Generate self signed certificates instead of importing them

DataDog · Dec 11, 2024 · 6df5c1b · 6df5c1b
1 parent 6e03aed
commit 6df5c1b
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 52 deletions.
diff --git a/contrib/envoyproxy/go-control-plane/cmd/serviceextensions/Dockerfile b/contrib/envoyproxy/go-control-plane/cmd/serviceextensions/Dockerfile
@@ -1,18 +1,33 @@
 # Build stage
 FROM golang:1.23-alpine AS builder
 ENV CGO_ENABLED=1
+
 WORKDIR /app
 COPY . .
-RUN apk add --no-cache --update git build-base
+
+RUN apk add --no-cache --update git build-base openssl
+
+# Generate SSL self-signed localhost certificate
+RUN openssl genrsa -out localhost.key 3072
+RUN openssl req -new \
+  -key localhost.key \
+  -subj "/C=US/ST=New York/O=Datadog/OU=gRPC/CN=localhost" \
+  -out request.csr 
+RUN openssl x509 -req -days 3660 \
+  -in request.csr \
+  -signkey localhost.key \
+  -out localhost.crt
+
+# Build the serviceextensions binary
 RUN go build -tags=appsec -o ./contrib/envoyproxy/go-control-plane/cmd/serviceextensions/serviceextensions ./contrib/envoyproxy/go-control-plane/cmd/serviceextensions
 
 # Runtime stage
 FROM alpine:3.20.3
 RUN apk --no-cache add ca-certificates tzdata libc6-compat libgcc libstdc++
 WORKDIR /app
 COPY --from=builder /app/contrib/envoyproxy/go-control-plane/cmd/serviceextensions/serviceextensions /app/serviceextensions
-COPY ./contrib/envoyproxy/go-control-plane/cmd/serviceextensions/localhost.crt /app/localhost.crt
-COPY ./contrib/envoyproxy/go-control-plane/cmd/serviceextensions/localhost.key /app/localhost.key
+COPY --from=builder /app/localhost.crt /app/localhost.crt
+COPY --from=builder /app/localhost.key /app/localhost.key
 
 EXPOSE 80
 EXPOSE 443

diff --git a/contrib/envoyproxy/go-control-plane/cmd/serviceextensions/localhost.crt b/contrib/envoyproxy/go-control-plane/cmd/serviceextensions/localhost.crt
diff --git a/contrib/envoyproxy/go-control-plane/cmd/serviceextensions/localhost.key b/contrib/envoyproxy/go-control-plane/cmd/serviceextensions/localhost.key
diff --git a/contrib/envoyproxy/go-control-plane/cmd/serviceextensions/main.go b/contrib/envoyproxy/go-control-plane/cmd/serviceextensions/main.go
@@ -51,7 +51,7 @@ func loadConfig() serviceExtensionConfig {
 
 	extensionHost := internal.IpEnv("DD_SERVICE_EXTENSION_HOST", "0.0.0.0")
 	extensionPortStr := strconv.FormatInt(int64(extensionPortInt), 10)
-	healthcheckPortStr := strconv.FormatInt(int64(extensionPortInt), 10)
+	healthcheckPortStr := strconv.FormatInt(int64(healthcheckPortInt), 10)
 
 	// check if the ports are free
 	l, err := net.Listen("tcp", extensionHost+":"+extensionPortStr)
@@ -129,20 +129,25 @@ func StartGPRCSsl(service extproc.ExternalProcessorServer, config serviceExtensi
 	cert, err := tls.LoadX509KeyPair("localhost.crt", "localhost.key")
 	if err != nil {
 		log.Error("service_extension: failed to load key pair: %v\n", err)
+		os.Exit(1)
+		return
 	}
 
 	lis, err := net.Listen("tcp", config.extensionHost+":"+config.extensionPort)
 	if err != nil {
 		log.Error("service_extension: gRPC server failed to listen: %v\n", err)
+		os.Exit(1)
+		return
 	}
 
 	si := go_control_plane.StreamServerInterceptor()
-	creds := credentials.NewServerTLSFromCert(&cert)
-	grpcServer := grpc.NewServer(grpc.StreamInterceptor(si), grpc.Creds(creds))
+	grpcCredentials := credentials.NewServerTLSFromCert(&cert)
+	grpcServer := grpc.NewServer(grpc.StreamInterceptor(si), grpc.Creds(grpcCredentials))
 
 	extproc.RegisterExternalProcessorServer(grpcServer, service)
 	reflection.Register(grpcServer)
 	if err := grpcServer.Serve(lis); err != nil {
 		log.Error("service_extension: error starting gRPC server: %v\n", err)
+		os.Exit(1)
 	}
 }