Use kube-lego for TLS certs for clarin(-dev).eurac.edu

So far, we have used TLS certs from eurac's IT. Now, we (re-)use k8s infrastructure (in particular the kube-lego add-on) and let kube-lego - request/renew TLS certificates - manage the certificate within a k8s secret We then make this k8s secret available to our nginx and configure nginx to use it. We also got rid of internal TLS communication between ingress and the apps avoiding the necessity to (re-)create valid/self-signed certs. The overhead seemed unnecessary. Note: using HTTP(!) over port 443 for internal communication (Shibboleth mishap) Fix #62

Use kube-lego for TLS certs for clarin(-dev).eurac.edu
d6a64be5 · egon w. stemle · a0b878c6 · d6a64be5 · d6a64be5 · d6a64be5
Commit d6a64be5 authored 5 years ago by egon w. stemle
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,9 +9,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ### Added
 ### Changed
+
+- use kube-lego for TLS certs for clarin(-dev).eurac.edu
+- disable k8s-internal secure TLS communication: getting rid of the necessity
+  to (re-)create valid/self-signed certs
+  Note: using HTTP over port 443 for internal communication (Shibboleth mishap)
+
 ### Removed
 ### Fixed

+- #62
+
 ## [1.3.3] - 2019-07-23

 ### Changed

--- a/clarin-dev2clarin.sh
+++ b/clarin-dev2clarin.sh
@@ -3,7 +3,7 @@
 # outside the docker
 perl -pi -e 's/clarin-dev/clarin/g' dockerfiles/commul-customization/shibboleth2.xml
 perl -pi -e 's/clarin-dev/clarin/g' dockerfiles/commul-customization/local.properties
-perl -pi -e 's/clarin-dev/clarin/g' dockerfiles/commul-customization/default-ssl
+perl -pi -e 's/clarin-dev/clarin/g' dockerfiles/commul-customization/nginx.default.conf

 perl -pi -e 's/clarin-dev/clarin/g' dockerfiles/commul-customization/aai.js
 perl -pi -e 's/clarin-dev/clarin/g' dockerfiles/commul-customization/aai_config.js

--- a/dockerfiles/Dockerfile.nginx
+++ b/dockerfiles/Dockerfile.nginx
@@ -101,7 +101,7 @@ COPY commul-customization/php-fpm.conf /etc/php/7.0/fpm/
 COPY commul-customization/php.ini /etc/php/7.0/fpm/

 # copy over config files
-COPY commul-customization/default-ssl /opt/nginx/conf/
+COPY commul-customization/nginx.default.conf /opt/nginx/conf/
 COPY commul-customization/nginx.conf /opt/nginx/conf/
 COPY commul-customization/repository_auth /opt/nginx/conf/
 COPY commul-customization/shibboleth2.xml /opt/shibboleth-sp-fastcgi/etc/shibboleth/

--- a/dockerfiles/commul-customization/nginx.conf
+++ b/dockerfiles/commul-customization/nginx.conf
@@ -65,5 +65,5 @@ http {
        text/xml
        text/x-component;

-    include	 default-ssl;
+    include	 nginx.default.conf;
 }
--- a/dockerfiles/commul-customization/default-ssl
+++ b/dockerfiles/commul-customization/default-ssl
@@ -4,9 +4,11 @@ upstream tomcats {
 }

 server {
-  listen 80;
-  listen [::]:80;
-  server_name clarin-dev.eurac.edu;
+  listen 443;
+  listen [::]:443;
+  server_name clarin-dev.eurac.edu localhost;
+
+  root  /opt/nginx/html;

  location /repository/oai {

@@ -22,29 +24,6 @@ server {

  }

-  location / {
-    return 301 https://$server_name$request_uri;
-  }
-}
-
-server {
-  listen 443;
-  server_name clarin-dev.eurac.edu localhost;
-
-  root  /opt/nginx/html;
-  index index.html index.htm;
-
-  ssl on;
-  ssl_certificate /etc/ssl/clarin/clarin-dev_eurac_edu.crt;
-  ssl_certificate_key /etc/ssl/clarin/clarin-dev.key;
-
-  ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers RC4:HIGH:!aNULL:!MD5;
-  ssl_prefer_server_ciphers on;
-  keepalive_timeout    70;
-  ssl_session_cache    shared:SSL:10m;
-  ssl_session_timeout  10m;
-
  add_header 'Access-Control-Allow-Origin' "*";
  add_header 'Access-Control-Allow-Credentials' 'true';

@@ -81,10 +60,6 @@ server {

  location / {
    index index.html index.htm;
-
-    if ($HTTP_X_SCHEME = "http") {
-        rewrite ^ https://$http_host$request_uri permanent;
-    }
  }

  location /php/aa-statistics.php {

--- a/dockerfiles/commul-customization/repository_auth
+++ b/dockerfiles/commul-customization/repository_auth
@@ -19,9 +19,11 @@ more_clear_input_headers
 more_clear_input_headers 'affiliation' 'assurance' 'cn' 'eduPersonOrgUnitDN' 'eduPersonStudyiProgramme' 'eduPersonStudySubject' 'entitlement' 'eppn' 'givenName' 'mail' 'o' 'ou' 'persistent-id' 'sn' 'telephoneNumber' 'unscoped-affiliation';

 # Require https and will redirect
-if ($https != "on") {
-  return 301 https://$http_host$request_uri;
-}
+#if ($https != "on") {
+#  return 301 https://$http_host$request_uri;
+#}
+# FIXME: reverse proxy-ing -> check connection params to revproxy and enforce
+# http->https i if *there* is no https.

 shib_request /shibauthorizer;
 shib_request_use_headers on;
--- a/dockerfiles/commul-customization/shibboleth2.xml
+++ b/dockerfiles/commul-customization/shibboleth2.xml
@@ -24,10 +24,10 @@
    <RequestMapper type="XML">
    <RequestMap>
        <Host name="clarin-dev.eurac.edu"
-                authType="shibboleth"
-                requireSession="true"
-		exportAssertion="true"
-                redirectToSSL="443">
+            authType="shibboleth"
+            requireSession="true"
+            exportAssertion="true"
+            redirectToSSL="443">
            <Path name="/secure" />
        </Host>

@@ -36,9 +36,9 @@

    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="https://clarin-dev.eurac.edu/Shibboleth.sso/Metadata"
-                         REMOTE_USER="eppn persistent-id targeted-id"
-			 sessionHook="/php/aa-statistics.php"
-                         cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">
+        REMOTE_USER="eppn persistent-id targeted-id"
+        sessionHook="/php/aa-statistics.php"
+        cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">

        <!--
        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
@@ -50,13 +50,13 @@
        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
        -->
        <Sessions lifetime="28800"
-		  timeout="3600"
-		  relayState="ss:mem"
-                  checkAddress="false"
-                  handlerSSL="true"
-		  cookieProps="https"
-		  exportLocation="/GetAssertion"
-                  exportACL="127.0.0.1">
+            timeout="3600"
+            relayState="ss:mem"
+            checkAddress="false"
+            handlerSSL="false"
+            cookieProps="https"
+            exportLocation="/GetAssertion"
+            exportACL="127.0.0.1">

            <!--
            Configures SSO for a default IdP. To allow for >1 IdP, remove
@@ -65,8 +65,8 @@
            You can also override entityID on /Login query string, or in RequestMap/htaccess.
            -->
            <SSO
-		discoveryProtocol="SAMLDS" discoveryURL="https://discovery.clarin.eu/discojuice">
-              SAML2 SAML1
+                discoveryProtocol="SAMLDS" discoveryURL="https://discovery.clarin.eu/discojuice">
+                SAML2 SAML1
            </SSO>

 <!--            <SSO entityID="https://idp.eurac.edu/idp/shibboleth">

--- a/kubernetes/dspace-deployment.yaml
+++ b/kubernetes/dspace-deployment.yaml
@@ -56,7 +56,7 @@ spec:
            secretKeyRef:
              key: mail.pass
              name: dspace-secrets
-        image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/staging/dspace:1.3.3-RC1
+        image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/staging/dspace:1.3.4-RC4
        name: clarin-dspace
        imagePullPolicy: Always
        ports:

--- a/kubernetes/dspace-ingress.yaml
+++ b/kubernetes/dspace-ingress.yaml
@@ -17,7 +17,7 @@ metadata:
      if ($rewrite_https = 1) {
        return 301 https://$server_name$request_uri;
      }
-    ingress.kubernetes.io/secure-backends: "true"
+    kubernetes.io/tls-acme: "true"
  name: dspace-ingress
  namespace: dspace-dev
 spec:
@@ -26,10 +26,19 @@ spec:
    http:
      paths:
      - backend:
+        # we are deliberately misusing port:443 *without* SSL, i.e. *NO*
+        # ingress.kubernetes.io/secure-backends: "true"
+        # This will result in https:// redirectes generated from shibboleth
+        # later on (without the need to change http:// to https://)
+        # see https://github.com/nginx-shib/nginx-http-shibboleth/issues/22
+        #
+        # For a general overview for SP reverse proxy-ing
+        # see https://wiki.shibboleth.net/confluence/display/SHIB2/SPReverseProxy
+        #
          serviceName: nginx
          servicePort: 443
        path: /
  tls:
  - hosts:
    - clarin-dev.eurac.edu
-    secretName: host-tls-cert
+    secretName: clarin-dev-eurac-edu-tls
--- a/kubernetes/nginx-deployment.yaml
+++ b/kubernetes/nginx-deployment.yaml
@@ -20,18 +20,18 @@ spec:
        io.kompose.service: nginx
    spec:
      containers:
-      - image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/staging/nginx:1.3.3-RC1
+      - image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/staging/nginx:1.3.4-RC4
        imagePullPolicy: Always
        name: clarin-nginx
        ports:
-        - containerPort: 80
        - containerPort: 443
        resources: {}
        volumeMounts:
        - mountPath: /opt/shibboleth-sp-fastcgi/etc/shibboleth/certs
          name: nginx-shib-certs
-        - mountPath: /etc/ssl/clarin
+        - mountPath: /etc/ssl/nginx
          name: nginx-ssl-certs
+          readOnly: true
        livenessProbe:
          httpGet:
            host: clarin-dev.eurac.edu
@@ -44,18 +44,9 @@ spec:
      imagePullSecrets:
        - name: gitlab-scientificnet-org-registry
      volumes:
-        - cephfs:
-            monitors:
-            - 10.8.55.201:6789
-            - 10.8.55.202:6789
-            - 10.8.55.203:6789
-            - 10.7.55.201:6789
-            - 10.7.55.202:6789
-            path: /eurac/commul/projects/clarin/kubernetes/dspace-dev/ssl-certs
-            secretRef:
-              name: client.fs.commul.admin
-            user: fs.commul.admin
-          name: nginx-ssl-certs
+        - name: nginx-ssl-certs
+          secret:
+            secretName: clarin-dev-eurac-edu-tls
        - cephfs:
            monitors:
            - 10.8.55.201:6789

--- a/kubernetes/nginx-service.yaml
+++ b/kubernetes/nginx-service.yaml
@@ -11,9 +11,6 @@ metadata:
  namespace: dspace-dev
 spec:
  ports:
-  - name: "80"
-    port: 80
-    targetPort: 80
  - name: "443"
    port: 443
    targetPort: 443

--- a/kubernetes/postgres-deployment.yaml
+++ b/kubernetes/postgres-deployment.yaml
@@ -48,7 +48,7 @@ spec:
            secretKeyRef:
              key: dspace.utils.name
              name: dspace-secrets
-        image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/staging/postgres:1.3.3-RC1
+        image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/staging/postgres:1.3.4-RC4
        imagePullPolicy: Always
        name: clarin-postgres
        resources: {}