
@@ -4763,7 +4763,7 @@ components:
           description: The locations to handle multiple paths
         Ssl:
           allOf:
-          - $ref: '#/components/schemas/ProxySslConfig'
+          - $ref: '#/components/schemas/ProxySsl'
           nullable: true
         Includes:
           type: array
@@ -4792,7 +4792,7 @@ components:
           minimum: 0
         Ssl:
           allOf:
-          - $ref: '#/components/schemas/ProxySslConfig'
+          - $ref: '#/components/schemas/ProxySsl'
           nullable: true
         Target:
           $ref: '#/components/schemas/StreamTarget'

diff --git a/bin/ncproxy/src/utils.rs b/bin/ncproxy/src/utils.rs
@@ -365,10 +365,27 @@ async fn get_ssl_config(
     ProxySsl::Config(ssl_config) => Ok(ssl_config.clone()),
     ProxySsl::Secret(secret) => {
       let secret = client.inspect_secret(secret).await?;
-      let ssl_config = serde_json::from_value::<ProxySslConfig>(secret.data)
-        .map_err(|err| {
-          err.map_err_context(|| "Unable to deserialize ProxySslConfig")
-        })?;
+      let mut ssl_config =
+        serde_json::from_value::<ProxySslConfig>(secret.data).map_err(
+          |err| err.map_err_context(|| "Unable to deserialize ProxySslConfig"),
+        )?;
+      let cert_path = format!("/opt/secrets/{}.cert", secret.key);
+      tokio::fs::write(&cert_path, ssl_config.certificate.clone()).await?;
+      let key_path = format!("/opt/secrets/{}.key", secret.key);
+      tokio::fs::write(&key_path, ssl_config.certificate_key.clone()).await?;
+      if let Some(certificate_client) = ssl_config.certificate_client {
+        let certificate_client_path =
+          format!("/opt/secrets/{}.client.cert", secret.key);
+        tokio::fs::write(&certificate_client_path, certificate_client).await?;
+        ssl_config.certificate_client = Some(certificate_client_path);
+      }
+      if let Some(dh_param) = ssl_config.dh_param {
+        let dh_param_path = format!("/opt/secrets/{}.pem", secret.key);
+        tokio::fs::write(&dh_param_path, dh_param).await?;
+        ssl_config.dh_param = Some(dh_param_path);
+      }
+      ssl_config.certificate = cert_path;
+      ssl_config.certificate_key = key_path;
       Ok(ssl_config)
     }
   }
@@ -392,41 +409,43 @@ async fn gen_http_server_block(
   };
 
   let ssl = if let Some(ssl) = &rule.ssl {
-    let ssl = get_ssl_config(ssl, client).await?;
-    let certificate = &ssl.certificate;
-    let certificate_key = &ssl.certificate_key;
-    let ssl_dh_param = match &ssl.dh_param {
-      Some(ssl_dh_param) => {
-        format!("\n  ssl_dhparam          {ssl_dh_param};\n")
-      }
-      None => String::default(),
-    };
-    let listen_https = get_listen(&rule.network, 443, client).await?;
-    let mut base = format!(
-      "
-  listen {listen_https} http2 ssl;
-
-  if ($scheme != https) {{
-    return 301 https://$host$request_uri;
-  }}
+    if let Ok(ssl) = get_ssl_config(ssl, client).await {
+      let certificate = &ssl.certificate;
+      let certificate_key = &ssl.certificate_key;
+      let ssl_dh_param = match &ssl.dh_param {
+        Some(ssl_dh_param) => {
+          format!("\n  ssl_dhparam          {ssl_dh_param};\n")
+        }
+        None => String::default(),
+      };
+      let listen_https = get_listen(&rule.network, 443, client).await?;
+      let mut base = format!(
+        "
+    listen {listen_https} http2 ssl;
+
+    if ($scheme != https) {{
+      return 301 https://$host$request_uri;
+    }}
 
-  ssl_certificate      {certificate};
-  ssl_certificate_key  {certificate_key};{ssl_dh_param}
-"
-    );
+    ssl_certificate      {certificate};
+    ssl_certificate_key  {certificate_key};{ssl_dh_param}
+  "
+      );
 
-    if let Some(certificate_client) = &ssl.certificate_client {
-      base += &format!("  ssl_client_certificate {certificate_client};\n");
-    }
+      if let Some(certificate_client) = &ssl.certificate_client {
+        base += &format!("  ssl_client_certificate {certificate_client};\n");
+      }
 
-    if let Some(client_verification) = &ssl.verify_client {
-      base += &format!(
-        "  ssl_verify_client {};\n",
-        if *client_verification { "on" } else { "off" }
-      );
+      if let Some(client_verification) = &ssl.verify_client {
+        base += &format!(
+          "  ssl_verify_client {};\n",
+          if *client_verification { "on" } else { "off" }
+        );
+      }
+      base
+    } else {
+      String::default()
     }
-
-    base
   } else {
     String::default()
   };

diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -100,6 +100,7 @@ services:
       - ${STATE_DIR:-${HOME}/.nanocl/state/proxy/run}:/run
       - ${STATE_DIR:-${HOME}/.nanocl/state/proxy/letsencrypt}:/etc/letsencrypt
       - ${STATE_DIR:-${HOME}/.nanocl/state/proxy/certs}:/etc/nginx/certs
+      - ${STATE_DIR:-${HOME}/.nanocl/state/proxy/secrets}:/opt/secrets
       - ${STATE_DIR:-${HOME}/.nanocl/state/proxy/logs}:/var/log/nginx/access
       - ${STATE_DIR:-${HOME}/.nanocl/state/proxy/html}:/usr/share/nginx/html
       - ${STATE_DIR:-${HOME}/.nanocl/state/proxy/conf.d}:/etc/nginx/conf.d
@@ -133,6 +134,7 @@ services:
         target: /project
       - /project/target
       - //run/guest-services/nanocl:/run/nanocl:/run/nanocl
+      - ${STATE_DIR:-${HOME}/.nanocl/state/proxy/secrets}:/opt/secrets
       - ${STATE_DIR:-${HOME}/.nanocl/state/proxy/logs}:/var/log/nginx/access
       - ${STATE_DIR:-${HOME}/.nanocl/state/proxy/conf.d}:/etc/nginx/conf.d
       - ${STATE_DIR:-${HOME}/.nanocl/state/proxy/sites-enabled}:/etc/nginx/sites-enabled

diff --git a/examples/deploy_ssl.yml b/examples/deploy_ssl.yml
@@ -0,0 +1,87 @@
+Kind: Deployment
+ApiVersion: v0.10
+
+Namespace: global
+
+Secrets:
+  - Key: secret-tls
+    Kind: Tls
+    Data:
+      Certificate: |
+        -----BEGIN CERTIFICATE-----
+        MIIDETCCAfkCFFOJVQs8PxWlcJQDn/AQpSopkhISMA0GCSqGSIb3DQEBCwUAMEUx
+        CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+        cm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMjMwNTI5MDM0MDQwWhcNMjQwNTI4MDM0
+        MDQwWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
+        CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOC
+        AQ8AMIIBCgKCAQEAyH+TAzIAxxrMKh88p1emIxsttpjqCHdlQuboves+0vI6ORwU
+        BI3HP7gTMQpgK+QnEZw1XIs6/Zdg2VfUiNgQXyh72/0cdurIIqRbF2fLAMSaYElA
+        RRT9F60eHqQ12bXf6ITWB/0ZSnacbLIsic1HcVwr0Awx+xu1YsB9ojssXyIIU/yx
+        d6FjPtiqJTPT9RhVb6Vmfpclse21qGek8tg88U+TrrJZ/Eg5cZojnQTyxhMGHeQf
+        F71nb7no1v5hdki3p50Ik//9lvY/5onWrBUCuAsHi8OkSSyElTQ/JYzuMBjqOaMw
+        PYLZf3d2eRqpiEC/5WI8OJDAk3/y83nG3zy3+QIDAQABMA0GCSqGSIb3DQEBCwUA
+        A4IBAQAz8b7U0jbgBVEen1vd15V6DAxTmg768OkMRoNqK/y0oSK0qHn3IYSADK6M
+        fl6qPnTY3xts+j8ohvNRGR5rJiv25b8koQs6K/ACzMgVlvXeSBVgjBArxgyp3K3q
+        Tpeqg11R5YuJLaMKjWTzOzSq6shLO5/TscLGpkDbZ12HElc5hXyLrEZmsdCb1Wg7
+        RCaMqsmgD/bYTOgP41DN6MVaSmxCshCGcL78enStPDheCmkk7eLMetMrJZLkf5Ch
+        YWs3OUPos4v9GN40VyNWtbrz9g8TzmD4QOfuhuj9nUg9Psa2c22rgr3XaJEU8nyp
+        rSHTKorbCvimz1/m0crjE91CP9JE
+        -----END CERTIFICATE-----
+      CertificateKey: |
+        -----BEGIN PRIVATE KEY-----
+        MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDIf5MDMgDHGswq
+        HzynV6YjGy22mOoId2VC5ui96z7S8jo5HBQEjcc/uBMxCmAr5CcRnDVcizr9l2DZ
+        V9SI2BBfKHvb/Rx26sgipFsXZ8sAxJpgSUBFFP0XrR4epDXZtd/ohNYH/RlKdpxs
+        siyJzUdxXCvQDDH7G7ViwH2iOyxfIghT/LF3oWM+2KolM9P1GFVvpWZ+lyWx7bWo
+        Z6Ty2DzxT5Ousln8SDlxmiOdBPLGEwYd5B8XvWdvuejW/mF2SLennQiT//2W9j/m
+        idasFQK4CweLw6RJLISVND8ljO4wGOo5ozA9gtl/d3Z5GqmIQL/lYjw4kMCTf/Lz
+        ecbfPLf5AgMBAAECggEAHK2Su5xFXDVLCqNZK55v1wmmKj4JC5j4VO9uTuv9GnMn
+        PM/1VQlqfIS5ygPv6ZdCt1QeldQcZfVnFu9nKQOuo83ImZjEn4XJhpr3pItmEAAP
+        DMKtfLQZ128dpchbI37OPhXx/0aGfY4lpa5+jF9eXqqOYb280GwQL8XUsoXAPQMC
+        MwAOHbgHH5lYxD9fizjrWIFIC9jfHjVM3qjOfmz+NujKs+nmVI5AQRCd6C66hbgr
+        2EJe/8ZlDaZX3bfDnRPxhQN8T3VZcwHGj3zqGPnfkr8Ut9nqDhOcqGuTjNdqGEIi
+        meDmKzPsssZg5+sPjgzMsPVf/XQ+v4dLQ2GSYuehOQKBgQDTfzD+K5/rR382HWHX
+        VnL+KXD7cTA7DQq4ma/7UlJMaxhuA11w/4wF/lRiXKNUTfpUSyIybT8IP23fgFDV
+        zLq2G36+mpUXbxPjlFaJfxNOlcr35xvsIC3HMBqOKYm74B9rJbLIwsMZcPi/BuJS
+        ve7pj9blvjf8ZUXw8erhFFoGUwKBgQDyr+u7OQyIhqhCOpy9Is/DtYBg3MQSDLTO
+        TfmqaaUcDvRNy4pgJ2B5Kbs20yAqgBtGDEP+MdtBo3NgIHOA7xjU5biNSz8R12WR
+        UmDrdxIvAo2iixN8TDvIs0EEmE5hrRgPRaf6WP3o1okaWnYuq2VC7HSJJFCtWx9V
+        Aj7VEOgnAwKBgGAXWdshVvc+9L1RfDKqRHTVv09+jbtGoahdq2c0b8/omKDjRoEg
+        mi3e79gA3vReuW2y9UaT/B9zMihp1FBPREWZGGzhLvwGq7Kqoua1pb/+rskTZ8xQ
+        knv9jxMoLDwACEZWSnSMiLf2bA3ewtV1FidoAus/EZDLMovWXjEFXiGhAoGBAIGb
+        YhGCzia7g3CbTMnVpY+nhwAz5qKdFpJ3IjbYZM0vT1mcsjHX1bXfi5Qj/LG16Nro
+        AgfnKGlNmXhk3EqnZmOMq5sJ7Izis+OAUzJtTNC+VFXSYH2pWOQ+lyKVFIclogvF
+        74fLrw6CRIZGeYdDEblD/pifRFbQq1MC9/tiJBlxAoGAAo/XDJSTRlcrJuutk5jG
+        CZPG5LBlxvdUbsuu2vZ7XIoWp3BvuK+yM8m9kEQgl3x8F3bqRjoQmMN6cImMYC2W
+        F02Hw2EcWWx4w+liGjDy8/rcb9KfYTht3Q3W9RYYPZwn+hg4pmGVb4+yOqd183QQ
+        Ug0MvH79P7CUpecFPJliDME=
+        -----END PRIVATE KEY-----
+
+
+# See all options:
+# https://docs.next-hat.com/references/nanocl/resource
+Resources:
+  - Name: secret-tls.com
+    Kind: ProxyRule
+    Version: v0.7
+    Metadata:
+      Cert: certbot
+    Data:
+      Rules:
+        - Domain: secret-tls.com
+          Network: All
+          Ssl: secret-tls
+          Locations:
+            - Path: /
+              Target:
+                Key: secret-tls.global.c
+                Port: 9000
+
+# See all options:
+# https://docs.next-hat.com/references/nanocl/cargo
+Cargoes:
+  - Name: secret-tls
+    Container:
+      Image: nexthat/nanocl-get-started:latest
+      Env:
+        - APP=GET_STARTED
diff --git a/examples/secrets.yml → examples/secret_env.yml b/examples/secrets.yml → examples/secret_env.yml
diff --git a/installer.nightly.yml b/installer.nightly.yml
@@ -42,6 +42,7 @@ Cargoes:
           - /run:/run
           # {% endif %}
           - ${{ state_dir }}/proxy/certs:/etc/nginx/certs
+          - ${{ state_dir }}/proxy/secrets:/opt/secrets
           - ${{ state_dir }}/proxy/logs:/var/log/nginx/access
           - ${{ state_dir }}/proxy/letsencrypt:/etc/letsencrypt
           - ${{ state_dir }}/proxy/conf.d:/etc/nginx/conf.d
@@ -63,6 +64,7 @@ Cargoes:
           # {% else %}
           - /run/nanocl:/run/nanocl
           # {% endif %}
+          - ${{ state_dir }}/proxy/secrets:/opt/secrets
           - ${{ state_dir }}/proxy/conf.d:/etc/nginx/conf.d
           - ${{ state_dir }}/proxy/logs:/var/log/nginx/access
           - ${{ state_dir }}/proxy/sites-enabled:/etc/nginx/sites-enabled

diff --git a/installer.yml b/installer.yml
@@ -42,6 +42,7 @@ Cargoes:
           - /run:/run
           # {% endif %}
           - ${{ state_dir }}/proxy/certs:/etc/nginx/certs
+          - ${{ state_dir }}/proxy/secrets:/opt/secrets
           - ${{ state_dir }}/proxy/logs:/var/log/nginx/access
           - ${{ state_dir }}/proxy/letsencrypt:/etc/letsencrypt
           - ${{ state_dir }}/proxy/conf.d:/etc/nginx/conf.d
@@ -63,6 +64,7 @@ Cargoes:
           # {% else %}
           - /run/nanocl:/run/nanocl
           # {% endif %}
+          - ${{ state_dir }}/proxy/secrets:/opt/secrets
           - ${{ state_dir }}/proxy/conf.d:/etc/nginx/conf.d
           - ${{ state_dir }}/proxy/logs:/var/log/nginx/access
           - ${{ state_dir }}/proxy/sites-enabled:/etc/nginx/sites-enabled