Merge pull request #156 from dod-ccpo/add-cac-certs

Add cac certs

.travis.yml

@@ -1,14 +1,17 @@
 sudo: required
-language: python
+language: minimal
-python: "3.6"
 services:
   - docker
 git:
     submodules: false
 env:
   global:
-    - TESTER_IMAGE_NAME=atst-tester
     - PROD_IMAGE_NAME=atst-prod
+    - TESTER_IMAGE1_NAME=atst-tester-nocrls
+    - TESTER_IMAGE2_NAME=atst-tester
+cache:
+  directories:
+    - crl
 
 before_install:
   # Use sed to replace the SSH URL with the public URL
@@ -17,16 +20,22 @@ before_install:
   - git submodule update --init --recursive
 
 before_script:
+  - rm -rf ./crl/*
   - docker run -d --name postgres96 postgres:9.6-alpine
   - docker run -d --name redis redis:4.0.10-alpine
   - docker run --link postgres96:postgres96 --link redis:redis waisbrot/wait
   - export postgres_ip="$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" postgres96)"
   - export redis_ip="$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" redis)"
   - docker login -u $ATAT_DOCKER_REGISTRY_USERNAME -p $ATAT_DOCKER_REGISTRY_PASSWORD $ATAT_DOCKER_REGISTRY_URL
-  - docker build --tag "${TESTER_IMAGE_NAME}" --add-host "postgreshost:${postgres_ip}" --add-host "redishost:${redis_ip}" . -f deploy/docker/tester/Dockerfile
+  - docker build --tag "${TESTER_IMAGE1_NAME}" --add-host "postgreshost:${postgres_ip}" --add-host "redishost:${redis_ip}" . -f deploy/docker/tester/Dockerfile
 
 script:
-  - docker run --add-host "postgreshost:${postgres_ip}" --add-host "redishost:${redis_ip}" "${TESTER_IMAGE_NAME}"
+  - docker run -d --entrypoint='/bin/sh' -t --name current-atst-tester "${TESTER_IMAGE1_NAME}"
+  - docker container exec -t current-atst-tester script/sync-crls
+  - docker commit current-atst-tester "${TESTER_IMAGE2_NAME}"
+  - docker cp current-atst-tester:/opt/atat/atst/crl/. ./crl/
+  - docker container stop current-atst-tester
+  - docker run --add-host "postgreshost:${postgres_ip}" --add-host "redishost:${redis_ip}" "${TESTER_IMAGE2_NAME}"
 
 before_deploy:
   - docker build --tag "${PROD_IMAGE_NAME}" . -f deploy/docker/prod/Dockerfile

deploy/kubernetes/atst-debugger.yml

@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: atst-debugger
+  namespace: atat
+spec:
+  securityContext:
+    fsGroup: 101
+  containers:
+    - name: atst-debugger
+      image: registry.atat.codes:443/atst-prod:a1916b1
+      args: ["/bin/bash", "-c", "while true; do date; sleep 45; done"]
+      envFrom:
+      - configMapRef:
+          name: atst-envvars
+      volumeMounts:
+        - name: atst-config
+          mountPath: "/opt/atat/atst/atst-overrides.ini"
+          subPath: atst-overrides.ini
+        - name: uwsgi-config
+          mountPath: "/opt/atat/atst/uwsgi-config.ini"
+          subPath: uwsgi-config.ini
+        - name: uwsgi-socket-dir
+          mountPath: "/var/run/uwsgi"
+  volumes:
+    - name: atst-config
+      secret:
+        secretName: atst-config-ini
+        items:
+        - key: atst-overrides.ini
+          path: atst-overrides.ini
+          mode: 0644
+    - name: uwsgi-config
+      configMap:
+        name: atst-config
+        items:
+        - key: uwsgi-config
+          path: uwsgi-config.ini
+          mode: 0644
+    - name: uwsgi-socket-dir
+      emptyDir:
+        medium: Memory
+  restartPolicy: Never

deploy/kubernetes/atst-nginx-configmap.yml

@@ -55,9 +55,9 @@ data:
         ssl_stapling_verify on;
         resolver 8.8.8.8 8.8.4.4;
         # Request and validate client certificate
-        #ssl_verify_client on;
+        ssl_verify_client on;
-        #ssl_verify_depth 10;
+        ssl_verify_depth 10;
-        #ssl_client_certificate /etc/nginx/ssl/ca/client-ca.pem;
+        ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
         # Guard against HTTPS -> HTTP downgrade
         add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
         location / {

deploy/kubernetes/atst.yml

@@ -24,7 +24,10 @@ spec:
         fsGroup: 101
       containers:
         - name: atst
-          image: registry.atat.codes:443/atst-prod:e9b6f76
+          image: registry.atat.codes:443/atst-prod:a1916b1
+          resources:
+            requests:
+               memory: "2500Mi"
           envFrom:
           - configMapRef:
               name: atst-envvars
@@ -32,6 +35,9 @@ spec:
             - name: atst-config
               mountPath: "/opt/atat/atst/atst-overrides.ini"
               subPath: atst-overrides.ini
+            - name: nginx-client-ca-bundle
+              mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem"
+              subPath: client-ca-bundle.pem
             - name: uwsgi-config
               mountPath: "/opt/atat/atst/uwsgi-config.ini"
               subPath: uwsgi-config.ini
@@ -47,6 +53,9 @@ spec:
           volumeMounts:
             - name: nginx-auth-tls
               mountPath: "/etc/ssl/private"
+            - name: nginx-client-ca-bundle
+              mountPath: "/etc/ssl/client-ca-bundle.pem"
+              subPath: client-ca-bundle.pem
             - name: nginx-config
               mountPath: "/etc/nginx/conf.d/atst.conf"
               subPath: atst.conf
@@ -78,6 +87,13 @@ spec:
             - key: tls.key
               path: auth.atat.key
               mode: 0640
+        - name: nginx-client-ca-bundle
+          secret:
+            secretName: nginx-client-ca-bundle
+            items:
+            - key: client-ca-bundle.pem
+              path: client-ca-bundle.pem
+              mode: 0666
         - name: nginx-config
           configMap:
             name: atst-nginx

deploy/kubernetes/set_clientca_secret.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+kubectl -n atat delete secret atst-config-ini
+kubectl -n atat create secret generic nginx-client-ca-bundle --from-file="${1}"

script/alpine_setup

@@ -10,7 +10,7 @@ APP_USER="atst"
 APP_UID="8010"
 
 # Add additional packages required by app dependencies
-ADDITIONAL_PACKAGES="postgresql-libs python3 uwsgi uwsgi-python3"
+ADDITIONAL_PACKAGES="postgresql-libs python3 rsync uwsgi uwsgi-python3"
 
 # Run the shared alpine setup script
 source ./script/include/run_alpine_setup