Add support for SSL access to the Pbench Server

PBENCH-1149

Author: webbnh

.gitleaks.toml

@@ -8,6 +8,10 @@
     # instance inside the created ephemeral container.
     '''server\/pbenchinacan\/etc\/pbench-server\/pbench-server\.cfg$''',
 
+    # Ignore the CA private key which is used only to generate ephemeral certs
+    # for SSL access to the containerized Server for functional testing.
+    '''server\/pbenchinacan\/etc\/pki\/tls\/private\/pbench_CA\.key$''',
+
     # Ignore the .gitleaks.toml (this file).
     '''\.gitleaks\.toml$''',
   ]

server/lib/config/nginx.conf

@@ -72,7 +72,11 @@ http {
     server {
         listen       8080;
         listen       [::]:8080;
+        listen       8443 ssl;
+        listen       [::]:8443 ssl;
         server_name  _;
+        ssl_certificate     /etc/pki/tls/certs/pbench-server.crt;
+        ssl_certificate_key /etc/pki/tls/private/pbench-server.key;
         root         /srv/pbench/public_html;
         index        index.html;
 

server/pbenchinacan/deploy

@@ -42,14 +42,16 @@ GITTOP=${GITTOP:-$(git rev-parse --show-toplevel)}
 PB_DASHBOARD_DIR=${PB_DASHBOARD_DIR:-${GITTOP}/dashboard/build}
 PB_DEPLOY_FILES=${PB_DEPLOY_FILES:-${HOME}/Deploy}
 SRV_PBENCH=${SRV_PBENCH:-/srv/pbench}
+PB_SSL_CERT_FILE=${PB_SSL_CERT_FILE:-${PB_DEPLOY_FILES}/pbench-server.crt}
+PB_SSL_KEY_FILE=${PB_SSL_KEY_FILE:-${PB_DEPLOY_FILES}/pbench-server.key}
 
 # Locations inside the container
 #
 # The value of ${NGINX_FAVICON} points to the location where the file will be
 # found inside the container and is used to create a symbolic link; by default,
 # it refers to a file in the Dashboard deployment relative to
 # /srv/pbench/public_html.
-NGINX_FAVICON=${NGINX_FAVICON:-"./dashboard/src/assets/logo/color-square.16x16.ico"}
+NGINX_FAVICON=${NGINX_FAVICON:-./dashboard/$(realpath --relative-to "${PB_DASHBOARD_DIR}" "${PB_DASHBOARD_DIR}"/static/media/color-square.256x256*.ico)}
 
 #+
 # Deployment
@@ -110,6 +112,8 @@ podman run \
     --rm \
     --volume ${PB_DEPLOY_FILES}/etc/rsyslog.conf:/etc/rsyslog.conf:Z \
     --volume ${PB_DEPLOY_FILES}/etc/rsyslog.d:/etc/rsyslog.d:Z \
+    --volume ${PB_SSL_CERT_FILE}:/etc/pki/tls/certs/pbench-server.crt:Z \
+    --volume ${PB_SSL_KEY_FILE}:/etc/pki/tls/private/pbench-server.key:Z \
     --volume ${PB_DEPLOY_FILES}/pbench-server.cfg:/opt/pbench-server/lib/config/pbench-server.cfg:Z \
     --volume ${SRV_PBENCH}:/srv/pbench:Z \
     ${PB_SERVER_PODMAN_SWITCHES} \

server/pbenchinacan/etc/pki/tls/certs/pbench_CA.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYTCCAkmgAwIBAgIUUtVXi1qMBbg1wLVBmeUM/tMuWsMwDQYJKoZIhvcNAQEL
+BQAwQDEaMBgGA1UEAwwRcGJlbmNoLnJlZGhhdC5jb20xCzAJBgNVBAYTAlVTMRUw
+EwYDVQQHDAxXZXN0Zm9yZCwgTUEwHhcNMjMwNTA1MjEzNzU0WhcNMjQwNDI1MjEz
+NzU0WjBAMRowGAYDVQQDDBFwYmVuY2gucmVkaGF0LmNvbTELMAkGA1UEBhMCVVMx
+FTATBgNVBAcMDFdlc3Rmb3JkLCBNQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAJVWR8CY3cvtLu5Ss9XAWBp5PNE/X0zWJtRrph/Xz0qtQsxpqn9fhEjF
+kLr36AkewbOoW8HmqKzSrS9bgCrdglH1oqefLntt6q9F10SOCXF2jbQA3r63f9Kb
+co0Sa8NkV60E5zOvS+cEz+g3ZQVWoYhPnE3h2QTZ6rei41k1TvE/vcPUfjcR4uaD
+Xxtl6vUi9zoM7b3I1I0Cztg23e86ZsEVd+OZVDQbYLd4A3uBmzcmepHP6mwNc+Gm
+yhNeQ0ovu03Zz8j9W64Jau8Tpaja90s48pk0VRdfQX//N4mntAo3vYwd3Ab4Pq4o
+2c2GGpihLURlOCk9fNGo/s9atP/0+NsCAwEAAaNTMFEwHQYDVR0OBBYEFMz+SX+d
+JyWELuNukm1Szpz+l7qiMB8GA1UdIwQYMBaAFMz+SX+dJyWELuNukm1Szpz+l7qi
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACxI0EXHjJtPhPkX
+1gLDxeID1+HMSmQVfnEd0zcBz/DhACVPnAPHF+lQ0QLfqJobmSKRei9s0pa5XEfo
+vIVcBvzKE7tuEM7ZeCKx0PBftp7poMEQyIEPezoaD9j20rXE14KS2fCOnFkahGjp
+CeYqHjnnf+LMkYf1nXM3Yhxz4w3uzFQmYO+pRVAE6Vjeftz2d3s2w+1G/bNPKgEu
+8NbG/6T25ZNe0T+wE8rxvB1+tDuPbIc83or7SrpiaxbSo1wqAm/ajxW6bdXftP0l
+aLLlVemlt3oWE9lkVDtuMJTbt0noCjb3FlWrDVwm5Zm3ilVf8L2JOsG7LYjYUAQs
+5VgnCv8=
+-----END CERTIFICATE-----

server/pbenchinacan/etc/pki/tls/private/pbench_CA.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCVVkfAmN3L7S7u
+UrPVwFgaeTzRP19M1ibUa6Yf189KrULMaap/X4RIxZC69+gJHsGzqFvB5qis0q0v
+W4Aq3YJR9aKnny57beqvRddEjglxdo20AN6+t3/Sm3KNEmvDZFetBOczr0vnBM/o
+N2UFVqGIT5xN4dkE2eq3ouNZNU7xP73D1H43EeLmg18bZer1Ivc6DO29yNSNAs7Y
+Nt3vOmbBFXfjmVQ0G2C3eAN7gZs3JnqRz+psDXPhpsoTXkNKL7tN2c/I/VuuCWrv
+E6Wo2vdLOPKZNFUXX0F//zeJp7QKN72MHdwG+D6uKNnNhhqYoS1EZTgpPXzRqP7P
+WrT/9PjbAgMBAAECggEAJW9iAD0xyFd2Hsb7jrcvPr+qh7evn5bFWBV+KNhT/d/N
+8WkBlPlwMz/XRo8zium7W9p12fcEzIHpaQgyakxpyTreoc9M+yL0JCjJTEWgx2EV
+J4zaSYu9TqGqBwQZoHrsYZJrlLC6Qbial5cfS0XKq11tjLZzTPyFkrAR9sBewCm8
+tnh2FF/ktSgfZ4TfSWCgL0NwCbFNFHr7AeEii4vwJmZp0Yus/2OkdHxLFU/+yiOG
+Aa9Sa0xw4mFeQisjU7WOMbiozC3vaEOM+m2diNkxirvKAinEISEqAAcVO1+meKb+
+7GUNTsHj5jFSLebyJvZtmQAgkm8JwT2FUFxlCwr+NQKBgQC6Mw2gilx0Ne3zc9Q+
+qpINEdxxPWbDJz8aTzXFWmIdNCiv61RgGNYMNZTulU6pjZDcE/zs8kwqODi0nMsZ
+JLRyB/Zi0qeCQXs5xkoZSax3Oj+wrZQZeay704mUETStchs+LI6NgZNBVFozeVch
+aDXehKRrZaWQy/g+fu5w4EQ9dwKBgQDNUaoNghspoGdZcaoMHu+aElE0i+S1eI5l
+pmoT42G/L8dLKTbxrLOmbGsEG3OaS8uUZAOfPsrYSPojhqZmye1qTdCAC7YOLxMb
+xb4KhZzdxB1f1wN3coNf7+5keG2DDF3LqvL8Z0EnpBIh61tcHAEuTJn3eabk247x
+mp/Wpg8ovQKBgE3HZbnaEiS5Ily/1bkXp0quW1cyPurmSgXDcMKvrqxkTVqvAt/h
+gAg5mazP0bwh1pEYCF8yF37LXWSU2oH2QyofCVzegfp3P/IyUmGd1N05B8HVwDek
+C/OpuZ6QUWDieV7PXfzeU5TGl6dI2Iyr61S4M7ZpD3Acw+XXP+MGy3qhAoGAQA0y
+7MXi7WiB9VBVSTS5cKo4NRlTPx2d5q40t4Ge88LW/GaeImTLIqb996kMtlzg5KkS
+zDINm82gY0bVUIm8DAa8fcWphOFAp9BXifbGyhQtScHM7g2GWH6EM0myeEh6Vlg9
+N2qK0/AGTBidRq3h3Gy/N4n2+7xW6p5fMNpbLk0CgYEAmXUgGU+IcppI9i7IiQFg
+Yxv409dB2AqnMa97FUonHchE7S4EL8nlnDX2ROB5laNE9CzXEf0HBUG7gmf/DT+L
+ULvGGa63mCrcPb+QwNbMhxELj4pSOEniWHJk+xXcROMbqj1h3+eDvhlY5SXonuN2
+INuieGa13VZLOCSs0ERxuts=
+-----END PRIVATE KEY-----

server/pbenchinacan/run-pbench-in-a-can

@@ -1,4 +1,5 @@
 #!/bin/bash -e
+# shellcheck disable=SC2086,2174
 
 #
 # Run a local containerized deployment of the Pbench Server, together with its
@@ -26,6 +27,10 @@ export PB_DASHBOARD_DIR="${PB_DASHBOARD_DIR:-${PWD}/dashboard/build/}"
 export KEYCLOAK_REALM=${KEYCLOAK_REALM:-"pbench-server"}
 export KEYCLOAK_CLIENT=${KEYCLOAK_CLIENT:-"pbench-client"}
 
+host_name=${PB_HOST_NAME:-$(hostname --fqdn)}
+host_ip_list=${PB_HOST_IP:-$(hostname -I)}
+host_ip=${host_ip_list%% *}
+
 # Set up TMP_DIR, if it's not already defined, to point to WORKSPACE_TMP, if it
 # is defined (e.g., by the CI), or to `/var/tmp/pbench` as a fallback.
 #
@@ -45,7 +50,7 @@ export PB_DEPLOY_FILES=${PB_DEPLOY_FILES:-${TMP_DIR}/pbench_server_deployment}
 
 # Copy the deployment files to the deployment files directory
 pbiac_etc=server/pbenchinacan/etc
-rm -rf ${PB_DEPLOY_FILES}/etc ${PB_DEPLOY_FILES}/pbench-server.cfg
+rm -rf ${PB_DEPLOY_FILES:?}/etc ${PB_DEPLOY_FILES}/pbench-server.cfg
 mkdir -p -m 755 ${PB_DEPLOY_FILES}/etc
 cp -r ${pbiac_etc}/rsyslog.d ${pbiac_etc}/rsyslog.conf ${PB_DEPLOY_FILES}/etc/
 cp ${pbiac_etc}/pbench-server/pbench-server.cfg ${PB_DEPLOY_FILES}/
@@ -91,6 +96,30 @@ podman run \
     ${PB_SERVER_IMAGE} \
     -c "chown -R pbench:pbench /srv/pbench/*"
 
+# Create a private key and certificate, signed by our own, private CA, for the
+# Pbench Server to use to provide SSL connections.  The certificate has to
+# match the host that the container is running on, so we generate it on the fly
+# and place it in the deployment files directory.
+#
+# We do this in the Pbench Server container so that we get a known version of
+# openssl (the native one on the Jenkins executors appears to be ancient).
+podman run \
+    --rm \
+    --volume ${PB_DEPLOY_FILES}:/data:Z \
+    --volume ${PWD}/${pbiac_etc}/pki/tls:/pki_tls:Z \
+    --entrypoint /usr/bin/openssl \
+    ${PB_SERVER_IMAGE} \
+    req -batch -new -noenc -sha256 -days 365 -newkey rsa:2048 \
+    -out /data/pbench-server.crt \
+    -keyout /data/pbench-server.key \
+    -subj "/C=US/ST=Massachusetts/L=Westford/O=Red Hat/OU=Performance & Scale/CN=${host_name}" \
+    -CA /pki_tls/certs/pbench_CA.crt \
+    -CAkey /pki_tls/private/pbench_CA.key \
+    -addext "authorityKeyIdentifier = keyid,issuer" \
+    -addext "basicConstraints=CA:FALSE" \
+    -addext "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment" \
+    -addext "subjectAltName = IP.2:${host_ip}"
+
 #+
 # Start the services which the Pbench Server depends upon and then start the
 # Pbench Server itself.