Skip to content

Commit

Permalink
docker: separate CLIENT_* and LAPI_* variables for tls certificates (#…
Browse files Browse the repository at this point in the history
  • Loading branch information
mmetc authored Dec 16, 2022
1 parent 579cecd commit f68bc11
Show file tree
Hide file tree
Showing 5 changed files with 80 additions and 39 deletions.
14 changes: 13 additions & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ COPY --from=build /usr/local/bin/cscli /usr/local/bin/cscli
COPY --from=build /go/src/crowdsec/docker/docker_start.sh /
COPY --from=build /go/src/crowdsec/docker/config.yaml /staging/etc/crowdsec/config.yaml

# NOTE: setting default values here will overwrite the ones set in config.yaml
# NOTE: setting default values here would overwrite the ones set in config.yaml
# every time the container is started. We set the default in docker/config.yaml
# and document them in docker/README.md, but keep the variables empty here.

Expand Down Expand Up @@ -68,11 +68,23 @@ ENV AGENT_PASSWORD=
# TLS setup ----------------------------------- #

ENV USE_TLS=false

ENV LAPI_CACERT_FILE=
ENV LAPI_CERT_FILE=
ENV LAPI_KEY_FILE=

ENV CLIENT_CACERT_FILE=
ENV CLIENT_CERT_FILE=
ENV CLIENT_KEY_FILE=

# deprecated in favor of LAPI_*
ENV CACERT_FILE=
ENV CERT_FILE=
ENV KEY_FILE=

# comma-separated list of allowed OU values for TLS bouncer certificates
ENV BOUNCERS_ALLOWED_OU=

# comma-separated list of allowed OU values for TLS agent certificates
ENV AGENTS_ALLOWED_OU=

Expand Down
14 changes: 13 additions & 1 deletion Dockerfile.debian
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ COPY --from=build /go/src/crowdsec/docker/docker_start.sh /
COPY --from=build /go/src/crowdsec/docker/config.yaml /staging/etc/crowdsec/config.yaml
RUN yq eval -i ".plugin_config.group = \"nogroup\"" /staging/etc/crowdsec/config.yaml

# NOTE: setting default values here will overwrite the ones set in config.yaml
# NOTE: setting default values here would overwrite the ones set in config.yaml
# every time the container is started. We set the default in docker/config.yaml
# and document them in docker/README.md, but keep the variables empty here.

Expand Down Expand Up @@ -82,11 +82,23 @@ ENV AGENT_PASSWORD=
# TLS setup ----------------------------------- #

ENV USE_TLS=false

ENV LAPI_CACERT_FILE=
ENV LAPI_CERT_FILE=
ENV LAPI_KEY_FILE=

ENV CLIENT_CACERT_FILE=
ENV CLIENT_CERT_FILE=
ENV CLIENT_KEY_FILE=

# deprecated in favor of LAPI_*
ENV CACERT_FILE=
ENV CERT_FILE=
ENV KEY_FILE=

# comma-separated list of allowed OU values for TLS bouncer certificates
ENV BOUNCERS_ALLOWED_OU=

# comma-separated list of allowed OU values for TLS agent certificates
ENV AGENTS_ALLOWED_OU=

Expand Down
11 changes: 7 additions & 4 deletions docker/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -226,16 +226,19 @@ Using binds rather than named volumes ([complete explanation here](https://docs.
| | | |
| __TLS Auth/encryption | | |
| `USE_TLS` | false | Enable TLS on the LAPI |
| `CERT_FILE` | /etc/ssl/cert.pem | TLS Certificate path |
| `KEY_FILE` | /etc/ssl/key.pem | TLS Key path |
| `CACERT_FILE` | | CA certificate bundle |
| `CLIENT_CERT_FILE` | /etc/ssl/cert.pem | Client TLS Certificate path |
| `CLIENT_KEY_FILE` | /etc/ssl/key.pem | Client TLS Key path |
| `CLIENT_CACERT_FILE` | | Client CA certificate bundle |
| `LAPI_CERT_FILE` | /etc/ssl/cert.pem | LAPI TLS Certificate path |
| `LAPI_KEY_FILE` | /etc/ssl/key.pem | LAPI TLS Key path |
| `LAPI_CACERT_FILE` | | LAPI CA certificate bundle |
| `AGENTS_ALLOWED_OU` | agent-ou | OU values allowed for agents, separated by comma |
| `BOUNCERS_ALLOWED_OU` | bouncer-ou | OU values allowed for bouncers, separated by comma |
| | | |
| __Hub management__ | | |
| `COLLECTIONS` | | Collections to install, separated by space: `-e COLLECTIONS="crowdsecurity/linux crowdsecurity/apache2"` |
| `SCENARIOS` | | Scenarios to install, separated by space |
| `PARSERS` | | Parsers to install, separated by space |
| `SCENARIOS` | | Scenarios to install, separated by space |
| `POSTOVERFLOWS` | | Postoverflows to install, separated by space |
| `DISABLE_COLLECTIONS` | | Collections to remove, separated by space: `-e DISABLE_COLLECTIONS="crowdsecurity/linux crowdsecurity/nginx"` |
| `DISABLE_PARSERS` | | Parsers to remove, separated by space |
Expand Down
2 changes: 0 additions & 2 deletions docker/config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -42,8 +42,6 @@ api:
online_client: # Central API credentials (to push signals and receive bad IPs)
#credentials_path: /etc/crowdsec/online_api_credentials.yaml
tls:
cert_file: /etc/ssl/cert.pem
key_file: /etc/ssl/key.pem
agents_allowed_ou:
- agent-ou
bouncers_allowed_ou:
Expand Down
78 changes: 47 additions & 31 deletions docker/docker_start.sh
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,17 @@ cscli_if_clean() {

#-----------------------------------#

if [ -n "$CERT_FILE" ] || [ -n "$KEY_FILE" ] || [ -n "$CACERT_FILE" ]; then
printf '%b' '\033[0;33m'
echo "Warning: the variables CERT_FILE, KEY_FILE and CACERT_FILE have been deprecated." >&2
echo "Please use LAPI_CERT_FILE, LAPI_KEY_FILE and LAPI_CACERT_FILE insted." >&2
echo "The old variables will be removed in a future release." >&2
printf '%b' '\033[0m'
LAPI_CERT_FILE=${LAPI_CERT_FILE:-$CERT_FILE}
LAPI_KEY_FILE=${LAPI_KEY_FILE:-$KEY_FILE}
LAPI_CACERT_FILE=${LAPI_CACERT_FILE:-$CACERT_FILE}
fi

# Check and prestage databases
for geodb in GeoLite2-ASN.mmdb GeoLite2-City.mmdb; do
# We keep the pre-populated geoip databases in /staging instead of /var,
Expand Down Expand Up @@ -122,37 +133,39 @@ elif [ -n "$USE_WAL" ] && isfalse "$USE_WAL"; then
conf_set '.db_config.use_wal = false'
fi

# regenerate local agent credentials (ignore if agent is disabled)
if isfalse "$DISABLE_AGENT"; then
if isfalse "$DISABLE_LOCAL_API"; then
echo "Regenerate local agent credentials"
cscli machines delete "$CUSTOM_HOSTNAME" 2>/dev/null || true
cscli machines add "$CUSTOM_HOSTNAME" --auto --url "$LOCAL_API_URL"
fi
# regenerate local agent credentials (even if agent is disabled, cscli needs a
# connection to the API)
cscli machines delete "$CUSTOM_HOSTNAME" 2>/dev/null || true
if isfalse "$DISABLE_LOCAL_API" && isfalse "$USE_TLS"; then
echo "Regenerate local agent credentials"
cscli machines add "$CUSTOM_HOSTNAME" --auto --url "$LOCAL_API_URL"
fi

lapi_credentials_path=$(conf_get '.api.client.credentials_path')

lapi_credentials_path=$(conf_get '.api.client.credentials_path')
# we only use the envvars that are actually defined
# in case of persistent configuration
conf_set '
with(select(strenv(LOCAL_API_URL)!=""); .url = strenv(LOCAL_API_URL)) |
with(select(strenv(AGENT_USERNAME)!=""); .login = strenv(AGENT_USERNAME)) |
with(select(strenv(AGENT_PASSWORD)!=""); .password = strenv(AGENT_PASSWORD))
' "$lapi_credentials_path"

# we only use the envvars that are actually defined
# in case of persistent configuration
if istrue "$USE_TLS"; then
conf_set '
with(select(strenv(LOCAL_API_URL)!=""); .url = strenv(LOCAL_API_URL)) |
with(select(strenv(AGENT_USERNAME)!=""); .login = strenv(AGENT_USERNAME)) |
with(select(strenv(AGENT_PASSWORD)!=""); .password = strenv(AGENT_PASSWORD))
' "$lapi_credentials_path"

if istrue "$USE_TLS"; then
conf_set '
with(select(strenv(CACERT_FILE)!=""); .ca_cert_path = strenv(CACERT_FILE)) |
with(select(strenv(KEY_FILE)!=""); .key_path = strenv(KEY_FILE)) |
with(select(strenv(CERT_FILE)!=""); .cert_path = strenv(CERT_FILE))
' "$lapi_credentials_path"
else
conf_set '
del(.ca_cert_path) |
del(.key_path) |
del(.cert_path)
' "$lapi_credentials_path"
fi
with(select(strenv(CLIENT_CACERT_FILE)!=""); .ca_cert_path = strenv(CLIENT_CACERT_FILE)) |
with(select(.ca_cert_path=="" or .ca_cert_path==null); .ca_cert_path = "/etc/ssl/crowdsec-client/ca.pem") |
with(select(strenv(CLIENT_KEY_FILE)!=""); .key_path = strenv(CLIENT_KEY_FILE)) |
with(select(.key_path=="" or .key_path==null); .key_path = "/etc/ssl/crowdsec-client/key.pem") |
with(select(strenv(CLIENT_CERT_FILE)!=""); .cert_path = strenv(CLIENT_CERT_FILE)) |
with(select(.cert_path=="" or .cert_path==null); .cert_path = "/etc/ssl/crowdsec-client/cert.pem")
' "$lapi_credentials_path"
else
conf_set '
del(.ca_cert_path) |
del(.key_path) |
del(.cert_path)
' "$lapi_credentials_path"
fi

if isfalse "$DISABLE_LOCAL_API"; then
Expand Down Expand Up @@ -204,9 +217,12 @@ if istrue "$USE_TLS"; then
agents_allowed_yaml=$(csv2yaml "$AGENTS_ALLOWED_OU") \
bouncers_allowed_yaml=$(csv2yaml "$BOUNCERS_ALLOWED_OU") \
conf_set '
with(select(strenv(CACERT_FILE)!=""); .api.server.tls.ca_cert_path = strenv(CACERT_FILE)) |
with(select(strenv(CERT_FILE)!=""); .api.server.tls.cert_file = strenv(CERT_FILE)) |
with(select(strenv(KEY_FILE)!=""); .api.server.tls.key_file = strenv(KEY_FILE)) |
with(select(strenv(LAPI_CACERT_FILE)!=""); .api.server.tls.ca_cert_path = strenv(LAPI_CACERT_FILE)) |
with(select(.api.server.tls.ca_cert_path=="" or .api.server.tls.ca_cert_path==null); .api.server.tls.ca_cert_path = "/etc/ssl/crowdsec-lapi/ca.pem") |
with(select(strenv(LAPI_CERT_FILE)!=""); .api.server.tls.cert_file = strenv(LAPI_CERT_FILE)) |
with(select(.api.server.tls.cert_file=="" or .api.server.tls.cert_file==null); .api.server.tls.cert_file = "/etc/ssl/crowdsec-lapi/cert.pem") |
with(select(strenv(LAPI_KEY_FILE)!=""); .api.server.tls.key_file = strenv(LAPI_KEY_FILE)) |
with(select(.api.server.tls.key_file=="" or .api.server.tls.key_file==null); .api.server.tls.key_file = "/etc/ssl/crowdsec-lapi/key.pem") |
with(select(strenv(BOUNCERS_ALLOWED_OU)!=""); .api.server.tls.bouncers_allowed_ou = env(bouncers_allowed_yaml)) |
with(select(strenv(AGENTS_ALLOWED_OU)!=""); .api.server.tls.agents_allowed_ou = env(agents_allowed_yaml)) |
... comments=""
Expand Down

0 comments on commit f68bc11

Please sign in to comment.