Merge pull request #6177 from tenevdev/feat-tls-options-self-signed

[WIP] feat: configure traefik self-signed TLS

Author: madhavajay

.github/workflows/stack-integration_tests.yml

@@ -81,6 +81,81 @@ jobs:
         run: |
           tox -e stack.test.integration
 
+  stack-integration-tests-tls:
+    strategy:
+      max-parallel: 3
+      matrix:
+        os: [ubuntu-latest]
+        python-version: [3.9]
+
+    runs-on: ${{matrix.os}}
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Check for file changes
+        uses: dorny/paths-filter@v2
+        id: changes
+        with:
+          token: ${{ github.token }}
+          filters: .github/file-filters.yml
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v2
+        if: steps.changes.outputs.stack == 'true'
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Get pip cache dir
+        if: steps.changes.outputs.stack == 'true'
+        id: pip-cache
+        run: |
+          echo "::set-output name=dir::$(pip cache dir)"
+
+      - name: pip cache
+        uses: actions/cache@v2
+        if: steps.changes.outputs.stack == 'true'
+        with:
+          path: ${{ steps.pip-cache.outputs.dir }}
+          key: ${{ runner.os }}-pip-py${{ matrix.python-version }}
+          restore-keys: |
+            ${{ runner.os }}-pip-py${{ matrix.python-version }}
+
+      - name: Upgrade pip
+        if: steps.changes.outputs.stack == 'true'
+        run: |
+          pip install --upgrade --user pip
+
+      - name: Install tox
+        if: steps.changes.outputs.stack == 'true'
+        run: |
+          pip install tox --upgrade
+
+      - name: Install Docker Compose
+        if: runner.os == 'Linux'
+        shell: bash
+        run: |
+          mkdir -p ~/.docker/cli-plugins
+          DOCKER_COMPOSE_VERSION=v2.1.1
+          curl -sSL https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-linux-x86_64 -o ~/.docker/cli-plugins/docker-compose
+          chmod +x ~/.docker/cli-plugins/docker-compose
+
+      - name: Install mkcert
+        if: runner.os == 'Linux'
+        shell: bash
+        run: |
+          sudo apt install libnss3-tools -y
+          MKCERT_VERSION=v1.4.3
+          curl -sSL https://github.com/FiloSottile/mkcert/releases/download/${MKCERT_VERSION}/mkcert-${MKCERT_VERSION}-linux-amd64 -o /usr/local/bin/mkcert
+          chmod +x /usr/local/bin/mkcert
+          which mkcert
+
+      - name: Run integration tests
+        if: steps.changes.outputs.stack == 'true'
+        timeout-minutes: 30
+        run: |
+          tox -e stack.test.integration.tls
+
   stack-integration-tests-windows:
     strategy:
       max-parallel: 3
@@ -155,7 +230,7 @@ jobs:
           pip install -e packages/hagrid
           set HAGRID_ART=false
           hagrid launch test_network_1 network to docker:9081 --tail=false --headless=true
-          hagrid launch test_domain_1 domain to docker:9082 --tail=false --build=false --headless=true
+          hagrid launch test_domain_1 domain to docker:9082 --tail=false --headless=true
           hagrid launch test_domain_2 domain to docker:9083 --tail=false --build=false --headless=true
           bash -c "(docker logs test_domain_1-backend_stream-1 -f &) | grep -q 'Application startup complete' || true"
           bash -c "(docker logs test_domain_2-backend_stream-1 -f &) | grep -q 'Application startup complete' || true"

packages/grid/.env

@@ -1,10 +1,12 @@
 #!/bin/bash
 DOMAIN=localhost
-DOMAIN_NAME=grid.openmined.org
+DOMAIN_NAME=default_node_name
 NODE_TYPE=domain
-DOMAIN_PORT=80
+HTTP_PORT=80
+HTTPS_PORT=443
 HEADSCALE_PORT=8080
 NETWORK_NAME=omnet
+IGNORE_TLS_ERRORS=False
 
 STACK_NAME=grid-openmined-org
 TRAEFIK_PUBLIC_NETWORK=traefik-public
@@ -15,6 +17,7 @@ DOCKER_IMAGE_BACKEND=openmined/grid-backend
 DOCKER_IMAGE_FRONTEND=openmined/grid-frontend
 DOCKER_IMAGE_HEADSCALE=openmined/grid-vpn-headscale
 DOCKER_IMAGE_TAILSCALE=openmined/grid-vpn-tailscale
+DOCKER_IMAGE_TRAEFIK=traefik:v2.5
 VERSION=latest
 VERSION_HASH=unknown
 STACK_API_KEY=hex_key_value
@@ -31,7 +34,7 @@ SMTP_HOST=
 SMTP_USER=
 SMTP_PASSWORD=
 EMAILS_FROM_EMAIL=[email protected]
-SERVER_HOST="http://${DOMAIN}"
+SERVER_HOST="https://${DOMAIN}"
 
 USERS_OPEN_REGISTRATION=False
 

packages/grid/.gitignore

@@ -9,6 +9,7 @@ packer/output/*
 packer/packer_cache/*
 packer/base-manifest.json
 packer/azure_vars.json
+tls/
 
 # devspace
-.devspace/
+.devspace/

packages/grid/.gitlab-ci.yml

@@ -11,6 +11,7 @@
 
 # syft absolute
 from syft.core.node.common.node_service.ping.ping_messages import PingMessageWithReply
+from syft.grid import GridURL
 
 # grid absolute
 from grid.api.dependencies.current_user import get_current_user
@@ -27,7 +28,7 @@ def remote_ping(
 
     # Build Syft Message
     msg = (
-        PingMessageWithReply(kwargs={"host_or_ip": host_or_ip})
+        PingMessageWithReply(kwargs={"grid_url": GridURL.from_url(host_or_ip)})
         .to(address=node.address, reply_to=node.address)
         .sign(signing_key=user_key)
     )

packages/grid/backend/grid/api/meta/ping.py

@@ -21,6 +21,7 @@
     VPNStatusMessageWithReply,
 )
 from syft.core.node.common.node_service.vpn.vpn_messages import VPNJoinMessageWithReply
+from syft.grid import GridURL
 from syft.lib.python.util import upcast
 
 # grid absolute
@@ -44,7 +45,7 @@ def connect(
     msg = (
         VPNConnectMessageWithReply(
             kwargs={
-                "host_or_ip": host_or_ip,
+                "grid_url": GridURL.from_url(host_or_ip),
                 "vpn_auth_key": vpn_auth_key,
             }
         )
@@ -72,7 +73,7 @@ def join(
 ) -> Dict[str, Any]:
     user_key = SigningKey(current_user.private_key.encode(), encoder=HexEncoder)
     msg = (
-        VPNJoinMessageWithReply(kwargs={"host_or_ip": host_or_ip})
+        VPNJoinMessageWithReply(kwargs={"grid_url": GridURL.from_url(host_or_ip)})
         .to(address=node.address, reply_to=node.address)
         .sign(signing_key=user_key)
     )

packages/grid/backend/grid/api/vpn/vpn.py

@@ -20,7 +20,6 @@ class Settings(BaseSettings):
     SECRET_KEY: str = secrets.token_urlsafe(32)
     # 60 minutes * 24 hours * 8 days = 8 days
     ACCESS_TOKEN_EXPIRE_MINUTES: int = 60 * 24 * 8
-    SERVER_NAME: str = "unconfigured"
     SERVER_HOST: str = "https://localhost"
     # BACKEND_CORS_ORIGINS is a JSON-formatted list of origins
     # e.g: '["http://localhost", "http://localhost:4200", "http://localhost:3000", \
@@ -93,7 +92,7 @@ def get_emails_enabled(cls, v: bool, values: Dict[str, Any]) -> bool:
     FIRST_SUPERUSER_PASSWORD: str = "changethis"
     USERS_OPEN_REGISTRATION: bool = False
 
-    DOMAIN_NAME: str = "grid_domain"
+    DOMAIN_NAME: str = "default_node_name"
     STREAM_QUEUE: bool = False
     NODE_TYPE: str = "Domain"
 

packages/grid/backend/grid/core/config.py

@@ -1,6 +1,5 @@
 # stdlib
 import logging
-import os
 from typing import Generator
 
 # third party
@@ -56,17 +55,3 @@ def emit(self, record: logging.LogRecord) -> None:
     sink_handler_id = logger.add(PropagateHandler(), format=log_handler.format_record)
     yield caplog
     logger.remove(sink_handler_id)
-
-
-# patch windows to use uft-8 output
-if os.name == "nt":
-    try:
-        print("Patching Windows Default Locale to use UTF-8")
-        # third party
-        import _locale
-
-        _locale._gdl_bak = _locale._getdefaultlocale
-        _locale._getdefaultlocale = lambda *args: (_locale._gdl_bak()[0], "utf8")
-        print("Finished Patching Windows Default Locale to use UTF-8")
-    except Exception as e:
-        print(f"Failed to patch Windows Default Locale. {e}")

packages/grid/backend/grid/tests/conftest.py

@@ -148,8 +148,6 @@ deployments:
               successThreshold: 1
               failureThreshold: 3
             env:
-              - name: SYFT_USE_UVLOOP
-                value: "0"
               - name: DOMAIN_NAME
                 value: ${DOMAIN_NAME}
               - name: POSTGRES_SERVER
@@ -164,14 +162,14 @@ deployments:
                 value: ${VERSION}
               - name: VERSION_HASH
                 value: ${VERSION_HASH}
-              - name: SERVER_NAME
-                value: ${DOMAIN}
               - name: SERVER_HOST
                 value: ${SERVER_HOST}
               - name: LOG_LEVEL
                 value: debug
               - name: NODE_TYPE
                 value: ${NODE_TYPE}
+              - name: STACK_API_KEY
+                value: ${STACK_API_KEY}
         service:
           name: ${SERVICE_NAME_BACKEND}
           ports:
@@ -209,8 +207,6 @@ deployments:
               successThreshold: 1
               failureThreshold: 3
             env:
-              - name: SYFT_USE_UVLOOP
-                value: "0"
               - name: DOMAIN_NAME
                 value: ${DOMAIN_NAME}
               - name: POSTGRES_SERVER
@@ -225,8 +221,6 @@ deployments:
                 value: ${VERSION}
               - name: VERSION_HASH
                 value: ${VERSION_HASH}
-              - name: SERVER_NAME
-                value: ${DOMAIN}
               - name: SERVER_HOST
                 value: ${SERVER_HOST}
               - name: LOG_LEVEL
@@ -235,6 +229,8 @@ deployments:
                 value: "1"
               - name: NODE_TYPE
                 value: ${NODE_TYPE}
+              - name: STACK_API_KEY
+                value: ${STACK_API_KEY}
         service:
           name: ${SERVICE_NAME_BACKEND_STREAM}
           ports:
@@ -256,8 +252,6 @@ deployments:
                 "/worker-start.sh",
               ]
             env:
-              - name: SYFT_USE_UVLOOP
-                value: "0"
               - name: DOMAIN_NAME
                 value: ${DOMAIN_NAME}
               - name: POSTGRES_SERVER
@@ -272,8 +266,6 @@ deployments:
                 value: ${VERSION}
               - name: VERSION_HASH
                 value: ${VERSION_HASH}
-              - name: SERVER_NAME
-                value: ${DOMAIN}
               - name: SERVER_HOST
                 value: ${SERVER_HOST}
               - name: CELERY_WORKER
@@ -284,6 +276,8 @@ deployments:
                 value: ${NODE_TYPE}
               - name: C_FORCE_ROOT
                 value: "1"
+              - name: STACK_API_KEY
+                value: ${STACK_API_KEY}
   - name: frontend
     helm:
       componentChart: true
@@ -295,7 +289,7 @@ deployments:
                 value: ${VERSION}
               - name: VERSION_HASH
                 value: ${VERSION_HASH}
-              - name: TYPE
+              - name: NODE_TYPE
                 value: ${NODE_TYPE}
         service:
           name: ${SERVICE_NAME_FRONTEND}
@@ -310,6 +304,8 @@ deployments:
             env:
               - name: NETWORK_NAME
                 value: ${NETWORK_NAME}
+              - name: STACK_API_KEY
+                value: ${STACK_API_KEY}
             volumeMounts:
               - containerPath: /headscale/data
                 volume:
@@ -339,6 +335,8 @@ deployments:
             env:
               - name: HOSTNAME
                 value: ${DOMAIN_NAME}
+              - name: STACK_API_KEY
+                value: ${STACK_API_KEY}
             volumeMounts:
               - containerPath: /var/lib/tailscale
                 volume: