software/simpleran: Add TLS mutual authentication for eNB fluentbit

a1f1a937 · Paul Graydon · 06154499 · a1f1a937 · a1f1a937 · a1f1a937
Commit a1f1a937 authored Nov 12, 2024 by Paul Graydon
5 changed files
--- a/software/simpleran/buildout.hash.cfg
+++ b/software/simpleran/buildout.hash.cfg
@@ -16,7 +16,7 @@

 [template]
 filename = instance.cfg
-md5sum = 770fccd0e4c5ad30e9637fd643a126c5
+md5sum = 82d7168d89f7c7b1f66ba3a800547949

 [template-ors]
 filename = instance-ors.cfg
@@ -60,7 +60,7 @@ md5sum = 52da9fe3a569199e35ad89ae1a44c30e

 [template-enb]
 _update_hash_filename_ = instance-enb.jinja2.cfg
-md5sum = a05c6ed1830d77a9faea67ac54cf9c2f
+md5sum = 5e16584e820f187afee806819db9788c

 [template-ors-enb]
 _update_hash_filename_ = instance-ors-enb.jinja2.cfg

--- a/software/simpleran/instance-enb-input-schema.json
+++ b/software/simpleran/instance-enb-input-schema.json
@@ -224,6 +224,11 @@
      "type": "string",
      "default": "wendelin-telecom-enb-shared-instance"
    },
+    "xlog_fluentbit_caucase_url": {
+      "title": "Fluentbit Xlog Caucase URL",
+      "description": "URL of a forward Caucase instance from which to request a certificate to establish TLS mutual authentication",
+      "type": "string"
+    },
    "xlog_fluentbit_forward_host": {
      "title": "Fluentbit Xlog forwarding address",
      "description": "Address of remote Fluentd or Fluentbit server to which Fluentbit should forward Xlog data",

--- a/software/simpleran/instance-enb.jinja2.cfg
+++ b/software/simpleran/instance-enb.jinja2.cfg
@@ -17,6 +17,7 @@
 {%-   do slapparameter_dict.setdefault(k, v) %}
 {%- endfor %}
 {%- set B = xbuildout.encode %}
+{%- import "caucase" as caucase with context %}


 [buildout]
@@ -28,6 +29,10 @@ parts =
  xamari-xlog-service
  request-wendelin-telecom-shared
 {%- if slapparameter_dict.xlog_forwarding_enabled %}
+{%- if slapparameter_dict.get("xlog_fluentbit_caucase_url", "") %}
+  xlog-fluentbit-caucase-updater
+  xlog-fluentbit-caucase-updater-promise
+{%- endif %}
  xlog-fluentbit-service
  check-xlog-fluentbit-forward-host.py
  check-xlog-fluentbit-health.py
@@ -89,6 +94,7 @@ script = ${:etc}/run
 service = ${:etc}/service
 promise = ${:etc}/promise
 log = ${:var}/log
+xlog-fluentbit-certificates = ${:srv}/ssl/xlog-fluentbit
 xlog-fluentbit = ${:var}/xlog-fluentbit

 [enb-sh-wrapper]
@@ -183,6 +189,28 @@ return = gateway-host
 {%- endif %}

 {% if slapparameter_dict.xlog_forwarding_enabled %}
+{%- if slapparameter_dict.get("xlog_fluentbit_caucase_url", "") %}
+[xlog-fluentbit-certificate]
+key-file = ${directory:xlog-fluentbit-certificates}/${:_buildout_section_name_}.pem
+cert-file = ${directory:xlog-fluentbit-certificates}/${:_buildout_section_name_}-crt.pem
+ca-file = ${directory:xlog-fluentbit-certificates}/${:_buildout_section_name_}-ca.pem
+crl-file = ${directory:xlog-fluentbit-certificates}/${:_buildout_section_name_}-crl.pem
+
+{{ caucase.updater(
+  prefix='xlog-fluentbit-caucase-updater',
+  buildout_bin_directory=buildout_bin_directory,
+  updater_path='${directory:service}/xlog-fluentbit-caucase-updater',
+  url=slapparameter_dict.get('xlog_fluentbit_caucase_url'),
+  data_dir='${directory:srv}/caucase-updater',
+  key_path='${xlog-fluentbit-certificate:key-file}',
+  crt_path='${xlog-fluentbit-certificate:cert-file}',
+  ca_path='${xlog-fluentbit-certificate:ca-file}',
+  crl_path='${xlog-fluentbit-certificate:crl-file}',
+  template_csr_pem=None,
+  openssl=openssl_location + '/bin/openssl'
+)}}
+{%- endif %}
+
 [xlog-fluentbit-tag]
 recipe = slapos.recipe.build
 computer = ${slap-connection:computer-id}
@@ -241,7 +269,15 @@ inline =
      Self_Hostname   ${:forward-self-hostname}
      Retry_Limit     50
      tls             on
+{%- if slapparameter_dict.get("xlog_fluentbit_caucase_url", "") %}
+      net.keepalive   on
+      tls.verify      on
+      tls.ca_file     ${xlog-fluentbit-certificate:ca-file}
+      tls.crt_file    ${xlog-fluentbit-certificate:cert-file}
+      tls.key_file    ${xlog-fluentbit-certificate:key-file}
+{%- else %}
      tls.verify      off
+{%- endif %}

 [xlog-fluentbit-service]
 recipe  = slapos.cookbook:wrapper

--- a/software/simpleran/instance.cfg
+++ b/software/simpleran/instance.cfg
@@ -35,6 +35,7 @@ context =
    key eggs_directory buildout:eggs-directory
    key develop_eggs_directory buildout:develop-eggs-directory
    raw buildout_directory ${buildout:directory}
+    raw buildout_bin_directory ${buildout:bin-directory}
    section directory directory
    raw pythonwitheggs ${buildout:bin-directory}/pythonwitheggs
    section slap_connection slap-connection
@@ -43,11 +44,13 @@ context =
    key my_ipv4  slap-configuration:ipv4-random
    key my_ipv6  slap-configuration:ipv6-random
    $${:extra-context}
+caucase-jinja2-library-target = ${caucase-jinja2-library:target}
 import-list =
    rawfile slaplte.jinja2 ${slaplte.jinja2:target}
    rawfile ru_libinstance.jinja2.cfg ${ru_libinstance.jinja2.cfg:target}
    rawfile ru_sdr_libinstance.jinja2.cfg ${ru_sdr_libinstance.jinja2.cfg:target}
    rawfile ru_sunwave_libinstance.jinja2.cfg ${ru_sunwave_libinstance.jinja2.cfg:target}
+    file caucase :caucase-jinja2-library-target

 # activate eggs and modules used in jinja2 templates
 [activate-eggs]

--- a/software/simpleran/software.cfg
+++ b/software/simpleran/software.cfg
@@ -6,6 +6,7 @@
 extends =
  buildout.hash.cfg
  ../../stack/slapos.cfg
+  ../../stack/caucase/buildout.cfg
  ../../stack/monitor/buildout.cfg
  ../../component/logrotate/buildout.cfg
  ../../component/nghttp2/buildout.cfg
@@ -25,6 +26,7 @@ extends =
 parts +=
  template
  slapos-cookbook
+  caucase-eggs
 # copy all configs by default
  mme.jinja2.cfg
  dnsmasq-core-network.jinja2.cfg