-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(TLS): Support certificate authority flag #7
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -26,18 +26,23 @@ jobs: | |
- name: Install ShellCheck | ||
run: sudo apt-get install shellcheck | ||
|
||
- name: Run ShellCheck | ||
- name: Run ShellCheck entrypoint.sh | ||
run: shellcheck -x -s bash entrypoint.sh | ||
|
||
- name: Run ShellCheck test script | ||
run: shellcheck -x -s bash .github/workflows/scripts/*.sh | ||
|
||
test: | ||
runs-on: ubuntu-latest | ||
runs-on: ubuntu-20.04 | ||
strategy: | ||
matrix: | ||
# This matrix allows us to test multiple bindplane versions. | ||
# When writing back to the repo, we write to directories based | ||
# on the bindplane version. | ||
bindplane_versions: | ||
- 1.40.0 | ||
- 1.37.0 | ||
- 1.45.0 | ||
- latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
|
@@ -50,6 +55,19 @@ jobs: | |
- name: Print Runner IP | ||
run: echo $MAIN_IP | ||
|
||
- name: Generate TLS Certs | ||
run: ./.github/workflows/scripts/tls.sh | ||
env: | ||
MAIN_IP: ${{ env.MAIN_IP }} | ||
|
||
- name: Set CA certificate | ||
run: | | ||
{ | ||
echo 'TLS_CA_CERT<<EOF' | ||
cat step/ca.crt | ||
echo EOF | ||
} >> "$GITHUB_ENV" | ||
Comment on lines
+63
to
+69
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This was annoying to figure out. This syntax allows us to output a multi line file to an environment variable. This environment variable will be used to configure the new TLS option on the action, similar to using a secret. |
||
- name: Pull BindPlane | ||
run: docker pull ghcr.io/observiq/bindplane-ee:${{ matrix.bindplane_versions }} | ||
|
||
|
@@ -60,22 +78,27 @@ jobs: | |
--name bindplane \ | ||
-e BINDPLANE_USERNAME=admin \ | ||
-e BINDPLANE_PASSWORD=admin \ | ||
-e BINDPLANE_REMOTE_URL=http://${MAIN_IP}:3001 \ | ||
-e BINDPLANE_REMOTE_URL=https://${MAIN_IP}:3001 \ | ||
-e BINDPLANE_SESSION_SECRET=2c23c9d3-850f-4062-a5c8-3f9b814ae144 \ | ||
-e BINDPLANE_SECRET_KEY=8a5353f7-bbf4-4eea-846d-a6d54296b781 \ | ||
-e BINDPLANE_LOG_OUTPUT=stdout \ | ||
-e BINDPLANE_ACCEPT_EULA=true \ | ||
-e BINDPLANE_TLS_CERT=/bindplane.crt \ | ||
-e BINDPLANE_TLS_KEY=/bindplane.key \ | ||
-p 3001:3001 \ | ||
-v $(pwd)/step/bindplane.crt:/bindplane.crt \ | ||
-v $(pwd)/step/bindplane.key:/bindplane.key \ | ||
-v $(pwd)/step/ca.crt:/ca.crt \ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The CA is mounted inside the container despite not being used by the BindPlane server. This allows docker exec to run cli commands within the container, with the --tls-ca flag. |
||
ghcr.io/observiq/bindplane-ee:${{ matrix.bindplane_versions }} | ||
- name: Wait for BindPlane | ||
uses: nick-fields/retry@v2 | ||
with: | ||
timeout_minutes: 1 | ||
polling_interval_seconds: 5 | ||
max_attempts: 10 | ||
polling_interval_seconds: 2 | ||
max_attempts: 3 | ||
shell: bash | ||
command: docker exec bindplane /bindplane get agent | ||
command: docker exec bindplane /bindplane get agent --tls-ca /ca.crt | ||
|
||
- name: Run BindPlane Action | ||
# This should be replaced with a release action. | ||
|
@@ -103,12 +126,15 @@ jobs: | |
token: ${{ secrets.GITHUB_TOKEN }} | ||
enable_otel_config_write_back: true | ||
enable_auto_rollout: true | ||
# Generally this would come from a secret, but the certificate | ||
# was created in this workflow. | ||
tls_ca_cert: ${{ env.TLS_CA_CERT }} | ||
|
||
- name: Get Resources | ||
if: always() | ||
run: | | ||
docker exec bindplane /bindplane get destinations | ||
docker exec bindplane /bindplane get configurations | ||
docker exec bindplane /bindplane get destinations --tls-ca /ca.crt | ||
docker exec bindplane /bindplane get configurations --tls-ca /ca.crt | ||
- name: Debug Container Logs | ||
if: always() | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -e | ||
|
||
if [ -z "$MAIN_IP" ]; then | ||
echo "MAIN_IP is not set" | ||
exit 1 | ||
fi | ||
|
||
curl -L -s -o step.tar.gz \ | ||
https://dl.step.sm/gh-release/cli/gh-release-header/v0.22.0/step_linux_0.22.0_amd64.tar.gz | ||
tar -xzf step.tar.gz | ||
mv step_0.22.0/bin/step /usr/local/bin/step | ||
rm -f step.tar.gz | ||
rm -rf step_0.22.0 | ||
|
||
mkdir step/ | ||
chmod -R 0755 step/ | ||
|
||
step certificate create \ | ||
ca.internal \ | ||
step/ca.crt step/ca.key \ | ||
--profile root-ca \ | ||
--no-password \ | ||
--insecure \ | ||
--not-after=8760h | ||
|
||
step certificate create \ | ||
bindplane.internal \ | ||
step/bindplane.crt step/bindplane.key \ | ||
--san "${MAIN_IP}" \ | ||
--profile leaf \ | ||
--not-after 2160h \ | ||
--no-password \ | ||
--insecure \ | ||
--ca step/ca.crt \ | ||
--ca-key step/ca.key | ||
|
||
chmod 0644 step/* |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -15,6 +15,7 @@ configuration_output_dir=${9} | |
token=${10} | ||
enable_auto_rollout=${11} | ||
configuration_output_branch=${12} | ||
tls_ca_cert=${13} | ||
|
||
# This branch name will be compared to target_branch to determine if the action | ||
# should apply or write back configurations. | ||
|
@@ -24,7 +25,7 @@ echo "Current branch is $BRANCH_NAME" | |
install_bindplane_cli() { | ||
curl -Ls \ | ||
-o bindplane.zip \ | ||
https://storage.googleapis.com/bindplane-op-releases/bindplane/latest/bindplane-ee-linux-amd64.zip | ||
https://storage.googleapis.com/bindplane-op-releases/bindplane/1.46.0/bindplane-ee-linux-amd64.zip | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hardcoding the bindplane version in order to pin it to the action release version. Our BindPlane release process has new instructions for updating this hardcoded version. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 1.46 contains a fix for TLS. |
||
|
||
mkdir -p ~/bin | ||
export PATH=$PATH:~/bin | ||
|
@@ -68,6 +69,12 @@ validate() { | |
profile_args="$profile_args --api-key $bindplane_api_key" | ||
fi | ||
|
||
if [ -n "$tls_ca_cert" ]; then | ||
echo "tls_ca_cert is set, adding to profile." | ||
echo "$tls_ca_cert" > ca.pem | ||
profile_args="$profile_args --tls-ca ca.pem" | ||
fi | ||
|
||
# configuration_output_dir, target_branch, and token are only required | ||
# when enable_otel_config_write_back is true. | ||
if [ "$enable_otel_config_write_back" = true ]; then | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This generates the certificates for CI usage. MAIN_IP is required because BindPlane's server certificate is created with IP SANS.