0.1.5 • Published 3 years ago

@t9tlai/traner-endpoint v0.1.5


Trainer Endpoint

A Team Space internal service that allows the trainer job to pull the data collected for the team.

The service exposes the following endpoints:

  • /db - Provides a clone of the team database.
  • /version - Prints the current version of the service.

Security

The service requires mTLS on all endpoints.

When deployed, the (m)TLS credentials are automatically provisioned by Kubernetes and Cert Manager.

Setup

For local development, set up your own PKI using the following steps (src):

MAC USERS! Use the openssl binary at /opt/homebrew/opt/openssl@3/bin/openssl in the commands below, or run alias openssl=/opt/homebrew/opt/openssl@3/bin/openssl first.

Root CA

mkdir -p ./certs/ca

openssl genrsa 2048 > ./certs/ca/ca-key.pem
openssl req -new -x509 -nodes -days 365000 \
   -key ./certs/ca/ca-key.pem \
   -out ./certs/ca/ca.crt

Server Certificate

# 2. Create server creds
mkdir -p ./certs/server
cp ./certs/ca/ca.crt ./certs/server
openssl req -newkey rsa:4096 \
    -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost" \
    -addext 'extendedKeyUsage=serverAuth,clientAuth' \
    -sha256 -batch -nodes -days 365 \
    -keyout ./certs/server/tls.key \
    -out ./certs/server/req.pem

# 'openssl x509 -req' does not carry the CSR's -addext values into the issued
# certificate by default, so the extensions are passed again via -extfile
# (bash process substitution).
openssl x509 -req -days 365 -set_serial 01 -sha256 \
    -extfile <(printf "subjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth,clientAuth") \
    -in ./certs/server/req.pem \
    -out ./certs/server/tls.crt \
    -CA ./certs/ca/ca.crt \
    -CAkey ./certs/ca/ca-key.pem

Client Certificate

# 3. Create client creds
mkdir -p ./certs/client
cp ./certs/ca/ca.crt ./certs/client

openssl req -newkey rsa:4096 \
    -subj "/CN=client" \
    -addext 'extendedKeyUsage=serverAuth,clientAuth' \
    -sha256 -batch -nodes -days 365 \
    -keyout ./certs/client/tls.key \
    -out ./certs/client/req.pem

# Use a serial different from the server certificate: two certificates issued
# by the same CA must not share a serial number.
openssl x509 -req -days 365 -set_serial 02 -sha256 \
    -extfile <(printf "extendedKeyUsage=serverAuth,clientAuth") \
    -in ./certs/client/req.pem \
    -out ./certs/client/tls.crt \
    -CA ./certs/ca/ca.crt \
    -CAkey ./certs/ca/ca-key.pem

.ENV configuration

# 4. Set the cert path in `.env`
echo "TLS_ROOT_PATH=$PWD/certs/server" >> .env

Test config

curl --cacert ./certs/ca/ca.crt --cert ./certs/client/tls.crt --key ./certs/client/tls.key https://localhost:8000/version
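The four steps above, as an added example that is not part of the @t9tlai/traner-endpoint package: a POSIX shell script that builds the same PKI non-interactively into a directory of your choice and then checks the properties the mTLS service actually depends on before curl is tried. The CA subject name, the ext.cnf file names, the role-specific extendedKeyUsage values (serverAuth only on the server leaf, clientAuth only on the client leaf, instead of both on each as in the commands above) and the impostor check are this example's own choices, not the project's.

```shell
#!/bin/sh
# Added example, not part of the package: build the dev PKI from the README
# without prompts and verify it. Layout follows the README and the Kubernetes
# TLS-secret convention: <dir>/ca/ca.crt, <dir>/server/{tls.crt,tls.key,ca.crt},
# <dir>/client/{tls.crt,tls.key,ca.crt}. Subject names and ext.cnf are assumptions.

make_dev_pki() {
    dir="$1"
    mkdir -p "$dir/ca" "$dir/server" "$dir/client"

    # 1. Root CA. -subj avoids the interactive prompts; the stock openssl.cnf
    #    v3_ca section marks the self-signed certificate as a CA.
    openssl genrsa -out "$dir/ca/ca-key.pem" 2048
    openssl req -new -x509 -nodes -days 365000 -sha256 \
        -subj "/CN=Trainer Endpoint Dev CA (constructed)" \
        -key "$dir/ca/ca-key.pem" -out "$dir/ca/ca.crt"

    # 2. Server leaf. The SAN must match the host curl connects to. Extensions
    #    go through -extfile because 'x509 -req' does not copy CSR extensions.
    printf 'subjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth\n' > "$dir/server/ext.cnf"
    openssl req -newkey rsa:2048 -nodes -sha256 -batch -subj "/CN=localhost" \
        -keyout "$dir/server/tls.key" -out "$dir/server/req.pem"
    openssl x509 -req -days 365 -sha256 -set_serial 01 -extfile "$dir/server/ext.cnf" \
        -in "$dir/server/req.pem" -out "$dir/server/tls.crt" \
        -CA "$dir/ca/ca.crt" -CAkey "$dir/ca/ca-key.pem"

    # 3. Client leaf, with a serial distinct from the server leaf: two
    #    certificates from one issuer sharing a serial is invalid X.509.
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client/ext.cnf"
    openssl req -newkey rsa:2048 -nodes -sha256 -batch -subj "/CN=client" \
        -keyout "$dir/client/tls.key" -out "$dir/client/req.pem"
    openssl x509 -req -days 365 -sha256 -set_serial 02 -extfile "$dir/client/ext.cnf" \
        -in "$dir/client/req.pem" -out "$dir/client/tls.crt" \
        -CA "$dir/ca/ca.crt" -CAkey "$dir/ca/ca-key.pem"

    # 4. ca.crt next to tls.crt/tls.key, the directory TLS_ROOT_PATH points at.
    cp "$dir/ca/ca.crt" "$dir/server/ca.crt"
    cp "$dir/ca/ca.crt" "$dir/client/ca.crt"
}

# Prints the serial as OpenSSL formats it, e.g. "serial=01".
cert_serial() { openssl x509 -in "$1" -noout -serial; }

# Returns 0 when both leaves chain to the CA and are valid for their role, the
# server leaf covers localhost, and the two leaves carry distinct serials.
verify_dev_pki() {
    dir="$1"
    openssl verify -CAfile "$dir/ca/ca.crt" -purpose sslserver "$dir/server/tls.crt" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca/ca.crt" -purpose sslclient "$dir/client/tls.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server/tls.crt" -noout -text | grep -q 'DNS:localhost' || return 1
    [ "$(cert_serial "$dir/server/tls.crt")" != "$(cert_serial "$dir/client/tls.crt")" ] || return 1
}

# Returns 0 when a self-signed certificate with the same CN as the real client
# is NOT accepted against ca.crt. This is the check the service performs on
# every connection; it is what "requires mTLS" buys.
rejects_foreign_cert() {
    dir="$1"
    mkdir -p "$dir/impostor"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -batch -days 1 -subj "/CN=client" \
        -keyout "$dir/impostor/tls.key" -out "$dir/impostor/tls.crt" 2>/dev/null
    if openssl verify -CAfile "$dir/ca/ca.crt" "$dir/impostor/tls.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage: sh dev-pki.sh ./certs
if [ -n "${1:-}" ]; then
    make_dev_pki "$1" && verify_dev_pki "$1" && rejects_foreign_cert "$1" \
        && echo "PKI in $1 verified"
fi
```

After the script reports success, the curl command above works against the generated files, and `verify_dev_pki` fails fast on the two mistakes that are easiest to make by hand: a server certificate whose SAN does not say localhost, and a client certificate reissued with the serial the server certificate already uses.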

Optional - Trust CA

Because the steps above generate valid TLS certificates, you can optionally trust the CA (on OSX):

openssl x509 -in ./certs/ca/ca.crt -out ca.der -outform DER && open ca.der

Other platforms have their own way of adding trusted CA certificates. Once the CA is trusted, you can use Chrome and curl without security errors and without passing the CA as a parameter to curl (the client certificate and key are still required, since the service enforces mTLS). The file names and directory structure are consistent with how TLS certificates are exposed in Kubernetes.