
docker: separate CLIENT_* and LAPI_* variables for tls certificates (#1929)

mmetc 2 years ago
parent
commit
f68bc113a7
5 changed files with 80 additions and 39 deletions
  1. 13 1
      Dockerfile
  2. 13 1
      Dockerfile.debian
  3. 7 4
      docker/README.md
  4. 0 2
      docker/config.yaml
  5. 47 31
      docker/docker_start.sh

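--- a/Dockerfile
+++ b/Dockerfile
@@ -32,7 +32,7 @@ COPY --from=build /usr/local/bin/cscli /usr/local/bin/cscli
 COPY --from=build /go/src/crowdsec/docker/docker_start.sh /
 COPY --from=build /go/src/crowdsec/docker/config.yaml /staging/etc/crowdsec/config.yaml
 
-# NOTE: setting default values here will overwrite the ones set in config.yaml
+# NOTE: setting default values here would overwrite the ones set in config.yaml
 #       every time the container is started. We set the default in docker/config.yaml
 #       and document them in docker/README.md, but keep the variables empty here.
 
@@ -68,11 +68,23 @@ ENV AGENT_PASSWORD=
 # TLS setup ----------------------------------- #
 
 ENV USE_TLS=false
+
+ENV LAPI_CACERT_FILE=
+ENV LAPI_CERT_FILE=
+ENV LAPI_KEY_FILE=
+
+ENV CLIENT_CACERT_FILE=
+ENV CLIENT_CERT_FILE=
+ENV CLIENT_KEY_FILE=
+
+# deprecated in favor of LAPI_*
 ENV CACERT_FILE=
 ENV CERT_FILE=
 ENV KEY_FILE=
+
 # comma-separated list of allowed OU values for TLS bouncer certificates
 ENV BOUNCERS_ALLOWED_OU=
+
 # comma-separated list of allowed OU values for TLS agent certificates
 ENV AGENTS_ALLOWED_OU=
 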
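Review bot: The NOTE comment kept in the first hunk now misdescribes where the TLS defaults live: this commit removes `cert_file`/`key_file` from docker/config.yaml, and docker_start.sh instead falls back to `/etc/ssl/crowdsec-lapi/*.pem` and `/etc/ssl/crowdsec-client/*.pem`, while docker/README.md still lists `/etc/ssl/cert.pem` and `/etc/ssl/key.pem` as the defaults for both the `LAPI_*` and `CLIENT_*` variables. I would extend the comment with `#       (TLS file paths are defaulted in docker_start.sh, not config.yaml)` and align the README rows with the script's fallbacks, so an operator checking the image knows which file is actually loaded when a variable is left empty. The same ENV block is duplicated verbatim in Dockerfile.debian, which has the same stale comment.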
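--- a/Dockerfile.debian
+++ b/Dockerfile.debian
@@ -46,7 +46,7 @@ COPY --from=build /go/src/crowdsec/docker/docker_start.sh /
 COPY --from=build /go/src/crowdsec/docker/config.yaml /staging/etc/crowdsec/config.yaml
 RUN yq eval -i ".plugin_config.group = \"nogroup\"" /staging/etc/crowdsec/config.yaml
 
-# NOTE: setting default values here will overwrite the ones set in config.yaml
+# NOTE: setting default values here would overwrite the ones set in config.yaml
 #       every time the container is started. We set the default in docker/config.yaml
 #       and document them in docker/README.md, but keep the variables empty here.
 
@@ -82,11 +82,23 @@ ENV AGENT_PASSWORD=
 # TLS setup ----------------------------------- #
 
 ENV USE_TLS=false
+
+ENV LAPI_CACERT_FILE=
+ENV LAPI_CERT_FILE=
+ENV LAPI_KEY_FILE=
+
+ENV CLIENT_CACERT_FILE=
+ENV CLIENT_CERT_FILE=
+ENV CLIENT_KEY_FILE=
+
+# deprecated in favor of LAPI_*
 ENV CACERT_FILE=
 ENV CERT_FILE=
 ENV KEY_FILE=
+
 # comma-separated list of allowed OU values for TLS bouncer certificates
 ENV BOUNCERS_ALLOWED_OU=
+
 # comma-separated list of allowed OU values for TLS agent certificates
 ENV AGENTS_ALLOWED_OU=
 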
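--- a/docker/README.md
+++ b/docker/README.md
@@ -226,16 +226,19 @@ Using binds rather than named volumes ([complete explanation here](https://docs.
 |                         | | |
 | __TLS Auth/encryption   | | |
 | `USE_TLS`               | false | Enable TLS on the LAPI |
-| `CERT_FILE`             | /etc/ssl/cert.pem | TLS Certificate path |
-| `KEY_FILE`              | /etc/ssl/key.pem | TLS Key path |
-| `CACERT_FILE`           | | CA certificate bundle |
+| `CLIENT_CERT_FILE`      | /etc/ssl/cert.pem | Client TLS Certificate path |
+| `CLIENT_KEY_FILE`       | /etc/ssl/key.pem | Client TLS Key path |
+| `CLIENT_CACERT_FILE`    | | Client CA certificate bundle |
+| `LAPI_CERT_FILE`        | /etc/ssl/cert.pem | LAPI TLS Certificate path |
+| `LAPI_KEY_FILE`         | /etc/ssl/key.pem | LAPI TLS Key path |
+| `LAPI_CACERT_FILE`      | | LAPI CA certificate bundle |
 | `AGENTS_ALLOWED_OU`     | agent-ou | OU values allowed for agents, separated by comma |
 | `BOUNCERS_ALLOWED_OU`   | bouncer-ou | OU values allowed for bouncers, separated by comma |
 |                         | | |
 | __Hub management__      | | |
 | `COLLECTIONS`           | | Collections to install, separated by space: `-e COLLECTIONS="crowdsecurity/linux crowdsecurity/apache2"` |
-| `SCENARIOS`             | | Scenarios to install, separated by space |
 | `PARSERS`               | | Parsers to install, separated by space |
+| `SCENARIOS`             | | Scenarios to install, separated by space |
 | `POSTOVERFLOWS`         | | Postoverflows to install, separated by space |
 | `DISABLE_COLLECTIONS`   | | Collections to remove, separated by space: `-e DISABLE_COLLECTIONS="crowdsecurity/linux crowdsecurity/nginx"` |
 | `DISABLE_PARSERS`       | | Parsers to remove, separated by space |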
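--- a/docker/config.yaml
+++ b/docker/config.yaml
@@ -42,8 +42,6 @@ api:
     online_client: # Central API credentials (to push signals and receive bad IPs)
       #credentials_path: /etc/crowdsec/online_api_credentials.yaml
     tls:
-      cert_file: /etc/ssl/cert.pem
-      key_file: /etc/ssl/key.pem
       agents_allowed_ou:
         - agent-ou
       bouncers_allowed_ou: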
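--- a/docker/docker_start.sh
+++ b/docker/docker_start.sh
@@ -90,6 +90,17 @@ cscli_if_clean() {
 
 #-----------------------------------#
 
+if [ -n "$CERT_FILE" ] || [ -n "$KEY_FILE" ] || [ -n "$CACERT_FILE" ]; then
+    printf '%b' '\033[0;33m'
+    echo "Warning: the variables CERT_FILE, KEY_FILE and CACERT_FILE have been deprecated." >&2
+    echo "Please use LAPI_CERT_FILE, LAPI_KEY_FILE and LAPI_CACERT_FILE insted." >&2
+    echo "The old variables will be removed in a future release." >&2
+    printf '%b' '\033[0m'
+    LAPI_CERT_FILE=${LAPI_CERT_FILE:-$CERT_FILE}
+    LAPI_KEY_FILE=${LAPI_KEY_FILE:-$KEY_FILE}
+    LAPI_CACERT_FILE=${LAPI_CACERT_FILE:-$CACERT_FILE}
+fi
+
 # Check and prestage databases
 for geodb in GeoLite2-ASN.mmdb GeoLite2-City.mmdb; do
     # We keep the pre-populated geoip databases in /staging instead of /var,
@@ -122,37 +133,39 @@ elif [ -n "$USE_WAL" ] && isfalse "$USE_WAL"; then
     conf_set '.db_config.use_wal = false'
 fi
 
-# regenerate local agent credentials (ignore if agent is disabled)
-if isfalse "$DISABLE_AGENT"; then
-    if isfalse "$DISABLE_LOCAL_API"; then
-        echo "Regenerate local agent credentials"
-        cscli machines delete "$CUSTOM_HOSTNAME" 2>/dev/null || true
-        cscli machines add "$CUSTOM_HOSTNAME" --auto --url "$LOCAL_API_URL"
-    fi
+# regenerate local agent credentials (even if agent is disabled, cscli needs a
+# connection to the API)
+cscli machines delete "$CUSTOM_HOSTNAME" 2>/dev/null || true
+if isfalse "$DISABLE_LOCAL_API" && isfalse "$USE_TLS"; then
+    echo "Regenerate local agent credentials"
+    cscli machines add "$CUSTOM_HOSTNAME" --auto --url "$LOCAL_API_URL"
+fi
+
+lapi_credentials_path=$(conf_get '.api.client.credentials_path')
 
-    lapi_credentials_path=$(conf_get '.api.client.credentials_path')
+# we only use the envvars that are actually defined
+# in case of persistent configuration
+conf_set '
+    with(select(strenv(LOCAL_API_URL)!=""); .url = strenv(LOCAL_API_URL)) |
+    with(select(strenv(AGENT_USERNAME)!=""); .login = strenv(AGENT_USERNAME)) |
+    with(select(strenv(AGENT_PASSWORD)!=""); .password = strenv(AGENT_PASSWORD))
+    ' "$lapi_credentials_path"
 
-    # we only use the envvars that are actually defined
-    # in case of persistent configuration
+if istrue "$USE_TLS"; then
     conf_set '
-        with(select(strenv(LOCAL_API_URL)!=""); .url = strenv(LOCAL_API_URL)) |
-        with(select(strenv(AGENT_USERNAME)!=""); .login = strenv(AGENT_USERNAME)) |
-        with(select(strenv(AGENT_PASSWORD)!=""); .password = strenv(AGENT_PASSWORD))
-        ' "$lapi_credentials_path"
-
-    if istrue "$USE_TLS"; then
-        conf_set '
-            with(select(strenv(CACERT_FILE)!=""); .ca_cert_path = strenv(CACERT_FILE)) |
-            with(select(strenv(KEY_FILE)!=""); .key_path = strenv(KEY_FILE)) |
-            with(select(strenv(CERT_FILE)!=""); .cert_path = strenv(CERT_FILE))
-        ' "$lapi_credentials_path"
-    else
-        conf_set '
-            del(.ca_cert_path) |
-            del(.key_path) |
-            del(.cert_path)
-        ' "$lapi_credentials_path"
-    fi
+        with(select(strenv(CLIENT_CACERT_FILE)!=""); .ca_cert_path = strenv(CLIENT_CACERT_FILE)) |
+        with(select(.ca_cert_path=="" or .ca_cert_path==null); .ca_cert_path = "/etc/ssl/crowdsec-client/ca.pem") |
+        with(select(strenv(CLIENT_KEY_FILE)!=""); .key_path = strenv(CLIENT_KEY_FILE)) |
+        with(select(.key_path=="" or .key_path==null); .key_path = "/etc/ssl/crowdsec-client/key.pem") |
+        with(select(strenv(CLIENT_CERT_FILE)!=""); .cert_path = strenv(CLIENT_CERT_FILE)) |
+        with(select(.cert_path=="" or .cert_path==null); .cert_path = "/etc/ssl/crowdsec-client/cert.pem")
+    ' "$lapi_credentials_path"
+else
+    conf_set '
+        del(.ca_cert_path) |
+        del(.key_path) |
+        del(.cert_path)
+    ' "$lapi_credentials_path"
 fi
 
 if isfalse "$DISABLE_LOCAL_API"; then
@@ -204,9 +217,12 @@ if istrue "$USE_TLS"; then
     agents_allowed_yaml=$(csv2yaml "$AGENTS_ALLOWED_OU") \
     bouncers_allowed_yaml=$(csv2yaml "$BOUNCERS_ALLOWED_OU") \
     conf_set '
-        with(select(strenv(CACERT_FILE)!=""); .api.server.tls.ca_cert_path = strenv(CACERT_FILE)) |
-        with(select(strenv(CERT_FILE)!=""); .api.server.tls.cert_file = strenv(CERT_FILE)) |
-        with(select(strenv(KEY_FILE)!=""); .api.server.tls.key_file = strenv(KEY_FILE)) |
+        with(select(strenv(LAPI_CACERT_FILE)!=""); .api.server.tls.ca_cert_path = strenv(LAPI_CACERT_FILE)) |
+        with(select(.api.server.tls.ca_cert_path=="" or .api.server.tls.ca_cert_path==null); .api.server.tls.ca_cert_path = "/etc/ssl/crowdsec-lapi/ca.pem") |
+        with(select(strenv(LAPI_CERT_FILE)!=""); .api.server.tls.cert_file = strenv(LAPI_CERT_FILE)) |
+        with(select(.api.server.tls.cert_file=="" or .api.server.tls.cert_file==null); .api.server.tls.cert_file = "/etc/ssl/crowdsec-lapi/cert.pem") |
+        with(select(strenv(LAPI_KEY_FILE)!=""); .api.server.tls.key_file = strenv(LAPI_KEY_FILE)) |
+        with(select(.api.server.tls.key_file=="" or .api.server.tls.key_file==null); .api.server.tls.key_file = "/etc/ssl/crowdsec-lapi/key.pem") |
         with(select(strenv(BOUNCERS_ALLOWED_OU)!=""); .api.server.tls.bouncers_allowed_ou = env(bouncers_allowed_yaml)) |
         with(select(strenv(AGENTS_ALLOWED_OU)!=""); .api.server.tls.agents_allowed_ou = env(agents_allowed_yaml)) |
         ... comments=""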
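Review bot: In the second hunk `USE_TLS` is treated as implying client-certificate authentication: when it is true but no `CLIENT_CERT_FILE`/`CLIENT_KEY_FILE` is given, `cscli machines add` is skipped while `cert_path`/`key_path` are still forced to `/etc/ssl/crowdsec-client/*.pem`, and `cscli machines delete` now runs unconditionally, so an agent pointed at a TLS-only LAPI (which, as far as I can tell, still accepts password login) is left with neither a password nor a usable certificate and loses any previously registered machine on every restart. I would gate credential regeneration and the cert/key paths on the client files actually being set and only default the CA path, as below; `cscli machines delete` and the `lapi_credentials_path` handling are otherwise unchanged. In the first hunk, `insted` in the deprecation message is a typo, and the colour escapes are written to stdout by `printf` while the message itself goes to stderr, so the two end up on different streams when they are captured separately; either send both to stderr or drop the colour. The README rows added by this commit also still document `/etc/ssl/cert.pem` and `/etc/ssl/key.pem` as defaults, which no longer matches the fallbacks set here.
```shell
# regenerate local agent credentials (even if agent is disabled, cscli needs a
# connection to the API). A TLS listener does not by itself mean the agent
# authenticates with a certificate: keep password credentials unless a client
# certificate and key were both provided.
if isfalse "$DISABLE_LOCAL_API"; then
    if isfalse "$USE_TLS" || [ -z "$CLIENT_CERT_FILE" ] || [ -z "$CLIENT_KEY_FILE" ]; then
        echo "Regenerate local agent credentials"
        cscli machines delete "$CUSTOM_HOSTNAME" 2>/dev/null || true
        cscli machines add "$CUSTOM_HOSTNAME" --auto --url "$LOCAL_API_URL"
    fi
fi

# … unchanged: lapi_credentials_path and the url/login/password conf_set …

if istrue "$USE_TLS"; then
    # the CA is needed to verify the LAPI whichever way the agent authenticates
    conf_set '
        with(select(strenv(CLIENT_CACERT_FILE)!=""); .ca_cert_path = strenv(CLIENT_CACERT_FILE)) |
        with(select(.ca_cert_path=="" or .ca_cert_path==null); .ca_cert_path = "/etc/ssl/crowdsec-client/ca.pem")
    ' "$lapi_credentials_path"
    # a client certificate is configured only when both halves were supplied
    if [ -n "$CLIENT_CERT_FILE" ] && [ -n "$CLIENT_KEY_FILE" ]; then
        conf_set '
            .key_path = strenv(CLIENT_KEY_FILE) |
            .cert_path = strenv(CLIENT_CERT_FILE)
        ' "$lapi_credentials_path"
    else
        conf_set 'del(.key_path) | del(.cert_path)' "$lapi_credentials_path"
    fi
else
# … unchanged: del(.ca_cert_path) | del(.key_path) | del(.cert_path) …
```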