From 66a46b28999284ddec6ccd0b6f9f38347b643426 Mon Sep 17 00:00:00 2001 From: nico_dreylaq Date: Tue, 7 Jan 2025 16:01:44 +0100 Subject: [PATCH] feat: implem tls validation Redis --- Adaptors/Redis/src/ServiceCollectionExt.cs | 5 +- Utils/src/ServerCertificateValidator.cs | 4 +- terraform/main.tf | 10 +- terraform/modules/compute_plane/main.tf | 6 +- .../storage/object/redis/certificates.tf | 66 +++++++++++ .../modules/storage/object/redis/inputs.tf | 17 ++- .../modules/storage/object/redis/main.tf | 112 +++++++++++++++++- .../modules/storage/object/redis/outputs.tf | 28 ++++- terraform/modules/submitter/inputs.tf | 20 +++- terraform/modules/submitter/locals.tf | 13 ++ terraform/modules/submitter/main.tf | 14 ++- terraform/variables.tf | 19 ++- 12 files changed, 296 insertions(+), 18 deletions(-) create mode 100644 terraform/modules/storage/object/redis/certificates.tf diff --git a/Adaptors/Redis/src/ServiceCollectionExt.cs b/Adaptors/Redis/src/ServiceCollectionExt.cs index 0c8b67f01..9895f09f2 100644 --- a/Adaptors/Redis/src/ServiceCollectionExt.cs +++ b/Adaptors/Redis/src/ServiceCollectionExt.cs @@ -74,6 +74,8 @@ public static IServiceCollection AddRedis(this IServiceCollection serviceCollect X509Certificate2? authority = null; if (!string.IsNullOrEmpty(redisOptions.CaPath)) { + logger.LogDebug("Loading Redis certificate from {path}", + redisOptions.CaPath); if (!File.Exists(redisOptions.CaPath)) { logger.LogError("Redis certificate file not found: {path}", @@ -84,7 +86,7 @@ public static IServiceCollection AddRedis(this IServiceCollection serviceCollect (validationCallback, authority) = CertificateValidatorFactory.CreateCallback(redisOptions.CaPath, logger); - logger.LogDebug("Server certificate validation callback set"); + logger.LogDebug("Server certificate Redis validation callback set"); } else { @@ -116,6 +118,7 @@ public static IServiceCollection AddRedis(this IServiceCollection serviceCollect logger.LogDebug("setup connection to Redis at {EndpointUrl} with user {user}", redisOptions.EndpointUrl, redisOptions.User); + config.AbortOnConnectFail = false; var connection = ConnectionMultiplexer.Connect(config); serviceCollection.AddSingleton(connection); diff --git a/Utils/src/ServerCertificateValidator.cs b/Utils/src/ServerCertificateValidator.cs index b818df59e..381b8a8d0 100644 --- a/Utils/src/ServerCertificateValidator.cs +++ b/Utils/src/ServerCertificateValidator.cs @@ -113,7 +113,9 @@ public static bool ValidateServerCertificate(object sender, var isTrusted = certChain.ChainElements.Any(x => x.Certificate.Thumbprint == authority.Thumbprint); if (isTrusted) { - logger.LogInformation("SSL validation succeeded"); + logger.LogInformation("SSL validation succeeded for certificate: {subject}, Thumbprint: {thumbprint}", + cert.Subject, + cert.Thumbprint); } else { diff --git a/terraform/main.tf b/terraform/main.tf index 0a826ea8a..5dcd69d77 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -36,10 +36,12 @@ module "database" { } module "object_redis" { - source = "./modules/storage/object/redis" - count = var.object_storage.name == "redis" ? 1 : 0 - image = var.object_storage.image - network = docker_network.armonik.id + source = "./modules/storage/object/redis" + count = var.object_storage.name == "redis" ? 1 : 0 + image = "redis:latest" + exposed_port = 6380 + network = docker_network.armonik.id + redis_params = var.redis_params } module "object_minio" { diff --git a/terraform/modules/compute_plane/main.tf b/terraform/modules/compute_plane/main.tf index b6202b1b6..3b47f2baf 100644 --- a/terraform/modules/compute_plane/main.tf +++ b/terraform/modules/compute_plane/main.tf @@ -62,7 +62,11 @@ resource "docker_container" "polling_agent" { target = var.polling_agent.shared_socket source = docker_volume.socket_vol.name } - + mounts { + type = "volume" + target = "/redis/certs" + source = "redis_certs" + } restart = "unless-stopped" dynamic "mounts" { diff --git a/terraform/modules/storage/object/redis/certificates.tf b/terraform/modules/storage/object/redis/certificates.tf new file mode 100644 index 000000000..3c87ffa6e --- /dev/null +++ b/terraform/modules/storage/object/redis/certificates.tf @@ -0,0 +1,66 @@ +resource "tls_private_key" "redis_private_key" { + algorithm = "RSA" + rsa_bits = 4096 +} + +# Certificat auto-signé pour la CA +resource "tls_self_signed_cert" "redis_ca" { + private_key_pem = tls_private_key.redis_private_key.private_key_pem + is_ca_certificate = true + validity_period_hours = 87600 + allowed_uses = [ + "cert_signing", + "key_encipherment", + "digital_signature" + ] + subject { + organization = "ArmoniK Redis Root CA" + common_name = "ArmoniK Root Certificate Authority" + country = "FR" + } +} + +# Demande de certificat pour Redis +resource "tls_cert_request" "redis_cert_request" { + private_key_pem = tls_private_key.redis_private_key.private_key_pem + subject { + country = "FR" + organization = "ArmoniK" + common_name = "redis" + } + ip_addresses = ["127.0.0.1", "172.20.0.6"] + dns_names = ["localhost", "redis"] +} + +# Certificat signé pour Redis +resource "tls_locally_signed_cert" "redis_cert" { + cert_request_pem = tls_cert_request.redis_cert_request.cert_request_pem + ca_private_key_pem = tls_private_key.redis_private_key.private_key_pem + ca_cert_pem = tls_self_signed_cert.redis_ca.cert_pem + validity_period_hours = 87600 + allowed_uses = [ + "key_encipherment", + "digital_signature", + "server_auth", + "client_auth" + ] +} + +# Fichiers locaux pour stockage des certificats et clés +resource "local_file" "ca" { + content = tls_self_signed_cert.redis_ca.cert_pem + filename = "${path.module}/generated/redis/certs/ca.pem" + file_permission = "0644" +} + +resource "local_file" "cert" { + content = tls_locally_signed_cert.redis_cert.cert_pem + filename = "${path.module}/generated/redis/certs/redis.crt" + file_permission = "0644" +} + +resource "local_file" "key" { + content = tls_private_key.redis_private_key.private_key_pem + filename = "${path.module}/generated/redis/certs/redis.key" + file_permission = "0600" +} diff --git a/terraform/modules/storage/object/redis/inputs.tf b/terraform/modules/storage/object/redis/inputs.tf index 5d7bfdf9d..092750c87 100644 --- a/terraform/modules/storage/object/redis/inputs.tf +++ b/terraform/modules/storage/object/redis/inputs.tf @@ -8,5 +8,20 @@ variable "network" { variable "exposed_port" { type = number - default = 6379 + default = 6380 +} + +variable "redis_params" { + type = object({ + host = string + port = number + user = string + password = string + tls_enabled = bool + Ssl = bool + ca_path = string + cert_path = string + key_path = string + credentials = string + }) } \ No newline at end of file diff --git a/terraform/modules/storage/object/redis/main.tf b/terraform/modules/storage/object/redis/main.tf index a17392df4..b33cdfed1 100644 --- a/terraform/modules/storage/object/redis/main.tf +++ b/terraform/modules/storage/object/redis/main.tf @@ -3,18 +3,118 @@ resource "docker_image" "object" { keep_locally = true } +resource "docker_volume" "redis_certs" { + name = "redis_certs" +} + +resource "null_resource" "create_dirs" { + provisioner "local-exec" { + command = < Erreur au déploiement + } + + # Montage des certificats depuis le volume Docker + mounts { + target = "/redis/certs" + source = docker_volume.redis_certs.name + type = "volume" + read_only = false } -} \ No newline at end of file + + # Montage du fichier de configuration Redis + mounts { + target = "/etc/redis/redis.conf" + source = abspath("${path.module}/redis.conf") + type = "bind" + read_only = true + } + + # Montage des logs Redis + mounts { + target = "/redis/logs" + source = abspath("${path.module}/logs") + type = "bind" + read_only = false + } + + mounts { + target = "/data" + source = abspath("${path.module}/data") + type = "bind" + read_only = false + } + + depends_on = [ + docker_image.object, + null_resource.prepare_certs, + null_resource.create_dirs, + local_file.redis_conf + ] +} diff --git a/terraform/modules/storage/object/redis/outputs.tf b/terraform/modules/storage/object/redis/outputs.tf index 7ffd47b7f..0333e1ca1 100644 --- a/terraform/modules/storage/object/redis/outputs.tf +++ b/terraform/modules/storage/object/redis/outputs.tf @@ -1,9 +1,35 @@ output "generated_env_vars" { value = ({ + "Redis__User" = var.redis_params.user + "Redis__Password" = var.redis_params.password + "Redis__Host" = var.redis_params.host + "Redis__Port" = var.redis_params.port + "Redis__Ssl" = var.redis_params.tls_enabled + "Redis__Scheme" = "redis" + "Redis__CaPath" = "/redis/certs/ca.pem" + "Redis__CertPath" = "/redis/certs/redis.crt" + "Redis__KeyPath" = "/redis/certs/redis.key" + "Redis_Timeout" = "20000" "Components__ObjectStorage" = "ArmoniK.Adapters.Redis.ObjectStorage", - "Redis__EndpointUrl" = "object:${var.exposed_port}" + "Redis__EndpointUrl" = "${var.redis_params.host}:${var.redis_params.port}" }) } + +output "core_mounts" { + value = { + "/redis/certs/ca.pem" = local_file.ca.filename + "/redis/certs/redis.crt" = local_file.cert.filename + "/redis/certs/redis.key" = local_file.key.filename + } +} + +locals { + redis_endpoints = { + ip = "redis" + port = 6380 + } +} + output "volumes" { description = "Volumes that agents and submitters must mount to access the object storage" value = {} diff --git a/terraform/modules/submitter/inputs.tf b/terraform/modules/submitter/inputs.tf index d16fe058f..665a15b5d 100644 --- a/terraform/modules/submitter/inputs.tf +++ b/terraform/modules/submitter/inputs.tf @@ -22,8 +22,27 @@ variable "mounts" { type = map(string) } +variable "redis_base_path" { + description = "Chemin de base pour les certificats Redis" + type = string + default = "" +} +variable "certs_path" { + description = "Chemin local vers les certificats Redis" + type = string + default = "" +} +variable "default_certs_path" { + description = "Chemin par défaut des certificats Redis" + type = string + default = "/../../storage/object/redis/generated/redis/certs" +} + variable "volumes" { type = map(string) + default = { + "redis-data" = "/data" + } } variable "log_driver" { @@ -32,4 +51,3 @@ variable "log_driver" { log_opts = map(string), }) } - diff --git a/terraform/modules/submitter/locals.tf b/terraform/modules/submitter/locals.tf index 60d5c5bdf..c0ce0ca8c 100644 --- a/terraform/modules/submitter/locals.tf +++ b/terraform/modules/submitter/locals.tf @@ -1,6 +1,19 @@ locals { + effective_certs_path = abspath("${path.module}/../storage/object/redis/generated/redis/certs") + + redis_cert_mounts = { + "${local.effective_certs_path}/ca.pem" = "/redis/certs/ca.pem", + "${local.effective_certs_path}/redis.crt" = "/redis/certs/redis.crt", + "${local.effective_certs_path}/redis.key" = "/redis/certs/redis.key" + } + env = [ "Submitter__DefaultPartition=TestPartition0", + "Redis__Ssl=true", + "Redis__CaPath=/redis/certs/ca.pem", + "Redis__CertPath=/redis/certs/redis.crt", + "Redis__KeyPath=/redis/certs/redis.key", + "Redis__Timeout=20000" ] gen_env = [for k, v in var.generated_env_vars : "${k}=${v}"] } diff --git a/terraform/modules/submitter/main.tf b/terraform/modules/submitter/main.tf index 1ee304e61..ba1c65e7e 100644 --- a/terraform/modules/submitter/main.tf +++ b/terraform/modules/submitter/main.tf @@ -26,17 +26,29 @@ resource "docker_container" "submitter" { external = 5011 } + dynamic "mounts" { + for_each = local.redis_cert_mounts + + content { + type = "bind" + source = mounts.key + target = mounts.value + } + } + dynamic "mounts" { for_each = var.volumes + content { type = "volume" - target = mounts.value source = mounts.key + target = mounts.value } } dynamic "upload" { for_each = var.mounts + content { source = upload.value file = upload.key diff --git a/terraform/variables.tf b/terraform/variables.tf index ea1eb649a..4df733954 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -67,6 +67,23 @@ variable "object_storage" { } default = {} } +variable "redis_params" { + type = object({ + host = optional(string, "redis") + port = optional(number, 6380) + user = optional(string, "admin") + password = optional(string, "admin") + tls_enabled = optional(bool, true) + Ssl = optional(bool, true) + ca_path = optional(string, "/redis/certs/ca.pem") + cert_path = optional(string, "/redis/certs/redis.crt") + key_path = optional(string, "/redis/certs/redis.key") + credentials = optional(string, "") + }) + default = {} +} + + variable "queue_storage" { type = object({ @@ -92,7 +109,7 @@ variable "queue_env_vars" { password = optional(string, "admin"), host = optional(string, "queue") port = optional(number, 5672) - max_priority = optional(number, 10) + max_priority = optional(number, 20) max_retries = optional(number, 10) link_credit = optional(number, 2) partition = optional(string, "TestPartition")