Add ssl (#42)

* save: wip to add ssl, not working yet Signed-off-by: vsoch <[email protected]>
converged-computing · Jun 21, 2024 · ced652c · ced652c
1 parent d3a7688
commit ced652c
Show file tree

Hide file tree

Showing 24 changed files with 448 additions and 84 deletions.
diff --git a/Makefile b/Makefile
@@ -1,5 +1,6 @@
 HERE ?= $(shell pwd)
 LOCALBIN ?= $(shell pwd)/bin
+CERTBIN ?= $(LOCALBIN)/certs
 VERSION    :=$(shell cat .version)
 YAML_FILES :=$(shell find . ! -path "./vendor/*" -type f -regex ".*y*ml" -print)
 REGISTRY  ?= ghcr.io/converged-computing
@@ -11,39 +12,47 @@ all: help
 $(LOCALBIN):
 	mkdir -p $(LOCALBIN)
 
+.PHONY: $(CERTBIN)
+$(CERTBIN):
+	mkdir -p $(CERTBIN)
+
 .PHONY: protoc
 protoc: $(LOCALBIN)
 	GOBIN=$(LOCALBIN) go install google.golang.org/protobuf/cmd/[email protected]
 	GOBIN=$(LOCALBIN) go install google.golang.org/grpc/cmd/[email protected]
 
-.PHONY: build
+.PHONY: build ## Build client and server
 build: build-cli build-rainbow
 
 .PHONY: build-cli
-build-cli: $(LOCALBIN)
+build-cli: $(LOCALBIN) ## Build rainbow Go client
 	GO111MODULE="on" go build -o $(LOCALBIN)/rainbow cmd/rainbow/rainbow.go
 
 .PHONY: build-rainbow
-build-rainbow: $(LOCALBIN)
+build-rainbow: $(LOCALBIN) ## Build rainbow scheduler (server)
 	GO111MODULE="on" go build -o $(LOCALBIN)/rainbow-scheduler cmd/server/server.go
 
-.PHONY: docker
+.PHONY: docker ## Make all docker images
 docker: docker-flux docker-ubuntu
 
 .PHONY: docker-flux
-docker-flux:
+docker-flux: ## Make docker ubuntu + flux image
 	docker build --build-arg base=fluxrm/flux-sched:jammy -t $(REGISTRY)/rainbow-flux:latest .
 
 .PHONY: docker-ubuntu
-docker-ubuntu:
+docker-ubuntu: ## Make docker ubuntu images
 	docker build -t $(REGISTRY)/rainbow-scheduler:latest .
 
 .PHONY: docker-arm
 docker-arm:
 	docker buildx build --build-arg arch=arm64 --platform linux/arm64 --tag $(REGISTRY)/rainbow-scheduler:arm --load .
 
+.PHONY: certs
+certs: $(CERTBIN) ## Make self-signed certificates
+	$(HERE)/hack/generate-certs.sh $(CERTBIN)
+
 .PHONY: proto
-proto: protoc ## Generates the API code and documentation
+proto: protoc ## Make protobuf files
 	mkdir -p pkg/api/v1
 	PATH=$(LOCALBIN):${PATH} protoc --proto_path=api/v1 --go_out=pkg/api/v1 --go_opt=paths=source_relative --go-grpc_out=pkg/api/v1 --go-grpc_opt=paths=source_relative rainbow.proto
 	PATH=$(LOCALBIN):${PATH} protoc --proto_path=plugins/backends/memory/service --go_out=plugins/backends/memory/service --go_opt=paths=source_relative --go-grpc_out=plugins/backends/memory/service --go-grpc_opt=paths=source_relative memory.proto
@@ -83,6 +92,10 @@ test: tidy ## Runs unit tests
 server: ## Runs uncompiled version of the server
 	go run cmd/server/server.go --global-token rainbow
 
+.PHONY: server-tls
+server-tls: ## Runs uncompiled version of the server with self-signed certs
+	go run cmd/server/server.go --global-token rainbow -cert $(CERTBIN)/server-cert.pem -ca-cert $(CERTBIN)/ca-cert.pem --key $(CERTBIN)/server-key.pem
+
 .PHONY: server-verbose
 server-verbose: ## Runs uncompiled version of the server
 	go run cmd/server/server.go --loglevel 6 --global-token rainbow

diff --git a/cmd/rainbow/rainbow.go b/cmd/rainbow/rainbow.go
@@ -11,6 +11,8 @@ import (
 	"github.com/converged-computing/rainbow/cmd/rainbow/register"
 	"github.com/converged-computing/rainbow/cmd/rainbow/submit"
 	"github.com/converged-computing/rainbow/cmd/rainbow/update"
+	"github.com/converged-computing/rainbow/pkg/certs"
+	"github.com/converged-computing/rainbow/pkg/client"
 	"github.com/converged-computing/rainbow/pkg/types"
 
 	// Register database backends and selection algorithms
@@ -51,6 +53,11 @@ func main() {
 	configInitCmd := configCmd.NewCommand("init", "Create a new configuration file")
 	cfg := parser.String("", "config-path", &argparse.Options{Help: "Configuration file for cluster credentials"})
 
+	// Credentials for client tls
+	caCertFile := parser.String("", "ca-cert", &argparse.Options{Help: "Client CA cert file"})
+	certFile := parser.String("", "cert", &argparse.Options{Help: "Client cert file"})
+	keyFile := parser.String("", "key", &argparse.Options{Help: "Client key file"})
+
 	// Shared values
 	host := parser.String("", "host", &argparse.Options{Default: "localhost:50051", Help: "Scheduler server address (host:port)"})
 	clusterName := parser.String("", "cluster-name", &argparse.Options{Help: "Name of cluster to register"})
@@ -93,15 +100,30 @@ func main() {
 		return
 	}
 
+	// Generate certificate manager
+	cert, err := certs.NewClientCertificate(*caCertFile, *certFile, *keyFile)
+	if err != nil {
+		log.Fatalf("error creating certificate manager: %v", err)
+	}
+
+	// Config is the only command that doesn't require the client
 	if configCmd.Happened() && configInitCmd.Happened() {
 		err := config.RunInit(*cfg, *clusterName, *selectAlgo, *matchAlgo)
 		if err != nil {
 			log.Fatalf("Issue with config: %s\n", err)
 		}
+		return
+	}
+
+	// Create the client to be used across calls
+	client, err := client.NewClient(*host, cert)
+	if err != nil {
+		log.Fatalf("Issue creating client: %s\n", err)
+	}
 
-	} else if stateCmd.Happened() {
+	if stateCmd.Happened() {
 		err := update.UpdateState(
-			*host,
+			client,
 			*clusterName,
 			*stateFile,
 			*cfg,
@@ -114,7 +136,7 @@ func main() {
 
 		if subsysCmd.Happened() {
 			err := register.RegisterSubsystem(
-				*host,
+				client,
 				*clusterName,
 				*clusterNodes,
 				*subsystem,
@@ -125,7 +147,7 @@ func main() {
 			}
 		} else if registerClusterCmd.Happened() {
 			err := register.Run(
-				*host,
+				client,
 				*clusterName,
 				*clusterNodes,
 				*secret,
@@ -145,7 +167,7 @@ func main() {
 
 	} else if receiveCmd.Happened() {
 		err := receive.Run(
-			*host,
+			client,
 			*clusterName,
 			*clusterSecret,
 			*maxJobs,
@@ -156,7 +178,7 @@ func main() {
 		}
 	} else if submitCmd.Happened() {
 		err := submit.Run(
-			*host,
+			client,
 			*jobName,
 			*command,
 			*nodes,

diff --git a/cmd/rainbow/receive/receive.go b/cmd/rainbow/receive/receive.go
@@ -11,15 +11,12 @@ import (
 // Run will check a manifest list of artifacts against a host machine
 // For now, the host machine parameters will be provided as flags
 func Run(
-	host, cluster, secret string,
+	c client.Client,
+	cluster, secret string,
 	maxJobs int,
 	cfgFile string,
-) error {
 
-	c, err := client.NewClient(host)
-	if err != nil {
-		return nil
-	}
+) error {
 
 	// Note that 0 or below indicates "show all jobs"
 	if maxJobs >= 1 {

diff --git a/cmd/rainbow/register/register.go b/cmd/rainbow/register/register.go
@@ -12,7 +12,7 @@ import (
 
 // Run will register the cluster with rainbow
 func Run(
-	host,
+	c client.Client,
 	clusterName,
 	clusterNodes,
 	secret string,
@@ -22,13 +22,8 @@ func Run(
 	subsystem,
 	selectionAlgorithm string,
 	matchAlgorithm string,
-) error {
-
-	c, err := client.NewClient(host)
-	if err != nil {
-		return err
-	}
 
+) error {
 	if clusterName == "" {
 		return fmt.Errorf("s --cluster-name is required")
 	}

diff --git a/cmd/rainbow/register/subsystem.go b/cmd/rainbow/register/subsystem.go
@@ -11,17 +11,13 @@ import (
 
 // RegisterSubsystem registers a subsystem
 func RegisterSubsystem(
-	host,
+	c client.Client,
 	clusterName,
 	subsystemNodes,
 	subsystem,
 	cfgFile string,
-) error {
 
-	c, err := client.NewClient(host)
-	if err != nil {
-		return err
-	}
+) error {
 
 	// A config file is required here
 	if cfgFile == "" {

diff --git a/cmd/rainbow/submit/submit.go b/cmd/rainbow/submit/submit.go
@@ -14,18 +14,15 @@ import (
 // Run will check a manifest list of artifacts against a host machine
 // For now, the host machine parameters will be provided as flags
 func Run(
-	host, jobName, command string,
+	c client.Client,
+	jobName, command string,
 	nodes, tasks int,
 	token, jobspec, clusterName,
 	database, cfgFile string,
 	selectAlgo, matchAlgo string,
 ) error {
 
-	c, err := client.NewClient(host)
-	if err != nil {
-		return nil
-	}
-
+	var err error
 	jspec := &js.Jobspec{}
 	if jobspec == "" {
 		jspec, err = jscli.JobspecFromCommand(command, jobName, int32(nodes), int32(tasks))

diff --git a/cmd/rainbow/update/state.go b/cmd/rainbow/update/state.go
@@ -11,17 +11,12 @@ import (
 
 // UpdateState updates state for a cluster
 func UpdateState(
-	host,
+	c client.Client,
 	clusterName,
 	stateFile,
 	cfgFile string,
 ) error {
 
-	c, err := client.NewClient(host)
-	if err != nil {
-		return err
-	}
-
 	// A config file is required here
 	if cfgFile == "" {
 		return fmt.Errorf("an existing configuration file is required to update an existing cluster")

diff --git a/cmd/server/server.go b/cmd/server/server.go
@@ -5,6 +5,7 @@ import (
 	"flag"
 	"log"
 
+	"github.com/converged-computing/rainbow/pkg/certs"
 	"github.com/converged-computing/rainbow/pkg/config"
 	rlog "github.com/converged-computing/rainbow/pkg/logger"
 	"github.com/converged-computing/rainbow/pkg/server"
@@ -26,6 +27,9 @@ var (
 	loggingLevel = 3
 	name         = "rainbow"
 	sqliteFile   = "rainbow.db"
+	caCertFile   = ""
+	certFile     = ""
+	keyFile      = ""
 	configFile   = ""
 	matchAlgo    = "match"
 	selectAlgo   = "random"
@@ -44,9 +48,13 @@ func main() {
 	flag.StringVar(&database, "graph-database", database, "graph database backend (defaults to memory)")
 	flag.StringVar(&selectAlgo, "select-algorithm", selectAlgo, "selection algorithm for final cluster selection (defaults to random)")
 	flag.StringVar(&matchAlgo, "match-algorithm", matchAlgo, "match algorithm for graph (defaults to random)")
+	flag.StringVar(&caCertFile, "ca-cert", caCertFile, "Server certificate file for TLS (e.g., ca-cert.pem)")
+	flag.StringVar(&certFile, "cert", certFile, "Server certificate file for TLS (e.g., server-cert.pem)")
+	flag.StringVar(&keyFile, "key", keyFile, "Server key file for TLS (e.g., server-key.pem)")
 	flag.StringVar(&configFile, "config", configFile, "rainbow config file")
 	flag.IntVar(&loggingLevel, "loglevel", loggingLevel, "rainbow logging level (0 to 5)")
 	flag.BoolVar(&cleanup, "cleanup", cleanup, "cleanup previous sqlite database (default: false)")
+
 	flag.Parse()
 
 	// If the logging level isn't the default, set it
@@ -55,14 +63,35 @@ func main() {
 	}
 
 	// Load (or generate a default)  config file here, if provided
-	cfg, err := config.NewRainbowClientConfig(configFile, name, secret, database, selectAlgo, matchAlgo)
+	cfg, err := config.NewRainbowClientConfig(
+		configFile,
+		name,
+		secret,
+		database,
+		selectAlgo,
+		matchAlgo,
+	)
 	if err != nil {
 		log.Fatalf("error while creating server: %v", err)
 	}
 
+	// Generate certificate manager
+	cert, err := certs.NewServerCertificate(caCertFile, certFile, keyFile)
+	if err != nil {
+		log.Fatalf("error creating certificate manager: %v", err)
+	}
+
 	// create server
 	log.Print("creating 🌈️ server...")
-	s, err := server.NewServer(cfg, types.Version, sqliteFile, cleanup, globalToken, host)
+	s, err := server.NewServer(
+		cfg,
+		types.Version,
+		sqliteFile,
+		cleanup,
+		globalToken,
+		host,
+		cert,
+	)
 	if err != nil {
 		log.Fatalf("error while creating server: %v", err)
 	}