Setup HTTPS on the frontend #96

Closed
4 of 5 tasks
tomwilkie opened this issue Aug 15, 2015 · 16 comments

@tomwilkie

  • make it work in local/dev too (self-signed, probably)
  • buy some certificates for scope.weave.works
  • update the react app to use ssl
  • deploy it to prod

Edit:

@pidster pidster modified the milestone: Sprint w42-w43 Oct 9, 2015
@paulbellamy

Slightly blocked on how new deployment works

@paulbellamy

We can redirect-to-ssl on all URLs except POST /app/report, because the probe won't follow redirects.

Current thinking is there are three options for loading the certs:

  1. compile the certs into the frontend image: means we need a separate image for each env
  2. have a cert-container and do volumes-from: means we have to colocate containers
  3. have the certs on the host, and mount them from there: means we have the certs sitting on every host

@tomwilkie

  1. have the certs on the host, and mount them from there: means we have the certs sitting on every host

We currently deploy the frontend on every host, so this is pretty much equivalent.

  1. compile the certs into the frontend image: means we need a separate image for each env

Do we only need SSL on the prod image? In which case, we could get away with only having one image (the prod one), and have ssl just-not-work in other environments.

@paulbellamy

Having thought about it, I prefer 3, as it means the certs only have to be set up and handled once (when the infra is created), but it means we will have to recreate all the infrastructure to deploy it, vs. 1, where they have to be handled every time you want to make a new frontend image.

Edit: Upon reflection, I've decided for option 1: to just check in the prod certs, and compile them into the image. It will be an incorrect hostname in dev/local, but it always would be anyway.

@paulbellamy

We will not be able to use Strict-Transport-Security yet, until the scope client supports secure websockets.

Edit: And furthermore Chrome (and possibly others) block the insecure websocket when the page was loaded via https, so we can't do this at all until scope is fixed.
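An added example (not code from the Scope project or from the commenters) of the two rules discussed above, written as a Go net/http middleware: plain-HTTP requests are redirected to HTTPS except the probe's POST /app/report, and Strict-Transport-Security is behind an explicit switch that stays off until the client's websocket is secure. The handler names, the X-Forwarded-Proto check and the sample host are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// tlsRedirect wraps next: plain-HTTP requests are redirected to HTTPS,
// except the probe's POST /app/report, which cannot follow redirects.
// hsts gates the Strict-Transport-Security header on HTTPS responses; it
// stays false until the Scope client talks to the app over wss://.
func tlsRedirect(next http.Handler, hsts bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isTLS(r) {
			if r.Method == http.MethodPost && r.URL.Path == "/app/report" {
				next.ServeHTTP(w, r) // probe traffic: serve over plain HTTP
				return
			}
			u := *r.URL
			u.Scheme, u.Host = "https", r.Host
			http.Redirect(w, r, u.String(), http.StatusMovedPermanently)
			return
		}
		if hsts {
			w.Header().Set("Strict-Transport-Security", "max-age=31536000")
		}
		next.ServeHTTP(w, r)
	})
}

// isTLS reports whether the request came in over TLS, directly or via a
// TLS-terminating load balancer. Assumption: X-Forwarded-Proto is only
// reachable through a trusted proxy that overwrites it.
func isTLS(r *http.Request) bool {
	return r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
}

// probe sends one constructed request through the middleware and returns
// the status code, Location header and HSTS header it produced.
func probe(method, target string, viaTLS, hsts bool) (int, string, string) {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, target, nil)
	if viaTLS {
		req.Header.Set("X-Forwarded-Proto", "https")
	}
	rec := httptest.NewRecorder()
	tlsRedirect(ok, hsts).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location"), rec.Header().Get("Strict-Transport-Security")
}

func main() {
	fmt.Println(probe("GET", "http://scope.weave.works/app", false, false))         // 301 https://scope.weave.works/app
	fmt.Println(probe("POST", "http://scope.weave.works/app/report", false, false)) // 200
}
```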

@paulbellamy

And, even when scope is fixed we have no way to upgrade the scope-app-* nodes to 0.9 to support this. This is blocked on #202

@peterbourgon peterbourgon modified the milestones: sprint-w42, end-2015 Nov 30, 2015
@2opremio

  1. compile the certs into the frontend image: means we need a separate image for each env
  2. have a cert-container and do volumes-from: means we have to colocate containers
  3. have the certs on the host, and mount them from there: means we have the certs sitting on every host

With Kubernetes we have

  4. Use a k8s secret

which I think is what we should go for.

@paulbellamy I vaguely recall discussions with jim about buying certificates for scope.weave.works. Did this happen?

@paulbellamy

Nope. Hasn't happened yet, as you'll have to fiddle with DNS (or do a deploy) to prove you own the domain.

@2opremio

you'll have to fiddle with DNS (or do a deploy) to prove you own the domain.

How specifically? Please elaborate

@paulbellamy

AFAIK most cert issuers have you add a DNS record (RapidSSL), or upload a file (Comodo), to verify you own the domain.

@2opremio

I bought a certificate from RapidSSL through Namecheap as @paulbellamy recommended. Now I am going through the exciting process of activating it.

@2opremio 2opremio assigned 2opremio and unassigned paulbellamy Dec 11, 2015
@2opremio

Do you guys think it's acceptable to keep the private key/CSR in the repository? I don't feel like it is, but I don't see any good alternatives.

@paulbellamy

For lack of a better option, that was the plan.

@2opremio

OK, I have bought the certificate; if everything went well, @apperly should receive it in his inbox soon.

@2opremio

Got the certificate.

@2opremio

#176 is deployed, so the service now supports HTTPS, but there are a few things left, which are reflected in the following issues:

Closing

leth pushed a commit that referenced this issue Jul 28, 2017