Add ability to specify CA certs to use for TLS authentication. (#1112)

* Add ability to specify CA certs to use for TLS authentication.
Modify ups-broker walkthrough example to support using TLS.

* Validate InsecureSkipTLSVerify and CABundle are not both present in a broker spec.

* Add comments in ups-broker.yaml explaining TLS optional values.

* Fix incorrect case in btroker validation error message

Author: staebler

charts/ups-broker/templates/broker-deployment.yaml

@@ -27,6 +27,14 @@ spec:
         args:
         - --port
         - "8080"
+        {{- if .Values.tls.cert}}
+        - --tlsCert
+        - "{{ .Values.tls.cert }}"
+        {{- end}}
+        {{- if .Values.tls.key}}
+        - --tlsKey
+        - "{{ .Values.tls.key }}"
+        {{- end}}
         ports:
         - containerPort: 8080
         readinessProbe:

charts/ups-broker/values.yaml

@@ -3,3 +3,9 @@
 image: quay.io/kubernetes-service-catalog/user-broker:v0.0.16
 # ImagePullPolicy; valid values are "IfNotPresent", "Never", and "Always"
 imagePullPolicy: Always
+# Certificate details to use for TLS. Leave blank to not use TLS
+tls:
+  # base-64 encoded PEM data for the TLS certificate
+  cert:
+  # base-64 encoded PEM data for the private key matching the certificate
+  key:

contrib/cmd/user-broker/user-broker.go

@@ -33,11 +33,15 @@ import (
 )
 
 var options struct {
-	Port int
+	Port    int
+	TLSCert string
+	TLSKey  string
 }
 
 func init() {
 	flag.IntVar(&options.Port, "port", 8005, "use '--port' option to specify the port for broker to listen on")
+	flag.StringVar(&options.TLSCert, "tlsCert", "", "base-64 encoded PEM block to use as the certificate for TLS. If '--tlsCert' is used, then '--tlsKey' must also be used. If '--tlsCert' is not used, then TLS will not be used.")
+	flag.StringVar(&options.TLSKey, "tlsKey", "", "base-64 encoded PEM block to use as the private key matching the TLS certificate. If '--tlsKey' is used, then '--tlsCert' must also be used")
 	flag.Parse()
 }
 
@@ -60,9 +64,22 @@ func runWithContext(ctx context.Context) error {
 		fmt.Printf("%s/%s\n", path.Base(os.Args[0]), pkg.VERSION)
 		return nil
 	}
+	if (options.TLSCert != "" || options.TLSKey != "") &&
+		(options.TLSCert == "" || options.TLSKey == "") {
+		fmt.Println("To use TLS, both --tlsCert and --tlsKey must be used")
+		return nil
+	}
 
 	addr := ":" + strconv.Itoa(options.Port)
-	return server.Run(ctx, addr, controller.CreateController())
+	ctrlr := controller.CreateController()
+
+	var err error
+	if options.TLSCert == "" && options.TLSKey == "" {
+		err = server.Run(ctx, addr, ctrlr)
+	} else {
+		err = server.RunTLS(ctx, addr, options.TLSCert, options.TLSKey, ctrlr)
+	}
+	return err
 }
 
 // cancelOnInterrupt calls f when os.Interrupt or SIGTERM is received.

contrib/examples/walkthrough/ups-broker-test-cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJzCCAg+gAwIBAgIQaAAvrIN4pJqdJ86zwvHsATANBgkqhkiG9w0BAQsFADAS
+MRAwDgYDVQQKEwdBY21lIENvMCAXDTE3MDgwODE3MDczMloYDzIxMzEwOTA3MDgw
+NzMyWjASMRAwDgYDVQQKEwdBY21lIENvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA0DZDZywpAJydy0wzOtqOITtO9K+AWgQ4LN4TNyWIdWiVqMm3y8iJ
+CbaaleUJp9e1+uXhQfkSjzIkbVflxjItQrchgV2qM8eyrecQ9cGyUk+rbjjwPfbc
+kgQ4LRCqB7GmgSYmB/UB1aSIWAM/tNVSWYpTzobAqSBe1g2hHA0gVsBMNC8Bd83k
+ozuTUAM+QmMMi24vRoz0/kxnTvyEHV2a2rE+wsNxZt0gXb6SZ9+r/aAzBItB1C7f
+0jndkts42qSmhkJm+nDsxSHFrFHwoB9QriDAtitje3ZTFiPtAkuzUGrrzNbgvLg+
+K2GX7dzOoIb8qlWjJ1GSxigDIxuvcvQRzwIDAQABo3cwdTAOBgNVHQ8BAf8EBAMC
+AqQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zA9BgNVHREE
+NjA0gjJ1cHMtYnJva2VyLXVwcy1icm9rZXIudXBzLWJyb2tlci5zdmMuY2x1c3Rl
+ci5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEAgFjXewXfM507ctvVP+IpHMFl184J
+VoWeOt0p8A1Y6JOkZohb4kguDyMsDZy3UHy1AtOHcrfOYa9qvDB2xbCsv5cMY8cn
+nk67LyPNWje/ESwCrPyB684uUOwqG7fOanjYW7AwmXiNm8i4tJRY9QkausEFZZoy
+hk6gJYT7PPcV/nyyHcFEWAGOQZookKwJtBvDNTNsz59twjpQFBi7aHdplTT6l+ML
+cThTArnoXK2A6u1LtsuW5Rz3/ar3t9h+1UHs8/3/abYaPVm7CWfmz5oyvLWA5wqd
+8fhvWCxJojRVhaZRcQFjtygGSOVFaMlvuzYqBBrjXrzcLQ6oqpzdOVIevQ==
+-----END CERTIFICATE-----

contrib/examples/walkthrough/ups-broker-test-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEA0DZDZywpAJydy0wzOtqOITtO9K+AWgQ4LN4TNyWIdWiVqMm3
+y8iJCbaaleUJp9e1+uXhQfkSjzIkbVflxjItQrchgV2qM8eyrecQ9cGyUk+rbjjw
+PfbckgQ4LRCqB7GmgSYmB/UB1aSIWAM/tNVSWYpTzobAqSBe1g2hHA0gVsBMNC8B
+d83kozuTUAM+QmMMi24vRoz0/kxnTvyEHV2a2rE+wsNxZt0gXb6SZ9+r/aAzBItB
+1C7f0jndkts42qSmhkJm+nDsxSHFrFHwoB9QriDAtitje3ZTFiPtAkuzUGrrzNbg
+vLg+K2GX7dzOoIb8qlWjJ1GSxigDIxuvcvQRzwIDAQABAoIBACJp1Zon4l8Hg80m
+OxFvLi6v7szidQRrzh0cV3C182f0cUgEjyxPaNcCJ2q/AGmNbbaaaDDPShIA56Rq
+8r9fa7urKQ6IvKjySMYVeugjq6WPJXaCUrLrKmm36NEKABBlfG+8Lm0CQdtd5msl
+nlH1MDc8db2c6BsMDqCyf/5y7PVpZtuhPXBmzs330SWrLLLM//v6U2XCAVEJtSzE
+Qe3XO35VRFN8D3rumx+kITrLUf5S9GZA2mx0jRX+bXSWeFPI7WY6lqMg5MBMkaCp
+BhdSQ6u2jyKkHXLK9KuqSlz1fiesY97jQF0sdjlipTISZUa3oM9wHCobhrKmK5e0
+KZF34wECgYEA6fdJPA2ead4AAAD9BZdGI2+4PxwRd5+TJur3d9Q2/wZ/8f+DyDIC
+PI/KTnb7Bz3nDdu4YzevVC78qrMYxHvIIC1KlJm8q52VWv8uiBMR+WmM5DEfzq6R
+C8Tc03sRt1ZoEyvhB0A69/1R+pvsMUey4H7jy84WMXry3W5RTXUPUSkCgYEA49IS
+LV06duBNXm29kBD7ML4RFZmHC3pyA7xIAmeQRFjmvmAqyxLeJmX7zr5N15HZ+pcd
+uZ4I9mbXxqezx7JmhHoONL9wYaVwAsDtjZm2G/KoZxRIdaE2Bh8Cg50pdi6zitgA
+E7Wp0HDILgkoZ9BkwmJAyX58ZqF/TdbULzAm0jcCgYBxDeEBd8M4fOGbHt8kuHhX
+30A0nqeCGkXM5HU4Hf+FM+rXURSoxCF4ijLDv5KFaVAgzi9HIj1CfIHzKh+psfZ+
+NeR38eHNO5RUKEKf1jc1Qd+m1GX+RTQpb7MVLb7dzI711JokGtFjy7C1XGrBVVgG
+SspgTPFEb5izjv8SYqJIIQKBgDFoTKLj9hrz2DOjbxoAZMmUXtYlXqFBo9plieRj
+m2kHMruU1ZMG+4CuW2bh5LXcnr526W5o9J6jfSZLFnU3nn4ajlwoLHIw09L1Dk/I
+RzNWc+ku/+vq03GOZhgvDF/iDvQMli+wFSzsWK2LNOUWz9NMRaqtMMN9QMOb1JaL
+RdAPAoGARZxy64AOq4Bx8Iig+ZLckyuYq9v70DNee/z6+fqtOje+IQO65doXZ/WG
+tDUDRAXUR6HSBcLybEf2rJJOGFY4Nf41E/2lQfB6qaKn4v/q7HN5zh2u8D8Dr9xs
+Fo45Jbsxk4nKHaoHrnWJNDMC6uBs3SG6p+vIsA0u9+kLIIvt09Q=
+-----END RSA PRIVATE KEY-----

contrib/examples/walkthrough/ups-broker.yaml

@@ -4,3 +4,18 @@ metadata:
   name: ups-broker
 spec:
   url: http://ups-broker-ups-broker.ups-broker.svc.cluster.local
+  #####
+  # Values below are useful if you are using TLS to communicate with the broker.
+  # TLS can be enabled by setting the tls.cert and tls.key values when running the helm chart.
+  #
+  # If TLS is enabled, then the https url below should be used instead of the http url above.
+  #
+  # If the TLS cert at contrib/examples/walkthrough/ups-broker-test-cert.pem is used, then
+  # the caBundle below can be used so that the broker client will accept that certificate.
+  #
+  # If you want to ignore all TLS verification, then the insecureSkipTLSVerify below can be used.
+  # Note that caBundle and insecureSkipTLSVerify cannot be used together.
+  #####
+  ##url: https://ups-broker-ups-broker.ups-broker.svc.cluster.local:80
+  ##caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lRYUFBdnJJTjRwSnFkSjg2end2SHNBVEFOQmdrcWhraUc5dzBCQVFzRkFEQVMKTVJBd0RnWURWUVFLRXdkQlkyMWxJRU52TUNBWERURTNNRGd3T0RFM01EY3pNbG9ZRHpJeE16RXdPVEEzTURndwpOek15V2pBU01SQXdEZ1lEVlFRS0V3ZEJZMjFsSUVOdk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBCk1JSUJDZ0tDQVFFQTBEWkRaeXdwQUp5ZHkwd3pPdHFPSVR0TzlLK0FXZ1E0TE40VE55V0lkV2lWcU1tM3k4aUoKQ2JhYWxlVUpwOWUxK3VYaFFma1NqeklrYlZmbHhqSXRRcmNoZ1YycU04ZXlyZWNROWNHeVVrK3Jiamp3UGZiYwprZ1E0TFJDcUI3R21nU1ltQi9VQjFhU0lXQU0vdE5WU1dZcFR6b2JBcVNCZTFnMmhIQTBnVnNCTU5DOEJkODNrCm96dVRVQU0rUW1NTWkyNHZSb3owL2t4blR2eUVIVjJhMnJFK3dzTnhadDBnWGI2U1o5K3IvYUF6Qkl0QjFDN2YKMGpuZGt0czQycVNtaGtKbStuRHN4U0hGckZId29COVFyaURBdGl0amUzWlRGaVB0QWt1elVHcnJ6TmJndkxnKwpLMkdYN2R6T29JYjhxbFdqSjFHU3hpZ0RJeHV2Y3ZRUnp3SURBUUFCbzNjd2RUQU9CZ05WSFE4QkFmOEVCQU1DCkFxUXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUhBd0V3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekE5QmdOVkhSRUUKTmpBMGdqSjFjSE10WW5KdmEyVnlMWFZ3Y3kxaWNtOXJaWEl1ZFhCekxXSnliMnRsY2k1emRtTXVZMngxYzNSbApjaTVzYjJOaGJEQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFnRmpYZXdYZk01MDdjdHZWUCtJcEhNRmwxODRKClZvV2VPdDBwOEExWTZKT2tab2hiNGtndUR5TXNEWnkzVUh5MUF0T0hjcmZPWWE5cXZEQjJ4YkNzdjVjTVk4Y24Kbms2N0x5UE5XamUvRVN3Q3JQeUI2ODR1VU93cUc3Zk9hbmpZVzdBd21YaU5tOGk0dEpSWTlRa2F1c0VGWlpveQpoazZnSllUN1BQY1Yvbnl5SGNGRVdBR09RWm9va0t3SnRCdkROVE5zejU5dHdqcFFGQmk3YUhkcGxUVDZsK01MCmNUaFRBcm5vWEsyQTZ1MUx0c3VXNVJ6My9hcjN0OWgrMVVIczgvMy9hYllhUFZtN0NXZm16NW95dkxXQTV3cWQKOGZodldDeEpvalJWaGFaUmNRRmp0eWdHU09WRmFNbHZ1ellxQkJyalhyemNMUTZvcXB6ZE9WSWV2UT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  ##insecureSkipTLSVerify: true

contrib/pkg/broker/server/server.go

@@ -18,6 +18,8 @@ package server
 
 import (
 	"context"
+	"crypto/tls"
+	"encoding/base64"
 	"fmt"
 	"net/http"
 	"time"
@@ -56,8 +58,41 @@ func createHandler(c controller.Controller) http.Handler {
 // Run creates the HTTP handler based on an implementation of a
 // controller.Controller interface, and begins to listen on the specified address.
 func Run(ctx context.Context, addr string, c controller.Controller) error {
+	listenAndServe := func(srv *http.Server) error {
+		return srv.ListenAndServe()
+	}
+	return run(ctx, addr, listenAndServe, c)
+}
+
+// RunTLS creates the HTTPS handler based on an implementation of a
+// controller.Controller interface, and begins to listen on the specified address.
+func RunTLS(ctx context.Context, addr string, cert string, key string, c controller.Controller) error {
+	var decodedCert, decodedKey []byte
+	var tlsCert tls.Certificate
+	var err error
+	decodedCert, err = base64.StdEncoding.DecodeString(cert)
+	if err != nil {
+		return err
+	}
+	decodedKey, err = base64.StdEncoding.DecodeString(key)
+	if err != nil {
+		return err
+	}
+	tlsCert, err = tls.X509KeyPair(decodedCert, decodedKey)
+	if err != nil {
+		return err
+	}
+	listenAndServe := func(srv *http.Server) error {
+		srv.TLSConfig = new(tls.Config)
+		srv.TLSConfig.Certificates = []tls.Certificate{tlsCert}
+		return srv.ListenAndServeTLS("", "")
+	}
+	return run(ctx, addr, listenAndServe, c)
+}
+
+func run(ctx context.Context, addr string, listenAndServe func(srv *http.Server) error, c controller.Controller) error {
 	glog.Infof("Starting server on %d\n", addr)
-	srv := http.Server{
+	srv := &http.Server{
 		Addr:    addr,
 		Handler: createHandler(c),
 	}
@@ -69,7 +104,7 @@ func Run(ctx context.Context, addr string, c controller.Controller) error {
 			srv.Close()
 		}
 	}()
-	return srv.ListenAndServe()
+	return listenAndServe(srv)
 }
 
 func (s *server) catalog(w http.ResponseWriter, r *http.Request) {

glide.lock

@@ -64,4 +64,4 @@ import:
 - package: code.cloudfoundry.org/lager
   version: dfcbcba2dd4a5228c43b0292d219d5c010daed3a
 - package: github.com/pmorie/go-open-service-broker-client
-  version: a15af7d9e6c264f61daf883b78ed3f13a0b53de6
+  version: 48d1e069bbc4a7ec3fe52dee77a48046fbbf48e4

glide.yaml

@@ -77,6 +77,8 @@ func TestBrokerSpecChecksum(t *testing.T) {
 				},
 			},
 		},
+		InsecureSkipTLSVerify: true,
+		CABundle:              []byte{13, 24, 35, 46},
 	}
 
 	unversionedChecksum := unversioned.BrokerSpecChecksum(spec)

pkg/apis/servicecatalog/checksum/checksum_test.go

@@ -86,6 +86,8 @@ func BindingSpecChecksum(spec servicecatalog.BindingSpec) string {
 func BrokerSpecChecksum(spec servicecatalog.BrokerSpec) string {
 	specString := fmt.Sprintf("URL: %v\n", spec.URL)
 	specString += fmt.Sprintf("AuthInfo: %v\n", spec.AuthInfo)
+	specString += fmt.Sprintf("InsecureSkipTLSVerify: %v\n", spec.InsecureSkipTLSVerify)
+	specString += fmt.Sprintf("CABundle: %v\n", spec.CABundle)
 	glog.V(5).Infof("specString: %v", specString)
 	sum := sha256.Sum256([]byte(specString))
 	return fmt.Sprintf("%x", sum)

pkg/apis/servicecatalog/checksum/unversioned/checksum.go

@@ -86,6 +86,8 @@ func BindingSpecChecksum(spec v1alpha1.BindingSpec) string {
 func BrokerSpecChecksum(spec v1alpha1.BrokerSpec) string {
 	specString := fmt.Sprintf("URL: %v\n", spec.URL)
 	specString += fmt.Sprintf("AuthInfo: %v\n", spec.AuthInfo)
+	specString += fmt.Sprintf("InsecureSkipTLSVerify: %v\n", spec.InsecureSkipTLSVerify)
+	specString += fmt.Sprintf("CABundle: %v\n", spec.CABundle)
 	glog.V(5).Infof("specString: %v", specString)
 	sum := sha256.Sum256([]byte(specString))
 	return fmt.Sprintf("%x", sum)

pkg/apis/servicecatalog/checksum/versioned/v1alpha1/checksum.go

@@ -52,6 +52,14 @@ type BrokerSpec struct {
 	// AuthInfo contains the data that the service catalog should use to authenticate
 	// with the Broker.
 	AuthInfo *BrokerAuthInfo
+
+	// InsecureSkipTLSVerify disables TLS certificate verification when communicating with this Broker.
+	// This is strongly discouraged.  You should use the CABundle instead.
+	// +optional
+	InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty"`
+	// CABundle is a PEM encoded CA bundle which will be used to validate a Broker's serving certificate.
+	// +optional
+	CABundle []byte `json:"caBundle,omitempty"`
 }
 
 // BrokerAuthInfo is a union type that contains information on one of the authentication methods