From 1aa8d407ff2a9db4b5bbba5f922d23e5e5272e4b Mon Sep 17 00:00:00 2001
From: Denis Kirillov
Date: Thu, 10 Jun 2021 16:25:02 +0300
Subject: [PATCH] [#90] Enabled tls for s04

Signed-off-by: Denis Kirillov
---
 .env | 1 +
 Makefile | 2 +-
 README.md | 16 ++++++++++++++++
 bin/addCert.sh | 6 ++++++
 docs/basenet.md | 3 +++
 services/storage/.storage.env | 4 ++++
 services/storage/artifacts.mk | 15 +++++++++++++++
 services/storage/docker-compose.yml | 3 +++
 services/storage/prepare.mk | 3 +++
 9 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100755 bin/addCert.sh
 create mode 100644 services/storage/artifacts.mk
 create mode 100644 services/storage/prepare.mk

diff --git a/.env b/.env
index c1e6359..12cf2d3 100644
--- a/.env
+++ b/.env
@@ -1,6 +1,7 @@
 # Basenet settings
 LOCAL_DOMAIN=neofs.devenv
 IPV4_PREFIX=192.168.130
+CA_CERTS_TRUSTED_STORE=/etc/ssl/certs
 
 # NeoGo privnet
 CHAIN_URL="https://github.com/nspcc-dev/neofs-contract/releases/download/v0.9.2/devenv_mainchain_notary_disabled.gz"
diff --git a/Makefile b/Makefile
index 84a7531..fe2162b 100644
--- a/Makefile
+++ b/Makefile
@@ -84,7 +84,7 @@ hosts: vendor/hosts
 .PHONY: clean
 .ONESHELL:
 clean:
- @rm -rf vendor/*
+ @rm -rf vendor/* services/storage/s04tls.*
 @for svc in $(START_SVCS)
 do
 vols=`docker-compose -f services/$${svc}/docker-compose.yml config --volumes`
diff --git a/README.md b/README.md
index 780e8cd..8e07bf4 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,16 @@ Tools to set up local NeoFS network and N3 privnets. Devenv, for short.
+## Prerequisites
+
+Make sure you have installed all of the following prerequisites on your machine:
+* docker
+* docker-compose
+* make
+* expect
+* openssl
+
+
 ## Quick Start
 ```
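Review bot: The default `CA_CERTS_TRUSTED_STORE=/etc/ssl/certs` added here disagrees with the value this same commit documents in docs/basenet.md (`/usr/local/share/ca-certificates`), so a reader following the docs and a reader following `.env` end up with the certificate in different directories. On Debian-style layouts `/usr/local/share/ca-certificates` is the drop-in directory consumed by `update-ca-certificates`, while `/etc/ssl/certs` is the generated, hash-indexed output directory, and a file placed straight into the latter is not necessarily found by clients that look certificates up by hash. Whichever directory is intended, use the same value in both places and give the variable a comment line above it such as `# Directory bin/addCert.sh puts the s04 certificate into; keep in sync with docs/basenet.md`.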
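Review bot: `clean` now deletes `services/storage/s04tls.*`, but the symlink that bin/addCert.sh places in `${CA_CERTS_TRUSTED_STORE}` still points at that path, so after `make clean` the host trust store keeps a dangling entry, and the next `get.storage` silently makes whatever new key pair lands there trusted again with no further root action. Removing the link needs root, so `clean` probably should not attempt it, but the behaviour should be deliberate and visible: add a recipe comment such as `# the trust-store link created by bin/addCert.sh is left in place and re-targets the regenerated cert`. The `clean` recipe continues past the end of the hunk.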
@@ -24,6 +34,12 @@ $ make prepare.ir password > fa6ba62bffb04030d303dcc95bda7413e03aa3c7e6ca9c2f999d65db9ec9b82c ```
+Also you should add self-signed node (`s04.neofs.devenv`) certificate to truststore
+(default location might be changed using `CA_CERTS_TRUSTED_STORE` variable).
+This step is required for client services (neofs-http-gw, neofs-s3-gw) to interact with the node:
+```
+$ sudo make prepare.storage
+```
 Change NeoFS global configuration values with `make update.*` commands. The password of inner ring wallet is `one`. See examples in `make help`.
diff --git a/bin/addCert.sh b/bin/addCert.sh
new file mode 100755
index 0000000..d4bb142
--- /dev/null
+++ b/bin/addCert.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+# Source env settings
+. .env
+
+ln -sf $(pwd)/services/storage/s04tls.crt ${CA_CERTS_TRUSTED_STORE}/s04.${LOCAL_DOMAIN}.tls.crt
diff --git a/docs/basenet.md b/docs/basenet.md
index 569a641..7883889 100644
--- a/docs/basenet.md
+++ b/docs/basenet.md
@@ -17,6 +17,9 @@ IPv4 /24 subnet to use for all containers exposed to `basenet_internet`. Last octet will be defined in `docker-compose.yml` file for each container inside service. For simplicity, each service reserves ten host addresses.
+### CA_CERTS_TRUSTED_STORE=/usr/local/share/ca-certificates
+Trusted store location to add node self-signed tls certificates.
+
 ## bastion container
 There is a `bastion` container with debian 10 userspace to simplify access to
diff --git a/services/storage/.storage.env b/services/storage/.storage.env
index fbe9136..ca71b60 100644
--- a/services/storage/.storage.env
+++ b/services/storage/.storage.env
@@ -21,6 +21,10 @@ NEOFS_METRICS_ADDRESS=:9090
 
 # GRPC Transport Section
 NEOFS_GRPC_NUM=1
+## 0 server
+### TLS config
+NEOFS_GRPC_0_TLS_CERTIFICATE=/tls.crt
+NEOFS_GRPC_0_TLS_KEY=/tls.key
 
 # Morph section
 ## Endpoints of sidechain RPC nodes (comma-separated)
diff --git a/services/storage/artifacts.mk b/services/storage/artifacts.mk
new file mode 100644
index 0000000..502e985
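Review bot: The `ln -sf $(pwd)/services/storage/s04tls.crt ${CA_CERTS_TRUSTED_STORE}/...` on the last line turns an unprivileged, user-writable file in the working tree into a host-wide trust anchor: after the one-time `sudo`, anyone who can write to the checkout can replace the trusted certificate without root involvement, and `make clean` leaves the link dangling. Copying the file (`install -m 0644`) pins what root actually approved, at the cost of re-running `prepare.storage` after `get.storage` regenerates the pair. Independently, `. .env` and `$(pwd)` only work when the script is started from the repository root, and every expansion is unquoted, so a path containing spaces breaks the command; resolving the root from `${BASH_SOURCE[0]}` and quoting removes both problems. Nothing notifies the system trust database about the new file either, so whether clients see it depends on the chosen directory and their TLS stack (compare the `CA_CERTS_TRUSTED_STORE` default in `.env` with docs/basenet.md); if the Debian drop-in directory is meant, `update-ca-certificates` is the usual follow-up.
```bash
#!/usr/bin/env bash
set -euo pipefail

# Locate the checkout from the script path so the caller's cwd does not matter.
REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"

# Source env settings
. "${REPO_ROOT}/.env"

# Copy rather than symlink: the trusted content is fixed at install time instead of
# following later writes to the working tree.
install -m 0644 "${REPO_ROOT}/services/storage/s04tls.crt" \
  "${CA_CERTS_TRUSTED_STORE}/s04.${LOCAL_DOMAIN}.tls.crt"
```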
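Review bot: `NEOFS_GRPC_0_TLS_CERTIFICATE=/tls.crt` and `NEOFS_GRPC_0_TLS_KEY=/tls.key` are added to the shared `.storage.env`, while the compose change in this commit mounts those files and sets `NEOFS_GRPC_0_TLS_ENABLED=true` for s04 only; if the other storage services also load this env file (the s04 service lists it under `env_file`, and its siblings presumably do the same), they now carry paths to files that do not exist in their containers. That is harmless as long as TLS stays disabled for them, but it is easy to misread as "all nodes serve TLS"; either move the two variables next to `NEOFS_GRPC_0_TLS_ENABLED` in the s04 `environment:` block or put `# Only s04 mounts these files and enables TLS; see docker-compose.yml` above them.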
--- /dev/null
+++ b/services/storage/artifacts.mk
@@ -0,0 +1,15 @@
+# Create new tls certs
+
+STORAGE_DIR=$(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST)))))
+SSL_CONFIG := $(shell mktemp)
+
+get.storage:
+ @echo "⇒ Creating tls certs to NeoFS node"
+ @(echo "[req]"; \
+ echo "distinguished_name=req"; \
+ echo "req_extensions=san"; \
+ echo "[san]"; \
+ echo "subjectAltName=DNS:s04.${LOCAL_DOMAIN}") > ${SSL_CONFIG}
+ @openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
+ -subj "/C=RU/ST=SPB/L=St.Petersburg/O=NSPCC/OU=NSPCC/CN=s04.${LOCAL_DOMAIN}" \
+ -keyout ${STORAGE_DIR}/s04tls.key -out ${STORAGE_DIR}/s04tls.crt -extensions san -config ${SSL_CONFIG}
diff --git a/services/storage/docker-compose.yml b/services/storage/docker-compose.yml
index bbda2bb..0dbff6d 100644
--- a/services/storage/docker-compose.yml
+++ b/services/storage/docker-compose.yml
@@ -114,6 +114,8 @@ services:
 - storage_s04:/storage
 - ./../../vendor/neofs-cli:/neofs-cli
 - ./healthcheck.sh:/healthcheck.sh
+ - ./s04tls.crt:/tls.crt
+ - ./s04tls.key:/tls.key
 stop_signal: SIGKILL
 env_file: [ ".env", ".storage.env" ]
 environment:
@@ -121,6 +123,7 @@ services:
 - NEOFS_NODE_ADDRESSES=s04.${LOCAL_DOMAIN}:8080
 - NEOFS_GRPC_0_ENDPOINT=s04.${LOCAL_DOMAIN}:8080
 - NEOFS_CONTROL_GRPC_ENDPOINT=s04.${LOCAL_DOMAIN}:8081
+ - NEOFS_GRPC_0_TLS_ENABLED=true
 - NEOFS_NODE_ATTRIBUTE_0=UN-LOCODE:FI HEL
 - NEOFS_NODE_ATTRIBUTE_1=Price:44
 healthcheck:
diff --git a/services/storage/prepare.mk b/services/storage/prepare.mk
new file mode 100644
index 0000000..22c276b
--- /dev/null
+++ b/services/storage/prepare.mk
@@ -0,0 +1,3 @@
+prepare.storage:
+ @echo "Adding self-signed tls certs to trusted store"
+ @./bin/addCert.sh
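Review bot: `STORAGE_DIR=` uses the recursive flavour, so `$(lastword $(MAKEFILE_LIST))` is not evaluated until the recipe runs; if the top-level Makefile includes further makefiles after this one (not visible from the hunk), the last word is by then some other file and the key and certificate land in the wrong directory — this needs `STORAGE_DIR := ...`. `SSL_CONFIG := $(shell mktemp)` runs at parse time, so every `make` invocation, whatever its goal, creates a temp file that nothing deletes. With OpenSSL ≥ 1.1.1 the config file is unnecessary, since `-addext "subjectAltName=DNS:s04.${LOCAL_DOMAIN}"` yields the same SAN; on older toolchains create and remove the temp file inside the recipe instead. `get.storage` produces no file of that name, so it should be `.PHONY` unless the top-level Makefile already declares it, and the recipe unconditionally overwrites an existing key pair and writes the private key unencrypted (`-nodes`), which is fine for a devenv but deserves a comment saying so.
```make
# Create new tls certs

# Expand now: with the recursive flavour, $(lastword $(MAKEFILE_LIST)) would be
# evaluated at recipe time and could name a makefile included after this one.
STORAGE_DIR := $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST)))))

get.storage:
	@echo "⇒ Creating tls certs to NeoFS node"
	@openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
	-subj "/C=RU/ST=SPB/L=St.Petersburg/O=NSPCC/OU=NSPCC/CN=s04.${LOCAL_DOMAIN}" \
	-addext "subjectAltName=DNS:s04.${LOCAL_DOMAIN}" \
	-keyout ${STORAGE_DIR}/s04tls.key -out ${STORAGE_DIR}/s04tls.crt
```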
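Review bot: In the first hunk the new `./s04tls.crt:/tls.crt` and `./s04tls.key:/tls.key` bind mounts are read-write and nothing guarantees the host files exist when `docker-compose up` runs; with the short volume syntax Docker typically creates an empty host directory for a missing bind source, after which the node finds a directory at `/tls.key` and `get.storage` can no longer write the key there. Mount both read-only, `- ./s04tls.crt:/tls.crt:ro` and `- ./s04tls.key:/tls.key:ro`, so a misbehaving or compromised container cannot rewrite the host copy of the private key, and make sure certificate generation (`get.storage`) is ordered before `up` in the top-level Makefile, which this diff does not show.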
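Review bot: `prepare.storage` runs `./bin/addCert.sh` relative to the current directory and is not declared `.PHONY` in this file, so it only works when `make` is started from the repository root and a stray file named `prepare.storage` would silently turn it into a no-op; unless the top-level Makefile already covers it, add `.PHONY: prepare.storage` and derive the script path from a `:=`-assigned makefile directory rather than the cwd. The README in this commit says the target is run under `sudo`; since the script writes into the system trust store, a comment such as `# needs root: installs the s04 certificate into ${CA_CERTS_TRUSTED_STORE}` above the recipe makes that expectation visible to anyone reading the makefile alone.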