add: rootCA and clientCA in grpc server

Signed-off-by: Arvindh <arvindh91@gmail.com> add: rootCA and client certificate in grpc client Signed-off-by: Arvindh <arvindh91@gmail.com> add: docker-compose for grpc-mtls and make target for mtls cert generation Signed-off-by: Arvindh <arvindh91@gmail.com>
absmach · Jul 10, 2023 · 46ed2f9 · 46ed2f9
1 parent 7ffc14b
commit 46ed2f9
Show file tree

Hide file tree

Showing 21 changed files with 784 additions and 37 deletions.
diff --git a/Makefile b/Makefile
@@ -13,6 +13,13 @@ GOARCH ?= amd64
 VERSION ?= $(shell git describe --abbrev=0 --tags)
 COMMIT ?= $(shell git rev-parse HEAD)
 TIME ?= $(shell date +%F_%T)
+USER_REPO ?= $(shell git remote get-url origin | sed -e 's/.*\/\([^/]*\)\/\([^/]*\).*/\1_\2/' )
+BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD)
+BRANCH_SHORT_HASH ?= $(shell git rev-parse --short HEAD)
+empty:=
+space:= $(empty) $(empty)
+DOCKER_PROJECT ?= $(subst $(space),,$(USER_REPO)_/$(BRANCH)_$(BRANCH_SHORT_HASH))
+DOCKER_PROJECT := $(subst /,_,$(DOCKER_PROJECT))
 
 ifneq ($(MF_BROKER_TYPE),)
     MF_BROKER_TYPE := $(MF_BROKER_TYPE)
@@ -120,4 +127,10 @@ rundev:
 run:
 	sed -i "s,file: brokers/.*.yml,file: brokers/${MF_BROKER_TYPE}.yml," docker/docker-compose.yml
 	sed -i "s,MF_BROKER_URL=.*,MF_BROKER_URL=$$\{MF_$(shell echo ${MF_BROKER_TYPE} | tr 'a-z' 'A-Z')_URL\}," docker/.env
-	docker-compose -f docker/docker-compose.yml up
+	docker-compose -f docker/docker-compose.yml -p $(DOCKER_PROJECT) up
+
+run_mtls_grpc:
+	sed -i "s,file: brokers/.*.yml,file: brokers/${MF_BROKER_TYPE}.yml," docker/docker-compose.yml
+	sed -i "s,MF_BROKER_URL=.*,MF_BROKER_URL=$$\{MF_$(shell echo ${MF_BROKER_TYPE} | tr 'a-z' 'A-Z')_URL\}," docker/.env
+	make -C docker/ssl users_grpc_certs things_grpc_certs
+	docker-compose -f docker/docker-compose.yml -f docker/ssl/docker-compose.grpc-mtls.yaml -p $(DOCKER_PROJECT) up
diff --git a/docker/.env b/docker/.env
@@ -48,8 +48,9 @@ MF_USERS_DB_SSL_KEY=
 MF_USERS_DB_SSL_ROOT_CERT=
 MF_USERS_HTTP_PORT=9002
 MF_USERS_GRPC_PORT=7001
-MF_USERS_GRPC_URL=users:7001
-MF_USERS_GRPC_TIMEOUT=1s
+MF_USERS_GRPC_SERVER_CERT=./ssl/certs/users-grpc-server.crt
+MF_USERS_GRPC_SERVER_KEY=./ssl/certs/users-grpc-server.key
+MF_USERS_GRPC_SERVER_CA_CERTS=./ssl/certs/ca.crt
 MF_USERS_SERVER_CERT=
 MF_USERS_SERVER_KEY=
 MF_USERS_SECRET_KEY=HyE2D4RUt9nnKG6v8zKEqAp6g6ka8hhZsqUpzgKvnwpXrNVQSH
@@ -61,6 +62,15 @@ MF_USERS_RESET_PWD_TEMPLATE=users.tmpl
 MF_USERS_PASS_REGEX=^.{8,}$$
 MF_USERS_INSTANCE_ID=
 
+### Users gRPC Client
+MF_USERS_GRPC_URL=users:7001
+MF_USERS_GRPC_TIMEOUT=1s
+MF_USERS_GRPC_CLIENT_TLS=true
+MF_USERS_GRPC_CLIENT_MTLS=true
+MF_USERS_GRPC_CLIENT_CERT=./ssl/certs/users-grpc-client.crt
+MF_USERS_GRPC_CLIENT_KEY=./ssl/certs/users-grpc-client.key
+MF_USERS_GRPC_CLIENT_CA_CERTS=./ssl/certs/ca.crt
+
 ### Email utility
 MF_EMAIL_HOST=smtp.mailtrap.io
 MF_EMAIL_PORT=2525
@@ -79,8 +89,9 @@ MF_THINGS_LOG_LEVEL=debug
 MF_THINGS_HTTP_PORT=9000
 MF_THINGS_AUTH_HTTP_PORT=9001
 MF_THINGS_AUTH_GRPC_PORT=7000
-MF_THINGS_AUTH_GRPC_URL=things:7000
-MF_THINGS_AUTH_GRPC_TIMEOUT=1s
+MF_THINGS_AUTH_GRPC_SERVER_CERT=./ssl/certs/things-grpc-server.crt
+MF_THINGS_AUTH_GRPC_SERVER_KEY=./ssl/certs/things-grpc-server.key
+MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS=./ssl/certs/ca.crt
 MF_THINGS_DB_HOST=things-db
 MF_THINGS_DB_PORT=5432
 MF_THINGS_DB_USER=mainflux
@@ -98,6 +109,15 @@ MF_THINGS_ES_PASS=
 MF_THINGS_ES_DB=
 MF_THINGS_INSTANCE_ID=
 
+### Things gRPC Client
+MF_THINGS_AUTH_GRPC_URL=things:7000
+MF_THINGS_AUTH_GRPC_TIMEOUT=1s
+MF_THINGS_AUTH_GRPC_CLIENT_TLS=true
+MF_THINGS_AUTH_GRPC_CLIENT_MTLS=true
+MF_THINGS_AUTH_GRPC_CLIENT_CERT=./ssl/certs/things-grpc-client.crt
+MF_THINGS_AUTH_GRPC_CLIENT_KEY=./ssl/certs/things-grpc-client.key
+MF_THINGS_AUTH_GRPC_CLIENT_CA_CERTS=./ssl/certs/ca.crt
+
 ### HTTP
 MF_HTTP_ADAPTER_PORT=8008
 MF_HTTP_ADAPTER_INSTANCE_ID=

diff --git a/docker/addons/bootstrap/docker-compose.grpc-mtls.yaml b/docker/addons/bootstrap/docker-compose.grpc-mtls.yaml
@@ -0,0 +1,14 @@
+services:
+  bootstrap:
+    environment:
+      # Users gRPC client environmental varaibles
+      MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS}
+      MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS}
+      MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt
+      MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key
+      MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt
+    volumes:
+      # Users gRPC client certificates
+      - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt
+      - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key
+      - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt
diff --git a/docker/addons/cassandra-reader/docker-compose.grpc-mtls.yaml b/docker/addons/cassandra-reader/docker-compose.grpc-mtls.yaml
@@ -0,0 +1,24 @@
+services:
+  cassandra-reader:
+    environment:
+      # Users gRPC client environmental varaibles
+      MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS}
+      MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS}
+      MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt
+      MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key
+      MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt
+      # Things gRPC client environmental varaibles
+      MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS}
+      MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS}
+      MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt
+      MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key
+      MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt
+    volumes:
+      # Users gRPC client certificates
+      - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt
+      - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key
+      - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt
+      # Things gRPC client certificates
+      - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt
+      - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key
+      - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt
diff --git a/docker/addons/certs/docker-compose.grpc-mtls.yaml b/docker/addons/certs/docker-compose.grpc-mtls.yaml
@@ -0,0 +1,14 @@
+services:
+  certs:
+    environment:
+      # Users gRPC client environmental varaibles
+      MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS}
+      MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS}
+      MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt
+      MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key
+      MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt
+    volumes:
+      # Users gRPC client certificates
+      - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt
+      - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key
+      - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt
diff --git a/docker/addons/influxdb-reader/docker-compose.grpc-mtls.yaml b/docker/addons/influxdb-reader/docker-compose.grpc-mtls.yaml
@@ -0,0 +1,24 @@
+services:
+  influxdb-reader:
+    environment:
+      # Users gRPC client environmental varaibles
+      MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS}
+      MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS}
+      MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt
+      MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key
+      MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt
+      # Things gRPC client environmental varaibles
+      MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS}
+      MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS}
+      MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt
+      MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key
+      MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt
+    volumes:
+      # Users gRPC client certificates
+      - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt
+      - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key
+      - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt
+      # Things gRPC client certificates
+      - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt
+      - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key
+      - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt
diff --git a/docker/addons/mongodb-reader/docker-compose.grpc-mtls.yaml b/docker/addons/mongodb-reader/docker-compose.grpc-mtls.yaml
@@ -0,0 +1,24 @@
+services:
+  mongodb-reader:
+    environment:
+      # Users gRPC client environmental varaibles
+      MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS}
+      MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS}
+      MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt
+      MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key
+      MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt
+      # Things gRPC client environmental varaibles
+      MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS}
+      MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS}
+      MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt
+      MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key
+      MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt
+    volumes:
+      # Users gRPC client certificates
+      - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt
+      - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key
+      - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt
+      # Things gRPC client certificates
+      - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt
+      - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key
+      - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt
diff --git a/docker/addons/postgres-reader/docker-compose.grpc-mtls.yaml b/docker/addons/postgres-reader/docker-compose.grpc-mtls.yaml
@@ -0,0 +1,24 @@
+services:
+  postgres-reader:
+    environment:
+      # Users gRPC client environmental varaibles
+      MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS}
+      MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS}
+      MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt
+      MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key
+      MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt
+      # Things gRPC client environmental varaibles
+      MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS}
+      MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS}
+      MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt
+      MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key
+      MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt
+    volumes:
+      # Users gRPC client certificates
+      - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt
+      - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key
+      - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt
+      # Things gRPC client certificates
+      - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt
+      - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key
+      - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt
diff --git a/docker/addons/smpp-notifier/docker-compose.grpc-mtls.yaml b/docker/addons/smpp-notifier/docker-compose.grpc-mtls.yaml
@@ -0,0 +1,14 @@
+services:
+  smpp-notifier:
+    environment:
+      # Users gRPC client environmental varaibles
+      MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS}
+      MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS}
+      MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt
+      MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key
+      MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt
+    volumes:
+      # Users gRPC client certificates
+      - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt
+      - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key
+      - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt
diff --git a/docker/addons/smtp-notifier/docker-compose.grpc-mtls.yaml b/docker/addons/smtp-notifier/docker-compose.grpc-mtls.yaml
@@ -0,0 +1,14 @@
+services:
+  smtp-notifier:
+    environment:
+      # Users gRPC client environmental varaibles
+      MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS}
+      MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS}
+      MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt
+      MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key
+      MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt
+    volumes:
+      # Users gRPC client certificates
+      - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt
+      - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key
+      - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt
diff --git a/docker/addons/timescale-reader/docker-compose.grpc-mtls.yaml b/docker/addons/timescale-reader/docker-compose.grpc-mtls.yaml
@@ -0,0 +1,24 @@
+services:
+  timescale-reader:
+    environment:
+      # Users gRPC client environmental varaibles
+      MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS}
+      MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS}
+      MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt
+      MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key
+      MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt
+      # Things gRPC client environmental varaibles
+      MF_THINGS_AUTH_GRPC_CLIENT_MTLS: ${MF_THINGS_AUTH_GRPC_CLIENT_MTLS}
+      MF_THINGS_AUTH_GRPC_CLIENT_TLS: ${MF_THINGS_AUTH_GRPC_CLIENT_TLS}
+      MF_THINGS_AUTH_GRPC_CLIENT_CERT: /client.crt
+      MF_THINGS_AUTH_GRPC_CLIENT_KEY: /client.key
+      MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS: /server_ca.crt
+    volumes:
+      # Users gRPC client certificates
+      - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt
+      - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key
+      - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt
+      # Things gRPC client certificates
+      - ${MF_THINGS_AUTH_GRPC_CLIENT_CERT}:/client.crt
+      - ${MF_THINGS_AUTH_GRPC_CLIENT_KEY}:/client.key
+      - ${MF_THINGS_AUTH_GRPC_SERVER_CA_CERTS}:/server_ca.crt
diff --git a/docker/addons/twins/docker-compose.grpc-mtls.yaml b/docker/addons/twins/docker-compose.grpc-mtls.yaml
@@ -0,0 +1,14 @@
+services:
+  twins:
+    environment:
+      # Users gRPC client environmental varaibles
+      MF_AUTH_GRPC_CLIENT_MTLS: ${MF_USERS_GRPC_CLIENT_MTLS}
+      MF_AUTH_GRPC_CLIENT_TLS: ${MF_USERS_GRPC_CLIENT_TLS}
+      MF_AUTH_GRPC_CLIENT_CERT: /users-grpc-client.crt
+      MF_AUTH_GRPC_CLIENT_KEY: /users-grpc-client.key
+      MF_AUTH_GRPC_SERVER_CA_CERTS: /users-grpc-server-ca.crt
+    volumes:
+      # Users gRPC client certificates
+      - ${MF_USERS_GRPC_CLIENT_CERT}:/users-grpc-client.crt
+      - ${MF_USERS_GRPC_CLIENT_KEY}:/users-grpc-client.key
+      - ${MF_USERS_GRPC_SERVER_CA_CERTS}:/users-grpc-server-ca.crt
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -172,8 +172,8 @@ services:
     networks:
       - mainflux-base-net
     volumes:
-      - ./templates/${MF_USERS_RESET_PWD_TEMPLATE}:/email.tmpl     
-  
+      - ./templates/${MF_USERS_RESET_PWD_TEMPLATE}:/email.tmpl
+
   jaeger:
     image: jaegertracing/all-in-one:1.38.0
     container_name: mainflux-jaeger

diff --git a/docker/ssl/.gitignore b/docker/ssl/.gitignore
@@ -0,0 +1,4 @@
+*grpc-server*
+*grpc-client*
+*srl
+*conf