vvraskin closed pull request #3968: Secure the invoker with ssl.
URL: https://github.com/apache/incubator-openwhisk/pull/3968
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/.gitignore b/.gitignore
index 426c27382a..e4cc77d728 100644
--- a/.gitignore
+++ b/.gitignore
@@ -67,10 +67,8 @@ ansible/roles/nginx/files/*.p12
ansible/roles/nginx/files/*cert.pem
ansible/roles/nginx/files/*p12
ansible/roles/kafka/files/*
-ansible/roles/controller/files/*.csr
-ansible/roles/controller/files/*.pem
-ansible/roles/controller/files/*.key
-ansible/roles/controller/files/*.p12
+ansible/roles/controller/files/*
+ansible/roles/invoker/files/*
# .zip files must be explicited whitelisted
*.zip
diff --git a/ansible/README.md b/ansible/README.md
index b1fd2365fb..eeca95ff2c 100644
--- a/ansible/README.md
+++ b/ansible/README.md
@@ -81,16 +81,12 @@ directory before deploying OpenWhisk.
The following step must be executed once per development environment.
It will generate the `hosts` configuration file based on your environment
settings.
-```
-ansible-playbook -i environments/<environment> setup.yml
-```
-
The default configuration does not run multiple instances of core components
(e.g., controller, invoker, kafka).
You may elect to enable high-availability (HA) mode by passing tne ansible
option `-e mode=HA` when executing this playbook.
This will configure your deployment with multiple instances (e.g., two kafka
instancess, and two invokers).
In addition to the host file generation, you need to configure the database
for your deployment. This is done
-by creating a file `ansible/db_local.ini` to provide the following properties.
+by modifying the file `ansible/db_local.ini` to provide the following
properties.
```bash
[db_creds]
@@ -102,7 +98,7 @@ db_host=
db_port=
```
-This file is generated automatically if you are using an ephermeral CouchDB
instance. Otherwise, you must create it explicitly.
+This file is generated automatically for an ephermeral CouchDB instance during
`setup.yml`. If you want to use Cloudant, you have to modify the file.
For convenience, you can use shell environment variables that are read by the
playbook to generate the required `db_local.ini` file as shown below.
```
@@ -113,7 +109,7 @@ export OW_DB_PROTOCOL=<your couchdb protocol>
export OW_DB_HOST=<your couchdb host>
export OW_DB_PORT=<your couchdb port>
-ansible-playbook -i environments/<environment> couchdb.yml --tags ini
+ansible-playbook -i environments/<environment> setup.yml
```
Alternatively, if you want to use Cloudant as your datastore:
@@ -126,7 +122,7 @@ export OW_DB_PROTOCOL=https
export OW_DB_HOST=<your cloudant user>.cloudant.com
export OW_DB_PORT=443
-ansible-playbook -i environments/<environment> couchdb.yml --tags ini
+ansible-playbook -i environments/<environment> setup.yml
```
#### Install Prerequisites
diff --git a/ansible/couchdb.yml b/ansible/couchdb.yml
index bcdea9bf7f..3c739ff280 100644
--- a/ansible/couchdb.yml
+++ b/ansible/couchdb.yml
@@ -3,18 +3,6 @@
---
# This playbook deploys a CouchDB for Openwhisk.
-- hosts: localhost
- tasks:
- - name: check if db_local.ini exists?
- tags: ini
- stat: path="{{ playbook_dir }}/db_local.ini"
- register: db_check
-
- - name: prepare db_local.ini
- tags: ini
- local_action: template src="db_local.ini.j2" dest="{{ playbook_dir
}}/db_local.ini"
- when: not db_check.stat.exists
-
- hosts: db
roles:
- couchdb
diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index ad7e441937..4229701b43 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -56,6 +56,9 @@ limits:
firesPerMinute: "{{ limit_fires_per_minute | default(60) }}"
sequenceMaxLength: "{{ limit_sequence_max_length | default(50) }}"
+# Moved here to avoid recursions. Please do not use outside of controller-dict.
+__controller_ssl_keyPrefix: "controller-"
+
# port means outer port
controller:
dir:
@@ -83,28 +86,19 @@ controller:
loglevel: "{{ controller_loglevel | default(whisk_loglevel) |
default('INFO') }}"
entitlement:
spi: "{{ controller_entitlement_spi | default('') }}"
- protocol: "{{ controllerProtocolForSetup }}"
+ protocol: "{{ controller_protocol | default('https') }}"
ssl:
cn: openwhisk-controllers
- cert: "{{ controller_ca_cert |
default('controller-openwhisk-server-cert.pem') }}"
- key: "{{ controller_key | default('controller-openwhisk-server-key.pem')
}}"
- clientAuth: "{{ controller_client_auth | default('true') }}"
+ keyPrefix: "{{ __controller_ssl_keyPrefix }}"
storeFlavor: PKCS12
+ clientAuth: "{{ controller_client_auth | default('true') }}"
+ cert: "{{ __controller_ssl_keyPrefix }}openwhisk-server-cert.pem"
+ key: "{{ __controller_ssl_keyPrefix }}openwhisk-server-key.pem"
keystore:
- password: "{{ controllerKeystorePassword }}"
- path: "/conf/{{ controllerKeystoreName }}"
-# keystore and truststore are the same as long as controller and nginx share
the certificate
- truststore:
- password: "{{ controllerKeystorePassword }}"
- path: "/conf/{{ controllerKeystoreName }}"
+ password: "openwhisk"
+ name: "{{ __controller_ssl_keyPrefix }}openwhisk-keystore.p12"
extraEnv: "{{ controller_extraEnv | default({}) }}"
-# move controller protocol outside to not evaluate controller variables during
execution of setup.yml
-controllerProtocolForSetup: "{{ controller_protocol | default('https') }}"
-controllerKeystoreName: "{{ controllerKeyPrefix }}openwhisk-keystore.p12"
-controllerKeyPrefix: "controller-"
-controllerKeystorePassword: openwhisk
-
jmx:
basePortController: 15000
rmiBasePortController: 16000
@@ -166,6 +160,9 @@ zookeeper_connect_string: "{% set ret = [] %}\
invokerHostnameFromMap: "{{ groups['invokers'] | map('extract', hostvars,
'ansible_host') | list | first }}"
invokerHostname: "{{ invokerHostnameFromMap | default(inventory_hostname) }}"
+# Moved here to avoid recursions. Please do not use outside of invoker-dict.
+__invoker_ssl_keyPrefix: "invoker-"
+
invoker:
dir:
become: "{{ invoker_dir_become | default(false) }}"
@@ -187,6 +184,17 @@ invoker:
{{ jmx.jvmCommonArgs }} -Djava.rmi.server.hostname={{ invokerHostname }}
-Dcom.sun.management.jmxremote.rmi.port={{ jmx.rmiBasePortInvoker +
groups['invokers'].index(inventory_hostname) }}
-Dcom.sun.management.jmxremote.port={{ jmx.basePortInvoker +
groups['invokers'].index(inventory_hostname) }}
{% endif %}"
extraEnv: "{{ invoker_extraEnv | default({}) }}"
+ protocol: "{{ invoker_protocol | default('https') }}"
+ ssl:
+ cn: "openwhisk-invokers"
+ keyPrefix: "{{ __invoker_ssl_keyPrefix }}"
+ storeFlavor: "PKCS12"
+ clientAuth: "{{ invoker_client_auth | default('true') }}"
+ cert: "{{ __invoker_ssl_keyPrefix }}openwhisk-server-cert.pem"
+ key: "{{ __invoker_ssl_keyPrefix }}openwhisk-server-key.pem"
+ keystore:
+ password: "{{ invoker_keystore_password | default('openwhisk') }}"
+ name: "{{ __invoker_ssl_keyPrefix }}openwhisk-keystore.p12"
userLogs:
spi: "{{ userLogs_spi |
default('whisk.core.containerpool.logging.DockerToActivationLogStoreProvider')
}}"
diff --git a/ansible/roles/controller/tasks/deploy.yml
b/ansible/roles/controller/tasks/deploy.yml
index a34bb9b39b..de2d71f704 100644
--- a/ansible/roles/controller/tasks/deploy.yml
+++ b/ansible/roles/controller/tasks/deploy.yml
@@ -58,7 +58,7 @@
- name: copy nginx certificate keystore
when: controller.protocol == 'https'
copy:
- src: files/{{ controllerKeystoreName }}
+ src: files/{{ controller.ssl.keystore.name }}
mode: 0666
dest: "{{ controller.confdir }}/{{ controller_name }}"
become: "{{ controller.dir.become }}"
@@ -207,17 +207,11 @@
"METRICS_LOG": "{{ metrics.log.enabled }}"
"CONFIG_whisk_controller_protocol": "{{ controller.protocol }}"
"CONFIG_whisk_controller_https_keystorePath":
- "{{ controller.ssl.keystore.path }}"
+ "/conf/{{ controller.ssl.keystore.name }}"
"CONFIG_whisk_controller_https_keystorePassword":
"{{ controller.ssl.keystore.password }}"
"CONFIG_whisk_controller_https_keystoreFlavor":
"{{ controller.ssl.storeFlavor }}"
- "CONFIG_whisk_controller_https_truststorePath":
- "{{ controller.ssl.truststore.path }}"
- "CONFIG_whisk_controller_https_truststorePassword":
- "{{ controller.ssl.truststore.password }}"
- "CONFIG_whisk_controller_https_truststoreFlavor":
- "{{ controller.ssl.storeFlavor }}"
"CONFIG_whisk_controller_https_clientAuth":
"{{ controller.ssl.clientAuth }}"
"CONFIG_whisk_loadbalancer_invokerUserMemory":
diff --git a/ansible/roles/invoker/tasks/deploy.yml
b/ansible/roles/invoker/tasks/deploy.yml
index 706d5dcf7e..145febf2a8 100644
--- a/ansible/roles/invoker/tasks/deploy.yml
+++ b/ansible/roles/invoker/tasks/deploy.yml
@@ -86,6 +86,18 @@
src: "{{ openwhisk_home }}/ansible/roles/kafka/files/{{
kafka.ssl.keystore.name }}"
dest: "{{ invoker.confdir }}/{{ invoker_name }}"
+- name: copy keystore, key and cert
+ when: invoker.protocol == "https"
+ copy:
+ src: "{{ item }}"
+ mode: 0666
+ dest: "{{ invoker.confdir }}/{{ invoker_name }}"
+ become: "{{ invoker.dir.become }}"
+ with_items:
+ - "files/{{ invoker.ssl.keystore.name }}"
+ - "files/{{ invoker.ssl.key }}"
+ - "files/{{ invoker.ssl.cert }}"
+
- name: check, that required databases exist
include_tasks: "{{ openwhisk_home }}/ansible/tasks/db/checkDb.yml"
vars:
@@ -224,6 +236,11 @@
"CONFIG_whisk_timeLimit_std": "{{ limit_action_time_std | default() }}"
"CONFIG_whisk_activation_payload_max": "{{ limit_activation_payload |
default() }}"
"CONFIG_whisk_transactions_header": "{{ transactions.header }}"
+ "CONFIG_whisk_invoker_protocol": "{{ invoker.protocol }}"
+ "CONFIG_whisk_invoker_https_keystorePath": "/conf/{{
invoker.ssl.keystore.name }}"
+ "CONFIG_whisk_invoker_https_keystorePassword": "{{
invoker.ssl.keystore.password }}"
+ "CONFIG_whisk_invoker_https_keystoreFlavor": "{{ invoker.ssl.storeFlavor
}}"
+ "CONFIG_whisk_invoker_https_clientAuth": "{{ invoker.ssl.clientAuth }}"
- name: extend invoker dns env
set_fact:
@@ -290,7 +307,10 @@
- name: wait until Invoker is up and running
uri:
- url: "http://{{ ansible_host }}:{{ invoker.port + (invoker_index | int)
}}/ping"
+ url: "{{ invoker.protocol }}://{{ ansible_host }}:{{ invoker.port +
(invoker_index | int) }}/ping"
+ validate_certs: "no"
+ client_key: "{{ invoker.confdir }}/{{ invoker_name }}/{{ invoker.ssl.key
}}"
+ client_cert: "{{ invoker.confdir }}/{{ invoker_name }}/{{ invoker.ssl.cert
}}"
register: result
until: result.status == 200
retries: 12
diff --git a/ansible/setup.yml b/ansible/setup.yml
index b6a43cd1ad..a550389939 100644
--- a/ansible/setup.yml
+++ b/ansible/setup.yml
@@ -5,6 +5,7 @@
- hosts: localhost
tasks:
+ # Generate hosts files
- name: gen hosts if 'local' env is used
local_action: template
src="{{playbook_dir}}/environments/local/hosts.j2.ini" dest="{{ playbook_dir
}}/environments/local/hosts"
when: "'environments/local' in hosts_dir"
@@ -23,6 +24,21 @@
local_action: template
src="{{playbook_dir}}/environments/docker-machine/hosts.j2.ini" dest="{{
playbook_dir }}/environments/docker-machine/hosts"
when: "'environments/docker-machine' in hosts_dir"
+ - name: Refresh inventory to ensure generated hosts files are used
+ meta: refresh_inventory
+
+ # Generate db_local.ini
+ - name: check if db_local.ini exists?
+ tags: ini
+ stat: path="{{ playbook_dir }}/db_local.ini"
+ register: db_check
+
+ - name: prepare db_local.ini
+ tags: ini
+ local_action: template src="db_local.ini.j2" dest="{{ playbook_dir
}}/db_local.ini"
+ when: not db_check.stat.exists
+
+ # Generate nginx certificates
- name: gen untrusted server certificate for host
local_action: shell "{{ playbook_dir }}/files/genssl.sh" "*.{{
whisk_api_localhost_name | default(whisk_api_host_name) |
default(whisk_api_localhost_name_default) }}" "server" "{{ playbook_dir
}}/roles/nginx/files"
when: nginx.ssl.cert == "openwhisk-server-cert.pem"
@@ -31,6 +47,7 @@
local_action: shell "{{ playbook_dir }}/files/genssl.sh" "*.{{
whisk_api_localhost_name | default(whisk_api_host_name) |
default(whisk_api_localhost_name_default) }}" "client" "{{ playbook_dir
}}/roles/nginx/files"
when: nginx.ssl.client_ca_cert == "openwhisk-client-ca-cert.pem"
+ # Generate Kafka certificates
- name: clean up old kafka keystore
file:
path: "{{ playbook_dir }}/roles/kafka/files"
@@ -46,19 +63,32 @@
become: "{{ logs.dir.become }}"
when: kafka_protocol_for_setup == 'SSL'
-
- name: generate kafka certificates
local_action: shell "{{ playbook_dir }}/files/genssl.sh" "openwhisk-kafka"
"server_with_JKS_keystore" "{{ playbook_dir }}/roles/kafka/files" openwhisk
"kafka-" "generateKey"
when: kafka_protocol_for_setup == 'SSL'
+ # Generate Controller certificates
- name: ensure controller files directory exists
file:
path: "{{ playbook_dir }}/roles/controller/files/"
state: directory
mode: 0777
become: "{{ logs.dir.become }}"
- when: controllerProtocolForSetup == 'https'
+ when: controller.protocol == 'https'
- name: generate controller certificates
- when: controllerProtocolForSetup == 'https'
- local_action: shell "{{ playbook_dir }}/files/genssl.sh"
"openwhisk-controllers" "server" "{{ playbook_dir }}/roles/controller/files" {{
controllerKeystorePassword }} {{ controllerKeyPrefix }} "generateKey"
+ when: controller.protocol == 'https'
+ local_action: shell "{{ playbook_dir }}/files/genssl.sh" "{{
controller.ssl.cn }}" "server" "{{ playbook_dir }}/roles/controller/files" {{
controller.ssl.keystore.password }} {{ controller.ssl.keyPrefix }} "generateKey"
+
+ # Generate Invoker certificates
+ - name: ensure invoker files directory exists
+ file:
+ path: "{{ playbook_dir }}/roles/invoker/files/"
+ state: directory
+ mode: 0777
+ become: "{{ logs.dir.become }}"
+ when: invoker.protocol == 'https'
+
+ - name: generate invoker certificates
+ when: invoker.protocol == 'https'
+ local_action: shell "{{ playbook_dir }}/files/genssl.sh" "{{
invoker.ssl.cn }}" "server" "{{ playbook_dir }}/roles/invoker/files" {{
invoker.ssl.keystore.password }} {{ invoker.ssl.keyPrefix }} "generateKey"
diff --git a/common/scala/src/main/scala/whisk/common/Https.scala
b/common/scala/src/main/scala/whisk/common/Https.scala
index 2751498144..4f2fb4d430 100644
--- a/common/scala/src/main/scala/whisk/common/Https.scala
+++ b/common/scala/src/main/scala/whisk/common/Https.scala
@@ -24,28 +24,18 @@ import javax.net.ssl.{KeyManagerFactory, SSLContext,
TrustManagerFactory}
import akka.http.scaladsl.ConnectionContext
import akka.stream.TLSClientAuth
import com.typesafe.sslconfig.akka.AkkaSSLConfig
-import whisk.core.WhiskConfig
-import pureconfig._
object Https {
- case class HttpsConfig(keystorePassword: String,
- keystoreFlavor: String,
- keystorePath: String,
- truststorePath: String,
- truststorePassword: String,
- truststoreFlavor: String,
- clientAuth: String)
- private val httpsConfig =
loadConfigOrThrow[HttpsConfig]("whisk.controller.https")
+ case class HttpsConfig(keystorePassword: String, keystoreFlavor: String,
keystorePath: String, clientAuth: String)
def getCertStore(password: Array[Char], flavor: String, path: String):
KeyStore = {
- val certStorePassword: Array[Char] = password
val cs: KeyStore = KeyStore.getInstance(flavor)
val certStore: InputStream = new FileInputStream(path)
- cs.load(certStore, certStorePassword)
+ cs.load(certStore, password)
cs
}
- def connectionContext(config: WhiskConfig, sslConfig: Option[AkkaSSLConfig]
= None) = {
+ def connectionContext(httpsConfig: HttpsConfig, sslConfig:
Option[AkkaSSLConfig] = None) = {
val keyFactoryType = "SunX509"
val clientAuth = {
@@ -55,17 +45,21 @@ object Https {
Some(TLSClientAuth.none)
}
-// configure keystore
val keystorePassword = httpsConfig.keystorePassword.toCharArray
- val ks: KeyStore = getCertStore(keystorePassword,
httpsConfig.keystoreFlavor, httpsConfig.keystorePath)
+
+ val keyStore: KeyStore = KeyStore.getInstance(httpsConfig.keystoreFlavor)
+ val keyStoreStream: InputStream = new
FileInputStream(httpsConfig.keystorePath)
+ keyStore.load(keyStoreStream, keystorePassword)
+
val keyManagerFactory: KeyManagerFactory =
KeyManagerFactory.getInstance(keyFactoryType)
- keyManagerFactory.init(ks, keystorePassword)
+ keyManagerFactory.init(keyStore, keystorePassword)
-// configure truststore
- val truststorePassword = httpsConfig.truststorePassword.toCharArray
- val ts: KeyStore = getCertStore(truststorePassword,
httpsConfig.truststoreFlavor, httpsConfig.keystorePath)
+ // Currently, we are using the keystore as truststore as well, because the
clients use the same keys as the
+ // server for client authentication (if enabled).
+ // So this code is guided by
https://doc.akka.io/docs/akka-http/10.0.9/scala/http/server-side-https-support.html
+ // This needs to be reworked, when we fix the keys and certificates.
val trustManagerFactory: TrustManagerFactory =
TrustManagerFactory.getInstance(keyFactoryType)
- trustManagerFactory.init(ts)
+ trustManagerFactory.init(keyStore)
val sslContext: SSLContext = SSLContext.getInstance("TLS")
sslContext.init(keyManagerFactory.getKeyManagers,
trustManagerFactory.getTrustManagers, new SecureRandom)
diff --git a/common/scala/src/main/scala/whisk/http/BasicHttpService.scala
b/common/scala/src/main/scala/whisk/http/BasicHttpService.scala
index 38d2e3d099..9fa2c76e91 100644
--- a/common/scala/src/main/scala/whisk/http/BasicHttpService.scala
+++ b/common/scala/src/main/scala/whisk/http/BasicHttpService.scala
@@ -21,15 +21,15 @@ import java.util.concurrent.ThreadLocalRandom
import akka.actor.ActorSystem
import akka.event.Logging
-import akka.http.scaladsl.Http
+import akka.http.scaladsl.{Http, HttpConnectionContext}
import akka.http.scaladsl.model.{HttpRequest, _}
import akka.http.scaladsl.server.RouteResult.Rejected
import akka.http.scaladsl.server._
import akka.http.scaladsl.server.directives._
import akka.stream.ActorMaterializer
import spray.json._
+import whisk.common.Https.HttpsConfig
import whisk.common._
-import whisk.core.WhiskConfig
import scala.collection.immutable.Seq
import scala.concurrent.duration.DurationInt
@@ -163,23 +163,13 @@ trait BasicHttpService extends Directives {
object BasicHttpService {
/**
- * Starts an HTTPS route handler on given port and registers a shutdown hook.
+ * Starts an HTTP(S) route handler on given port and registers a shutdown
hook.
*/
- def startHttpsService(route: Route, port: Int, config: WhiskConfig)(implicit
actorSystem: ActorSystem,
-
materializer: ActorMaterializer): Unit = {
-
- implicit val executionContext = actorSystem.dispatcher
-
- val httpsBinding = Http().bindAndHandle(route, "0.0.0.0", port,
connectionContext = Https.connectionContext(config))
- addShutdownHook(httpsBinding)
- }
-
- /**
- * Starts an HTTP route handler on given port and registers a shutdown hook.
- */
- def startHttpService(route: Route, port: Int)(implicit actorSystem:
ActorSystem,
- materializer:
ActorMaterializer): Unit = {
- val httpBinding = Http().bindAndHandle(route, "0.0.0.0", port)
+ def startHttpService(route: Route, port: Int, config: Option[HttpsConfig] =
None)(
+ implicit actorSystem: ActorSystem,
+ materializer: ActorMaterializer): Unit = {
+ val connectionContext =
config.map(Https.connectionContext(_)).getOrElse(HttpConnectionContext)
+ val httpBinding = Http().bindAndHandle(route, "0.0.0.0", port,
connectionContext = connectionContext)
addShutdownHook(httpBinding)
}
diff --git
a/core/controller/src/main/scala/whisk/core/controller/Controller.scala
b/core/controller/src/main/scala/whisk/core/controller/Controller.scala
index c130727635..5c6cd03811 100644
--- a/core/controller/src/main/scala/whisk/core/controller/Controller.scala
+++ b/core/controller/src/main/scala/whisk/core/controller/Controller.scala
@@ -17,38 +17,34 @@
package whisk.core.controller
-import scala.concurrent.Await
-import scala.concurrent.duration.DurationInt
-import scala.concurrent.Future
-import scala.util.{Failure, Success}
import akka.Done
-import akka.actor.ActorSystem
-import akka.actor.CoordinatedShutdown
+import akka.actor.{ActorSystem, CoordinatedShutdown}
+import akka.event.Logging.InfoLevel
import akka.http.scaladsl.marshallers.sprayjson.SprayJsonSupport._
import akka.http.scaladsl.model.Uri
import akka.http.scaladsl.server.Route
import akka.stream.ActorMaterializer
-import spray.json._
-import spray.json.DefaultJsonProtocol._
import kamon.Kamon
-import whisk.common.AkkaLogging
-import whisk.common.Logging
-import whisk.common.LoggingMarkers
-import whisk.common.TransactionId
+import pureconfig.loadConfigOrThrow
+import spray.json.DefaultJsonProtocol._
+import spray.json._
+import whisk.common.Https.HttpsConfig
+import whisk.common.{AkkaLogging, Logging, LoggingMarkers, TransactionId}
import whisk.core.WhiskConfig
import whisk.core.connector.MessagingProvider
+import whisk.core.containerpool.logging.LogStoreProvider
import whisk.core.database.{ActivationStoreProvider, CacheChangeNotification,
RemoteCacheInvalidation}
import whisk.core.entitlement._
-import whisk.core.entity._
import whisk.core.entity.ActivationId.ActivationIdGenerator
import whisk.core.entity.ExecManifest.Runtimes
+import whisk.core.entity._
import whisk.core.loadBalancer.{InvokerState, LoadBalancerProvider}
-import whisk.http.BasicHttpService
-import whisk.http.BasicRasService
+import whisk.http.{BasicHttpService, BasicRasService}
import whisk.spi.SpiLoader
-import whisk.core.containerpool.logging.LogStoreProvider
-import akka.event.Logging.InfoLevel
-import pureconfig.loadConfigOrThrow
+
+import scala.concurrent.duration.DurationInt
+import scala.concurrent.{Await, Future}
+import scala.util.{Failure, Success}
/**
* The Controller is the service that provides the REST API for OpenWhisk.
@@ -262,10 +258,11 @@ object Controller {
actorSystem,
ActorMaterializer.create(actorSystem),
logger)
- if (Controller.protocol == "https")
- BasicHttpService.startHttpsService(controller.route, port,
config)(actorSystem, controller.materializer)
- else
- BasicHttpService.startHttpService(controller.route,
port)(actorSystem, controller.materializer)
+
+ val httpsConfig =
+ if (Controller.protocol == "https")
Some(loadConfigOrThrow[HttpsConfig]("whisk.controller.https")) else None
+
+ BasicHttpService.startHttpService(controller.route, port,
httpsConfig)(actorSystem, controller.materializer)
case Failure(t) =>
abort(s"Invalid runtimes manifest: $t")
diff --git
a/core/controller/src/main/scala/whisk/core/controller/Triggers.scala
b/core/controller/src/main/scala/whisk/core/controller/Triggers.scala
index d3192a2aeb..18892415df 100644
--- a/core/controller/src/main/scala/whisk/core/controller/Triggers.scala
+++ b/core/controller/src/main/scala/whisk/core/controller/Triggers.scala
@@ -37,6 +37,7 @@ import spray.json.DefaultJsonProtocol._
import com.typesafe.sslconfig.akka.AkkaSSLConfig
import pureconfig.loadConfigOrThrow
import spray.json._
+import whisk.common.Https.HttpsConfig
import whisk.common.{Https, TransactionId}
import whisk.core.controller.RestApiCommons.{ListLimit, ListSkip}
import whisk.core.database.{ActivationStore, CacheChangeNotification}
@@ -64,7 +65,8 @@ trait WhiskTriggersApi extends WhiskCollectionAPI {
val sslConfig = AkkaSSLConfig().mapSettings { s =>
s.withLoose(s.loose.withDisableHostnameVerification(true))
}
- Https.connectionContext(whiskConfig, Some(sslConfig))
+ val httpsConfig = loadConfigOrThrow[HttpsConfig]("whisk.controller.https")
+ Https.connectionContext(httpsConfig, Some(sslConfig))
}
diff --git a/core/invoker/src/main/scala/whisk/core/invoker/Invoker.scala
b/core/invoker/src/main/scala/whisk/core/invoker/Invoker.scala
index 572d04ef44..198710f5e6 100644
--- a/core/invoker/src/main/scala/whisk/core/invoker/Invoker.scala
+++ b/core/invoker/src/main/scala/whisk/core/invoker/Invoker.scala
@@ -22,6 +22,8 @@ import akka.actor.{ActorSystem, CoordinatedShutdown}
import akka.stream.ActorMaterializer
import com.typesafe.config.ConfigValueFactory
import kamon.Kamon
+import pureconfig.loadConfigOrThrow
+import whisk.common.Https.HttpsConfig
import whisk.common._
import whisk.core.WhiskConfig
import whisk.core.WhiskConfig._
@@ -39,6 +41,8 @@ case class CmdLineArgs(uniqueName: Option[String] = None, id:
Option[Int] = None
object Invoker {
+ protected val protocol = loadConfigOrThrow[String]("whisk.invoker.protocol")
+
/**
* An object which records the environment variables required for this
component to run.
*/
@@ -157,7 +161,10 @@ object Invoker {
})
val port = config.servicePort.toInt
- BasicHttpService.startHttpService(new BasicRasService {}.route, port)(
+ val httpsConfig =
+ if (Invoker.protocol == "https")
Some(loadConfigOrThrow[HttpsConfig]("whisk.invoker.https")) else None
+
+ BasicHttpService.startHttpService(new BasicRasService {}.route, port,
httpsConfig)(
actorSystem,
ActorMaterializer.create(actorSystem))
}
diff --git a/tests/src/test/resources/application.conf.j2
b/tests/src/test/resources/application.conf.j2
index c1cec8c4cd..ec40eb17e2 100644
--- a/tests/src/test/resources/application.conf.j2
+++ b/tests/src/test/resources/application.conf.j2
@@ -59,14 +59,20 @@ whisk {
protocol = {{ controller.protocol }}
https {
keystore-flavor = "{{ controller.ssl.storeFlavor }}"
- keystore-path = "{{ openwhisk_home
}}/ansible/roles/controller/files/{{ controllerKeystoreName }}"
+ keystore-path = "{{ openwhisk_home
}}/ansible/roles/controller/files/{{ controller.ssl.keystore.name }}"
keystore-password = "{{ controller.ssl.keystore.password }}"
- truststore-flavor = "{{ controller.ssl.storeFlavor }}"
- truststore-path = "{{ openwhisk_home
}}/ansible/roles/controller/files/{{ controllerKeystoreName }}"
- truststore-password = "{{ controller.ssl.keystore.password }}"
client-auth = "{{ controller.ssl.clientAuth }}"
}
}
+ invoker {
+ protocol = {{ invoker.protocol }}
+ https {
+ keystore-flavor = "{{ invoker.ssl.storeFlavor }}"
+ keystore-path = "{{ openwhisk_home }}/ansible/roles/invoker/files/{{
invoker.ssl.keystore.name }}"
+ keystore-password = "{{ invoker.ssl.keystore.password }}"
+ client-auth = "{{ invoker.ssl.clientAuth }}"
+ }
+ }
user-events {
enabled = {{ user_events }}
}
diff --git a/tools/vagrant/README.md b/tools/vagrant/README.md
index 127ec27248..1dce73d7f0 100644
--- a/tools/vagrant/README.md
+++ b/tools/vagrant/README.md
@@ -227,7 +227,7 @@ Do not restart the VM using Virtual Box tools, and always
use `vagrant` from the
command line: `vagrant up` to start the VM and `vagrant reload` to restart it.
This allows the `$HOME/openwhisk` folder to be available inside the VM.
-**Tip** If you have problems with data stores check that
`ansible/db_local.ini`.
+**Tip** If you have problems with data stores check that
`ansible/db_local.ini` exists.
**Tip**
To initialize the data store from scratch run `ansible-playbook -i
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
