enbable TLS

Signed-off-by: YZ775 <yuzuki-mimura@cybozu.co.jp> add advertise-url-https Signed-off-by: YZ775 <yuzuki-mimura@cybozu.co.jp> sabakan url Signed-off-by: YZ775 <yuzuki-mimura@cybozu.co.jp> remove http crypts API endpoint Signed-off-by: YZ775 <yuzuki-mimura@cybozu.co.jp> skip booting sabakan server when certs not exist Signed-off-by: YZ775 <yuzuki-mimura@cybozu.co.jp> fix test Signed-off-by: YZ775 <yuzuki-mimura@cybozu.co.jp> update sabactl Signed-off-by: YZ775 <yuzuki-mimura@cybozu.co.jp> fix actions Signed-off-by: YZ775 <yuzuki-mimura@cybozu.co.jp> fix ignition Signed-off-by: YZ775 <yuzuki-mimura@cybozu.co.jp> rename ca cert Signed-off-by: YZ775 <yuzuki-mimura@cybozu.co.jp> add advertise-url-https in test Signed-off-by: YZ775 <yuzuki-mimura@cybozu.co.jp> rename TLSEnabled Signed-off-by: YZ775 <yuzuki-mimura@cybozu.co.jp> add docs Signed-off-by: YZ775 <yuzuki-mimura@cybozu.co.jp>
cybozu-go · Oct 13, 2023 · b079c8a · b079c8a
1 parent 5bc211e
commit b079c8a
Show file tree

Hide file tree

Showing 24 changed files with 448 additions and 175 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -39,7 +39,10 @@ jobs:
         run: |
           sudo ./sabakan -dhcp-bind 0.0.0.0:10067 \
           -etcd-endpoints http://localhost:2379 \
-          -advertise-url http://localhost:10080 &
+          -advertise-url http://localhost:10080 \
+          -advertise-url-https https://localhost:10443 \
+          -sabakan-tls-cert ./e2e/certs/server.crt \
+          -sabakan-tls-key ./e2e/certs/server.key.insecure &
 
       - name: Run test
         run: make test

diff --git a/Makefile b/Makefile
@@ -4,6 +4,8 @@
 ETCD_VERSION = 3.5.7
 GO_FILES=$(shell find -name '*.go' -not -name '*_test.go')
 BUILT_TARGET=sabakan sabactl sabakan-cryptsetup
+IMAGE ?= quay.io/cybozu/sabakan
+TAG ?= latest
 
 .PHONY: all
 all: build
@@ -61,3 +63,9 @@ etcd:
 		$(SUDO) mv /tmp/etcd/etcd /usr/local/bin/; \
 		rm -rf /tmp/etcd-v${ETCD_VERSION}-linux-amd64.tar.gz /tmp/etcd; \
 	fi
+
+.PHONY: docker-build
+docker-build:build
+	cp sabactl sabakan sabakan-cryptsetup LICENSE ./docker/
+	docker build -t $(IMAGE):$(TAG) ./docker
+	rm ./docker/sabactl ./docker/sabakan ./docker/sabakan-cryptsetup ./docker/LICENSE
diff --git a/docs/api.md b/docs/api.md
@@ -3,6 +3,7 @@ REST API
 
 For GraphQL API, see [graphql.md](graphql.md).
 
+## HTTP API
 * [PUT /api/v1/config/ipam](#putipam)
 * [GET /api/v1/config/ipam](#getipam)
 * [PUT /api/v1/config/dhcp](#putdhcp)
@@ -34,16 +35,18 @@ For GraphQL API, see [graphql.md](graphql.md).
 * [GET /api/v1/ignitions/\<role\>/\<id\>](#getignitiontemplate)
 * [PUT /api/v1/ignitions/\<role\>/\<id\>](#putignitiontemplate)
 * [DELETE /api/v1/ignitions/\<role\>/\<id\>](#deleteignitiontemplate)
-* [PUT /api/v1/crypts](#putcrypts)
-* [GET /api/v1/crypts](#getcrypts)
-* [DELETE /api/v1/crypts](#deletecrypts)
 * [GET /api/v1/cryptsetup](#getcryptsetup)
 * [GET /api/v1/logs](#getlogs)
 * [PUT /api/v1/kernel_params/coreos](#putkernelparams)
 * [GET /api/v1/kernel_params/coreos](#getkernelparams)
 * [GET /version](#version)
 * [GET /health](#health)
 
+## HTTPS APIs
+* [PUT /api/v1/crypts](#putcrypts)
+* [GET /api/v1/crypts](#getcrypts)
+* [DELETE /api/v1/crypts](#deletecrypts)
+
 ## Access control
 
 The following requets URLs are allowed for all remote hosts.  The other URLs
@@ -842,101 +845,6 @@ Delete CoreOS ignition by role and id.
 $ curl -s -XDELETE localhost:10080/api/v1/boot/ignitions/worker/1527731687
 ```
 
-## <a name="putcrypts" />`PUT /api/v1/crypts/<serial>/<path>`
-
-Register disk encryption key. The request body is raw binary format of the key.
-
-**Successful response**
-
-- HTTP status code: 201 Created
-- HTTP response header: `Content-Type: application/json`
-- HTTP response body: Registered path of the disk in JSON.
-
-**Failure responses**
-
-- The machine is not found.
-
-    HTTP status code: 404 Not Found
-
-- The state of the machine is `retiring` or `retired`.
-
-    HTTP status code: 500 Internal Server Error
-
-- `/<prefix>/crypts/<serial>/<path>` already exists in etcd.
-
-    HTTP status code: 409 Conflict
-
-- The request body is empty.
-
-  HTTP status code: 400 Bad Request
-
-**Example**
-
-```console
-$ head -c256 /dev/urandom | curl -s -i -X PUT -d - 'localhost:10080/api/v1/crypts/1/pci-0000:00:17.0-ata-1'
-HTTP/1.1 201 Created
-Content-Type: application/json
-Date: Tue, 10 Apr 2018 09:12:12 GMT
-Content-Length: 31
-
-{"status": 201, "path":"pci-0000:00:17.0-ata-1"}
-```
-
-## <a name="getcrypts" />`GET /api/v1/crypts/<serial>/<path>`
-
-Get an encryption key of the particular disk.
-
-**Successful response**
-
-- HTTP status code: 200 OK
-- HTTP response header: `Content-Type: application/octet-stream`
-- HTTP response body: A raw key data
-
-**Failure responses**
-
-- No specified `/<prefix>/crypts/<serial>/<path>` found in etcd in etcd.
-
-  HTTP status code: 404 Not Found
-
-**Example**
-
-```console
-$ curl -s -i 'localhost:10080/api/v1/crypts/1/pci-0000:00:17.0-ata-1'
-HTTP/1.1 200 OK
-Content-Type: application/octet-stream
-Date: Tue, 10 Apr 2018 09:15:59 GMT
-Content-Length: 64
-
-.....
-```
-
-## <a name="deletecrypts" />`DELETE /api/v1/crypts/<serial>`
-
-Delete all disk encryption keys of the specified machine. This request does not delete `/api/v1/machines/<serial>`, User can re-register encryption keys using `<serial>`.
-
-**Successful response**
-
-- HTTP status code: 200 OK
-- HTTP response header: `Content-Type: application/json`
-- HTTP response body: Array of the `<path>` which are deleted successfully in JSON.
-
-**Example**
-
-```console
-$ curl -s -X DELETE 'localhost:10080/api/v1/crypts/1'
-["abdef", "aaaaa"]
-```
-
-**Failure responses**
-
-- The machine's state is not `retiring`.
-
-    HTTP status code: 500 Internal Server Error
-
-- The machine is not found.
-
-    HTTP status code: 404 Not Found
-
 ## <a name="getcryptsetup" />`GET /api/v1/cryptsetup`
 
 Download `sabakan-cryptsetup` utility.
@@ -1067,3 +975,99 @@ get sabakan health status
 $ curl -s -XGET localhost:10080/health
 {"health":"healthy"}
 ```
+
+
+## <a name="putcrypts" />`PUT /api/v1/crypts/<serial>/<path>`
+
+Register disk encryption key. The request body is raw binary format of the key.
+
+**Successful response**
+
+- HTTP status code: 201 Created
+- HTTP response header: `Content-Type: application/json`
+- HTTP response body: Registered path of the disk in JSON.
+
+**Failure responses**
+
+- The machine is not found.
+
+    HTTP status code: 404 Not Found
+
+- The state of the machine is `retiring` or `retired`.
+
+    HTTP status code: 500 Internal Server Error
+
+- `/<prefix>/crypts/<serial>/<path>` already exists in etcd.
+
+    HTTP status code: 409 Conflict
+
+- The request body is empty.
+
+  HTTP status code: 400 Bad Request
+
+**Example**
+
+```console
+$ head -c256 /dev/urandom | curl -s -i -X PUT -d - 'localhost:10080/api/v1/crypts/1/pci-0000:00:17.0-ata-1'
+HTTP/1.1 201 Created
+Content-Type: application/json
+Date: Tue, 10 Apr 2018 09:12:12 GMT
+Content-Length: 31
+
+{"status": 201, "path":"pci-0000:00:17.0-ata-1"}
+```
+
+## <a name="getcrypts" />`GET /api/v1/crypts/<serial>/<path>`
+
+Get an encryption key of the particular disk.
+
+**Successful response**
+
+- HTTP status code: 200 OK
+- HTTP response header: `Content-Type: application/octet-stream`
+- HTTP response body: A raw key data
+
+**Failure responses**
+
+- No specified `/<prefix>/crypts/<serial>/<path>` found in etcd in etcd.
+
+  HTTP status code: 404 Not Found
+
+**Example**
+
+```console
+$ curl -s -i 'localhost:10080/api/v1/crypts/1/pci-0000:00:17.0-ata-1'
+HTTP/1.1 200 OK
+Content-Type: application/octet-stream
+Date: Tue, 10 Apr 2018 09:15:59 GMT
+Content-Length: 64
+
+.....
+```
+
+## <a name="deletecrypts" />`DELETE /api/v1/crypts/<serial>`
+
+Delete all disk encryption keys of the specified machine. This request does not delete `/api/v1/machines/<serial>`, User can re-register encryption keys using `<serial>`.
+
+**Successful response**
+
+- HTTP status code: 200 OK
+- HTTP response header: `Content-Type: application/json`
+- HTTP response body: Array of the `<path>` which are deleted successfully in JSON.
+
+**Example**
+
+```console
+$ curl -s -X DELETE 'localhost:10080/api/v1/crypts/1'
+["abdef", "aaaaa"]
+```
+
+**Failure responses**
+
+- The machine's state is not `retiring`.
+
+    HTTP status code: 500 Internal Server Error
+
+- The machine is not found.
+
+    HTTP status code: 404 Not Found
diff --git a/docs/ignition_template.md b/docs/ignition_template.md
@@ -59,6 +59,7 @@ For example, `{{ .Spec.Serial }}` will be replaced with the serial number of the
 Following additional template functions are defined and can be used:
 
 * `MyURL`: returns the URL of the sabakan server.
+* `MyURLHTTPS`: returns the URL of the sabakan TLS server.
 * `Metadata`: takes a key to retrieve metadata value saved along with the template.
 * `json`: renders the argument as JSON.
 * `add`, `sub`, `mul`, `div`: do arithmetic on parameters.

diff --git a/docs/sabactl.md b/docs/sabactl.md
@@ -8,9 +8,11 @@ Usage
 $ sabactl [--server http://localhost:10080] <subcommand> <args>...
 ```
 
-| Option     | Default value            | Description    |
-| ---------- | ------------------------ | -------------- |
-| `--server` | `http://localhost:10080` | URL of sabakan |
+| Option         | Default value            | Description                          |
+| -------------- | ------------------------ | ------------------------------------ |
+| `--server`     | `http://localhost:10080` | URL of sabakan server                |
+| `--tls-server` | `https://localhost:10443`| URL of sabakan TLS server            |
+| `--insecure`   | `false`                  | Disable TLS certificate verification |
 
 `sabactl ipam set -f FILE`
 --------------------------

diff --git a/docs/sabakan.md b/docs/sabakan.md
@@ -9,8 +9,10 @@ See [specification of etcdutil](https://github.com/cybozu-go/etcdutil/blob/main/
 ```console
 $ sabakan -h
 Usage of sabakan:
-  -advertise-url string
+ -advertise-url string
         public URL of this server
+  -advertise-url-https string
+        public URL of this server(https)
   -allow-ips string
         comma-separated IPs allowed to change resources (default "127.0.0.1,::1")
   -config-file string
@@ -21,8 +23,26 @@ Usage of sabakan:
         bound ip addresses and port for dhcp server (default "0.0.0.0:10067")
   -enable-playground
         enable GraphQL playground
+  -etcd-endpoints string
+        comma-separated URLs of the backend etcd endpoints (default "http://127.0.0.1:2379")
+  -etcd-password string
+        password for etcd authentication
+  -etcd-prefix string
+        etcd prefix (default "/sabakan/")
+  -etcd-timeout string
+        dial timeout to etcd (default "2s")
+  -etcd-tls-ca string
+        path to CA bundle used to verify certificates of etcd servers
+  -etcd-tls-cert string
+        path to my certificate used to identify myself to etcd servers
+  -etcd-tls-key string
+        path to my key used to identify myself to etcd servers
+  -etcd-username string
+        username for etcd authentication
   -http string
         <Listen IP>:<Port number> (default "0.0.0.0:10080")
+  -https string
+        <Listen IP>:<Port number> (default "0.0.0.0:10443")
   -ipxe-efi-path string
         path to ipxe.efi (default "/usr/lib/ipxe/ipxe.efi")
   -logfile string
@@ -33,19 +53,36 @@ Usage of sabakan:
         Log level [critical,error,warning,info,debug]
   -metrics string
         <Listen IP>:<Port number> (default "0.0.0.0:10081")
+  -sabakan-tls-cert string
+        path to server TLS certificate of sabakan (default "/etc/sabakan/sabakan-tls.crt")
+  -sabakan-tls-key string
+        path to server TLS key of sabakan (default "/etc/sabakan/sabakan-tls.key")
 ```
 
-| Option              | Default value            | Description                                        |
-| ------------------- | ------------------------ | -------------------------------------------------- |
-| `advertise-url`     | ""                       | Public URL to access this server.  Required.       |
-| `allow-ips`         | `127.0.0.1,::1`          | Comma-separated IPs allowed to change resources.   |
-| `config-file`       | ""                       | If given, configurations are read from the file.   |
-| `data-dir`          | `/var/lib/sabakan`       | Directory to store files.                          |
-| `dhcp-bind`         | `0.0.0.0:10067`          | IP address and port number of DHCP server.         |
-| `enable-playground` | false                    | Enable GraphQL playground service.                 |
-| `http`              | `0.0.0.0:10080`          | IP address and port number of HTTP server.         |
-| `ipxe-efi-path`     | `/usr/lib/ipxe/ipxe.efi` | Path to ipxe.efi .                                 |
-| `metrics`           | `0.0.0.0:10081`          | IP address and port number of metrics HTTP server. |
+| Option               | Default value                      | Description                                                     |
+| -------------------- | ---------------------------------- | --------------------------------------------------------------- |
+| `advertise-url`      | ""                                 | Public URL to access this server.  Required.                    |
+| `advertise-url-https`| ""                                 | Public URL to access this server.  Required.                    |
+| `allow-ips`          | `127.0.0.1,::1`                    | Comma-separated IPs allowed to change resources.                |
+| `config-file`        | ""                                 | If given, configurations are read from the file.                |
+| `data-dir`           | `/var/lib/sabakan`                 | Directory to store files.                                       |
+| `dhcp-bind`          | `0.0.0.0:10067`                    | IP address and port number of DHCP server.                      |
+| `enable-playground`  | false                              | Enable GraphQL playground service.                              |
+| `etcd-endpoints`     | `http://127.0.0.1:2379`            | Comma-separated URLs of the backend etcd endpoints.             |
+| `etcd-password`      | ""                                 | Password for etcd authentication.                               |
+| `etcd-prefix`        | `/sabakan/`                        | etcd prefix.                                                    |
+| `etcd-timeout`       | `2s`                               | Dial timeout to etcd.                                           |
+| `etcd-tls-ca`        | ""                                 | Path to CA bundle used to verify certificates of etcd servers.  |
+| `etcd-tls-cert`      | ""                                 | Path to my certificate used to identify myself to etcd servers. |
+| `etcd-tls-key`       | ""                                 | Path to my key used to identify myself to etcd servers.         |
+| `etcd-username`      | ""                                 | Username for etcd authentication.                               |
+| `http`               | `0.0.0.0:10080`                    | IP address and port number of HTTP server.                      |
+| `https`              | `0.0.0.0:10443`                    | IP address and port number of HTTPS server.                     |
+| `ipxe-efi-path`      | `/usr/lib/ipxe/ipxe.efi`           | Path to ipxe.efi .                                              |
+| `metrics`            | `0.0.0.0:10081`                    | IP address and port number of metrics HTTP server.              |
+| `sabakan-tls-cert`   | `/etc/sabakan/sabakan-tls.crt`     | Path to server TLS certificate of sabakan.                      |
+| `sabakan-tls-key`    | `/etc/sabakan/sabakan-tls.key`     | Path to server TLS key of sabakan.                              |
+
 
 Config file
 -----------