New features to demo ota-community-edition

ota-ce.yaml

@@ -1,44 +1,94 @@
 # version: '3.8'
 
-# TODO: Some proxy for reposerver.ota.ce and such so don't have to use proxies
+# TODO: Some proxy for reposerver.uptanedemo.org and such so don't have to use proxies
 
 # TODO: Kafka
 
 services:
   reverse-proxy:
     # The official v2 Traefik docker image
-    image: traefik:v2.3
+    image: traefik:v2.8
     # Enables the web UI and tells Traefik to listen to docker
-    command: --api.insecure=true --providers.docker --providers.docker.exposedbydefault=false
+    command:
+      #- "--log.level=DEBUG"
+      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
+      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
+      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
+      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+      #- "--certificatesresolvers.myresolver.acme.email=postmaster@example.com"
+      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
     ports:
       # The HTTP port
       - "80:80"
+      - "443:443"
       # The Web UI (enabled by --api.insecure=true)
       - "8080:8080"
     volumes:
+      - "./letsencrypt:/letsencrypt"
       # So that Traefik can listen to the Docker events
-      - /var/run/docker.sock:/var/run/docker.sock
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+
+  landing-page:
+    # to host the landing page for uptanedemo.org
+    image: nginx
+    restart: always
+    command: ["nginx-debug", "-g", "daemon off;"]
+    expose:
+      - '80'
+      - '443'
+      - '7443'
+    ports:
+      - '80'
+      - '7443'
+      - '20443:7443'
+    depends_on:
+      - reverse-proxy
+      - ota-lith
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.landing-page.rule=Host(`uptanedemo.org`)"
+      - "traefik.http.routers.landing-page.entrypoints=websecure"
+      - "traefik.http.routers.landing-page.tls.certresolver=myresolver"
+    volumes:
+      - ./ota-ce/landing-page.conf:/etc/nginx/conf.d/landing-page.conf:ro
+      - ./ota-ce-gen/server.chain.pem:/etc/ssl/gateway/server.chain.pem:ro
+      - ./ota-ce-gen/server.key:/etc/ssl/gateway/server.key:ro
+      - ./ota-ce-gen/devices/ca.crt:/etc/ssl/gateway/ca.crt:ro
 
   gateway:
     image: nginx:1.13.7
     restart: always
-    command: ["nginx-debug", "-g", "daemon off;"]      
+    command: ["nginx-debug", "-g", "daemon off;"]
     expose:
       - '80'
       - '443'
       - '8443'
     ports:
-#      - '80'
+      - '80'
       - '8443'
       - '30443:8443'
     depends_on:
       - ota-lith
       - reverse-proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.gateway.rule=Host(`dgw.uptanedemo.org`)"
+      - "traefik.http.routers.gateway.entrypoints=websecure"
+      - "traefik.http.routers.gateway.tls.certresolver=myresolver"
     volumes:
       - ./ota-ce/gateway.conf:/etc/nginx/conf.d/gateway.conf:ro
       - ./ota-ce-gen/server.chain.pem:/etc/ssl/gateway/server.chain.pem:ro
       - ./ota-ce-gen/server.key:/etc/ssl/gateway/server.key:ro
       - ./ota-ce-gen/devices/ca.crt:/etc/ssl/gateway/ca.crt:ro
+      - ./ota-ce-gen/devices/ca.crt:/usr/share/nginx/html/ca.crt
+      - ./ota-ce-gen/devices/ca.key:/usr/share/nginx/html/ca.key
+      - ./ota-ce-gen/server_ca.pem:/usr/share/nginx/html/server_ca.pem
+      - ./scripts/certs/client.ext:/usr/share/nginx/html/client.ext
+      - ./scripts/certs/client.cnf:/usr/share/nginx/html/client.cnf
 
   db:
     image: mariadb:10.4
@@ -70,27 +120,39 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.routers.reposerver.service=reposerver
-      - traefik.http.routers.reposerver.rule=Host(`reposerver.ota.ce`)
+      - traefik.http.routers.reposerver.rule=Host(`reposerver.uptanedemo.org`)
+      - traefik.http.routers.reposerver.entrypoints=websecure
+      - traefik.http.routers.reposerver.tls.certresolver=myresolver
       - traefik.http.services.reposerver.loadbalancer.server.port=7100
       - traefik.http.routers.keyserver.service=keyserver
-      - traefik.http.routers.keyserver.rule=Host(`keyserver.ota.ce`)
+      - traefik.http.routers.keyserver.rule=Host(`keyserver.uptanedemo.org`)
+      - traefik.http.routers.keyserver.entrypoints=websecure
+      - traefik.http.routers.keyserver.tls.certresolver=myresolver
       - traefik.http.services.keyserver.loadbalancer.server.port=7200
       - traefik.http.routers.director.service=director
-      - traefik.http.routers.director.rule=Host(`director.ota.ce`)
+      - traefik.http.routers.director.rule=Host(`director.uptanedemo.org`)
+      - traefik.http.routers.director.entrypoints=websecure
+      - traefik.http.routers.director.tls.certresolver=myresolver
       - traefik.http.services.director.loadbalancer.server.port=7300
       - traefik.http.routers.treehub.service=treehub
-      - traefik.http.routers.treehub.rule=Host(`treehub.ota.ce`)
+      - traefik.http.routers.treehub.rule=Host(`treehub.uptanedemo.org`)
+      - traefik.http.routers.treehub.entrypoints=websecure
+      - traefik.http.routers.treehub.tls.certresolver=myresolver
       - traefik.http.services.treehub.loadbalancer.server.port=7400
       - traefik.http.routers.deviceregistry.service=deviceregistry
-      - traefik.http.routers.deviceregistry.rule=Host(`deviceregistry.ota.ce`)
+      - traefik.http.routers.deviceregistry.rule=Host(`deviceregistry.uptanedemo.org`)
+      - traefik.http.routers.deviceregistry.entrypoints=websecure
+      - traefik.http.routers.deviceregistry.tls.certresolver=myresolver
       - traefik.http.services.deviceregistry.loadbalancer.server.port=7500
       - traefik.http.routers.campaigner.service=campaigner
-      - traefik.http.routers.campaigner.rule=Host(`campaigner.ota.ce`)
+      - traefik.http.routers.campaigner.rule=Host(`campaigner.uptanedemo.org`)
+      - traefik.http.routers.campaigner.entrypoints=websecure
+      - traefik.http.routers.campaigner.tls.certresolver=myresolver
       - traefik.http.services.campaigner.loadbalancer.server.port=7600
     volumes:
       - ./ota-lith-ce.conf:/tmp/ota-lith.conf
       - objects:/var/lib/ota-lith
-     
+
   ota-lith-daemons:
     image: uptane/ota-lith:latest
     restart: always

ota-ce/gateway.conf

@@ -1,7 +1,7 @@
 server {
     error_log  /var/log/nginx/error.log info;
     listen       8443 ssl;
-    server_name ota.ce;
+    server_name dgw.uptanedemo.org;
     ssl_certificate     /etc/ssl/gateway/server.chain.pem;
     ssl_certificate_key /etc/ssl/gateway/server.key;
     ssl_verify_client on;
@@ -17,7 +17,7 @@ server {
     set $deviceNamespace "default";
 
 
-    # TODO: use proxying through traefik/nginx instea of port numbers 
+    # TODO: use proxying through traefik/nginx instea of port numbers
 
     location /treehub/ {
         rewrite ^/treehub/(.*)$ /api/v2/$1 break;
@@ -36,7 +36,7 @@ server {
     location /director/ {
         rewrite ^/director/(.*)$ /api/v1/device/${deviceUuid}/$1 break;
         proxy_set_header x-ats-namespace $deviceNamespace;
-        proxy_set_header Host director.ota.ce;
+        proxy_set_header Host director.uptanedemo.org;
         proxy_pass http://reverse-proxy;
     }
 

ota-ce/landing-page.conf

@@ -0,0 +1,19 @@
+server {
+    error_log  /var/log/nginx/error.log info;
+    listen       7443 ssl;
+    server_name uptanedemo.org;
+    ssl_certificate     /etc/ssl/gateway/server.chain.pem;
+    ssl_certificate_key /etc/ssl/gateway/server.key;
+    ssl_verify_client on;
+    ssl_verify_depth 10;
+    ssl_client_certificate /etc/ssl/gateway/ca.crt;
+
+    if ($ssl_client_s_dn ~ "CN=(.*)$") {
+        set $deviceUuid $1;
+    }
+    if ($ssl_client_s_dn !~ "CN=(.*)$") {
+        set $deviceUuid $ssl_client_s_dn;
+    }
+    set $deviceNamespace "default";
+
+}

scripts/gen-device.sh

@@ -18,7 +18,7 @@ openssl pkcs8 -topk8 -nocrypt -in "${device_dir}/pkey.ec.pem" -out "${device_dir
 openssl req -new -key "${device_dir}/pkey.pem" \
           -config <(sed "s/\$ENV::DEVICE_UUID/${DEVICE_UUID}/g" "${CWD}/certs/client.cnf") \
           -out "${device_dir}/${device_id}.csr"
-  
+
 openssl x509 -req -days 365 -extfile "${CWD}/certs/client.ext" -in "${device_dir}/${device_id}.csr" \
         -CAkey "${DEVICES_DIR}/ca.key" -CA "${DEVICES_DIR}/ca.crt" -CAcreateserial -out "${device_dir}/client.pem"
 
@@ -60,6 +60,6 @@ tls_clientcert_path = "client.pem"
 tls_pkey_path = "pkey.pem"
 EOF
 
-curl -X PUT -d "${body}" http://deviceregistry.ota.ce/api/v1/devices -s -S -v -H "Content-Type: application/json" -H "Accept: application/json, */*"
+curl -X PUT -d "${body}" https://deviceregistry.uptanedemo.org/api/v1/devices -s -S -v -H "Content-Type: application/json" -H "Accept: application/json, */*"
 
-echo "https://ota.ce:30443" > ${device_dir}/gateway.url
+echo "https://uptanedemo.org:30443" > ${device_dir}/gateway.url

scripts/gen-server-certs.sh

@@ -5,7 +5,7 @@ set -euo pipefail
 SERVER_DIR=ota-ce-gen
 DEVICES_DIR=ota-ce-gen/devices
 CWD=$(dirname $0)
-SERVER_NAME=ota.ce
+SERVER_NAME=dgw.uptanedemo.org
 
 if [ -d "$SERVER_DIR" ] || [ -d "$DEVICES_DIR" ] ; then
     echo "${SERVER_DIR} or ${DEVICES_DIR} exists, aborting"
@@ -37,4 +37,3 @@ openssl ecparam -genkey -name prime256v1 | openssl ec -out "${DEVICES_DIR}/ca.ke
 
 openssl req -new -x509 -days 3650 -key "${DEVICES_DIR}/ca.key" -config "${CWD}/certs/device_ca.cnf" \
     -out "${DEVICES_DIR}/ca.crt"
-

scripts/get-credentials.sh

@@ -5,13 +5,13 @@ set -euox pipefail
 SERVER_DIR=ota-ce-gen
 
 namespace="x-ats-namespace:default"
-keyserver="keyserver.ota.ce"
-reposerver="reposerver.ota.ce"
-director="director.ota.ce"
+keyserver="https://keyserver.uptanedemo.org"
+reposerver="https://reposerver.uptanedemo.org"
+director="https://director.uptanedemo.org"
 
-curl --silent --fail ${director}/health || echo "$director not running"
-curl --silent --fail ${keyserver}/health || echo "$keyserver not running"
-curl --silent --fail ${reposerver}/health || echo "$reposerver not running"
+curl --silent --fail ${director}/health/version || echo "$director not running"
+curl --silent --fail ${keyserver}/health/version || echo "$keyserver not running"
+curl --silent --fail ${reposerver}/health/version || echo "$reposerver not running"
 
 curl -X POST "${reposerver}/api/v1/user_repo" -H "${namespace}"
 
@@ -29,14 +29,14 @@ keys=$(curl -s -f "${keyserver}/api/v1/root/${id}/keys/targets/pairs")
 echo ${keys} | jq '.[0] | {keytype, keyval: {public: .keyval.public}}'   > "${SERVER_DIR}/targets.pub"
 echo ${keys} | jq '.[0] | {keytype, keyval: {private: .keyval.private}}' > "${SERVER_DIR}/targets.sec"
 
-echo "http://reposerver.ota.ce" > "${SERVER_DIR}/tufrepo.url"
-echo "http://ota.ce:30443" > "${SERVER_DIR}/autoprov.url"
+echo "http://reposerver.uptanedemo.org" > "${SERVER_DIR}/tufrepo.url"
+echo "http://uptanedemo.org:30443" > "${SERVER_DIR}/autoprov.url"
 
 cat > "${SERVER_DIR}/treehub.json" <<END
 {
     "no_auth": true,
     "ostree": {
-        "server": "http://treehub.ota.ce/api/v3/"
+        "server": "http://treehub.uptanedemo.org/api/v3/"
     }
 }
 END