Commit
fix: move localhost TLS secret to configuration (#982)
tommartensen authored Sep 13, 2023
1 parent f6aceca commit 2282d91
Showing 7 changed files with 28 additions and 64 deletions.
5 changes: 5 additions & 0 deletions DEPLOYMENT.md
@@ -71,6 +71,11 @@ To upload the local configuration which includes the consolidated values back to

`make configuration-upload`

## Regenerating the localhost certificates for the gRPC gateway

The connection for the gRPC gateway is secured by a self-generated "localhost" certificate.
To regenerate the certificate, run: `./scripts/cert/renew.sh <local|development|production>`.

## Creating a Tag for Release

To create a full GitHub release, draft a new release from the console.
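Review bot: the new section tells the reader to run `./scripts/cert/renew.sh <local|development|production>` but says nothing about where the output lands or how it reaches the chart. Since `renew.sh` writes `key.pem` and `cert.pem` under `chart/infra-server/configuration/<ENVIRONMENT>/tls/` and `secrets.yaml` now reads `.Values.tls__cert_pem` / `.Values.tls__key_pem`, add a sentence naming that path, explaining how those two values are populated from the generated files, and stating that the generated private key must not be committed.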
12 changes: 4 additions & 8 deletions TROUBLESHOOTING.md
@@ -10,10 +10,6 @@ GCP infra.rox.systems Zone

https://console.cloud.google.com/net-services/dns/zones/infra-rox-systems?project=stackrox-infra&organizationId=847401270788

Auth0 Application

https://manage.auth0.com/dashboard/us/sr-dev/applications/AsyLUYxwV2GX2oG0PjwTXhMlxHuI7qmE/settings

Argo Releases and CLI

https://github.com/argoproj/argo/releases
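Review bot: this hunk only deletes the `Auth0 Application` entry and its dashboard link, which is unrelated to the TLS secret move the commit title describes; either mention the removal in the commit message or keep it for a separate change so the history stays searchable.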
@@ -64,16 +60,16 @@ Status: Running
Created: Mon Jun 01 13:43:12 -0700 (42 seconds ago)
Started: Mon Jun 01 13:43:12 -0700 (42 seconds ago)
Duration: 42 seconds
Parameters:
Parameters:
name: june1demo1
main-image: stackrox.io/main:3.0.43.1
scanner-image: stackrox.io/scanner:2.2.6
scanner-db-image: stackrox.io/scanner-db:2.2.6
STEP PODNAME DURATION ARTIFACTS MESSAGE
● demo-mxgf9 (start)
├---✔ roxctl (roxctl) demo-mxgf9-522422286 9s roxctl
└---● create (create) demo-mxgf9-3875809567 32s
● demo-mxgf9 (start)
├---✔ roxctl (roxctl) demo-mxgf9-522422286 9s roxctl
└---● create (create) demo-mxgf9-3875809567 32s
```

To get logs from a step, run:
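Review bot: the only difference in this hunk is the indentation of `Parameters:` and of the three tree lines under `STEP PODNAME DURATION ARTIFACTS MESSAGE` inside a quoted sample-output block; a whitespace-only edit to example output is harmless but unrelated to the commit, so a word in the commit message would save the next reader from hunting for a semantic change.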
21 changes: 0 additions & 21 deletions chart/infra-server/static/tls-cert.pem

This file was deleted.

27 changes: 0 additions & 27 deletions chart/infra-server/static/tls-key.pem

This file was deleted.
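Review bot: deleting `chart/infra-server/static/tls-key.pem` removes the private key from the tree but not from the repository history, where it stays reachable at the parent commit f6aceca; treat that key and its certificate as exposed, generate a fresh pair with `scripts/cert/renew.sh` for every environment before this change is deployed, and make sure the new `configuration/<env>/tls/` output directory is git-ignored so the same mistake cannot recur.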

4 changes: 2 additions & 2 deletions chart/infra-server/templates/secrets.yaml
@@ -20,10 +20,10 @@ data:
{{- tpl (required ".Values.oidc_yaml | b64dec) . | b64enc | nindent 4 is undefined" .Values.oidc_yaml | b64dec) . | b64enc | nindent 4 }}
cert.pem: |-
{{- .Files.Get "static/tls-cert.pem" | b64enc | nindent 4 }}
{{ required ".Values.tls__cert_pem is undefined" .Values.tls__cert_pem | nindent 4 }}
key.pem: |-
{{- .Files.Get "static/tls-key.pem" | b64enc | nindent 4 }}
{{ required ".Values.tls__key_pem is undefined" .Values.tls__key_pem | nindent 4 }}
infra.yaml: |-
{{ required ".Values.infra_yaml is undefined" .Values.infra_yaml }}
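Review bot: the replacement line `{{ required ".Values.tls__cert_pem is undefined" .Values.tls__cert_pem | nindent 4 }}` and the matching `key.pem` line drop the `| b64enc` that the removed `.Files.Get` lines carried, yet both still sit under `data:`, where Kubernetes requires base64 values. Either the two values are expected to arrive already base64-encoded (then document that in the values file, as the neighbouring `infra_yaml` entry apparently assumes), or `| b64enc` belongs back before `nindent 4`, or the entries should move to `stringData:`. Minor: the new lines open with `{{` while the surrounding lines use `{{-`; with a `|-` block scalar this is probably harmless, but keep it consistent.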
12 changes: 12 additions & 0 deletions scripts/cert/renew.sh
@@ -0,0 +1,12 @@
#!/bin/bash

ENVIRONMENT="$1"
if [ -z "${ENVIRONMENT:-}" ]; then
echo "Usage: renew.sh <ENVIRONMENT>"
exit 1
fi

path="chart/infra-server/configuration/$ENVIRONMENT/tls"
mkdir -p "$path"
openssl genrsa -out "$path/key.pem" 4096
openssl req -nodes -new -x509 -sha256 -days 3650 -config scripts/cert/tls.cnf -extensions 'req_ext' -key "$path/key.pem" -out "$path/cert.pem"
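Review bot: the script has no `set -euo pipefail`, so if `openssl genrsa` fails the `openssl req` line still runs against a missing or partial `key.pem`; add it right after the shebang. Two related points: `-nodes` writes an unencrypted private key, so set `umask 077` before the `openssl` calls (or `chmod 600 "$path/key.pem"` afterwards) instead of leaving the key readable under the default umask, and since `$path` is inside the repository, make sure `chart/infra-server/configuration/*/tls/` is covered by `.gitignore`. Finally, `ENVIRONMENT` is only checked for emptiness although DEPLOYMENT.md documents the accepted values as `local|development|production`; validate against that list, and state in the usage line that the script must be run from the repository root, because `scripts/cert/tls.cnf` and `$path` are relative.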
11 changes: 5 additions & 6 deletions chart/infra-server/static/tls.conf → scripts/cert/tls.cnf
@@ -1,9 +1,8 @@
# This is the configuration required to build the self signed cert used for SSL
# between the load balancer and infra server. i.e. to create tls-key.pem and
# tls-cert.pem.
# for gRPC gateway.

# To renew:
# openssl genrsa -out tls-key.pem 2048
# openssl genrsa -out tls-key.pem 4096
# openssl req -nodes -new -x509 -sha256 -days 3650 -config tls.conf -extensions 'req_ext' -key tls-key.pem -out tls-cert.pem

[ req ]
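Review bot: after this edit the header comment reads `between the load balancer and infra server. i.e. to create tls-key.pem and` followed by `for gRPC gateway.`, which is no longer a sentence; reword it to say the certificate secures the gRPC gateway and is produced by `scripts/cert/renew.sh`. The `# To renew:` lines are also stale: they still reference `tls.conf`, which this commit renames to `tls.cnf`, and write `tls-key.pem`/`tls-cert.pem` into the working directory, whereas `renew.sh` writes `key.pem`/`cert.pem` under `chart/infra-server/configuration/<env>/tls`; replace the two `openssl` lines with a pointer to the script so there is a single renewal procedure.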
@@ -12,16 +11,16 @@ prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = US
ST = California
L = Mountain View
O = StackRox
CN = localhost

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = localhost
