From dcabac6c71ec5169cf0a6eda5d7f02a5e3bf7d2f Mon Sep 17 00:00:00 2001 From: jsirianni Date: Wed, 28 Feb 2024 11:58:07 -0500 Subject: [PATCH 1/2] Support TLS CA
--- .github/workflows/ci.yml | 44 +++++++++++++++++++++++++------- .github/workflows/scripts/tls.sh | 39 ++++++++++++++++++++++++++++ action.yml | 3 +++ entrypoint.sh | 9 ++++++- 4 files changed, 85 insertions(+), 10 deletions(-) create mode 100755 .github/workflows/scripts/tls.sh
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f471d29..56008da 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,18 +26,23 @@ jobs: - name: Install ShellCheck run: sudo apt-get install shellcheck - - name: Run ShellCheck + - name: Run ShellCheck entrypoint.sh run: shellcheck -x -s bash entrypoint.sh + - name: Run ShellCheck test script + run: shellcheck -x -s bash .github/workflows/scripts/*.sh + test: - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 strategy: matrix: # This matrix allows us to test multiple bindplane versions. # When writing back to the repo, we write to directories based # on the bindplane version. bindplane_versions: - - 1.40.0 + - 1.37.0 + - 1.45.0 + - latest steps: - name: Checkout uses: actions/checkout@v4
@@ -50,6 +55,19 @@ jobs: - name: Print Runner IP run: echo $MAIN_IP + - name: Generate TLS Certs + run: ./.github/workflows/scripts/tls.sh + env: + MAIN_IP: ${{ env.MAIN_IP }} + + - name: Set CA certificate + run: | + { + echo 'TLS_CA_CERT<> "$GITHUB_ENV" + - name: Pull BindPlane run: docker pull ghcr.io/observiq/bindplane-ee:${{ matrix.bindplane_versions }}
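Review bot: The new matrix entry `latest` makes the `test` job non-reproducible: which server image a run exercises changes with every upstream release, so a failure cannot be attributed to a known version and a commit that passed yesterday can fail today unchanged. Pin the newest version explicitly, as the `1.37.0` and `1.45.0` entries are, and bump it deliberately. `runs-on` also moves from `ubuntu-latest` to `ubuntu-20.04` without explanation; if the pin is needed by the TLS steps added below, a comment such as `# pinned: the TLS test setup was only validated on 20.04` keeps the next maintainer from reverting it.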
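Review bot: The `Set CA certificate` step writes a multi-line value into `$GITHUB_ENV`, and in this rendering the heredoc delimiter between `TLS_CA_CERT<` and `>> "$GITHUB_ENV"` is lost, so the delimiter actually used cannot be checked. With the multi-line `$GITHUB_ENV` syntax, any line of the value equal to the delimiter ends the variable and everything after it is parsed as further `NAME=value` assignments, so the delimiter should be one that cannot occur in the certificate body, e.g. `delim="ghadelim_$(openssl rand -hex 16)"` used for both the opening `TLS_CA_CERT<<${delim}` line and the closing line, rather than a fixed word like `EOF`. The `env: MAIN_IP: ${{ env.MAIN_IP }}` on `Generate TLS Certs` is presumably redundant: if `MAIN_IP` was exported through `$GITHUB_ENV` in the earlier step it is already in every later step's environment, and the extra mapping only suggests otherwise.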
@@ -60,22 +78,27 @@ jobs: --name bindplane \ -e BINDPLANE_USERNAME=admin \ -e BINDPLANE_PASSWORD=admin \ - -e BINDPLANE_REMOTE_URL=http://${MAIN_IP}:3001 \ + -e BINDPLANE_REMOTE_URL=https://${MAIN_IP}:3001 \ -e BINDPLANE_SESSION_SECRET=2c23c9d3-850f-4062-a5c8-3f9b814ae144 \ -e BINDPLANE_SECRET_KEY=8a5353f7-bbf4-4eea-846d-a6d54296b781 \ -e BINDPLANE_LOG_OUTPUT=stdout \ -e BINDPLANE_ACCEPT_EULA=true \ + -e BINDPLANE_TLS_CERT=/bindplane.crt \ + -e BINDPLANE_TLS_KEY=/bindplane.key \ -p 3001:3001 \ + -v $(pwd)/step/bindplane.crt:/bindplane.crt \ + -v $(pwd)/step/bindplane.key:/bindplane.key \ + -v $(pwd)/step/ca.crt:/ca.crt \ ghcr.io/observiq/bindplane-ee:${{ matrix.bindplane_versions }} - name: Wait for BindPlane uses: nick-fields/retry@v2 with: timeout_minutes: 1 - polling_interval_seconds: 5 - max_attempts: 10 + polling_interval_seconds: 2 + max_attempts: 3 shell: bash - command: docker exec bindplane /bindplane get agent + command: docker exec bindplane /bindplane get agent --tls-ca /ca.crt - name: Run BindPlane Action # This should be replaced with a release action.
@@ -103,12 +126,15 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} enable_otel_config_write_back: true enable_auto_rollout: true + # Generally this would come from a secret, but the certificate + # was created in this workflow. + tls_ca_cert: ${{ env.TLS_CA_CERT }} - name: Get Resources if: always() run: | - docker exec bindplane /bindplane get destinations - docker exec bindplane /bindplane get configurations + docker exec bindplane /bindplane get destinations --tls-ca /ca.crt + docker exec bindplane /bindplane get configurations --tls-ca /ca.crt - name: Debug Container Logs if: always()
diff --git a/.github/workflows/scripts/tls.sh b/.github/workflows/scripts/tls.sh new file mode 100755
index 0000000..063800e
--- /dev/null
+++ b/.github/workflows/scripts/tls.sh
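Review bot: The `Wait for BindPlane` retry budget drops from 10 attempts every 5 s to 3 attempts every 2 s, and since `docker exec bindplane /bindplane get agent` presumably fails immediately while the server is still starting (the per-attempt `timeout_minutes` never comes into play), the container now gets roughly six seconds to come up before the job fails; expect flaky runs, especially on the larger `latest` image, unless `max_attempts: 10` is kept or `polling_interval_seconds` is raised. The new bind mounts leave the substitution unquoted, `-v $(pwd)/step/bindplane.crt:/bindplane.crt \`; `-v "$(pwd)/step/bindplane.crt:/bindplane.crt" \` keeps each mount a single argument if the workspace path ever contains whitespace. Adding `--tls-ca /ca.crt` to the health-check command is the right call, because the wait step now also verifies that the server presents a certificate chaining to the generated CA rather than only that the port answers.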
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [ -z "$MAIN_IP" ]; then
+ echo "MAIN_IP is not set"
+ exit 1
+fi
+
+curl -L -s -o step.tar.gz \
+ https://dl.step.sm/gh-release/cli/gh-release-header/v0.22.0/step_linux_0.22.0_amd64.tar.gz
+tar -xzf step.tar.gz
+mv step_0.22.0/bin/step /usr/local/bin/step
+rm -f step.tar.gz
+rm -rf step_0.22.0
+
+mkdir step/
+chmod -R 0755 step/
+
+step certificate create \
+ ca.internal \
+ step/ca.crt step/ca.key \
+ --profile root-ca \
+ --no-password \
+ --insecure \
+ --not-after=8760h
+
+step certificate create \
+ bindplane.internal \
+ step/bindplane.crt step/bindplane.key \
+ --san "${MAIN_IP}" \
+ --profile leaf \
+ --not-after 2160h \
+ --no-password \
+ --insecure \
+ --ca step/ca.crt \
+ --ca-key step/ca.key
+
+chmod 0644 step/*
diff --git a/action.yml b/action.yml
index 71727b5..7f6e2e1 100644
--- a/action.yml
+++ b/action.yml
@@ -30,6 +30,8 @@ inputs: enable_auto_rollout: description: 'When enabled, the action will trigger a rollout for all configurations that have been updated' default: false + tls_ca_cert: + description: 'The CA certificate to use when connecting to BindPlane OP' runs: using: 'docker'
@@ -49,3 +51,4 @@ runs: - ${{ inputs.token }} - ${{ inputs.enable_auto_rollout }} - ${{ inputs.configuration_output_branch }}
+ - ${{ inputs.tls_ca_cert }}
diff --git a/entrypoint.sh b/entrypoint.sh
index baaa5ec..81db5d1 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -15,6 +15,7 @@ configuration_output_dir=${9} token=${10} enable_auto_rollout=${11} configuration_output_branch=${12} +tls_ca_cert=${13} # This branch name will be compared to target_branch to determine if the action # should apply or write back configurations.
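Review bot: The `step` binary is fetched with `curl -L -s` and moved straight into `/usr/local/bin` with no integrity check, so the tool that mints the test CA — the trust root every later TLS assertion in the workflow rests on — is whatever the download endpoint happens to return; pin the artifact's SHA-256 next to the version and verify it before extracting, as in the excerpt below (the same gap exists for the `bindplane-ee-linux-amd64.zip` download that entrypoint.sh's `install_bindplane_cli` now pins to 1.46.0). `curl -s` also hides HTTP errors, and without `-f` a 404 body is saved as `step.tar.gz` and only surfaces as a confusing `tar` failure, so `curl -fsSL` together with `set -euo pipefail` makes the script stop at the real cause. The closing `chmod 0644 step/*` makes `ca.key` world-readable along with everything else; only `bindplane.crt` and `bindplane.key` need to be readable by the container, and `ca.key` is not used after the leaf is issued, so `chmod 0600 step/ca.key` (or deleting it) keeps the signing key at least-privilege even on a throwaway runner. `mkdir step/` also aborts under `set -e` on a re-run where the directory already exists; `mkdir -p step/` is the usual form.
```shell
set -euo pipefail

# … unchanged: MAIN_IP check …

# Digest of the pinned release artifact; take it from the step v0.22.0
# release checksum list and update it together with the version.
expected_sha256="<sha256 of step_linux_0.22.0_amd64.tar.gz from the release checksums>"

curl -fsSL -o step.tar.gz \
  https://dl.step.sm/gh-release/cli/gh-release-header/v0.22.0/step_linux_0.22.0_amd64.tar.gz
echo "${expected_sha256}  step.tar.gz" | sha256sum -c -
tar -xzf step.tar.gz
# … unchanged: install, certificate creation, chmod …
```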
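Review bot: The new `tls_ca_cert` input's description does not say what form the value takes, while entrypoint.sh writes it verbatim to `ca.pem`, so a user who passes a file path (the more common shape for a CA option) gets an opaque TLS failure; suggest `description: 'PEM contents of the CA certificate (not a file path) used to verify the BindPlane OP server certificate'`. The input also declares no `default`, unlike `enable_auto_rollout` just above it; an explicit `default: ''` documents that an empty positional `${13}` is the intended "unset" value that entrypoint.sh's `-n` test relies on. The positional append at the end of the `args` list in the second hunk lines up with `tls_ca_cert=${13}` in entrypoint.sh, so the wiring itself is consistent.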
@@ -24,7 +25,7 @@ echo "Current branch is $BRANCH_NAME" install_bindplane_cli() { curl -Ls \ -o bindplane.zip \ - https://storage.googleapis.com/bindplane-op-releases/bindplane/latest/bindplane-ee-linux-amd64.zip + https://storage.googleapis.com/bindplane-op-releases/bindplane/1.46.0/bindplane-ee-linux-amd64.zip mkdir -p ~/bin export PATH=$PATH:~/bin
@@ -68,6 +69,12 @@ validate() { profile_args="$profile_args --api-key $bindplane_api_key" fi + if [ -n "$tls_ca_cert" ]; then + echo "tls_ca_cert is set, adding to profile." + echo "$tls_ca_cert" > ca.pem + profile_args="$profile_args --tls-ca ca.pem" + fi + # configuration_output_dir, target_branch, and token are only required # when enable_otel_config_write_back is true. if [ "$enable_otel_config_write_back" = true ]; then
From 2c4d75c37f4c0e65e9e954caaa8f7f636ce829d2 Mon Sep 17 00:00:00 2001 From: jsirianni Date: Wed, 28 Feb 2024 12:04:40 -0500 Subject: [PATCH 2/2] doc new tls option
--- README.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+)
diff --git a/README.md b/README.md
index 4a95faf..094180f 100644
--- a/README.md
+++ b/README.md
@@ -21,6 +21,7 @@ server. It also supports exporting the OpenTelemetry configurations back to the | configuration_output_branch | | The branch to write the OTEL configuration resources to. If unset, target_branch will be used. | | token | | The Github token that will be used to write to the repo. Usually secrets.GITHUB_TOKEN is sufficient. Requires the `contents.write` permission. | | enable_auto_rollout | `false` | When enabled, the action will trigger a rollout for any configuration that has been updated. | +| tls_ca_cert | | The contents of a TLS certificate authority, usually from a secret. See the [TLS](#tls) section. | ## Usage
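Review bot: `echo "$tls_ca_cert" > ca.pem` drops the CA into the current working directory and bakes the relative path into `profile_args`, so it only resolves while the CLI runs from that same directory, and if the write-back path later stages the working tree (not visible in this hunk) the stray `ca.pem` would be committed alongside the configurations. Write it to a temp file and reference it absolutely: `ca_pem="$(mktemp)"`, `printf '%s\n' "$tls_ca_cert" > "$ca_pem"`, `profile_args="$profile_args --tls-ca $ca_pem"`; `printf` also avoids the builtin `echo` treating a leading `-n`/`-e` as an option. A cheap sanity check such as `grep -q 'BEGIN CERTIFICATE' "$ca_pem" || { echo "tls_ca_cert must be PEM certificate contents, not a path"; exit 1; }` before adding the flag turns a mis-set secret into a clear error instead of an opaque TLS failure from the first CLI call. The enclosing `validate()` function starts and ends outside this hunk.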
@@ -95,3 +96,24 @@ otel ├── k8s-gateway.yaml └── k8s-node.yaml ```
+
+### TLS
+
+TLS can be configured by setting `tls_ca_cert` to a secret that contains
+your TLS certificate authority. This should be the contents of an x509 PEM
+certificate, not a file path.
+
+This example shows `tls_ca_cert` being set using a secret, and `bindplane_remote_url`
+using a TLS endpoint (`https`).
+
+```yaml
+- uses: observIQ/bindplane-op-action@main
+ with:
+ tls_ca_cert: ${{ secrets.TLS_CA }}
+ bindplane_remote_url: https://bindplane.mycorp.net
+ bindplane_username: ${{ secrets.BINDPLANE_USERNAME }}
+ bindplane_password: ${{ secrets.BINDPLANE_PASSWORD }}
+ target_branch: main
+ destination_path: destination.yaml
+ configuration_path: configuration.yaml
+```