tls: fallback to self-signed certificate (#2760)

* tls: fallback to self-signed certificate

* remove unknown domain because certs are no longer valid

* update multi-deployment to use service-specific certificates
This commit is contained in:
Caleb Doxsey 2021-11-15 14:11:53 -07:00 committed by GitHub
parent 9b3d574d48
commit ca48052551
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 46 additions and 80 deletions


@ -532,7 +532,7 @@ func (b *Builder) buildGRPCListener(ctx context.Context, cfg *config.Config) (*e
return li, nil return li, nil
} }
chains, err := b.buildFilterChains(cfg.Options, cfg.Options.Addr, chains, err := b.buildFilterChains(cfg.Options, cfg.Options.GRPCAddr,
func(tlsDomain string, httpDomains []string) (*envoy_config_listener_v3.FilterChain, error) { func(tlsDomain string, httpDomains []string) (*envoy_config_listener_v3.FilterChain, error) {
filterChain := &envoy_config_listener_v3.FilterChain{ filterChain := &envoy_config_listener_v3.FilterChain{
Filters: []*envoy_config_listener_v3.Filter{filter}, Filters: []*envoy_config_listener_v3.Filter{filter},



@ -75,7 +75,6 @@ func TestHealth(t *testing.T) {
"https://authenticate.localhost.pomerium.io", "https://authenticate.localhost.pomerium.io",
"https://httpdetails.localhost.pomerium.io", "https://httpdetails.localhost.pomerium.io",
"https://restricted-httpdetails.localhost.pomerium.io", "https://restricted-httpdetails.localhost.pomerium.io",
"https://unknown.localhost.pomerium.io",
} }
endpoints := []string{"healthz", "ping"} endpoints := []string{"healthz", "ping"}


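@@ -102,7 +102,6 @@ local Environment(mode, idp, dns_suffix) =
 DATABROKER_SERVICE_URL: 'https://pomerium-databroker:5443',
 GRPC_ADDRESS: ':5443',
 GRPC_INSECURE: 'false',
-OVERRIDE_CERTIFICATE_NAME: '*.localhost.pomerium.io',
 } else if mode == 'traefik' then {
 FORWARD_AUTH_URL: 'https://forward-authenticate.localhost.pomerium.io',
 } else if mode == 'nginx' then {
@@ -141,6 +140,8 @@ function(mode, idp, dns_suffix='') {
 image: image,
 environment: environment {
 SERVICES: 'authorize',
+CERTIFICATE: std.base64(importstr '../files/pomerium-authorize.pem'),
+CERTIFICATE_KEY: std.base64(importstr '../files/pomerium-authorize-key.pem'),
 },
 ports: [
 '9904:9901/tcp',
@@ -161,6 +162,8 @@ function(mode, idp, dns_suffix='') {
 image: image,
 environment: environment {
 SERVICES: 'databroker',
+CERTIFICATE: std.base64(importstr '../files/pomerium-databroker.pem'),
+CERTIFICATE_KEY: std.base64(importstr '../files/pomerium-databroker-key.pem'),
 },
 ports: [
 '9902:9901/tcp',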
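Review bot: Removing OVERRIDE_CERTIFICATE_NAME in the first hunk means the gRPC clients now verify the authorize and databroker certificates against the host in the service URL (`pomerium-databroker`, per DATABROKER_SERVICE_URL above), so the PEMs wired in below must carry exactly that SAN or the inter-service handshake fails; their contents sit in suppressed diffs, so I could not confirm this here. The private keys `pomerium-authorize-key.pem` and `pomerium-databroker-key.pem` are now committed fixtures, and CERTIFICATE_KEY places them in the container environment where any process in the container can read them; that is acceptable for a disposable integration harness but should be stated so nobody reuses them, e.g. `// test-only certs/keys checked into ../files; never reuse outside this harness` above the first CERTIFICATE line. Only the authorize and databroker stanzas are visible in these hunks; whether the other services in this function received matching certificates is outside the view.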


@ -55,10 +55,9 @@ func GetCertificateForDomain(certificates []tls.Certificate, domain string) (*tl
} }
} }
// next use the first cert log.Error(context.Background()).
if len(certificates) > 0 { Str("domain", domain).
return &certificates[0], nil Msg("cryptutil: no TLS certificate found for domain, using self-signed certificate")
}
// finally fall back to a generated, self-signed certificate // finally fall back to a generated, self-signed certificate
return GenerateSelfSignedCertificate(domain) return GenerateSelfSignedCertificate(domain)
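Review bot: The fallback on the last line generates a fresh self-signed certificate every time a domain has no configured certificate, and the Error-level log above it fires on the same path; if GetCertificateForDomain is consulted per TLS handshake (the signature reads like an SNI lookup, but the caller is not in this hunk), an unauthenticated client can force one key generation plus one error line per connection just by sending an unknown SNI. Memoizing the generated certificate per domain, with a bound because the domain is attacker-controlled, turns that into a one-time cost and also gives a stable certificate across reconnects; the sketch below holds the mutex across key generation, which serialises only the fallback path, and needs `sync` imported. The doc comment should also say what the fallback means for peers, e.g. `// The generated certificate is not signed by any configured CA, so peers that verify against the configured CA will reject it by design; the fallback only keeps the listener serving.` The function's signature and the exact-match loop are above this hunk.
```go
// fallbackCerts memoizes generated self-signed certificates by domain so an
// unknown SNI costs one key generation and one log line, not one per
// handshake. Bounded because the domain is attacker-controlled on a listener.
var (
	fallbackMu    sync.Mutex
	fallbackCerts = map[string]*tls.Certificate{}
)

const maxFallbackCerts = 64

// … unchanged: GetCertificateForDomain signature and exact-match loop …

	fallbackMu.Lock()
	defer fallbackMu.Unlock()
	if cert, ok := fallbackCerts[domain]; ok {
		return cert, nil
	}
	log.Error(context.Background()).
		Str("domain", domain).
		Msg("cryptutil: no TLS certificate found for domain, using self-signed certificate")
	// finally fall back to a generated, self-signed certificate
	cert, err := GenerateSelfSignedCertificate(domain)
	if err != nil {
		return nil, err
	}
	if len(fallbackCerts) < maxFallbackCerts {
		fallbackCerts[domain] = cert
	}
	return cert, nil
```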


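@@ -49,7 +49,8 @@ func TestGetCertificateForDomain(t *testing.T) {
 if !assert.NoError(t, err) {
 return
 }
-assert.Equal(t, &certs[0], found)
+assert.NotNil(t, found)
+assert.NotEqual(t, &certs[0], found)
 })
 t.Run("generate", func(t *testing.T) {
 certs := []tls.Certificate{}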
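Review bot: The two new assertions only prove the result is non-nil and differs from the first configured certificate, so a regression that returns some other configured certificate, or a self-signed certificate for the wrong name, still passes. Pin what the fallback promises instead: `leaf, err := x509.ParseCertificate(found.Certificate[0])`, then `assert.Contains(t, leaf.DNSNames, domain)` and `assert.Equal(t, leaf.Subject.String(), leaf.Issuer.String())` for self-issuance. Whether GenerateSelfSignedCertificate places the domain in DNSNames is not visible here, so confirm that before asserting it. The subtest's opening call, including the domain it requests, is above this hunk.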