Merge pull request #4539 from reasonerjt/trust-admiral-cert

Trust Root CA of VIC appliance when accessing Admiral

src/common/utils/test/adminserver.go

@@ -61,7 +61,7 @@ var adminServerDefaultConfig = map[string]interface{}{
 	common.TokenExpiration:            30,
 	common.CfgExpiration:              5,
 	common.AdminInitialPassword:       "password",
-	common.AdmiralEndpoint:            "http://www.vmware.com",
+	common.AdmiralEndpoint:            "",
 	common.WithNotary:                 false,
 	common.WithClair:                  false,
 	common.ClairDBUsername:            "postgres",
@@ -84,8 +84,13 @@ func NewAdminserver(config map[string]interface{}) (*httptest.Server, error) {
 	m := []*RequestHandlerMapping{}
 	if config == nil {
 		config = adminServerDefaultConfig
+	} else {
+		for k, v := range adminServerDefaultConfig {
+			if _, ok := config[k]; !ok {
+				config[k] = v
+			}
+		}
 	}
-
 	b, err := json.Marshal(config)
 	if err != nil {
 		return nil, err

src/ui/config/config.go

@@ -16,8 +16,10 @@ package config
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"net/http"
 	"os"
 	"strconv"
@@ -58,6 +60,8 @@ var (
 	TokenReader admiral.TokenReader
 	// GlobalJobserviceClient is a global client for jobservice
 	GlobalJobserviceClient jobservice_client.Client
+
+	defaultCACertPath = "/etc/ui/ca/ca.crt"
 )
 
 // Init configurations
@@ -94,8 +98,12 @@ func InitByURL(adminServerURL string) error {
 	initSecretStore()
 
 	// init project manager based on deploy mode
-	initProjectManager()
+	if err := initProjectManager(); err != nil {
+		log.Errorf("Failed to initialise project manager, error: %v", err)
+		return err
+	}
 
+	//TODO: No longer needed after shifting to the new job service.
 	GlobalJobserviceClient = jobservice_client.NewDefaultClient(InternalJobServiceURL(),
 		&jobservice_client.Config{
 			Secret: UISecret(),
@@ -120,20 +128,28 @@ func initSecretStore() {
 	SecretStore = secret.NewStore(m)
 }
 
-func initProjectManager() {
+func initProjectManager() error {
 	var driver pmsdriver.PMSDriver
 	if WithAdmiral() {
-		// integration with admiral
+		log.Debugf("Initialising Admiral client with certificate: %s", defaultCACertPath)
-		log.Info("initializing the project manager based on PMS...")
+		content, err := ioutil.ReadFile(defaultCACertPath)
-		// TODO read ca/cert file and pass it to the TLS config
+		if err != nil {
+			return err
+		}
+		pool := x509.NewCertPool()
+		if ok := pool.AppendCertsFromPEM(content); !ok {
+			return fmt.Errorf("failed to append cert content into cert pool")
+		}
 		AdmiralClient = &http.Client{
 			Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{
-					InsecureSkipVerify: true,
+					RootCAs: pool,
 				},
 			},
 		}
 
+		// integration with admiral
+		log.Info("initializing the project manager based on PMS...")
 		path := os.Getenv("SERVICE_TOKEN_FILE_PATH")
 		if len(path) == 0 {
 			path = defaultTokenFilePath
@@ -149,6 +165,7 @@ func initProjectManager() {
 		driver = local.NewDriver()
 	}
 	GlobalProjectMgr = promgr.NewDefaultProjectManager(driver, true)
+	return nil
 
 }
 

src/ui/config/config_test.go

@@ -15,6 +15,8 @@ package config
 
 import (
 	"os"
+	"path"
+	"runtime"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -24,7 +26,12 @@ import (
 
 // test functions under package ui/config
 func TestConfig(t *testing.T) {
-	server, err := test.NewAdminserver(nil)
+
+	defaultCACertPath = path.Join(currPath(), "test", "ca.crt")
+	c := map[string]interface{}{
+		common.AdmiralEndpoint: "http://www.vmware.com",
+	}
+	server, err := test.NewAdminserver(c)
 	if err != nil {
 		t.Fatalf("failed to create a mock admin server: %v", err)
 	}
@@ -190,3 +197,11 @@ func TestConfig(t *testing.T) {
 	assert.Equal("http://myui:8888/service/token", InternalTokenServiceEndpoint())
 
 }
+
+func currPath() string {
+	_, f, _, ok := runtime.Caller(0)
+	if !ok {
+		panic("Failed to get current directory")
+	}
+	return path.Dir(f)
+}

src/ui/config/test/ca.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCAdWgAwIBAgIJAKmFRnILlp3XMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV
+BAMMAmNhMB4XDTE3MDkyNDA3MDA1M1oXDTI3MDkyMjA3MDA1M1owDTELMAkGA1UE
+AwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCr4+HxXkY81j1p
+5OD3htFkbJI+XulBgc7ja5YorU323VB7JfNBnau3rDZS8NdyvkLLEQT4rKw5Dd4p
+phlmdKsmIq9ej1OlDjWnCOGr+HG2jG5POgPYRCf5WgCGoQ4eUIA+IXcVroG8f1YM
+LDzZEBKlEP80W0zyh0ma/BYN8HG4Ica4q/iIjffJc7ob/tWFGt2HobI9wbTSyBgR
+s7JSs6MBIISXGAuOE3cs7vJNzKtWhQSBw4j8FFUZSYCyONFYfOg2OtZG6z1XhpTC
+rfVMm6cEsYla/mf9bJB2AqtRiUdUZwAOWQbalWPFKEO73Bj4/5sVNHKFCd/S6J1z
+LHaWM0W7AgMBAAGjUDBOMB0GA1UdDgQWBBR0jFgTuL9K2iWE0wzU7r4RZT0k+zAf
+BgNVHSMEGDAWgBR0jFgTuL9K2iWE0wzU7r4RZT0k+zAMBgNVHRMEBTADAQH/MA0G
+CSqGSIb3DQEBCwUAA4IBAQCemrfEKHPe5ahb2III89+iuIDmbPgVESXqnf88UUdS
+Iv+htE8hu9CkSemsErXcC0kUbPSM0vWN9IbHINq78cXucVyi+YTzaKJ8zsK01/zf
+x0xYeK5bffYTQzs+BopTCwVqd9zHSs9a2zPnsBVHXCn25j30anQgQH9ODsspXZ3i
+WUAkEOmZDnNuX7tGDesA+7h8BPcZ8zrz94kxsrdneMXuHdT1iHxS/hTxTEUUhOMF
+FntwT6zx3fGL4cNG06d+pdjjp+CuUR+8GRxeASbYBWhXeiY1ykipiptxkp1zhZ3x
+SNandCCdeMRntnNs/+xvRhsEGbhyrvzg2WFL2NrqiKtg
+-----END CERTIFICATE-----