Provide CA Certificates via cloud-init's ca_certs module
AlexVulaj committed Aug 5, 2024
1 parent 87b6710 commit 786977a
Showing 4 changed files with 30 additions and 15 deletions.
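--- a/pkg/probes/curl/curl_json.go
+++ b/pkg/probes/curl/curl_json.go
@@ -3,6 +3,7 @@ package curl
 import (
 _ "embed"
 "fmt"
+"gopkg.in/yaml.v3"
 "os"
 "strconv"
 "strings"
@@ -104,17 +105,31 @@ func (clp Probe) GetExpandedUserData(userDataVariables map[string]string) (strin
 return "", fmt.Errorf("invalid userdata variable DELAY: %w", err)
 }
 
-// For compatibility reasons, we expect CACERT to be either empty or a base64-encoded
-// PEM-formatted CA certicate. When one is provided, we "render" it with a cloud-init
-// preamble that writes the file to disk, and we tell curl about the cert file via flag
-if userDataVariables["CACERT"] != "" {
-cloudInitPreamble := `write_files:
-- path: /proxy.pem
-permissions: '0755'
-encoding: b64
-content: `
-userDataVariables["CACERT_RENDERED"] = cloudInitPreamble + userDataVariables["CACERT"]
-userDataVariables["CURLOPT"] += " --cacert /proxy.pem "
+// We expect CACERT to be either empty or a PEM-formatted CA certificate string.
+// When a CA certificate is provided, we add it to the system's CA store via cloud-init.
+// Docs: https://cloudinit.readthedocs.io/en/latest/reference/modules.html#ca-certificates
+if cacert := userDataVariables["CACERT"]; cacert != "" {
+type CaCert struct {
+Trusted []string `yaml:"trusted"`
+}
+type CloudConfig struct {
+CaCerts CaCert `yaml:"ca_certs"`
+}
+
+cloudInit := CloudConfig{
+CaCerts: CaCert{
+Trusted: []string{
+strings.TrimSpace(cacert),
+},
+},
+}
+
+cloudInitYamlBytes, cloudInitMarshalErr := yaml.Marshal(&cloudInit)
+if cloudInitMarshalErr != nil {
+return "", fmt.Errorf("unable to create cloud init config: %w", cloudInitMarshalErr)
+}
+
+userDataVariables["CACERT_RENDERED"] = strings.TrimSpace(string(cloudInitYamlBytes))
 }
 
 // Also for compatibility reasons, we map the NOTLS variable to curl's "insecure" flag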
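Review bot: The new branch hands whatever CACERT holds straight to cloud-init's ca_certs module, so a value that is not a PEM certificate (for example a base64 blob from a caller still using the previous encoding) is only discovered when cloud-init on the instance rejects it. Validating before marshalling keeps the failure local and the message clear: `if block, _ := pem.Decode([]byte(cacert)); block == nil || block.Type != "CERTIFICATE" { return "", fmt.Errorf("userdata variable CACERT is not a PEM-encoded certificate") }`, with `"encoding/pem"` added to the import block of the first hunk. A comment next to the rendered YAML should also spell out what the commit's own comment implies: unlike the dropped `--cacert /proxy.pem` flag, ca_certs installs the certificate into the system trust store, so every TLS client on the instance trusts it, not only the probe's curl, and curl now depends on that store being updated before the probe runs. GetExpandedUserData starts and ends outside the hunk.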
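--- a/pkg/probes/curl/curl_json_test.go
+++ b/pkg/probes/curl/curl_json_test.go
@@ -55,9 +55,9 @@ func TestCurlJSONProbe_GetExpandedUserData(t *testing.T) {
 "TIMEOUT": "1",
 "DELAY": "2",
 "URLS": "http://example.com:80 https://example.org:443",
-"CACERT": "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",
+"CACERT": "-----BEGIN CERTIFICATE-----\nMIICbjCCAfOgAwIBAgIQYvYybOXE42hcG2LdnC6dlTAKBggqhkjOPQQDAzB4MQsw\nCQYDVQQGEwJFUzERMA8GA1UECgwIRk5NVC1SQ00xDjAMBgNVBAsMBUNlcmVzMRgw\nFgYDVQRhDA9WQVRFUy1RMjgyNjAwNEoxLDAqBgNVBAMMI0FDIFJBSVogRk5NVC1S\nQ00gU0VSVklET1JFUyBTRUdVUk9TMB4XDTE4MTIyMDA5MzczM1oXDTQzMTIyMDA5\nMzczM1oweDELMAkGA1UEBhMCRVMxETAPBgNVBAoMCEZOTVQtUkNNMQ4wDAYDVQQL\nDAVDZXJlczEYMBYGA1UEYQwPVkFURVMtUTI4MjYwMDRKMSwwKgYDVQQDDCNBQyBS\nQUlaIEZOTVQtUkNNIFNFUlZJRE9SRVMgU0VHVVJPUzB2MBAGByqGSM49AgEGBSuB\nBAAiA2IABPa6V1PIyqvfNkpSIeSX0oNnnvBlUdBeh8dHsVnyV0ebAAKTRBdp20LH\nsbI6GA60XYyzZl2hNPk2LEnb80b8s0RpRBNm/dfF/a82Tc4DTQdxz69qBdKiQ1oK\nUm8BA06Oi6NCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD\nVR0OBBYEFAG5L++/EYZg8k/QQW6rcx/n0m5JMAoGCCqGSM49BAMDA2kAMGYCMQCu\nSuMrQMN0EfKVrRYj3k4MGuZdpSRea0R7/DjiT8ucRRcRTBQnJlU5dUoDzBOQn5IC\nMQD6SmxgiHPz7riYYqnOK8LZiqZwMR2vsJRM60/G49HzYqc8/5MuB1xJAWdpEgJy\nv+c=\n-----END CERTIFICATE-----\n",
 },
-wantRegex: `#cloud-config[\s\S]*proxy.pem[\s\S]*encoding: b64[\s\S]*LS0tLS1CRUd\w*Cg==\n[\s\S]*https://example.org:443`,
+wantRegex: `#cloud-config[\s\S]*ca_certs[\s\S]*trusted:[\s\S]*BEGIN CERTIFICATE[\s\S]*END CERTIFICATE`,
 },
 {
 name: "set NOTLS",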
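Review bot: The new wantRegex only checks that `BEGIN CERTIFICATE` and `END CERTIFICATE` appear somewhere after `trusted:`, so output in which the base64 body was mangled (lines re-wrapped, or the YAML block scalar's indentation lost when the fragment is spliced into the surrounding cloud-config) would still pass, and the previous regex at least pinned the encoded body and the trailing URL. Since the fixture is a complete certificate, a stronger check is cheap: after the regex match, assert that every line of the CACERT fixture is present in the rendered output, e.g. `for _, l := range strings.Split(strings.TrimSpace(fixture), "\n") { if !strings.Contains(got, l) { t.Errorf("missing cert line %q", l) } }`. The test table continues outside the hunk.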
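--- a/pkg/probes/legacy/userdata-template.yaml
+++ b/pkg/probes/legacy/userdata-template.yaml
@@ -15,7 +15,7 @@ write_files:
 fi
 echo "Using IMAGE: $IMAGE" >> /var/log/userdata-output
 if [[ "${CACERT}" != "" ]]; then
-echo "${CACERT}" | base64 --decode > /proxy.pem
+echo "${CACERT}" > /proxy.pem
 sudo docker run -v /proxy.pem:/proxy.pem:Z -e "HTTP_PROXY=${HTTP_PROXY}" -e "HTTPS_PROXY=${HTTPS_PROXY}" -e "AWS_REGION=${AWS_REGION}" -e "START_VERIFIER=${VALIDATOR_START_VERIFIER}" -e "END_VERIFIER=${VALIDATOR_END_VERIFIER}" ${IMAGE} --timeout=${TIMEOUT} --config=${CONFIG_PATH} --cacert=/proxy.pem --no-tls=${NOTLS} >> /var/log/userdata-output || echo "Failed to successfully run the docker container"
 else
 sudo docker run -e "AWS_REGION=${AWS_REGION}" -e "HTTP_PROXY=${HTTP_PROXY}" -e "HTTPS_PROXY=${HTTPS_PROXY}" -e "START_VERIFIER=${VALIDATOR_START_VERIFIER}" -e "END_VERIFIER=${VALIDATOR_END_VERIFIER}" ${IMAGE} --timeout=${TIMEOUT} --config=${CONFIG_PATH} >> /var/log/userdata-output || echo "Failed to successfully run the docker container"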
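Review bot: `echo "${CACERT}" > /proxy.pem` now expects CACERT to be the raw multi-line PEM, and the matching change in pkg/verifier/aws/entry_point.go stops base64-encoding vei.Proxy.Cacert before it enters the variable map. If CACERT is substituted textually into this template, the hunk header shows this script sits under a `write_files:` block, so every PEM line after the first lands at column 0 inside a YAML block scalar and can break the document, and any `"` or `$` in a malformed value is interpreted by the shell; the single-line base64 form avoided both problems, which appears to be why it was there. The substitution mechanism is not visible from the hunk, so confirm that it re-indents or quotes the value; otherwise keeping `base64 --decode` on this legacy path, with entry_point.go encoding only for it, is the safer option.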
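--- a/pkg/verifier/aws/entry_point.go
+++ b/pkg/verifier/aws/entry_point.go
@@ -165,7 +165,7 @@ func (a *AwsVerifier) ValidateEgress(vei verifier.ValidateEgressInput) *output.O
 "TIMEOUT": vei.Timeout.String(),
 "HTTP_PROXY": vei.Proxy.HttpProxy,
 "HTTPS_PROXY": vei.Proxy.HttpsProxy,
-"CACERT": base64.StdEncoding.EncodeToString([]byte(vei.Proxy.Cacert)),
+"CACERT": vei.Proxy.Cacert,
 "NOTLS": strconv.FormatBool(vei.Proxy.NoTls),
 "CONFIG_PATH": configPath,
 "DELAY": "5",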

0 comments on commit 786977a

Please sign in to comment.