diff --git a/.gitignore b/.gitignore
index 45b94a9..fa86c33 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,4 +20,4 @@ local_dev/config/key.pem config/ # installed traefik binary
-traefik
+/traefik
diff --git a/README.md b/README.md
index 6e44281..e69b077 100644
--- a/README.md
+++ b/README.md
@@ -170,9 +170,9 @@ We check in self signed certs that are only for local development (and are not s
They will periodically expire. You can regenerate them with a compiled helper binary:
```
-target/release/helper keygen --name localhost --tls-key local_dev/config/h1.key --tls-cert local_dev/config/pub/h1.pem --mk-public-key local_dev/config/pub/h1_mk.pub --mk-private-key local_dev/config/h1_mk.key
-target/release/helper keygen --name localhost --tls-key local_dev/config/h2.key --tls-cert local_dev/config/pub/h2.pem --mk-public-key local_dev/config/pub/h2_mk.pub --mk-private-key local_dev/config/h2_mk.key
-target/release/helper keygen --name localhost --tls-key local_dev/config/h3.key --tls-cert local_dev/config/pub/h3.pem --mk-public-key local_dev/config/pub/h3_mk.pub --mk-private-key local_dev/config/h3_mk.key
+target/release/helper keygen --name helper1.draft.test --tls-key local_dev/config/h1.key --tls-cert local_dev/config/pub/h1.pem --mk-public-key local_dev/config/pub/h1_mk.pub --mk-private-key local_dev/config/h1_mk.key
+target/release/helper keygen --name helper2.draft.test --tls-key local_dev/config/h2.key --tls-cert local_dev/config/pub/h2.pem --mk-public-key local_dev/config/pub/h2_mk.pub --mk-private-key local_dev/config/h2_mk.key
+target/release/helper keygen --name helper3.draft.test --tls-key local_dev/config/h3.key --tls-cert local_dev/config/pub/h3.pem --mk-public-key local_dev/config/pub/h3_mk.pub --mk-private-key local_dev/config/h3_mk.key
```
The public content will also need to be pasted into `local_dev/config/network.toml` for each helper.
diff --git a/ansible/deploy.yaml b/ansible/deploy.yaml
index 895b8ba..0431743 100644
--- a/ansible/deploy.yaml
+++ b/ansible/deploy.yaml
@@ -24,7 +24,8 @@
draft start-helper-sidecar
--identity {{ identity }}
--root_domain {{ root_domain }}
- --sidecar_domain sidecar{{ identity }}.{{ root_domain }}
+ --helper_domain {{ helper_domain }}
+ --sidecar_domain {{ sidecar_domain }}
--config_path {{ ansible_env.HOME }}/draft/config
args:
chdir: '{{ ansible_env.HOME }}/draft'
diff --git a/ansible/inventory.ini b/ansible/inventory.ini
index c7c75fe..b1c1cc7 100644
--- a/ansible/inventory.ini
+++ b/ansible/inventory.ini
@@ -1,8 +1,8 @@
[myhosts]
-ipa-dev identity=0
-ipa-1 identity=1
-ipa-2 identity=2
-ipa-3 identity=3
+ipa-dev identity=0 helper_domain=helper0.ipa-helper.dev sidecar_domain=sidecar0.ipa-helper.dev
+ipa-1 identity=1 helper_domain=helper1.ipa-helper.dev sidecar_domain=sidecar1.ipa-helper.dev
+ipa-2 identity=2 helper_domain=helper2.ipa-helper.dev sidecar_domain=sidecar2.ipa-helper.dev
+ipa-3 identity=3 helper_domain=helper3.ipa-helper.dev sidecar_domain=sidecar3.ipa-helper.dev
[myhosts:vars]
ansible_python_interpreter=/usr/bin/python3
root_domain=ipa-helper.dev
diff --git a/ansible/keygen.yaml b/ansible/keygen.yaml
new file mode 100644
index 0000000..73235cf
--- /dev/null
+++ b/ansible/keygen.yaml
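Review bot: `--helper_domain {{ helper_domain }}` and `--sidecar_domain {{ sidecar_domain }}` now hard-depend on both host vars being set in inventory, where the removed line derived the sidecar domain from `identity` and `root_domain`; a host missing either var fails at template time with an undefined-variable error instead of falling back. If the derived form is still the intended default, `--helper_domain {{ helper_domain | default('helper' ~ identity ~ '.' ~ root_domain) }}` (and the same shape for `--sidecar_domain`) keeps existing inventories working. The same two lines are duplicated verbatim in the ansible/provision.yaml hunk of this commit; factoring the `draft start-helper-sidecar` invocation into a shared task file would keep the two from drifting. The enclosing task starts before the hunk.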
@@ -0,0 +1,72 @@
+- name: Generate IPA keys
+ hosts: all
+ vars:
+ local_public_key_directory: "{{ lookup('env', 'PWD') }}/.draft/deployed_public_keys"
+ tasks:
+ - name: Check if local directory exists
+ local_action:
+ module: stat
+ path: "{{ local_public_key_directory }}"
+ register: local_directory_status
+ - name: Fail if local directory does not exist
+ fail:
+ msg: "The local directory {{ local_public_key_directory }} does not exist. Please create it."
+ when: not local_directory_status.stat.exists
+ - name: Create directories if they do not exist
+ file:
+ path: "{{ ansible_env.HOME }}/draft/tmp/sidecar/{{ identity }}"
+ state: directory
+
+ - name: Define ipa_path
+ set_fact:
+ ipa_path: "{{ ansible_env.HOME }}/draft/tmp/sidecar/{{ identity }}/ipa"
+
+ - name: Clone repo (if needed) and pull main
+ git:
+ repo: 'https://github.com/private-attribution/ipa'
+ dest: "{{ ipa_path }}"
+ version: main
+ update: yes
+
+ - name: Get the current git hash
+ command: git rev-parse --short HEAD
+ args:
+ chdir: "{{ ipa_path }}"
+ register: git_hash
+
+ - name: Define target_dir
+ set_fact:
+ target_dir: "target-keygen-{{ git_hash.stdout }}"
+
+ - name: Check if binary exists
+ stat:
+ path: "{{ ipa_path }}/{{ target_dir }}/helper"
+ register: binary_status
+
+ - name: Run cargo build
+ command: cargo build --bin helper --features="web-app real-world-infra compact-gate" --no-default-features --release --target-dir="{{ target_dir }}"
+ args:
+ chdir: "{{ ipa_path }}"
+ when: not binary_status.stat.exists
+
+ - name: Remove old keys if they exist
+ file:
+ path: "{{ ansible_env.HOME }}/draft/config/{{ item }}"
+ state: absent
+ loop:
+ - "h{{ identity }}.key"
+ - "h{{ identity }}_mk.key"
+ - "pub/h{{ identity }}.pem"
+ - "pub/h{{ identity }}_mk.pub"
+ - name: Generate new keys
+ command: "{{ target_dir }}/release/helper keygen --name {{ helper_domain }} --tls-cert {{ ansible_env.HOME }}/draft/config/pub/h{{ identity }}.pem --tls-key {{ ansible_env.HOME
}}/draft/config/h{{ identity }}.key --mk-public-key {{ ansible_env.HOME }}/draft/config/pub/h{{ identity }}_mk.pub --mk-private-key {{ ansible_env.HOME }}/draft/config/h{{ identity }}_mk.key"
+ args:
+ chdir: "{{ ipa_path }}"
+ - name: Fetch the newly created files
+ fetch:
+ src: "{{ ansible_env.HOME }}/draft/config/pub/{{ item }}"
+ dest: "{{ local_public_key_directory }}/"
+ flat: yes
+ loop:
+ - "h{{ identity }}.pem"
+ - "h{{ identity }}_mk.pub"
diff --git a/ansible/provision.yaml b/ansible/provision.yaml
index 7f0c214..cd7f70e 100644
--- a/ansible/provision.yaml
+++ b/ansible/provision.yaml
@@ -114,7 +114,8 @@
draft start-helper-sidecar
--identity {{ identity }}
--root_domain {{ root_domain }}
- --sidecar_domain sidecar{{ identity }}.{{ root_domain }}
+ --helper_domain {{ helper_domain }}
+ --sidecar_domain {{ sidecar_domain }}
--config_path {{ ansible_env.HOME }}/draft/config
args:
chdir: '{{ ansible_env.HOME }}/draft'
diff --git a/ansible/upload_pub_keys.yaml b/ansible/upload_pub_keys.yaml
new file mode 100644
index 0000000..daf32fe
--- /dev/null
+++ b/ansible/upload_pub_keys.yaml
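Review bot: The `Check if binary exists` stat path `{{ ipa_path }}/{{ target_dir }}/helper` is missing the `release/` component that the `Generate new keys` command itself uses (`{{ target_dir }}/release/helper`), so `binary_status.stat.exists` is always false and `Run cargo build` reruns on every play; the hash-keyed target directory never acts as a cache. `Remove old keys if they exist` deletes the host's existing TLS and match-key private keys before the new ones are generated, so a failed keygen leaves that helper with no key at all; generating into a scratch path and moving into place afterwards, or running the removal only after keygen succeeds, would be safer. Nothing in the playbook restricts the permissions of `h{{ identity }}.key` and `h{{ identity }}_mk.key` once written, so unless the helper binary does that itself a `file` task with `mode: "0600"` after keygen is worth adding. The `git` task builds from the moving `main` branch (`version: main`, `update: yes`), which makes the provenance of the generated key material depend on whatever is at HEAD at run time; pinning `version:` to a tag or commit keeps the build reproducible, and `update: yes` / `flat: yes` should be the canonical `true`.
```yaml
# … unchanged: directory checks, clone, git hash, target_dir …
    - name: Check if binary exists
      stat:
        path: "{{ ipa_path }}/{{ target_dir }}/release/helper"
      register: binary_status
# … unchanged: cargo build, key removal, keygen …
    - name: Restrict private key permissions
      file:
        path: "{{ ansible_env.HOME }}/draft/config/{{ item }}"
        mode: "0600"
      loop:
        - "h{{ identity }}.key"
        - "h{{ identity }}_mk.key"
# … unchanged: fetch of the public files …
```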
@@ -0,0 +1,49 @@
+- hosts: all
+ vars:
+ local_public_key_directory: "{{ lookup('env', 'PWD') }}/.draft/deployed_public_keys"
+ tasks:
+ - name: Define remote_directory
+ set_fact:
+ remote_directory: "{{ ansible_env.HOME }}/draft/config"
+ - name: Define keys
+ local_action:
+ module: stat
+ path: "{{ local_public_key_directory }}/{{ item }}"
+ register: public_keys
+ loop:
+ - "h0.pem"
+ - "h0_mk.pub"
+ - "h1.pem"
+ - "h1_mk.pub"
+ - "h2.pem"
+ - "h2_mk.pub"
+ - "h3.pem"
+ - "h3_mk.pub"
+
+ - name: Define network.toml
+ local_action:
+ module: stat
+ path: "{{ local_public_key_directory }}/network.toml"
+ register: network_toml
+
+ - name: Fail if any keys are missing
+ fail:
+ msg: "Keys not found locally: {{ public_keys.results | selectattr('stat.exists','equalto', False) | map(attribute='item') | list }}"
+ when: public_keys.results | selectattr('stat.exists','equalto', False) | list | count > 0
+
+ - name: Fail network.toml is missing
+ fail:
+ msg: "Key {{ local_public_key_directory}}/network.toml not found locally."
+ when: not network_toml.stat.exists
+
+
+ - name: Upload keys to remote hosts
+ copy:
+ src: "{{ item.stat.path }}"
+ dest: "{{ remote_directory }}/pub"
+ loop: "{{ public_keys.results }}"
+
+ - name: Upload network.toml to remote hosts
+ copy:
+ src: "{{ network_toml.stat.path }}"
+ dest: "{{ remote_directory }}/network.toml"
diff --git a/etc/start_helper_sidecar.sh b/etc/start_helper_sidecar.sh
index 29ab609..fcc54af 100755
--- a/etc/start_helper_sidecar.sh
+++ b/etc/start_helper_sidecar.sh
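Review bot: `dest: "{{ remote_directory }}/pub"` in `Upload keys to remote hosts` has no trailing slash, and Ansible's `copy` only creates a missing `dest` as a directory when the path ends with `/`; on a host where `config/pub` does not exist yet, the first loop item is written to a regular file named `pub` and each later item overwrites it. `dest: "{{ remote_directory }}/pub/"` removes the ambiguity. Because these files are the peer certificates and match-key public keys every helper will trust, it is also worth setting `mode: "0644"` explicitly on both `copy` tasks so the uploaded trust material does not depend on the remote umask. The task name `Fail network.toml is missing` reads as `Fail if network.toml is missing`, and its `msg` calls the file a "Key" although it is the network configuration.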
@@ -10,9 +10,10 @@ fi
config_path=$1
root_path=$2
root_domain=$3
-sidecar_domain=$4
-helper_port=$5
-sidecar_port=$6
-identity=$7
+helper_domain=$4
+sidecar_domain=$5
+helper_port=$6
+sidecar_port=$7
+identity=$8
-nohup draft run-helper-sidecar --config_path "$config_path" --root_path "$root_path" --root_domain "$root_domain" --sidecar_domain "$sidecar_domain" --helper_port "$helper_port" --sidecar_port "$sidecar_port" --identity "$identity" > .draft/logs/helper_sidecar.log 2>&1 & echo $! > $pid_file
+nohup draft run-helper-sidecar --config_path "$config_path" --root_path "$root_path" --root_domain "$root_domain" --helper_domain "$helper_domain" --sidecar_domain "$sidecar_domain" --helper_port "$helper_port" --sidecar_port "$sidecar_port" --identity "$identity" > .draft/logs/helper_sidecar.log 2>&1 & echo $! > $pid_file
diff --git a/local_dev/config/h1.key b/local_dev/config/h1.key
index f5f85a9..67a816f 100644
--- a/local_dev/config/h1.key
+++ b/local_dev/config/h1.key
@@ -1,5 +1,5 @@ -----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgNXRbeh+/oz5xv2yY -uSR0EPFuRratsNNVf9BzoBthCZyhRANCAASa4rehLdFG8wIcRyHg04c8Sj7XGHx9 -hwa65bmXgEEsoNph/7uFVdZIgKswWXX/IQU7UTznqWD8WpXGGnbkj+Eo +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgYYwbLgxgzjdG7/3V +O50xlJlkcRrqnYd63jG7GDhu9iyhRANCAAQqpG4nFwFbKPqxk1c3BC/QOiRhoHf4 +rlrCdCTJR12SiENGg9+BQBf8NB7OFyqQNw4oxcy4/kGmMQ9iPed3xQR0 -----END PRIVATE KEY-----
diff --git a/local_dev/config/h1_mk.key b/local_dev/config/h1_mk.key
index 10d9928..e6d739e 100644
--- a/local_dev/config/h1_mk.key
+++ b/local_dev/config/h1_mk.key
@@ -1 +1 @@
-9e98e12742ca6a1b6f7543b6fbe1e40f6ed946bcfaf94eabd8701b2c21c92773
\ No newline at end of file
+b5b6baa31bfdbabbca7c5c4ba0b60ce0f3c78dce20da814dbb9835ab1f920237
\ No newline at end of file
diff --git a/local_dev/config/h2.key b/local_dev/config/h2.key
index b4f0d21..c707907 100644
--- a/local_dev/config/h2.key
+++ b/local_dev/config/h2.key
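Review bot: The script now reads eight positional parameters (`helper_domain=$4` through `identity=$8`), so any caller still passing the previous seven silently binds every value after `root_domain` one slot off, with `identity` ending up empty instead of the call failing. The argument-count guard that closes with the `fi` in the hunk header is outside the hunk; if it checks `$#`, confirm it now requires 8 so that the shift is caught rather than misrouted. `$pid_file` in `echo $! > $pid_file` is unquoted on both the old and new line; `"$pid_file"` would match how every other variable on the line is quoted.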
@@ -1,5 +1,5 @@ -----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgpj/IkcF3+K5LvYO3 -rFBGXRLQcIDTITGMwrzH48IwdFqhRANCAARE1EvqrvduIUxdaPPxYgVi68qA8uWH -vZVNkjywpBcfQ4vevAov5KWzYkR0aCDI82IziNSv1T5PQipvGHmGBwu5 +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg68yge6rpoo1BuZf3 +jgNKZTire4NXFFp7QB6ZHhUh03qhRANCAASe+M2dMLK5Veao85/jK01vK0xGNm/v +TvXKNjdIohgo7iUteABhRSOEaV24I2+fhIkJ4u1nF5O3XDILN8qFU569 -----END PRIVATE KEY----- diff --git a/local_dev/config/h2_mk.key b/local_dev/config/h2_mk.key index 3ce735c..7ee920b 100644 --- a/local_dev/config/h2_mk.key +++ b/local_dev/config/h2_mk.key @@ -1 +1 @@ -baa3cc11f2cfe092eb86acabc028889438735fc667d0c88214185f8802b316a7 \ No newline at end of file +6bfec84fad7d6793b2da7d897d8b240e1657ce17ae85008ee3929205b10215c0 \ No newline at end of file diff --git a/local_dev/config/h3.key b/local_dev/config/h3.key index c765c43..e2eda27 100644 --- a/local_dev/config/h3.key +++ b/local_dev/config/h3.key @@ -1,5 +1,5 @@ -----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPEB0qkkpZ1sp44NS -Ogbiz1MLgvyO/N3uvXgEhEGtKGahRANCAATLqehLL42VKHNmfZtY2BVehHsQNyGq -fmOrs6V+DXrQ0eKgGF4ad1lrqXxJFMpVg2i1vOm/kq6GlvM6AqqcjuVc +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQguBEunJTE4p6odXBy +SVFbZmp3f0MIUE/dWwnMFjaU9OGhRANCAAT0ZaJSBZNssVFtl14l38ykfcS8m8Q5 +YWckipUyWV+EcXp8oHpTzVeAKTKP8mOp3zgj/qqsGu9nAOb2R524mR9C -----END PRIVATE KEY----- diff --git a/local_dev/config/h3_mk.key b/local_dev/config/h3_mk.key index 7428a8e..e2b6946 100644 --- a/local_dev/config/h3_mk.key +++ b/local_dev/config/h3_mk.key @@ -1 +1 @@ -a86e0204e38809dbc2ef89db7eeba2bbd6628e96bd0a46133666d667de681773 \ No newline at end of file +045bd3cb9f53394e9a1dd905c8e5dfeab7f3249e105ceca33663f7e078306f5d \ No newline at end of file diff --git a/local_dev/config/network.toml b/local_dev/config/network.toml index d9e5a08..c943517 100644 --- a/local_dev/config/network.toml +++ b/local_dev/config/network.toml 
@@ -1,17 +1,18 @@ [[peers]] certificate = """ -----BEGIN CERTIFICATE----- -MIIBZTCCAQugAwIBAgIIRxb0DaIIjkkwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ -bG9jYWxob3N0MB4XDTI0MDMxNTAxMTI0M1oXDTI0MDYxNDAxMTI0M1owFDESMBAG -A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmuK3oS3R -RvMCHEch4NOHPEo+1xh8fYcGuuW5l4BBLKDaYf+7hVXWSICrMFl1/yEFO1E856lg -/FqVxhp25I/hKKNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE -AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID -SAAwRQIgYgv5V5unp9q0WSnuPttA5fNASFLKrvslL+T0BKfLjRoCIQC4B+fmHpqX -GVYq2Y0sGz79X+evTPmyJo7X3ye5DlSDeg== +MIIBgDCCASagAwIBAgIIJIo0r8LAFEQwCgYIKoZIzj0EAwIwHTEbMBkGA1UEAwwS +aGVscGVyMS5kcmFmdC50ZXN0MB4XDTI0MDUxOTIwMjc1MFoXDTI0MDgxODIwMjc1 +MFowHTEbMBkGA1UEAwwSaGVscGVyMS5kcmFmdC50ZXN0MFkwEwYHKoZIzj0CAQYI +KoZIzj0DAQcDQgAEKqRuJxcBWyj6sZNXNwQv0DokYaB3+K5awnQkyUddkohDRoPf +gUAX/DQezhcqkDcOKMXMuP5BpjEPYj3nd8UEdKNQME4wHQYDVR0RBBYwFIISaGVs +cGVyMS5kcmFmdC50ZXN0MA4GA1UdDwEB/wQEAwICpDAdBgNVHSUEFjAUBggrBgEF +BQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwIDSAAwRQIgGjpC+WFl9MwpBjpn1oJZ +ZvNkhjIzEAPu2HJzE4bgU7QCIQDEfVM2RxnnsXBQdpEq/ANX1xdMpYZi5ZHQP8ZE +5GYNCw== -----END CERTIFICATE----- """ -url = "localhost:7431" +url = "helper1.draft.test" sidecar_url = "sidecar1.draft.test" [peers.hpke] 
@@ -20,17 +21,18 @@ public_key = "fde0d0c958db9f49d3f1b49cb6830b867cc810bff9e7d0cbf17c777969f3c23e" [[peers]] certificate = """ -----BEGIN CERTIFICATE----- -MIIBZDCCAQugAwIBAgIIIHqS6JxF2+AwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ -bG9jYWxob3N0MB4XDTI0MDMxNTAxMTMyMVoXDTI0MDYxNDAxMTMyMVowFDESMBAG -A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERNRL6q73 -biFMXWjz8WIFYuvKgPLlh72VTZI8sKQXH0OL3rwKL+Sls2JEdGggyPNiM4jUr9U+ -T0Iqbxh5hgcLuaNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE -AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID -RwAwRAIgUBVQLsrbhfoLfg6a2ATU+ulhYmFNvweQ/Xj1M9QgXaECIEbsLs0h4TRG -loU+/Eo4LOm5CkEd8fPOuSdZTp1s8IGT +MIIBgTCCASagAwIBAgIIc/DMyC/dz4AwCgYIKoZIzj0EAwIwHTEbMBkGA1UEAwwS +aGVscGVyMi5kcmFmdC50ZXN0MB4XDTI0MDUxOTIwMjgxNVoXDTI0MDgxODIwMjgx +NVowHTEbMBkGA1UEAwwSaGVscGVyMi5kcmFmdC50ZXN0MFkwEwYHKoZIzj0CAQYI +KoZIzj0DAQcDQgAEnvjNnTCyuVXmqPOf4ytNbytMRjZv7071yjY3SKIYKO4lLXgA +YUUjhGlduCNvn4SJCeLtZxeTt1wyCzfKhVOevaNQME4wHQYDVR0RBBYwFIISaGVs +cGVyMi5kcmFmdC50ZXN0MA4GA1UdDwEB/wQEAwICpDAdBgNVHSUEFjAUBggrBgEF +BQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwIDSQAwRgIhALaFcXtFfVXRxmxBWGqU +qLOdmVEBY1UIGzYUrl5maoqXAiEAw4E3sDRsbP5jfgrx235RkVouQSENyC/I6/vQ +gkzBFP0= -----END CERTIFICATE----- """ -url = "localhost:7432" +url = "helper2.draft.test" sidecar_url = "sidecar2.draft.test" [peers.hpke] 
@@ -39,17 +41,18 @@ public_key = "4e8f1cd4114a8ee8adc58a33050782e2f8ded3336a9c65725f35998e765c4e2d" [[peers]] certificate = """ -----BEGIN CERTIFICATE----- -MIIBYzCCAQqgAwIBAgIHYwBqW8VtbjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAls -b2NhbGhvc3QwHhcNMjQwMzE1MDExMzUyWhcNMjQwNjE0MDExMzUyWjAUMRIwEAYD -VQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATLqehLL42V -KHNmfZtY2BVehHsQNyGqfmOrs6V+DXrQ0eKgGF4ad1lrqXxJFMpVg2i1vOm/kq6G -lvM6AqqcjuVco0cwRTAUBgNVHREEDTALgglsb2NhbGhvc3QwDgYDVR0PAQH/BAQD -AgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggqhkjOPQQDAgNH -ADBEAiAfszb6imTolbufxqBhMd5gmCRmdxLWVDYCCF3wpa0bLQIgVDzc0X3eqN5U -Ghgnqau5gaGAljARRWQNo8WVu6juWjs= +MIIBgTCCASagAwIBAgIIU3AD7mE7qhMwCgYIKoZIzj0EAwIwHTEbMBkGA1UEAwwS +aGVscGVyMy5kcmFmdC50ZXN0MB4XDTI0MDUxOTIwMjgzM1oXDTI0MDgxODIwMjgz +M1owHTEbMBkGA1UEAwwSaGVscGVyMy5kcmFmdC50ZXN0MFkwEwYHKoZIzj0CAQYI +KoZIzj0DAQcDQgAE9GWiUgWTbLFRbZdeJd/MpH3EvJvEOWFnJIqVMllfhHF6fKB6 +U81XgCkyj/Jjqd84I/6qrBrvZwDm9keduJkfQqNQME4wHQYDVR0RBBYwFIISaGVs +cGVyMy5kcmFmdC50ZXN0MA4GA1UdDwEB/wQEAwICpDAdBgNVHSUEFjAUBggrBgEF +BQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwIDSQAwRgIhAPWMYS6CHXpFhM0z5n1K +QyuFesT47zkYATrYgdbQm/KSAiEA4RDWidGzAeVylaWi8C1sx8/DtJwfKNw7VyqP +BRcMXEI= -----END CERTIFICATE----- """ -url = "localhost:7433" +url = "helper3.draft.test" sidecar_url = "sidecar3.draft.test" [peers.hpke] @@ -60,7 +63,7 @@ ping_interval_secs = 90.0 version = "http2" [coordinator] -url = "localhost:7430" +url = "coordinator.helper.test" sidecar_url = "sidecar0.draft.test" certificate = """ -----BEGIN CERTIFICATE----- diff --git a/local_dev/config/pub/h1.pem b/local_dev/config/pub/h1.pem index 34e7c18..68f1712 100644 --- a/local_dev/config/pub/h1.pem +++ b/local_dev/config/pub/h1.pem 
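Review bot: `url = "coordinator.helper.test"` in the `[coordinator]` hunk uses a different parent domain from every other name in this file (`helper1.draft.test`, `sidecar0.draft.test`) and from the name the local Traefik setup derives in cli.py (`f"coordinator.{root_domain}"`); it looks like a typo for `coordinator.draft.test`, and with SNI-based routing a mismatch here means the `coordinator-router` never matches the coordinator's traffic. The peer `url` values also dropped their explicit ports (`localhost:7431` became `helper1.draft.test`), so connections now rely on whatever scheme and port the helper defaults to plus the Traefik `web-secure` entrypoint; I cannot see how the helper parses `url`, so confirm that default, and a one-line comment above the first `[[peers]]` noting that helper traffic is routed by SNI through Traefik would help the next reader.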
@@ -1,10 +1,11 @@ -----BEGIN CERTIFICATE----- -MIIBZTCCAQugAwIBAgIIRxb0DaIIjkkwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ -bG9jYWxob3N0MB4XDTI0MDMxNTAxMTI0M1oXDTI0MDYxNDAxMTI0M1owFDESMBAG -A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmuK3oS3R -RvMCHEch4NOHPEo+1xh8fYcGuuW5l4BBLKDaYf+7hVXWSICrMFl1/yEFO1E856lg -/FqVxhp25I/hKKNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE -AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID -SAAwRQIgYgv5V5unp9q0WSnuPttA5fNASFLKrvslL+T0BKfLjRoCIQC4B+fmHpqX -GVYq2Y0sGz79X+evTPmyJo7X3ye5DlSDeg== +MIIBgDCCASagAwIBAgIIJIo0r8LAFEQwCgYIKoZIzj0EAwIwHTEbMBkGA1UEAwwS +aGVscGVyMS5kcmFmdC50ZXN0MB4XDTI0MDUxOTIwMjc1MFoXDTI0MDgxODIwMjc1 +MFowHTEbMBkGA1UEAwwSaGVscGVyMS5kcmFmdC50ZXN0MFkwEwYHKoZIzj0CAQYI +KoZIzj0DAQcDQgAEKqRuJxcBWyj6sZNXNwQv0DokYaB3+K5awnQkyUddkohDRoPf +gUAX/DQezhcqkDcOKMXMuP5BpjEPYj3nd8UEdKNQME4wHQYDVR0RBBYwFIISaGVs +cGVyMS5kcmFmdC50ZXN0MA4GA1UdDwEB/wQEAwICpDAdBgNVHSUEFjAUBggrBgEF +BQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwIDSAAwRQIgGjpC+WFl9MwpBjpn1oJZ +ZvNkhjIzEAPu2HJzE4bgU7QCIQDEfVM2RxnnsXBQdpEq/ANX1xdMpYZi5ZHQP8ZE +5GYNCw== -----END CERTIFICATE----- diff --git a/local_dev/config/pub/h1_mk.pub b/local_dev/config/pub/h1_mk.pub index 23ed86d..7ac5e0d 100644 --- a/local_dev/config/pub/h1_mk.pub +++ b/local_dev/config/pub/h1_mk.pub @@ -1 +1 @@ -008eb82d82def11d250243bc06d96637e9fa73e362de92ae729b6a599cc15b5c \ No newline at end of file +a3647267bfe14e702073799600e013e0519192744043e1644a8c697dbb77a102 \ No newline at end of file diff --git a/local_dev/config/pub/h2.pem b/local_dev/config/pub/h2.pem index 0cdc58c..4ff7a56 100644 --- a/local_dev/config/pub/h2.pem +++ b/local_dev/config/pub/h2.pem 
@@ -1,10 +1,11 @@ -----BEGIN CERTIFICATE----- -MIIBZDCCAQugAwIBAgIIIHqS6JxF2+AwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ -bG9jYWxob3N0MB4XDTI0MDMxNTAxMTMyMVoXDTI0MDYxNDAxMTMyMVowFDESMBAG -A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERNRL6q73 -biFMXWjz8WIFYuvKgPLlh72VTZI8sKQXH0OL3rwKL+Sls2JEdGggyPNiM4jUr9U+ -T0Iqbxh5hgcLuaNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE -AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID -RwAwRAIgUBVQLsrbhfoLfg6a2ATU+ulhYmFNvweQ/Xj1M9QgXaECIEbsLs0h4TRG -loU+/Eo4LOm5CkEd8fPOuSdZTp1s8IGT +MIIBgTCCASagAwIBAgIIc/DMyC/dz4AwCgYIKoZIzj0EAwIwHTEbMBkGA1UEAwwS +aGVscGVyMi5kcmFmdC50ZXN0MB4XDTI0MDUxOTIwMjgxNVoXDTI0MDgxODIwMjgx +NVowHTEbMBkGA1UEAwwSaGVscGVyMi5kcmFmdC50ZXN0MFkwEwYHKoZIzj0CAQYI +KoZIzj0DAQcDQgAEnvjNnTCyuVXmqPOf4ytNbytMRjZv7071yjY3SKIYKO4lLXgA +YUUjhGlduCNvn4SJCeLtZxeTt1wyCzfKhVOevaNQME4wHQYDVR0RBBYwFIISaGVs +cGVyMi5kcmFmdC50ZXN0MA4GA1UdDwEB/wQEAwICpDAdBgNVHSUEFjAUBggrBgEF +BQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwIDSQAwRgIhALaFcXtFfVXRxmxBWGqU +qLOdmVEBY1UIGzYUrl5maoqXAiEAw4E3sDRsbP5jfgrx235RkVouQSENyC/I6/vQ +gkzBFP0= -----END CERTIFICATE----- diff --git a/local_dev/config/pub/h2_mk.pub b/local_dev/config/pub/h2_mk.pub index 259093d..869c19f 100644 --- a/local_dev/config/pub/h2_mk.pub +++ b/local_dev/config/pub/h2_mk.pub @@ -1 +1 @@ -d7cdae88176fd5ee2bef524b776a15fc52e4b9c3f986d34fe815c7463e7a425b \ No newline at end of file +b309e35605c369194fd04c411ef6b6feda334c5f8f55dcbb15f1484aa6178035 \ No newline at end of file diff --git a/local_dev/config/pub/h3.pem b/local_dev/config/pub/h3.pem index d25c5d7..f3ab40b 100644 --- a/local_dev/config/pub/h3.pem +++ b/local_dev/config/pub/h3.pem 
@@ -1,10 +1,11 @@ -----BEGIN CERTIFICATE----- -MIIBYzCCAQqgAwIBAgIHYwBqW8VtbjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAls -b2NhbGhvc3QwHhcNMjQwMzE1MDExMzUyWhcNMjQwNjE0MDExMzUyWjAUMRIwEAYD -VQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATLqehLL42V -KHNmfZtY2BVehHsQNyGqfmOrs6V+DXrQ0eKgGF4ad1lrqXxJFMpVg2i1vOm/kq6G -lvM6AqqcjuVco0cwRTAUBgNVHREEDTALgglsb2NhbGhvc3QwDgYDVR0PAQH/BAQD -AgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggqhkjOPQQDAgNH -ADBEAiAfszb6imTolbufxqBhMd5gmCRmdxLWVDYCCF3wpa0bLQIgVDzc0X3eqN5U -Ghgnqau5gaGAljARRWQNo8WVu6juWjs= +MIIBgTCCASagAwIBAgIIU3AD7mE7qhMwCgYIKoZIzj0EAwIwHTEbMBkGA1UEAwwS +aGVscGVyMy5kcmFmdC50ZXN0MB4XDTI0MDUxOTIwMjgzM1oXDTI0MDgxODIwMjgz +M1owHTEbMBkGA1UEAwwSaGVscGVyMy5kcmFmdC50ZXN0MFkwEwYHKoZIzj0CAQYI +KoZIzj0DAQcDQgAE9GWiUgWTbLFRbZdeJd/MpH3EvJvEOWFnJIqVMllfhHF6fKB6 +U81XgCkyj/Jjqd84I/6qrBrvZwDm9keduJkfQqNQME4wHQYDVR0RBBYwFIISaGVs +cGVyMy5kcmFmdC50ZXN0MA4GA1UdDwEB/wQEAwICpDAdBgNVHSUEFjAUBggrBgEF +BQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwIDSQAwRgIhAPWMYS6CHXpFhM0z5n1K +QyuFesT47zkYATrYgdbQm/KSAiEA4RDWidGzAeVylaWi8C1sx8/DtJwfKNw7VyqP +BRcMXEI= -----END CERTIFICATE----- diff --git a/local_dev/config/pub/h3_mk.pub b/local_dev/config/pub/h3_mk.pub index b5e90a0..05e44d2 100644 --- a/local_dev/config/pub/h3_mk.pub +++ b/local_dev/config/pub/h3_mk.pub @@ -1 +1 @@ -db0edf0d4148340a36a286c5dfcc99fe42fcbfb3a4d491fd961730adc4ca5545 \ No newline at end of file +62d78293debfae7ab0bd9cba453a1d99e71b6fdeeb49761fb425094d48f30241 \ No newline at end of file diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index de910cb..a9d3850 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py 
@@ -74,17 +74,23 @@ def start_helper_sidecar_command(
return Command(cmd=cmd, env=env)
+# pylint: disable=too-many-arguments
def start_traefik_command(
config_path: Path,
- sidecar_port: int,
root_domain: str,
- sidecar_domain: str,
+ helper_domain: str | None,
+ sidecar_domain: str | None,
+ helper_port: int,
+ sidecar_port: int,
):
sidecar_domain = sidecar_domain or f"sidecar.{root_domain}"
+ helper_domain = helper_domain or f"helper.{root_domain}"
env = {
**os.environ,
"SIDECAR_DOMAIN": sidecar_domain,
+ "HELPER_DOMAIN": helper_domain,
"SIDECAR_PORT": str(sidecar_port),
+ "HELPER_PORT": str(helper_port),
"CERT_DIR": config_path,
}
cmd = "./traefik --configFile=sidecar/traefik/traefik.yaml"
@@ -93,9 +99,10 @@ def start_traefik_command(
def start_traefik_local_command(
config_path: Path,
+ root_domain: str,
+ helper_ports: tuple[int, ...],
sidecar_ports: tuple[int, ...],
server_port: int,
- root_domain: str,
):
env = {
**os.environ,
@@ -103,10 +110,18 @@ def start_traefik_local_command(
"SERVER_DOMAIN": root_domain,
"SERVER_PORT": str(server_port),
}
- for identity, s_port in enumerate(sidecar_ports):
+ for identity, (s_port, h_port) in enumerate(zip(sidecar_ports, helper_ports)):
sidecar_domain = f"sidecar{identity}.{root_domain}"
env[f"SIDECAR_{identity}_DOMAIN"] = sidecar_domain
+ helper_domain = f"helper{identity}.{root_domain}"
+ env[f"HELPER_{identity}_DOMAIN"] = helper_domain
env[f"SIDECAR_{identity}_PORT"] = str(s_port)
+ env[f"HELPER_{identity}_PORT"] = str(h_port)
+
+ env["COORDINATOR_DOMAIN"] = f"coordinator.{root_domain}"
+ del env["HELPER_0_DOMAIN"]
+ env["COORDINATOR_PORT"] = env["HELPER_0_PORT"]
+ del env["HELPER_0_PORT"]
cmd = "traefik --configFile=sidecar/traefik/traefik-local.yaml"
return Command(cmd=cmd, env=env)
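Review bot: `enumerate(zip(sidecar_ports, helper_ports))` in `start_traefik_local_command` silently truncates to the shorter tuple, so a caller passing three helper ports and four sidecar ports leaves `HELPER_3_PORT` unset and Traefik's `helper-3-service` pointing at `localhost:` with no port; the file already uses 3.10 syntax (`str | None`), so `zip(sidecar_ports, helper_ports, strict=True)` turns that into an immediate ValueError. The `del env["HELPER_0_DOMAIN"]` / `env["HELPER_0_PORT"]` lines that follow raise KeyError on empty input, which is an acceptable hard failure but deserves a why-comment such as `# identity 0 is the coordinator: expose it as COORDINATOR_* instead of HELPER_0_*`. In `start_traefik_command` the fallback `helper_domain or f"helper.{root_domain}"` uses an un-numbered name while the local path and the inventory use `helper{identity}.{root_domain}`; a comment on which deployments rely on the un-numbered form would prevent someone "aligning" the two and breaking one of them.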
@@ -122,7 +137,8 @@ def start_traefik_local_command(
)
@click.option("--root_path", type=click_pathlib.Path(), default=None)
@click.option("--root_domain", type=str, default="ipa-helper.dev")
-@click.option("--sidecar_domain", type=str, default="")
+@click.option("--helper_domain", type=str, default=None)
+@click.option("--sidecar_domain", type=str, default=None)
@click.option("--helper_port", type=int, default=7430)
@click.option("--sidecar_port", type=int, default=17430)
@click.option("--identity", required=True, type=int)
@@ -130,7 +146,8 @@ def run_helper_sidecar(
config_path: Path,
root_path: Path,
root_domain: str,
- sidecar_domain: str,
+ helper_domain: str | None,
+ sidecar_domain: str | None,
helper_port: int,
sidecar_port: int,
identity: int,
@@ -144,9 +161,11 @@ def run_helper_sidecar(
)
traefik_command = start_traefik_command(
config_path=config_path,
- sidecar_port=sidecar_port,
root_domain=root_domain,
+ helper_domain=helper_domain,
sidecar_domain=sidecar_domain,
+ helper_port=helper_port,
+ sidecar_port=sidecar_port,
)
start_commands_parallel([sidecar_command, traefik_command])
@@ -161,6 +180,7 @@ def run_helper_sidecar(
)
@click.option("--root_path", type=click_pathlib.Path(), default=Path("."))
@click.option("--root_domain", type=str, default="ipa-helper.dev")
+@click.option("--helper_domain", type=str, default="")
@click.option("--sidecar_domain", type=str, default="")
@click.option("--helper_port", type=int, default=7430)
@click.option("--sidecar_port", type=int, default=17430)
@@ -169,6 +189,7 @@ def start_helper_sidecar(
config_path: Path,
root_path: Path,
root_domain: str,
+ helper_domain: str,
sidecar_domain: str,
helper_port: int,
sidecar_port: int,
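Review bot: The two new `--helper_domain` options disagree on their empty value: `run_helper_sidecar` declares `default=None` with `helper_domain: str | None`, while `start_helper_sidecar` (the -161 and -169 hunks) declares `default=""` with `helper_domain: str`, and the same split now exists for `--sidecar_domain`. Since `start_helper_sidecar` forwards the value as a bare positional argument to a shell script, an empty string is exactly the value that cannot round-trip; declaring `default=None` there as well and resolving the `helper{identity}.{root_domain}` fallback in Python before the command line is built would keep both entry points on one convention and keep the fallback logic in one place.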
@@ -185,7 +206,7 @@ def start_helper_sidecar(
start_command = Command(
cmd=f"{script_path} {config_path} {root_path} {root_domain} "
- f"{sidecar_domain} {helper_port} {sidecar_port} {identity}",
+ f"{helper_domain} {sidecar_domain} {helper_port} {sidecar_port} {identity}",
)
start_command.run_blocking_no_output_capture()
print("draft helper_sidecar started")
@@ -272,9 +293,10 @@ def run_local_dev(
]
traefik_command = start_traefik_local_command(
config_path=config_path,
+ root_domain=root_domain,
+ helper_ports=tuple(helper_ports.values()),
sidecar_ports=tuple(sidecar_ports.values()),
server_port=server_port,
- root_domain=root_domain,
)
commands = sidecar_commands + [npm_run_dev_command, traefik_command]
diff --git a/sidecar/traefik/dynamic-local/dynamic.yaml b/sidecar/traefik/dynamic-local/dynamic.yaml
index c2c84cf..b48bd7e 100644
--- a/sidecar/traefik/dynamic-local/dynamic.yaml
+++ b/sidecar/traefik/dynamic-local/dynamic.yaml
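Review bot: The rewritten `cmd=` f-string interpolates `helper_domain` and `sidecar_domain` unquoted into a command line that `etc/start_helper_sidecar.sh` reads positionally, and both options default to `""`; unless `Command` splits the string itself without a shell, an empty domain collapses to nothing, every later parameter shifts one slot, and `identity` is read as empty. Quoting each interpolated value, e.g. `f"{shlex.quote(helper_domain)} {shlex.quote(sidecar_domain)} {helper_port} {sidecar_port} {identity}"` with `shlex` imported at the top of the file, preserves empty arguments and also keeps a domain value containing shell metacharacters from being interpreted. The same applies to `{config_path}`, `{root_path}` and `{root_domain}` on the unchanged line above it. How `Command` executes `cmd` is not visible in this diff, so confirm whether it goes through a shell.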
@@ -51,3 +51,51 @@ http:
loadBalancer:
servers:
- url: "http://localhost:{{ env "SIDECAR_3_PORT"}}"
+
+tcp:
+ routers:
+ coordinator-router:
+ entryPoints:
+ - "web-secure"
+ rule: "HostSNI(`{{ env "COORDINATOR_DOMAIN"}}`)"
+ service: "coordinator-service"
+ tls:
+ passthrough: true
+ helper-1-router:
+ entryPoints:
+ - "web-secure"
+ rule: "HostSNI(`{{ env "HELPER_1_DOMAIN"}}`)"
+ service: "helper-1-service"
+ tls:
+ passthrough: true
+ helper-2-router:
+ entryPoints:
+ - "web-secure"
+ rule: "HostSNI(`{{ env "HELPER_2_DOMAIN"}}`)"
+ service: "helper-2-service"
+ tls:
+ passthrough: true
+ helper-3-router:
+ entryPoints:
+ - "web-secure"
+ rule: "HostSNI(`{{ env "HELPER_3_DOMAIN"}}`)"
+ service: "helper-3-service"
+ tls:
+ passthrough: true
+ services:
+ coordinator-service:
+ loadBalancer:
+ servers:
+ - address: "localhost:{{ env "COORDINATOR_PORT"}}"
+ helper-1-service:
+ loadBalancer:
+ servers:
+ - address: "localhost:{{ env "HELPER_1_PORT"}}"
+ helper-2-service:
+ loadBalancer:
+ servers:
+ - address: "localhost:{{ env "HELPER_2_PORT"}}"
+ helper-3-service:
+ loadBalancer:
+ servers:
+ - address: "localhost:{{ env "HELPER_3_PORT"}}"
diff --git a/sidecar/traefik/dynamic/dynamic.yaml b/sidecar/traefik/dynamic/dynamic.yaml
index 8db0ebf..7009798 100644
--- a/sidecar/traefik/dynamic/dynamic.yaml
+++ b/sidecar/traefik/dynamic/dynamic.yaml
@@ -12,3 +12,19 @@ http:
loadBalancer:
servers:
- url: "http://localhost:{{ env "SIDECAR_PORT"}}"
+
+tcp:
+ routers:
+ helper-router:
+ entryPoints:
+ - "web-secure"
+ rule: "HostSNI(`{{ env "HELPER_DOMAIN"}}`)"
+ service: "helper-service"
+ tls:
+ passthrough: true
+
+ services:
+ helper-service:
+ loadBalancer:
+ servers:
+ - address: "127.0.0.1:{{ env "HELPER_PORT"}}"
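Review bot: The new `tcp` routers use `tls.passthrough: true` with `HostSNI` rules but neither file says why, and a future reader is likely to "fix" them into terminated routers; a comment above `tcp:` such as `# TLS is passed through untouched: each helper presents its own certificate from config/pub and authenticates its peers itself, so Traefik must not terminate here` would pin the intent, assuming that is indeed the reason (the per-helper certificates in this commit suggest it, but I cannot see the helper's TLS handling). The two files also differ in how they address the backend: `sidecar/traefik/dynamic/dynamic.yaml` uses `127.0.0.1:{{ env "HELPER_PORT"}}` while `dynamic-local/dynamic.yaml` uses `localhost:...` for every service; on hosts where `localhost` resolves to `::1` first the two behave differently, so picking one form for both files (the literal `127.0.0.1` is the unambiguous one) is worth doing while the files are fresh.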