[#90] Enabled tls for s04

Signed-off-by: Denis Kirillov <denis@nspcc.ru>

.env

@@ -1,6 +1,7 @@
 # Basenet settings
 LOCAL_DOMAIN=neofs.devenv
 IPV4_PREFIX=192.168.130
+CA_CERTS_TRUSTED_STORE=/etc/ssl/certs
 
 # NeoGo privnet
 CHAIN_URL="https://github.com/nspcc-dev/neofs-contract/releases/download/v0.9.2/devenv_mainchain_notary_disabled.gz"

Makefile

@@ -84,7 +84,7 @@ hosts: vendor/hosts
 .PHONY: clean
 .ONESHELL:
 clean:
-	@rm -rf vendor/*
+	@rm -rf vendor/* services/storage/s04tls.*
 	@for svc in $(START_SVCS)
 	do
 		vols=`docker-compose -f services/$${svc}/docker-compose.yml config --volumes`

README.md

@@ -10,6 +10,16 @@
 
 Tools to set up local NeoFS network and N3 privnets. Devenv, for short.
 
+## Prerequisites
+
+Make sure you have installed all of the following prerequisites on your machine:
+* docker
+* docker-compose
+* make
+* expect
+* openssl
+
+
 ## Quick Start
 
 ```
@@ -24,6 +34,12 @@ $ make prepare.ir
 password >
 fa6ba62bffb04030d303dcc95bda7413e03aa3c7e6ca9c2f999d65db9ec9b82c
 ```
+Also you should add self-signed node (`s04.neofs.devenv`) certificate to truststore 
+(default location might be changed using `CA_CERTS_TRUSTED_STORE` variable). 
+This step is required for client services (neofs-http-gw, neofs-s3-gw) to interact with the node:
+```
+$ sudo make prepare.storage
+```
 
 Change NeoFS global configuration values with `make update.*` commands. The
 password of inner ring wallet is `one`. See examples in `make help`.

bin/addCert.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+# Source env settings
+. .env
+
+ln -sf $(pwd)/services/storage/s04tls.crt ${CA_CERTS_TRUSTED_STORE}/s04.${LOCAL_DOMAIN}.tls.crt

docs/basenet.md

@@ -17,6 +17,9 @@ IPv4 /24 subnet to use for all containers exposed to `basenet_internet`. Last
 octet will be defined in `docker-compose.yml` file for each container inside
 service. For simplicity, each service reserves ten host addresses.
 
+### CA_CERTS_TRUSTED_STORE=/usr/local/share/ca-certificates
+Trusted store location to add node self-signed tls certificates.
+
 ## bastion container
 
 There is a `bastion` container with debian 10 userspace to simplify access to

services/storage/.storage.env

@@ -21,6 +21,10 @@ NEOFS_METRICS_ADDRESS=:9090
 
 # GRPC Transport Section
 NEOFS_GRPC_NUM=1
+## 0 server
+### TLS config
+NEOFS_GRPC_0_TLS_CERTIFICATE=/tls.crt
+NEOFS_GRPC_0_TLS_KEY=/tls.key
 
 # Morph section
 ## Endpoints of sidechain RPC nodes (comma-separated)

services/storage/artifacts.mk

@@ -0,0 +1,15 @@
+# Create new tls certs
+
+STORAGE_DIR=$(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST)))))
+SSL_CONFIG := $(shell mktemp)
+
+get.storage:
+	@echo "⇒ Creating tls certs to NeoFS node"
+	@(echo "[req]"; \
+      echo "distinguished_name=req"; \
+      echo "req_extensions=san"; \
+      echo "[san]"; \
+      echo "subjectAltName=DNS:s04.${LOCAL_DOMAIN}") > ${SSL_CONFIG}
+	@openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
+		-subj "/C=RU/ST=SPB/L=St.Petersburg/O=NSPCC/OU=NSPCC/CN=s04.${LOCAL_DOMAIN}" \
+		-keyout ${STORAGE_DIR}/s04tls.key -out ${STORAGE_DIR}/s04tls.crt -extensions san -config ${SSL_CONFIG}

services/storage/docker-compose.yml

@@ -114,6 +114,8 @@ services:
       - storage_s04:/storage
       - ./../../vendor/neofs-cli:/neofs-cli
       - ./healthcheck.sh:/healthcheck.sh
+      - ./s04tls.crt:/tls.crt
+      - ./s04tls.key:/tls.key
     stop_signal: SIGKILL
     env_file: [ ".env", ".storage.env" ]
     environment:
@@ -121,6 +123,7 @@ services:
       - NEOFS_NODE_ADDRESSES=s04.${LOCAL_DOMAIN}:8080
       - NEOFS_GRPC_0_ENDPOINT=s04.${LOCAL_DOMAIN}:8080
       - NEOFS_CONTROL_GRPC_ENDPOINT=s04.${LOCAL_DOMAIN}:8081
+      - NEOFS_GRPC_0_TLS_ENABLED=true
       - NEOFS_NODE_ATTRIBUTE_0=UN-LOCODE:FI HEL
       - NEOFS_NODE_ATTRIBUTE_1=Price:44
     healthcheck:

services/storage/prepare.mk

@@ -0,0 +1,3 @@
+prepare.storage:
+	@echo "Adding self-signed tls certs to trusted store"
+	@./bin/addCert.sh