Merge pull request #444 from qlik-oss/fix_crds

Fix crds
retain old qliksense-init func
2020-09-30 10:07:41 -04:00 · 2020-09-30 09:07:01 -04:00 · 2020-09-30 09:03:56 -04:00 · 2020-06-25 16:50:51 -04:00 · 2020-06-25 09:17:12 +02:00 · 2020-06-24 10:28:22 -04:00
8 changed files with 202 additions and 4 deletions
--- a/.github/workflows/mkdocs.yml
+++ b/.github/workflows/mkdocs.yml
@@ -16,6 +16,6 @@ jobs:
        uses: actions/checkout@v1

      - name: Deploy docs
-        uses: mhausenblas/mkdocs-deploy-gh-pages@1.11
+        uses: mhausenblas/mkdocs-deploy-gh-pages@1.12
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/cmd/qliksense/preflight.go
+++ b/cmd/qliksense/preflight.go
@@ -472,3 +472,42 @@ func pfCleanupCmd(q *qliksense.Qliksense) *cobra.Command {
 	f.BoolVarP(&preflightOpts.Verbose, "verbose", "v", false, "verbose mode")
 	return pfCleanCmd
 }
+
+func pfVerifyCAChainCmd(q *qliksense.Qliksense) *cobra.Command {
+	out := ansi.NewColorableStdout()
+	preflightOpts := &preflight.PreflightOptions{
+		MongoOptions: &preflight.MongoOptions{},
+	}
+
+	var pfVerifyCAChainCmd = &cobra.Command{
+		Use:     "verify-ca-chain",
+		Short:   "verify-ca-chain using openssl verify",
+		Long:    `verify the CA chain using openssl verify to ensure that mongodb certificate is valid`,
+		Example: `qliksense preflight verify-ca-chain`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			qp := &preflight.QliksensePreflight{Q: q, P: preflightOpts, CG: &api.ClientGoUtils{Verbose: preflightOpts.Verbose}}
+
+			// Preflight service check
+			namespace, kubeConfigContents, err := qp.CG.LoadKubeConfigAndNamespace()
+			if err != nil {
+				fmt.Fprintf(out, "%s\n", Red("FAILED"))
+				fmt.Printf("Error: %v\n", err)
+				return nil
+			}
+
+			if namespace == "" {
+				namespace = "default"
+			}
+			if err = qp.VerifyCAChain(kubeConfigContents, namespace, preflightOpts, false); err != nil {
+				fmt.Fprintf(out, "%s\n", Red("FAILED"))
+				fmt.Printf("Error: %v\n", err)
+				return nil
+			}
+			fmt.Fprintf(out, "%s\n", Green("PASSED"))
+			return nil
+		},
+	}
+	f := pfVerifyCAChainCmd.Flags()
+	f.BoolVarP(&preflightOpts.Verbose, "verbose", "v", false, "verbose mode")
+	return pfVerifyCAChainCmd
+}
--- a/cmd/qliksense/root.go
+++ b/cmd/qliksense/root.go
@@ -209,6 +209,7 @@ func rootCmd(p *qliksense.Qliksense) *cobra.Command {
 	preflightCmd.AddCommand(pfCreateRoleBindingCheckCmd(p))
 	preflightCmd.AddCommand(pfCreateServiceAccountCheckCmd(p))
 	preflightCmd.AddCommand(pfCreateAuthCheckCmd(p))
+	preflightCmd.AddCommand(pfVerifyCAChainCmd(p))
 	preflightCmd.AddCommand(pfCleanupCmd(p))

 	cmd.AddCommand(preflightCmd)
--- a/docs/preflight_checks.md
+++ b/docs/preflight_checks.md
@@ -305,3 +305,21 @@ Removing mongo check components...
 Preflight cleanup complete

 ```
+
+### Verify-ca-chain check
+We use the command below to verify the ca certificate chain and server certificate. We run this check over mongodbUrl and discoveryUrl we inferred from idpconfigs in the CR.
+```shell
+$ qliksense preflight preflight verify-ca-chain -v
+
+Preflight verify-ca-chain check... 
+----------------------------------- 
+Openssl verify mongodbUrl:
+Mongodb url inferred form CR: <mongodbUrl_from_CR>
+Host: <host extracted from mongodbUrl>
+
+Openssl verify discoveryUrl:
+Discovery url: <discoveryUrl_from_CR>
+Host: <host extracted from discoveryUrl>
+Completed preflight verify-CA-chain check
+PASSED
+```
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -1,11 +1,13 @@
 site_name: Qlik Sense on Kubernetes CLI
 repo_url: 'https://github.com/qlik-oss/sense-installer'
 strict: true
+
 theme:
  name: "material"
  palette:
    primary: 'green'
    accent: 'indigo'
+
 markdown_extensions:
  - toc:
      permalink: true
@@ -15,6 +17,7 @@ markdown_extensions:
  - pymdownx.superfences
  - pymdownx.details
  - pymdownx.tabbed
+
 nav:
  - Overview: index.md
  - getting_started.md
--- a/pkg/preflight/all_checks.go
+++ b/pkg/preflight/all_checks.go
@@ -103,6 +103,16 @@ func (qp *QliksensePreflight) RunAllPreflightChecks(kubeConfigContents []byte, n
 	}
 	totalCount++

+	// Preflight verify ca chain check
+	if err := qp.VerifyCAChain(kubeConfigContents, namespace, preflightOpts, false); err != nil {
+		fmt.Fprintf(out, "%s\n", Red("FAILED"))
+		fmt.Printf("Error: %v\n\n", err)
+	} else {
+		fmt.Fprintf(out, "%s\n\n", Green("PASSED"))
+		checkCount++
+	}
+	totalCount++
+
 	if checkCount == totalCount {
 		// All preflight checks were successful
 		return nil
--- a/pkg/preflight/verify_ca.go
+++ b/pkg/preflight/verify_ca.go
@@ -0,0 +1,123 @@
+package preflight
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"fmt"
+	"net/url"
+	"strings"
+
+	qapi "github.com/qlik-oss/sense-installer/pkg/api"
+)
+
+func (qp *QliksensePreflight) VerifyCAChain(kubeConfigContents []byte, namespace string, preflightOpts *PreflightOptions, cleanup bool) error {
+
+	var currentCR *qapi.QliksenseCR
+	var err error
+	qConfig := qapi.NewQConfig(qp.Q.QliksenseHome)
+	qConfig.SetNamespace(namespace)
+
+	fmt.Print("Preflight verify-ca-chain check... ")
+	qp.CG.LogVerboseMessage("\n----------------------------------- \n")
+
+	currentCR, err = qConfig.GetCurrentCR()
+	if err != nil {
+		qp.CG.LogVerboseMessage("Unable to retrieve current CR: %v\n", err)
+		return err
+	}
+	decryptedCR, err := qConfig.GetDecryptedCr(currentCR)
+	if err != nil {
+		qp.CG.LogVerboseMessage("An error occurred while retrieving mongodbUrl from current CR: %v\n", err)
+		return err
+	}
+
+	// infer ca certs form CR
+	caCertificates := strings.TrimSpace(decryptedCR.Spec.GetFromSecrets("qliksense", "caCertificates"))
+
+	fmt.Println("Openssl verify mongodbUrl:")
+	// infer mongodb url from CR
+	mongodbUrl := strings.TrimSpace(decryptedCR.Spec.GetFromSecrets("qliksense", "mongodbUri"))
+	qp.CG.LogVerboseMessage("Mongodb url inferred form CR: %s\n", mongodbUrl)
+
+	// parse out server and port from mongodb url and execute openssl verify
+	if err := qp.extractCertAndVerify(mongodbUrl, caCertificates); err != nil {
+		return err
+	}
+
+	fmt.Printf("\nOpenssl verify discoveryUrl:\n")
+	// infer idpConfigs form CR
+	idpConfigs := strings.TrimSpace(decryptedCR.Spec.GetFromSecrets("identity-providers", "idpConfigs"))
+
+	data := []map[string]interface{}{}
+	if err := json.Unmarshal([]byte(idpConfigs), &data); err != nil {
+		panic(err)
+	}
+
+	var discoveryUrl string
+	for _, idpData := range data {
+		discoveryUrl = idpData["discoveryUrl"].(string)
+		qp.CG.LogVerboseMessage("Discovery url: %s\n", discoveryUrl)
+	}
+	if err := qp.extractCertAndVerify(discoveryUrl, caCertificates); err != nil {
+		return err
+	}
+
+	qp.CG.LogVerboseMessage("Completed preflight verify-ca-chain check\n")
+	return nil
+}
+
+func (qp *QliksensePreflight) extractCertAndVerify(server string, caCertificates string) error {
+	u, err := url.Parse(server)
+	if err != nil {
+		return fmt.Errorf("unable to parse url: %v", err)
+	}
+
+	switch strings.ToLower(u.Scheme) {
+	case "http":
+		return fmt.Errorf("http url is not supported for this operation")
+	case "https":
+		if u.Port() == "" {
+			u.Host += ":443"
+		}
+	}
+
+	qp.CG.LogVerboseMessage("Host: %s, port: %s\n", u.Host, u.Port())
+	conn, err := tls.Dial("tcp", u.Host, &tls.Config{})
+	qp.CG.LogVerboseMessage("Host: %s\n", u.Host)
+	if err != nil {
+		return fmt.Errorf("failed to connect: " + err.Error())
+	}
+	defer conn.Close()
+
+	// Get the ConnectionState struct as that's the one which gives us x509.Certificate struct
+	x509Certificates := conn.ConnectionState().PeerCertificates
+
+	var serverCert *x509.Certificate
+	if len(x509Certificates) == 0 {
+		return fmt.Errorf("no server certificates retrieved from the server")
+	}
+	// we retrieve and verify the server certificate, we ignore intermediate certificates at this point.
+	for _, x509Cert := range x509Certificates {
+		if !x509Cert.IsCA {
+			serverCert = x509Cert
+			break
+		}
+	}
+	if serverCert == nil {
+		return fmt.Errorf("no valid server certificates retrieved from the server")
+	}
+	roots := x509.NewCertPool()
+	if ok := roots.AppendCertsFromPEM([]byte(caCertificates)); !ok {
+		return fmt.Errorf("failed to parse root certificate.")
+	}
+
+	opts := x509.VerifyOptions{
+		Roots:   roots,
+		DNSName: u.Hostname(),
+	}
+	if _, err := serverCert.Verify(opts); err != nil {
+		return fmt.Errorf("failed to verify certificate: " + err.Error())
+	}
+	return nil
+}
--- a/pkg/qliksense/crds.go
+++ b/pkg/qliksense/crds.go
@@ -93,11 +93,15 @@ func getQliksenseInitCrds(qcr *qapi.QliksenseCR) (string, error) {
 		}
 	}

-	qInitMsPath := filepath.Join(repoPath, Q_INIT_CRD_PATH)
+	qInitMsPath := filepath.Join(repoPath, "manifests", qcr.Spec.Profile, "crds")
 	if _, err := os.Lstat(qInitMsPath); err != nil {
-		// older version of qliksense-init used
-		qInitMsPath = filepath.Join(repoPath, "manifests/base/manifests/qliksense-init")
+		qInitMsPath = filepath.Join(repoPath, Q_INIT_CRD_PATH)
+		if _, err := os.Lstat(qInitMsPath); err != nil {
+			// older version of qliksense-init used
+			qInitMsPath = filepath.Join(repoPath, "manifests/base/manifests/qliksense-init")
+		}
 	}
+
 	qInitByte, err := ExecuteKustomizeBuild(qInitMsPath)
 	if err != nil {
 		fmt.Println("cannot generate crds for qliksense-init", err)
Author	SHA1	Message	Date
Boris Kuschel	6ab9317638	Merge pull request #444 from qlik-oss/fix_crds Fix crds	2020-09-30 10:07:41 -04:00
Boris Kuschel	5899760c16	retain old qliksense-init func Signed-off-by: Boris Kuschel <boris.kuschel@qlik.com>	2020-09-30 09:07:01 -04:00
Boris Kuschel	a63c400106	Use crds in profile, if exists Signed-off-by: Boris Kuschel <boris.kuschel@qlik.com>	2020-09-30 09:03:56 -04:00
Ashwathi Shiva	568012edd8	Preflight openssl verify (#438 ) * verify only server cert, not intermediate certs at this point	2020-06-25 16:50:51 -04:00
Ilir Bekteshi	34f702b183	Bump mkdocs deploy workflow version (#437 ) * Bump mkdocs deploy workflow version * Dummy commit (to trigger wf)	2020-06-25 09:17:12 +02:00
Ashwathi Shiva	d8cdbb30bb	Preflight openssl verify (#436 ) * qliksense preflight verify-ca-chain, included into all preflight checks and doc updates	2020-06-24 10:28:22 -04:00
Andriy Bulynko	616e759089	Rotate keys overhaul (#432 )	2020-06-23 09:38:45 -04:00