feat(service): switch to using https (remove http)

The service provide a self-signed certificate file (.crt) so clients can use secure.  Insecure is also available.

cmd/cfm-service/main.go

@@ -4,10 +4,12 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"log"
 	"net/http"
 	"os"
+	"os/exec"
 	"strings"
 	"sync"
 
@@ -16,6 +18,7 @@ import (
 	"cfm/pkg/common/datastore"
 	"cfm/pkg/openapi"
 	"cfm/pkg/redfishapi"
+	"cfm/pkg/security"
 	"cfm/services"
 
 	"github.com/rs/cors"
@@ -88,7 +91,59 @@ func main() {
 		}
 	}
 
+	server, err := GenerateCfmServer(ctx, &settings, &handler)
+	if err != nil {
+		logger.Error(err, ", failed to generate cfm server: %s", err)
+		os.Exit(1)
+	}
+
 	// Start the main service
 	logger.V(0).Info("cfm-service web server", "port", settings.Port)
-	log.Fatal(http.ListenAndServe(":"+settings.Port, handler))
+	log.Fatal(server.ListenAndServeTLS("", ""))
+}
+
+// GenerateCfmServer - Generates the primary cfm server using a runtine-generated self-signed certificate.
+// Updates environmenetal variable SEAGATE_CFM_SERVICE_CRT_PATH.
+// Saves the certificate to the SEAGATE_CFM_SERVICE_CRT_PATH location so that it can be shared with a local client.
+func GenerateCfmServer(ctx context.Context, settings *common.Settings, handler *http.Handler) (*http.Server, error) {
+	logger := klog.FromContext(ctx)
+
+	// Set environment variable (visible to webui but not cli (runs in different shell))
+	err := os.Setenv("SEAGATE_CFM_SERVICE_CRT_PATH", security.SEAGATE_CFM_SERVICE_CRT_FILEPATH)
+	if err != nil {
+		return nil, fmt.Errorf("failure: setting environment variable: %v", err)
+	}
+
+	// Generate the keys
+	cert, certPEM, err := security.GenerateSelfSignedCert()
+	if err != nil {
+		return nil, fmt.Errorf("failure: tls (self-signed) certificate generation: %v", err)
+	}
+
+	// Write the certificate to a file
+	err = os.WriteFile(security.SEAGATE_CFM_SERVICE_CRT_FILEPATH, []byte(certPEM), 0644)
+	if err != nil {
+		return nil, fmt.Errorf("failure: tls cert file save: %v", err)
+	}
+
+	logger.V(2).Info(fmt.Sprintf("cfm tls (self-signed) cert file saved to: %s ", security.SEAGATE_CFM_SERVICE_CRT_FILEPATH))
+
+	// Update CA certificates
+	cmd := exec.Command("update-ca-certificates") // This assumes the above self-signed .crt file is written to the correct location
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return nil, fmt.Errorf("failure: update CA certificates: %v", err)
+	}
+
+	// Configure the server
+	server := &http.Server{
+		Addr: ":" + settings.Port,
+		TLSConfig: &tls.Config{
+			Certificates: []tls.Certificate{*cert},
+		},
+		Handler: *handler,
+	}
+
+	return server, nil
 }

docker/Dockerfile

@@ -46,7 +46,7 @@ RUN git apply api/patch/*.redfish.patch
 # build the excutable
 RUN make build-go
 
-FROM node:alpine as npm
+FROM node:alpine AS npm
 ENV BASEPATH=/cfm
 
 # copy source code with generated files to go image
@@ -60,14 +60,17 @@ RUN npm run build
 FROM alpine:latest
 ENV BASEPATH=/cfm
 
+# Install packages
+RUN apk add --no-cache ca-certificates openssl bash curl jq
+
 # copy source code with generated files to go image
 COPY --from=go ${BASEPATH}/cfm-service ${BASEPATH}/cfm-service
 COPY --from=go ${BASEPATH}/cfm-cli ${BASEPATH}/cfm-cli
 COPY --from=npm ${BASEPATH}/webui/dist ${BASEPATH}/webui/dist
 
 RUN ln -s /local/cfmdatastore.json ${BASEPATH}/cfmdatastore.json
 
-LABEL org.opencontainers.image.source https://github.com/seagate/cfm
+LABEL org.opencontainers.image.source=https://github.com/seagate/cfm
 
 WORKDIR ${BASEPATH}
 # Start the service

pkg/security/certificates.go

@@ -0,0 +1,74 @@
+// Copyright (c) 2024 Seagate Technology LLC and/or its Affiliates
+package security
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"net"
+	"time"
+)
+
+const (
+	SEAGATE_CFM_SERVICE_CRT_FILEPATH = "/usr/local/share/ca-certificates/github_com_seagate_cfm-self-signed.crt"
+)
+
+// GenerateSelfSignedCert - Generates the self-signed SSL/TLS certificate and private key at runtime.
+func GenerateSelfSignedCert() (*tls.Certificate, []byte, error) {
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	notBefore := time.Now()
+	notAfter := notBefore.Add(365 * 24 * time.Hour)
+
+	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			Country:            []string{"US"},
+			Organization:       []string{"SEAGATE TECHNOLOGY LLC"},
+			OrganizationalUnit: []string{"MAG"},
+			Locality:           []string{"Longmont"},
+			Province:           []string{"Colorado"},
+			CommonName:         "localhost", // Set CommonName to a valid hostname
+		},
+		NotBefore: notBefore,
+		NotAfter:  notAfter,
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // Add IP SAN
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	keyPEM, err := x509.MarshalECPrivateKey(priv)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	keyPEMBytes := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyPEM})
+
+	cert, err := tls.X509KeyPair(certPEM, keyPEMBytes)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return &cert, certPEM, nil
+}