software/fluentd: WIP Add TLS mutual authentication

01222e66 · Paul Graydon · 0c26fb80 · 01222e66 · 01222e66 · 01222e66
Commit 01222e66 authored Feb 05, 2025 by Paul Graydon
5 changed files
--- a/software/fluentd/buildout.hash.cfg
+++ b/software/fluentd/buildout.hash.cfg
@@ -14,12 +14,12 @@
 # not need these here).
 [instance-profile]
 filename = instance.cfg
-md5sum = 9bb912ccc58047cbefe449f9d3783358
+md5sum = 0d1374e9b94ab486d309a9bd9e9c201f

 [template-fluentd]
-filename = instance-fluentd.cfg
-md5sum = 1b6f5b4fb0ec9e961e3c0a1ba0075a38
+filename = instance-fluentd.cfg.in
+md5sum = f063f19a49efa278ea91d2bd4ba947a6

 [template-fluentd-wendelin-telecom-gateway]
-filename = instance-fluentd-wendelin-telecom-gateway.cfg
-md5sum = 1dbc57f07a7d697c296611f4b889bea3
+filename = instance-fluentd-wendelin-telecom-gateway.cfg.in
+md5sum = d6fcf8649242fc705323dceb22ea956f
--- a/software/fluentd/instance-fluentd-wendelin-telecom-gateway.cfg
+++ b/software/fluentd/instance-fluentd-wendelin-telecom-gateway.cfg
-[fluentd-cert]
+{% import "caucase" as caucase with context %}
+
+[directory]
+tmp = ${buildout:directory}/tmp
+certificates = ${:etc}/certificates
+backup = ${:srv}/backup
+caucased = ${:srv}/caucased
+backup-caucased = ${:backup}/caucased
+
+[fluentd-certificate]
+key-file = ${directory:certificates}/${:_buildout_section_name_}.pem
+cert-file = ${directory:certificates}/${:_buildout_section_name_}-crt.pem
+ca-file = ${directory:certificates}/${:_buildout_section_name_}-ca.pem
+crl-file = ${directory:certificates}/${:_buildout_section_name_}-crl.pem
+
+{{
+caucase.updater(
+  prefix='fluentd-certificate',
+  buildout_bin_directory=bin_directory,
+  updater_path='${directory:services}/fluentd-certificate-updater',
+  url='${caucased:url}',
+  data_dir='${directory:srv}/caucase-updater',
+  crt_path='${fluentd-certificate:cert-file}',
+  ca_path='${fluentd-certificate:ca-file}',
+  crl_path='${fluentd-certificate:crl-file}',
+  key_path='${fluentd-certificate:key-file}',
+  openssl=openssl,
+)}}
+
+[caucased]
+ip = {{ ipv6_random }}
+port = 19980
+netloc = [${:ip}]:${:port}
+url = http://${:netloc}/
+
+{{
+caucase.caucased(
+  prefix='caucased-backend',
+  buildout_bin_directory=bin_directory,
+  caucased_path='${directory:services}/caucased',
+  backup_dir='${directory:backup-caucased}',
+  data_dir='${directory:caucased}',
+  netloc='${caucased:netloc}',
+  tmp='${directory:tmp}',
+  service_auto_approve_count=1,
+  user_auto_approve_count=1,
+  key_len=2048,
+)}}
+
+[fluentd-conf-tls]
 recipe = slapos.recipe.build
 fluentd-agent-conf = {{ fluentd_agent_conf }}
-key-file = $${ca-directory:certs}/fluentd.key
-cert-file = $${ca-directory:certs}/fluentd.crt
+key-file = ${fluentd-certificate:key-file}
+cert-file = ${fluentd-certificate:cert-file}
+ca-file = ${fluentd-certificate:ca-file}
+ca-key-file = ${caucased-backend-directory:data-dir}/server.key.pem
 init =
  import os

  fluentd_agent_conf = options['fluentd-agent-conf']
  tls_config_text = (
    "  <transport tls>\n"
+    "    version TLSv1_2\n"
    "    cert_path %s\n"
    "    private_key_path %s\n"
    "    private_key_passphrase\n"
+    "    client_cert_auth true\n"
+    "    ca_path %s\n"
    "  </transport>\n"
-  ) % (options['cert-file'], options['key-file'])
+  ) % (options['cert-file'], options['key-file'], options['ca-file'])
  tls_tag = "<transport tls>"
  add_tls_section = True
  insert_index = 5
@@ -31,18 +85,10 @@ init =

 [service-fluentd]
 recipe = slapos.cookbook:wrapper
-wrapper-path = {{ directory['bin'] }}/fluentd-service
-command-line = ${fluentd:location}/bin/fluentd -v -c {{ fluentd_agent_conf }}
+wrapper-path = {{ directory['service'] }}/fluentd-service
+command-line = {{ fluentd_location }}/bin/fluentd -v -c {{ fluentd_agent_conf }}
 environment =
-  GEM_PATH=${fluentd:location}/lib/ruby/gems/
-
-[ca-fluentd]
-<= certificate-authority
-recipe = slapos.cookbook:certificate_authority.request
-key-file = $${fluentd-cert:key-file}
-cert-file = $${fluentd-cert:cert-file}
-executable = $${service-fluentd:wrapper-path}
-wrapper = {{ directory['service'] }}/fluentd-service
+  GEM_PATH={{ fluentd_location }}/lib/ruby/gems/

 {% set part_list = [] -%}

@@ -53,16 +99,26 @@ wrapper = {{ directory['service'] }}/fluentd-service
 <= monitor-promise-base
 promise = check_socket_listening
 name = {{ promise_section_title }}.py
-config-host = $${slap-configuration:ipv6-random}
+config-host = {{ ipv6_random }}
 config-port = {{ port }}
 {% endfor %}

+[publish-information]
+recipe = slapos.cookbook:publish
+backend-client-caucase-url = ${caucased:url}
+
 [buildout]
-extends = ${monitor-template:output}
+extends =
+  {{ template_monitor }}

 parts =
-  certificate-authority-service
-  ca-fluentd
+  caucased-backend
+  caucased-backend-promise
+  fluentd-certificate-backend
+  fluentd-certificate-backend-promise
+  fluentd-conf-tls
+  service-fluentd
+  publish-information
 {%- for part in part_list %}
  {{ part }}
 {%- endfor %}
--- a/software/fluentd/instance-fluentd.cfg
+++ b/software/fluentd/instance-fluentd.cfg
 [service-fluentd]
 recipe = slapos.cookbook:wrapper
 wrapper-path = {{ directory['service'] }}/fluentd-service
-command-line = ${fluentd:location}/bin/fluentd -v -c {{ fluentd_agent_conf }}
+command-line = {{ fluentd_location }}/bin/fluentd -v -c {{ fluentd_agent_conf }}
 environment =
-  GEM_PATH=${fluentd:location}/lib/ruby/gems/
+  GEM_PATH={{ fluentd_location }}/lib/ruby/gems/

 {% set part_list = [] -%}

@@ -14,16 +14,16 @@ environment =
 <= monitor-promise-base
 promise = check_socket_listening
 name = {{ promise_section_title }}.py
-config-host = $${slap-configuration:ipv6-random}
+config-host = {{ ipv6_random }}
 config-port = {{ port }}
 {% endfor %}

 [buildout]
+extends =
+  {{ template_monitor }}
+
 parts =
  service-fluentd
 {%- for part in part_list %}
  {{ part }}
 {%- endfor %}
-
-extends = ${monitor-template:output}
-
--- a/software/fluentd/instance.cfg
+++ b/software/fluentd/instance.cfg
 [buildout]
+
 parts =
  switch-softwaretype

@@ -33,20 +34,28 @@ recipe = slapos.recipe.template:jinja2
 extra-context =
 context =
    section directory directory
+    key ipv6_random slap-configuration:ipv6-random
    key fluentd_agent_conf fluentd-agent-conf:output
    key port_list fluentd-conf:port-list
+    raw bin_directory ${buildout:bin-directory}
+    raw openssl ${openssl:location}/bin/openssl
+    raw fluentd_location ${fluentd:location}
+    raw template_monitor ${monitor-template:output}
    $${:extra-context}
+caucase-jinja2-library-target = ${caucase-jinja2-library:target}
+import-list =
+  file caucase :caucase-jinja2-library-target

 [dynamic-template-fluentd]
 <= jinja2-template-base
-url = ${template-fluentd:output}
+url = ${template-fluentd:target}
 output = instance-fluentd.cfg
 extensions = jinja2.ext.do
 extra-context =

 [dynamic-template-fluentd-wendelin-telecom-gateway]
 <= jinja2-template-base
-url = ${template-fluentd-wendelin-telecom-gateway:output}
+url = ${template-fluentd-wendelin-telecom-gateway:target}
 output = instance-fluentd-wendelin-telecom-gateway.cfg
 extensions = jinja2.ext.do
 extra-context =
@@ -59,9 +68,9 @@ buffer-file-dir = $${directory:fluentd-buffer}
 init =
  import re

-  software_type = options['software-type'] or 'RootSoftwareInstance'
+  software_type = options['software-type'] or 'default'

-  if software_type in ['RootSoftwareInstance', 'default']:
+  if software_type == 'default':
    options['conf-text'] = options['slapparameter-dict'].get('conf-text') or ' '

  elif software_type == 'wendelin-telecom-gateway':

--- a/software/fluentd/software.cfg
+++ b/software/fluentd/software.cfg
@@ -3,27 +3,31 @@ extends =
  buildout.hash.cfg
  ../../component/fluentd/buildout.cfg
  ../../stack/slapos.cfg
+  ../../stack/caucase/buildout.cfg
  ../../stack/monitor/buildout.cfg

 parts =
-  instance-profile
  slapos-cookbook
+  instance-profile
+  caucase-eggs

 [template-base]
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/${:filename}

 [instance-profile]
-< = template-base
+<= template-base
 output = ${buildout:directory}/template.cfg

+[download-base]
+recipe = slapos.recipe.build:download
+url = ${:_profile_base_location_}/${:filename}
+
 [template-fluentd]
-< = template-base
-output = ${buildout:directory}/template-fluentd.cfg
+<= download-base

 [template-fluentd-wendelin-telecom-gateway]
-< = template-base
-output = ${buildout:directory}/template-fluentd-wendelin-telecom-gateway.cfg
+<= download-base

 [fluentd]
 gems +=