Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-24 09:28:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 31
fleet/tools/test-orbit-mtls/README.md
Lucas Manuel Rodriguez 7dadec3ecf
Add mTLS support to fleetd (#11319) 
#7970

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [x] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [x] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-04-27 08:44:39 -03:00

99 lines
No EOL
3.4 KiB
Markdown
Raw Blame History

# Test Orbit mTLS
> WARNING: All of these scripts are for testing only, they are not safe for production use.
Following is a guide to help you run and test Orbit with TLS client certificate authentication.
All commands are executed in the repository's root directory.
All commands were tested on an Intel macOS.
## Diagram of components
```mermaid
graph LR;
tuf[TUF file server<br>http://host.docker.internal:8081];
fleet_server[Fleet Server<br>https://host.docker.internal:8080];
subgraph nginx[<b>nginx</b> https://host.docker.internal:8888]
client_ca[client_ca.crt];
server_certificate_nginx[fleet.pem];
end
nginx -- TLS Fleet --> fleet_server;
nginx -- HTTP /tuf --> tuf;
subgraph fleetd
subgraph orbit
fleet_client_certificate_orbit[fleet_client.crt<br>fleet_client.key];
update_client_certificate_orbit[update_client.crt<br>update_client.key];
fleet_server_certificate_orbit[fleet.pem];
update_server_certificate_orbit[update.pem];
end
subgraph desktop [Fleet Desktop]
client_certificate_desktop["(from env)<br>fleet_client.crt<br>fleet_client.key"];
server_certificate_desktop["(from env)<br>fleet.pem"];
end
subgraph osquery[osquery];
client_certificate_osquery[--tls_client_cert=fleet_client.crt<br>--tls_client_key=fleet_client.key];
server_certificate_osquery[--tls_server_certs=fleet.pem];
end
desktop_browser[Fleet Desktop<br> from Browser];
end
orbit -- "Fleet Orbit API (TLS)" --> nginx;
desktop -- "Fleet Desktop API (TLS)" --> nginx;
osquery -- "osquery<br>remote API (TLS)" --> nginx;
desktop_browser -- "My Device URL (TLS)" --> fleet_server;
orbit -- TUF TLS --> nginx;
subgraph fleetctl[fleetctl package command]
update_client_certificate_fleetctl[update_client.crt<br>update_client.key];
end
fleetctl -- TUF TLS --> nginx;
```
The nginx proxy is configured to authenticate all TLS requests with the provided `client_ca.crt`.
## 1. Setup
This guide assumes the following [Local TUF setup](../tuf/test/README.md#setup).
## 2. Start nginx proxy with client certificate verification
```sh
docker compose -f ./tools/test-orbit-mtls/docker-compose.yml up
```
The proxy will listen to port 8888 and use TLS client certificates for authentication.
## 3. Generate Orbit installers with custom flags
```sh
rm -rf test_tuf
SYSTEMS="macos windows linux" \
PKG_FLEET_URL=https://host.docker.internal:8888 \
PKG_TUF_URL=https://host.docker.internal:8888/tuf \
DEB_FLEET_URL=https://host.docker.internal:8888 \
DEB_TUF_URL=https://host.docker.internal:8888/tuf \
RPM_FLEET_URL=https://host.docker.internal:8888 \
RPM_TUF_URL=https://host.docker.internal:8888/tuf \
MSI_FLEET_URL=https://host.docker.internal:8888 \
MSI_TUF_URL=https://host.docker.internal:8888/tuf \
GENERATE_PKG=1 \
GENERATE_DEB=1 \
GENERATE_RPM=1 \
GENERATE_MSI=1 \
ENROLL_SECRET=OokY/M85nibwa3WjDtC091QzXqkoVCwX \
FLEET_DESKTOP=1 \
USE_FLEET_SERVER_CERTIFICATE=1 \
USE_FLEET_CLIENT_CERTIFICATE=1 \
USE_UPDATE_SERVER_CERTIFICATE=1 \
USE_UPDATE_CLIENT_CERTIFICATE=1 \
FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST=host.docker.internal:8080 \
./tools/tuf/test/main.sh
```
We need to define `FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST` because we are not expecting users to configure client certificates on their browser.
Once the packages are generated, they are ready to be installed on devices for testing.
Reference in a new issue View git blame Copy permalink