From b6c83e06d540a7e0c8c0f0541d53e1b219c72c3c Mon Sep 17 00:00:00 2001 From: Hans Hasselberg Date: Fri, 17 Jan 2020 23:25:26 +0100 Subject: [PATCH] auto_encrypt: set dns and ip san for k8s and provide configuration (#6944) * Add CreateCSRWithSAN * Use CreateCSRWithSAN in auto_encrypt and cache * Copy DNSNames and IPAddresses to cert * Verify auto_encrypt.sign returns cert with SAN * provide configuration options for auto_encrypt dnssan and ipsan * rename CreateCSRWithSAN to CreateCSR --- agent/agent.go | 2 ++ agent/cache-types/connect_ca_leaf.go | 9 ++++++++- agent/config/builder.go | 16 ++++++++++++++++ agent/config/config.go | 6 ++++++ agent/config/runtime.go | 8 ++++++++ agent/config/runtime_test.go | 8 ++++++++ agent/connect/ca/provider_consul.go | 2 ++ agent/connect/csr.go | 11 +++++++---- agent/consul/auto_encrypt.go | 5 ++++- agent/consul/auto_encrypt_endpoint_test.go | 10 +++++++++- website/source/docs/agent/options.html.md | 4 ++++ 11 files changed, 74 insertions(+), 7 deletions(-) diff --git a/agent/agent.go b/agent/agent.go index ca44d1c9f..e4ea4de50 100644 --- a/agent/agent.go +++ b/agent/agent.go @@ -592,6 +592,8 @@ func (a *Agent) setupClientAutoEncryptCache(reply *structs.SignedResponse) (*str Datacenter: a.config.Datacenter, Token: a.tokens.AgentToken(), Agent: a.config.NodeName, + DNSSAN: a.config.AutoEncryptDNSSAN, + IPSAN: a.config.AutoEncryptIPSAN, } // prepolutate leaf cache diff --git a/agent/cache-types/connect_ca_leaf.go b/agent/cache-types/connect_ca_leaf.go index 7c402ee2e..e5fb8c891 100644 --- a/agent/cache-types/connect_ca_leaf.go +++ b/agent/cache-types/connect_ca_leaf.go @@ -4,6 +4,7 @@ import ( "context" "errors" "fmt" + "net" "sync" "sync/atomic" "time" @@ -508,6 +509,8 @@ func (c *ConnectCALeaf) generateNewLeaf(req *ConnectCALeafRequest, // Build the cert uri var id connect.CertURI var commonName string + var dnsNames []string + var ipAddresses []net.IP if req.Service != "" { id = &connect.SpiffeIDService{ Host: roots.TrustDomain, @@ -523,6 +526,8 @@ func (c *ConnectCALeaf) generateNewLeaf(req *ConnectCALeafRequest, Agent: req.Agent, } commonName = connect.ServiceCN(req.Agent, roots.TrustDomain) + dnsNames = append([]string{"localhost"}, req.DNSSAN...) + ipAddresses = append([]net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::")}, req.IPSAN...) } else { return result, errors.New("URI must be either service or agent") } @@ -545,7 +550,7 @@ func (c *ConnectCALeaf) generateNewLeaf(req *ConnectCALeafRequest, } // Create a CSR. - csr, err := connect.CreateCSR(id, commonName, pk) + csr, err := connect.CreateCSR(id, commonName, pk, dnsNames, ipAddresses) if err != nil { return result, err } @@ -636,6 +641,8 @@ type ConnectCALeafRequest struct { Datacenter string Service string // Service name, not ID Agent string // Agent name, not ID + DNSSAN []string + IPSAN []net.IP MinQueryIndex uint64 MaxQueryTime time.Duration } diff --git a/agent/config/builder.go b/agent/config/builder.go index 667bddc4b..13ec76698 100644 --- a/agent/config/builder.go +++ b/agent/config/builder.go @@ -651,6 +651,20 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) { } autoEncryptTLS := b.boolVal(c.AutoEncrypt.TLS) + autoEncryptDNSSAN := []string{} + for _, d := range c.AutoEncrypt.DNSSAN { + autoEncryptDNSSAN = append(autoEncryptDNSSAN, d) + } + autoEncryptIPSAN := []net.IP{} + for _, i := range c.AutoEncrypt.IPSAN { + ip := net.ParseIP(i) + if ip == nil { + b.warn(fmt.Sprintf("Cannot parse ip %q from AutoEncrypt.IPSAN", i)) + continue + } + autoEncryptIPSAN = append(autoEncryptIPSAN, ip) + + } autoEncryptAllowTLS := b.boolVal(c.AutoEncrypt.AllowTLS) if autoEncryptAllowTLS { @@ -856,6 +870,8 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) { ClientAddrs: clientAddrs, ConfigEntryBootstrap: configEntries, AutoEncryptTLS: autoEncryptTLS, + AutoEncryptDNSSAN: autoEncryptDNSSAN, + AutoEncryptIPSAN: autoEncryptIPSAN, AutoEncryptAllowTLS: autoEncryptAllowTLS, ConnectEnabled: connectEnabled, ConnectCAProvider: connectCAProvider, diff --git a/agent/config/config.go b/agent/config/config.go index f5cac9401..d177bd8f2 100644 --- a/agent/config/config.go +++ b/agent/config/config.go @@ -568,6 +568,12 @@ type AutoEncrypt struct { // TLS enables receiving certificates for clients from servers TLS *bool `json:"tls,omitempty" hcl:"tls" mapstructure:"tls"` + // Additional DNS SAN entries that clients request for their certificates. + DNSSAN []string `json:"dns_san,omitempty" hcl:"dns_san" mapstructure:"dns_san"` + + // Additional IP SAN entries that clients request for their certificates. + IPSAN []string `json:"ip_san,omitempty" hcl:"ip_san" mapstructure:"ip_san"` + // AllowTLS enables the RPC endpoint on the server to answer // AutoEncrypt.Sign requests. AllowTLS *bool `json:"allow_tls,omitempty" hcl:"allow_tls" mapstructure:"allow_tls"` diff --git a/agent/config/runtime.go b/agent/config/runtime.go index f23226446..ec00f6d3b 100644 --- a/agent/config/runtime.go +++ b/agent/config/runtime.go @@ -529,6 +529,14 @@ type RuntimeConfig struct { // servers. AutoEncryptTLS bool + // Additional DNS SAN entries that clients request during auto_encrypt + // flow for their certificates. + AutoEncryptDNSSAN []string + + // Additional IP SAN entries that clients request during auto_encrypt + // flow for their certificates. + AutoEncryptIPSAN []net.IP + // AutoEncryptAllowTLS enables the server to respond to // AutoEncrypt.Sign requests. AutoEncryptAllowTLS bool diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index 2901072ec..8fec5ded5 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go @@ -3758,6 +3758,8 @@ func TestFullConfig(t *testing.T) { }, "auto_encrypt": { "tls": true, + "dns_san": ["a.com", "b.com"], + "ip_san": ["192.168.4.139", "192.168.4.140"], "allow_tls": true }, "connect": { @@ -4357,6 +4359,8 @@ func TestFullConfig(t *testing.T) { } auto_encrypt = { tls = true + dns_san = ["a.com", "b.com"] + ip_san = ["192.168.4.139", "192.168.4.140"] allow_tls = true } connect { @@ -5065,6 +5069,8 @@ func TestFullConfig(t *testing.T) { }, }, AutoEncryptTLS: true, + AutoEncryptDNSSAN: []string{"a.com", "b.com"}, + AutoEncryptIPSAN: []net.IP{net.ParseIP("192.168.4.139"), net.ParseIP("192.168.4.140")}, AutoEncryptAllowTLS: true, ConnectEnabled: true, ConnectSidecarMinPort: 8888, @@ -5907,6 +5913,8 @@ func TestSanitize(t *testing.T) { "ClientAddrs": [], "ConfigEntryBootstrap": [], "AutoEncryptTLS": false, + "AutoEncryptDNSSAN": [], + "AutoEncryptIPSAN": [], "AutoEncryptAllowTLS": false, "ConnectCAConfig": {}, "ConnectCAProvider": "", diff --git a/agent/connect/ca/provider_consul.go b/agent/connect/ca/provider_consul.go index 898792386..d95ff6819 100644 --- a/agent/connect/ca/provider_consul.go +++ b/agent/connect/ca/provider_consul.go @@ -403,6 +403,8 @@ func (c *ConsulProvider) Sign(csr *x509.CertificateRequest) (string, error) { NotBefore: effectiveNow, AuthorityKeyId: keyId, SubjectKeyId: keyId, + DNSNames: csr.DNSNames, + IPAddresses: csr.IPAddresses, } // Create the certificate, PEM encode it and return that value. diff --git a/agent/connect/csr.go b/agent/connect/csr.go index cfe37b78a..4ba0f1a9f 100644 --- a/agent/connect/csr.go +++ b/agent/connect/csr.go @@ -9,6 +9,7 @@ import ( "crypto/x509/pkix" "encoding/asn1" "encoding/pem" + "net" "net/url" ) @@ -41,15 +42,17 @@ func SigAlgoForKeyType(keyType string) x509.SignatureAlgorithm { } } -// CreateCSR returns a CSR to sign the given service along with the PEM-encoded -// private key for this certificate. +// CreateCSR returns a CSR to sign the given service with SAN entries +// along with the PEM-encoded private key for this certificate. func CreateCSR(uri CertURI, commonName string, privateKey crypto.Signer, - extensions ...pkix.Extension) (string, error) { + dnsNames []string, ipAddresses []net.IP, extensions ...pkix.Extension) (string, error) { template := &x509.CertificateRequest{ URIs: []*url.URL{uri.URI()}, SignatureAlgorithm: SigAlgoForKey(privateKey), ExtraExtensions: extensions, Subject: pkix.Name{CommonName: commonName}, + DNSNames: dnsNames, + IPAddresses: ipAddresses, } // Create the CSR itself @@ -75,7 +78,7 @@ func CreateCACSR(uri CertURI, commonName string, privateKey crypto.Signer) (stri return "", err } - return CreateCSR(uri, commonName, privateKey, ext) + return CreateCSR(uri, commonName, privateKey, nil, nil, ext) } // CreateCAExtension creates a pkix.Extension for the x509 Basic Constraints diff --git a/agent/consul/auto_encrypt.go b/agent/consul/auto_encrypt.go index 183aed5dd..fd0a3611f 100644 --- a/agent/consul/auto_encrypt.go +++ b/agent/consul/auto_encrypt.go @@ -64,12 +64,15 @@ func (c *Client) RequestAutoEncryptCerts(servers []string, port int, token strin return errFn(err) } + dnsNames := []string{"localhost"} + ipAddresses := []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::")} + // Create a CSR. // // The Common Name includes the dummy trust domain for now but Server will // override this when it is signed anyway so it's OK. cn := connect.AgentCN(string(c.config.NodeName), dummyTrustDomain) - csr, err := connect.CreateCSR(id, cn, pk) + csr, err := connect.CreateCSR(id, cn, pk, dnsNames, ipAddresses) if err != nil { return errFn(err) } diff --git a/agent/consul/auto_encrypt_endpoint_test.go b/agent/consul/auto_encrypt_endpoint_test.go index 93bf8f2ec..b9098b21c 100644 --- a/agent/consul/auto_encrypt_endpoint_test.go +++ b/agent/consul/auto_encrypt_endpoint_test.go @@ -3,6 +3,7 @@ package consul import ( "crypto/x509" "fmt" + "net" "os" "strings" "testing" @@ -77,7 +78,9 @@ func TestAutoEncryptSign(t *testing.T) { // Create a CSR. cn, err := connect.CNForCertURI(id) require.NoError(t, err) - csr, err := connect.CreateCSR(id, cn, pk) + dnsNames := []string{"localhost"} + ipAddresses := []net.IP{net.ParseIP("127.0.0.1")} + csr, err := connect.CreateCSR(id, cn, pk, dnsNames, ipAddresses) require.NoError(t, err, info) require.NotEmpty(t, csr, info) args := &structs.CASignRequest{ @@ -119,6 +122,11 @@ func TestAutoEncryptSign(t *testing.T) { }) require.NoError(t, err, info) + // Verify SANs + require.Equal(t, dnsNames, leaf.DNSNames) + require.Len(t, leaf.IPAddresses, 1) + require.True(t, ipAddresses[0].Equal(leaf.IPAddresses[0])) + // Verify other fields require.Equal(t, "uuid", reply.IssuedCert.Agent, info) require.Len(t, reply.ManualCARoots, 1, info) diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md index 7b3e6097d..2f00562a1 100644 --- a/website/source/docs/agent/options.html.md +++ b/website/source/docs/agent/options.html.md @@ -836,6 +836,10 @@ default will automatically work with some tooling. * `tls` (Defaults to `false`) Allows the client to request the Connect CA and certificates from the servers, for encrypting RPC communication. The client will make the request to any servers listed in the `-join` or `-retry-join` option. This requires that every server to have `auto_encrypt.allow_tls` enabled. When both `auto_encrypt` options are used, it allows clients to receive certificates that are generated on the servers. If the `-server-port` is not the default one, it has to be provided to the client as well. Usually this is discovered through LAN gossip, but `auto_encrypt` provision happens before the information can be distributed through gossip. The most secure `auto_encrypt` setup is when the client is provided with the built-in CA, `verify_server_hostname` is turned on, and when an ACL token with `node.write` permissions is setup. It is also possible to use `auto_encrypt` with a CA and ACL, but without `verify_server_hostname`, or only with a ACL enabled, or only with CA and `verify_server_hostname`, or only with a CA, or finally without a CA and without ACL enabled. In any case, the communication to the `auto_encrypt` endpoint is always TLS encrypted. + * `dns_san` (Defaults to `[]`) When this option is being used, the certificates requested by `auto_encrypt` from the server have these `dns_san` set as DNS SAN. + + * `ip_san` (Defaults to `[]`) When this option is being used, the certificates requested by `auto_encrypt` from the server have these `ip_san` set as IP SAN. + * `bootstrap` Equivalent to the [`-bootstrap` command-line flag](#_bootstrap).