Add TLS support #2697

Open
wants to merge 22 commits into
base: master


matt-bathyscope
Contributor

This PR adds support for TLS in nginx using a self-signed certificate that's unique to each robot, along with additional changes needed for other components to work when TLS is enabled.

  • Moves the nginx config to /etc/blueos/nginx/ instead of the current tools path in the container so we have persistence.
  • Updates the bootstrap container's version-chooser reachability check to accept the self-signed cert so it doesn't kill the core container.
  • Adds a checkbox to the vehicle configuration wizard to enable the TLS feature.
  • Generates a certificate (when needed) that includes the alternate hostname(s) and IPs for the robot. This feature shells out to openssl to do the crypto operations, but attempts to mitigate any command injection risk by escaping parameters (like hostname) with the shlex.quote function. The cert and key files are stored alongside the nginx config.
  • There are two "template" nginx configs, one with TLS and one without, that are shipped with the core. The code moves the correct one into place depending on whether or not TLS should be enabled.

How to test this

  1. Manually choose the TLS-aware bootstrap and core images from CI (or from the correct tag on DockerHub)
  2. Re-run the vehicle setup wizard
  3. Check the Enable TLS box on the Customize step
  4. Complete the wizard
  5. Navigate to https://<your robot hostname>
  6. Accept the cert warning
  7. You should have TLS now
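An added example, not code from this PR or from BlueOS: one way to build the `openssl` invocation the description mentions, validating each hostname and IP before it reaches the `subjectAltName` value and passing an argument list so no shell parses it. The sample hostnames, IP and file paths are constructed placeholders, and `-addext` assumes OpenSSL 1.1.1 or newer.

```python
import ipaddress
import re
import shlex

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def san_value(hostnames, ips):
    """Build the subjectAltName value, rejecting anything that is not a plain name or IP."""
    entries = []
    for name in hostnames:
        labels = name.split(".")
        if len(name) > 253 or not all(_LABEL.fullmatch(label) for label in labels):
            raise ValueError(f"not a valid hostname: {name!r}")
        entries.append(f"DNS:{name}")
    for ip in ips:
        entries.append(f"IP:{ipaddress.ip_address(ip)}")  # ValueError if malformed
    if not entries:
        raise ValueError("at least one hostname or IP is required")
    return ",".join(entries)


def openssl_argv(hostnames, ips, key_path, cert_path, days=365):
    """Return an argv list for subprocess.run(argv, check=True); no shell is involved."""
    san = san_value(hostnames, ips)
    return [
        "openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
        "-keyout", key_path, "-out", cert_path, "-days", str(days),
        "-subj", f"/CN={hostnames[0] if hostnames else ips[0]}",
        "-addext", f"subjectAltName={san}",
    ]


if __name__ == "__main__":
    # Constructed sample values; the paths are placeholders, not the PR's file names.
    argv = openssl_argv(["blueos.local", "blueos-avahi.local"], ["192.168.2.2"],
                        "/tmp/example.key", "/tmp/example.crt")
    print(shlex.join(argv))  # shell-safe rendering, useful for logging
    # shlex.quote keeps a shell from splitting this value, but openssl would
    # still read the comma as a separator between SAN entries; validation
    # rejects the value before it gets that far.
    odd = "robot.local,DNS:other.example"
    print(shlex.quote(odd))
    try:
        san_value([odd], [])
    except ValueError as err:
        print("rejected:", err)
```

Quoting protects the shell's parsing only; the hostname check covers the second parser in the chain, openssl's own handling of the extension value.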

@CLAassistant

CLAassistant commented Jun 16, 2024

CLA assistant check
All committers have signed the CLA.

Member

@patrickelectric patrickelectric left a comment


I'll check it more deeply during the week

core/frontend/src/components/wizard/Wizard.vue (outdated)
core/services/beacon/main.py
@patrickelectric patrickelectric added the merge-after-stable Should be merged only after next stable release label Jun 19, 2024
@patrickelectric
Member

Hi @matt-bathyscope, can you sign the CLA?

3 participants