diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md
index 3e9b70333..f6a0ac718 100644
--- a/DEPLOYMENT.md
+++ b/DEPLOYMENT.md
@@ -71,6 +71,11 @@ To upload the local configuration which includes the consolidated values back to
 `make configuration-upload`
+## Regenerating the localhost certificates for the gRPC gateway
+
+The connection for the gRPC gateway is secured by a self-generated "localhost" certificate.
+To regenerate the certificate, run: `./scripts/cert/renew.sh `.
+
 ## Creating a Tag for Release
 To create a full GitHub release, draft a new release from the console.
diff --git a/TROUBLESHOOTING.md b/TROUBLESHOOTING.md
index 028b16d12..16c804632 100644
--- a/TROUBLESHOOTING.md
+++ b/TROUBLESHOOTING.md
@@ -10,10 +10,6 @@ GCP infra.rox.systems Zone
 https://console.cloud.google.com/net-services/dns/zones/infra-rox-systems?project=stackrox-infra&organizationId=847401270788
-Auth0 Application
-
-https://manage.auth0.com/dashboard/us/sr-dev/applications/AsyLUYxwV2GX2oG0PjwTXhMlxHuI7qmE/settings
-
 Argo Releases and CLI
 https://github.com/argoproj/argo/releases
@@ -64,16 +60,16 @@ Status: Running
 Created: Mon Jun 01 13:43:12 -0700 (42 seconds ago)
 Started: Mon Jun 01 13:43:12 -0700 (42 seconds ago)
 Duration: 42 seconds
-Parameters:
+Parameters:
 name: june1demo1
 main-image: stackrox.io/main:3.0.43.1
 scanner-image: stackrox.io/scanner:2.2.6
 scanner-db-image: stackrox.io/scanner-db:2.2.6
 STEP PODNAME DURATION ARTIFACTS MESSAGE
- ● demo-mxgf9 (start)
- ├---✔ roxctl (roxctl) demo-mxgf9-522422286 9s roxctl
- └---● create (create) demo-mxgf9-3875809567 32s
+ ● demo-mxgf9 (start)
+ ├---✔ roxctl (roxctl) demo-mxgf9-522422286 9s roxctl
+ └---● create (create) demo-mxgf9-3875809567 32s
 ```
 To get logs from a step, run:
diff --git a/chart/infra-server/static/tls-cert.pem b/chart/infra-server/static/tls-cert.pem
deleted file mode 100644
index 349e06ccd..000000000
--- a/chart/infra-server/static/tls-cert.pem
+++ /dev/null
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDaDCCAlCgAwIBAgIUHNR2H++vx1ox3n6i1rvtV6B5wIQwDQYJKoZIhvcNAQEL -BQAwYTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM -DU1vdW50YWluIFZpZXcxETAPBgNVBAoMCFN0YWNrUm94MRIwEAYDVQQDDAlsb2Nh -bGhvc3QwHhcNMjAxMjE3MDEwNDQ4WhcNMzAxMjE1MDEwNDQ4WjBhMQswCQYDVQQG -EwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmll -dzERMA8GA1UECgwIU3RhY2tSb3gxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJlHDmh4itw/qFuB5fgFWaTr+wwbvjuo -pImv+q2RAom3vbmFq5+qhPcp2pP6eXYgHgsBNHtBoUH6zAT4hjhg/vUbtiWRHrKT -LZp6UjK0a2dhO2ch/cY6ulkLVp/Gyh4RlptfFWVaCcSZRM8qk2gsPFHCScnTKLPA -a82KY3SscrblJFhlgJzYnVEBe3bCxc2E0UjglRNlZAso6m3EuPTDRaYj7AOefeqP -9w3LBg7xeBxVVqwcunxfLlvPCel77xOPYJaHR/tA6bY+D6dbFrpGRbbuLIyOOpE6 -malS9JHS29nGsfvcYcdPe5U6v/U1zfj4BOyPcDTyxToC4MKtEMLkmZMCAwEAAaMY -MBYwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQBVAXWD -337rC1+8xIgmGQlWh6/rJYteHfIKMxMdhaZG1B17IzmUfOzLCH5Ruk24jGgcsqDY -CIlPK4VWBJIDOJVySGI9Gswqszjs/RjBy0DCniJKDczBj1FGADbgICzkATyoUM3I -w1eNSxzTuNbjfeVbz65iVIrXoiXbqxCbEi2BrsGdECvu7gzfEr2XU9v3s2l14mmF -WWPg30dj7an96cFnc5xjiaIs/tAJp/uZRaaoTXILbprCpRtowhx1ej4xRgImPpfY -PpHfjfVSue+G5TpEDdIT49sQBhUBL/BgE+4oIzKaZmcKneUFdHWDoWD3h11PukAa -GidtNWc8OPYZMC9D ------END CERTIFICATE----- diff --git a/chart/infra-server/static/tls-key.pem b/chart/infra-server/static/tls-key.pem deleted file mode 100644 index 31fccc4e6..000000000 --- a/chart/infra-server/static/tls-key.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAmUcOaHiK3D+oW4Hl+AVZpOv7DBu+O6ikia/6rZECibe9uYWr -n6qE9ynak/p5diAeCwE0e0GhQfrMBPiGOGD+9Ru2JZEespMtmnpSMrRrZ2E7ZyH9 -xjq6WQtWn8bKHhGWm18VZVoJxJlEzyqTaCw8UcJJydMos8BrzYpjdKxytuUkWGWA -nNidUQF7dsLFzYTRSOCVE2VkCyjqbcS49MNFpiPsA5596o/3DcsGDvF4HFVWrBy6 -fF8uW88J6XvvE49glodH+0Dptj4Pp1sWukZFtu4sjI46kTqZqVL0kdLb2cax+9xh -x097lTq/9TXN+PgE7I9wNPLFOgLgwq0QwuSZkwIDAQABAoIBAQCWg1sXpX8eJniJ -WzZa5c4QkBXW3wtgBAuGlUNA2wu19rMckbFlOYoWN4hHFYfeQk2eGtHRUzIp20Aq -hW0vwbe7MzobC7UsQDBg6Er9NYPeYXF2pb9Qv+yrceHfRdLF0hmleqpE+zRqVONn -13QmsIGO+41/3ZWzZXm2vXVKZejDxRxmv7W1ol1COyHgi7blIoTPJNLmZqEynRTN -xjDn+M6hF1XogyicIToyBnWBED3gK0QNWVb4AG+FjuMXYJjNFopPx+dGjIUWepG2 -dIFi76erc0foVxYMxOng5RpZi9nykwsjtsgVNEAQBkQXfrAGfOkAa2OxTFMz3E7U -sOt7lgpBAoGBAMjyl3fC5OZj8q+qlxZMkzVA7xsJWJt4HTMkvbmR5nP1DKtwJemD -vStUVMQiH5TZ1tVjW6ZQpQxJz9EH+TBJQzn7gIjfEtqpGr4fYEqJ0RFuv6C5wdGx -DpPA21+B7FceeNqSrkqZmf5QSCnJMcyOiOZCQsgxH2OKNwaopQUVVRNhAoGBAMNF -Izhg3QZb6MtgjZ/iCBbKm+QqapGiWQeJZPIdegJANYhEWoWdUVtCYDnBnNB6cHQ9 -+PKXec3HI3h0iE9IMZq9d2nRP5VCRs4MY2r9nJhl8OH+tf8WSLGGYBNf97BzkevE -VKxgAjPnNtbs+29bcw5VoasWT6Rviuvd/U3zzAVzAoGATk3KHE8D54tXDIELMxNP -4daV1hFESAD8T+unSuLBzLnW4A9plp9RXcsU5QDvEY/5mVmIYzzVs/4nTysuPVSv -L68DnVJgBHkVBLUxTpp5r7NaVQVNs6qtJYJnecYlFKW5LmMuK7/DNEiQdkgCcdWx -Hxj+8QfDVYSMgLnC5EI1zsECgYEAjvwwVxcuoXppk4rnCZ0kmTPRRRj+IhgEIy2r -WlLVRZKo4FhVBKP2r+GBvqkUX+BYOfYrNdBPY6wfQBPswEk38XwtVbHgYjY+zKBr -qCt/IGT9Jy8xK1Gw9zVTYrySDYYC4uZHrlU7J7B2CplLX/ZR4Lw5fqL+vITk7+QE -mLEdwxsCgYA5jA7e6F90EbkH7eTpQfpUoUT0O+uw4E8m3EiV8+fHBzeaqn5MO3o/ -zQLYbGtiA4ZcZ1IzXsv8h8lmcNo68UeLExFaZlLR2RCx48WnGry9lDYiGvN4o9i+ -mFubz5csKMmptiLSSNEUJG9ZutpOS0LiIwDxVD9W2DDiRQt293ElyA== ------END RSA PRIVATE KEY----- diff --git a/chart/infra-server/templates/secrets.yaml b/chart/infra-server/templates/secrets.yaml index f54826a5f..5f6b38194 100644 --- a/chart/infra-server/templates/secrets.yaml +++ b/chart/infra-server/templates/secrets.yaml 
@@ -20,10 +20,10 @@ data:
 {{- tpl (required ".Values.oidc_yaml | b64dec) . | b64enc | nindent 4 is undefined" .Values.oidc_yaml | b64dec) . | b64enc | nindent 4 }}
 cert.pem: |-
- {{- .Files.Get "static/tls-cert.pem" | b64enc | nindent 4 }}
+ {{ required ".Values.tls__cert_pem is undefined" .Values.tls__cert_pem | nindent 4 }}
 key.pem: |-
- {{- .Files.Get "static/tls-key.pem" | b64enc | nindent 4 }}
+ {{ required ".Values.tls__key_pem is undefined" .Values.tls__key_pem | nindent 4 }}
 infra.yaml: |-
 {{ required ".Values.infra_yaml is undefined" .Values.infra_yaml }}
diff --git a/scripts/cert/renew.sh b/scripts/cert/renew.sh
new file mode 100755
index 000000000..3a09dc837
--- /dev/null
+++ b/scripts/cert/renew.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+ENVIRONMENT="$1"
+if [ -z "${ENVIRONMENT:-}" ]; then
+ echo "Usage: renew.sh "
+ exit 1
+fi
+
+path="chart/infra-server/configuration/$ENVIRONMENT/tls"
+mkdir -p "$path"
+openssl genrsa -out "$path/key.pem" 4096
+openssl req -nodes -new -x509 -sha256 -days 3650 -config scripts/cert/tls.cnf -extensions 'req_ext' -key "$path/key.pem" -out "$path/cert.pem"
diff --git a/chart/infra-server/static/tls.conf b/scripts/cert/tls.cnf
similarity index 77%
rename from chart/infra-server/static/tls.conf
rename to scripts/cert/tls.cnf
index 04a708572..f9bf23d9f 100644
--- a/chart/infra-server/static/tls.conf
+++ b/scripts/cert/tls.cnf
@@ -1,9 +1,8 @@
 # This is the configuration required to build the self signed cert used for SSL
-# between the load balancer and infra server. i.e. to create tls-key.pem and
-# tls-cert.pem.
+# for gRPC gateway.
 # To renew:
-# openssl genrsa -out tls-key.pem 2048
+# openssl genrsa -out tls-key.pem 4096
 # openssl req -nodes -new -x509 -sha256 -days 3650 -config tls.conf -extensions 'req_ext' -key tls-key.pem -out tls-cert.pem
 [ req ]
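Review bot: The new `cert.pem` and `key.pem` lines render `.Values.tls__cert_pem` and `.Values.tls__key_pem` straight into the Secret's `data:` block without the `| b64enc` that the old `.Files.Get` lines applied, so these values must already be base64-encoded PEM (as `infra_yaml` below appears to be), yet nothing in the template states that. `scripts/cert/renew.sh` in this same commit writes raw PEM to `key.pem`/`cert.pem`, and the step that base64-encodes them into `tls__cert_pem`/`tls__key_pem` is not in the diff, so a raw value would yield a Secret that is rejected on apply rather than a template-time error. Suggest stating the contract in the `required` message, e.g. `{{ required ".Values.tls__cert_pem (base64-encoded PEM) is undefined" .Values.tls__cert_pem | nindent 4 }}`, and the same for `tls__key_pem`. The `data:` mapping this hunk edits begins before the hunk.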
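Review bot: `renew.sh` does not `set -euo pipefail`, so a failing `openssl genrsa` (unwritable `$path`, missing `openssl`) is ignored, the script proceeds to `openssl req` against a missing key and still exits 0 — the `"${ENVIRONMENT:-}"` form suggests `-u` was intended, so add `set -euo pipefail` after the shebang. The private key is created under the caller's default umask, so add `umask 077` before the `openssl` calls (or `chmod 600 "$path/key.pem"` afterwards) so `key.pem` is not readable by other local users. The `scripts/cert/tls.cnf` and `chart/...` paths are relative, so the script only works from the repository root, and the usage text `Usage: renew.sh ` appears to have lost its argument name (possibly in rendering); `Usage: renew.sh <environment>` plus a note that it runs from the repo root would help. Since the commit deletes a private key that was committed under `chart/infra-server/static/` (and remains in git history), it is worth confirming that the new output directory `chart/infra-server/configuration/$ENVIRONMENT/tls` is ignored by version control, which this diff does not show.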
@@ -12,16 +11,16 @@ prompt = no
 default_md = sha256
 req_extensions = req_ext
 distinguished_name = dn
-
+
 [ dn ]
 C = US
 ST = California
 L = Mountain View
 O = StackRox
 CN = localhost
-
+
 [ req_ext ]
 subjectAltName = @alt_names
-
+
 [ alt_names ]
 DNS.1 = localhost