Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(TLS): Support certificate authority flag #7

Merged
merged 2 commits into from
Feb 29, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 35 additions & 9 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,18 +26,23 @@ jobs:
- name: Install ShellCheck
run: sudo apt-get install shellcheck

- name: Run ShellCheck
- name: Run ShellCheck entrypoint.sh
run: shellcheck -x -s bash entrypoint.sh

- name: Run ShellCheck test script
run: shellcheck -x -s bash .github/workflows/scripts/*.sh

test:
runs-on: ubuntu-latest
runs-on: ubuntu-20.04
strategy:
matrix:
# This matrix allows us to test multiple bindplane versions.
# When writing back to the repo, we write to directories based
# on the bindplane version.
bindplane_versions:
- 1.40.0
- 1.37.0
- 1.45.0
- latest
steps:
- name: Checkout
uses: actions/checkout@v4
Expand All @@ -50,6 +55,19 @@ jobs:
- name: Print Runner IP
run: echo $MAIN_IP

- name: Generate TLS Certs
run: ./.github/workflows/scripts/tls.sh
env:
MAIN_IP: ${{ env.MAIN_IP }}
Comment on lines +58 to +61
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This generates the certificates for CI usage. MAIN_IP is required because BindPlane's server certificate is created with IP SANS.


- name: Set CA certificate
run: |
{
echo 'TLS_CA_CERT<<EOF'
cat step/ca.crt
echo EOF
} >> "$GITHUB_ENV"
Comment on lines +63 to +69
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was annoying to figure out. This syntax allows us to output a multi line file to an environment variable. This environment variable will be used to configure the new TLS option on the action, similar to using a secret.

- name: Pull BindPlane
run: docker pull ghcr.io/observiq/bindplane-ee:${{ matrix.bindplane_versions }}

Expand All @@ -60,22 +78,27 @@ jobs:
--name bindplane \
-e BINDPLANE_USERNAME=admin \
-e BINDPLANE_PASSWORD=admin \
-e BINDPLANE_REMOTE_URL=http://${MAIN_IP}:3001 \
-e BINDPLANE_REMOTE_URL=https://${MAIN_IP}:3001 \
-e BINDPLANE_SESSION_SECRET=2c23c9d3-850f-4062-a5c8-3f9b814ae144 \
-e BINDPLANE_SECRET_KEY=8a5353f7-bbf4-4eea-846d-a6d54296b781 \
-e BINDPLANE_LOG_OUTPUT=stdout \
-e BINDPLANE_ACCEPT_EULA=true \
-e BINDPLANE_TLS_CERT=/bindplane.crt \
-e BINDPLANE_TLS_KEY=/bindplane.key \
-p 3001:3001 \
-v $(pwd)/step/bindplane.crt:/bindplane.crt \
-v $(pwd)/step/bindplane.key:/bindplane.key \
-v $(pwd)/step/ca.crt:/ca.crt \
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CA is mounted inside the container despite not being used by the BindPlane server. This allows docker exec to run cli commands within the container, with the --tls-ca flag.

ghcr.io/observiq/bindplane-ee:${{ matrix.bindplane_versions }}
- name: Wait for BindPlane
uses: nick-fields/retry@v2
with:
timeout_minutes: 1
polling_interval_seconds: 5
max_attempts: 10
polling_interval_seconds: 2
max_attempts: 3
shell: bash
command: docker exec bindplane /bindplane get agent
command: docker exec bindplane /bindplane get agent --tls-ca /ca.crt

- name: Run BindPlane Action
# This should be replaced with a release action.
Expand Down Expand Up @@ -103,12 +126,15 @@ jobs:
token: ${{ secrets.GITHUB_TOKEN }}
enable_otel_config_write_back: true
enable_auto_rollout: true
# Generally this would come from a secret, but the certificate
# was created in this workflow.
tls_ca_cert: ${{ env.TLS_CA_CERT }}

- name: Get Resources
if: always()
run: |
docker exec bindplane /bindplane get destinations
docker exec bindplane /bindplane get configurations
docker exec bindplane /bindplane get destinations --tls-ca /ca.crt
docker exec bindplane /bindplane get configurations --tls-ca /ca.crt
- name: Debug Container Logs
if: always()
Expand Down
39 changes: 39 additions & 0 deletions .github/workflows/scripts/tls.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
#!/usr/bin/env bash

set -e

if [ -z "$MAIN_IP" ]; then
echo "MAIN_IP is not set"
exit 1
fi

curl -L -s -o step.tar.gz \
https://dl.step.sm/gh-release/cli/gh-release-header/v0.22.0/step_linux_0.22.0_amd64.tar.gz
tar -xzf step.tar.gz
mv step_0.22.0/bin/step /usr/local/bin/step
rm -f step.tar.gz
rm -rf step_0.22.0

mkdir step/
chmod -R 0755 step/

step certificate create \
ca.internal \
step/ca.crt step/ca.key \
--profile root-ca \
--no-password \
--insecure \
--not-after=8760h

step certificate create \
bindplane.internal \
step/bindplane.crt step/bindplane.key \
--san "${MAIN_IP}" \
--profile leaf \
--not-after 2160h \
--no-password \
--insecure \
--ca step/ca.crt \
--ca-key step/ca.key

chmod 0644 step/*
22 changes: 22 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ server. It also supports exporting the OpenTelemetry configurations back to the
| configuration_output_branch | | The branch to write the OTEL configuration resources to. If unset, target_branch will be used. |
| token | | The Github token that will be used to write to the repo. Usually secrets.GITHUB_TOKEN is sufficient. Requires the `contents.write` permission. |
| enable_auto_rollout | `false` | When enabled, the action will trigger a rollout for any configuration that has been updated. |
| tls_ca_cert | | The contents of a TLS certificate authority, usually from a secret. See the [TLS](#tls) section. |

## Usage

Expand Down Expand Up @@ -95,3 +96,24 @@ otel
├── k8s-gateway.yaml
└── k8s-node.yaml
```

### TLS

TLS can be configured by setting `tls_ca_cert` to a secret that contains
your TLS certificate authority. This should be the contents of an x509 PEM
certificate, not a file path.

This example shows `tls_ca_cert` being set using a secret, and `bindplane_remote_url`
using a TLS endpoint (`https`).

```yaml
- uses: observIQ/bindplane-op-action@main
with:
tls_ca_cert: ${{ secrets.TLS_CA }}
bindplane_remote_url: https://bindplane.mycorp.net
bindplane_username: ${{ secrets.BINDPLANE_USERNAME }}
bindplane_password: ${{ secrets.BINDPLANE_PASSWORD }}
target_branch: main
destination_path: destination.yaml
configuration_path: configuration.yaml
```
3 changes: 3 additions & 0 deletions action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@ inputs:
enable_auto_rollout:
description: 'When enabled, the action will trigger a rollout for all configurations that have been updated'
default: false
tls_ca_cert:
description: 'The CA certificate to use when connecting to BindPlane OP'

runs:
using: 'docker'
Expand All @@ -49,3 +51,4 @@ runs:
- ${{ inputs.token }}
- ${{ inputs.enable_auto_rollout }}
- ${{ inputs.configuration_output_branch }}
- ${{ inputs.tls_ca_cert }}
9 changes: 8 additions & 1 deletion entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ configuration_output_dir=${9}
token=${10}
enable_auto_rollout=${11}
configuration_output_branch=${12}
tls_ca_cert=${13}

# This branch name will be compared to target_branch to determine if the action
# should apply or write back configurations.
Expand All @@ -24,7 +25,7 @@ echo "Current branch is $BRANCH_NAME"
install_bindplane_cli() {
curl -Ls \
-o bindplane.zip \
https://storage.googleapis.com/bindplane-op-releases/bindplane/latest/bindplane-ee-linux-amd64.zip
https://storage.googleapis.com/bindplane-op-releases/bindplane/1.46.0/bindplane-ee-linux-amd64.zip
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hardcoding the bindplane version in order to pin it to the action release version. Our BindPlane release process has new instructions for updating this hardcoded version.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1.46 contains a fix for TLS.


mkdir -p ~/bin
export PATH=$PATH:~/bin
Expand Down Expand Up @@ -68,6 +69,12 @@ validate() {
profile_args="$profile_args --api-key $bindplane_api_key"
fi

if [ -n "$tls_ca_cert" ]; then
echo "tls_ca_cert is set, adding to profile."
echo "$tls_ca_cert" > ca.pem
profile_args="$profile_args --tls-ca ca.pem"
fi

# configuration_output_dir, target_branch, and token are only required
# when enable_otel_config_write_back is true.
if [ "$enable_otel_config_write_back" = true ]; then
Expand Down
Loading