This PR adds support for TLS in nginx using a self-signed certificate that's unique to each robot, along with additional changes needed for other components to work when TLS is enabled.
Moves the nginx config to /etc/blueos/nginx/ instead of the current tools path in the container so we have persistence.
Updates the bootstrap container's version-chooser reachability check to accept the self-signed cert so it doesn't kill the core container.
Adds a checkbox to the vehicle configuration wizard to enable the TLS feature.
Generates a certificate (when needed) that includes the alternate hostname(s) and IPs for the robot. This feature shells out to openssl to do the crypto operations, but attempts to mitigate any command injection risk by escaping parameters (like hostname) with the shlex.quote function. The cert and key files are stored alongside the nginx config.
There are two "template" nginx configs, one with TLS and one without, that are shipped with the core. The code moves the correct one into place depending on whether or not TLS should be enabled.
How to test this
Manually choose the TLS-aware bootstrap and core images from CI (or from the correct tag on DockerHub)
This PR adds support for TLS in nginx using a self-signed certificate that's unique to each robot, along with additional changes needed for other components to work when TLS is enabled.
/etc/blueos/nginx/
instead of the current tools path in the container so we have persistence.openssl
to do the crypto operations, but attempts to mitigate any command injection risk by escaping parameters (like hostname) with theshlex.quote
function. The cert and key files are stored alongside the nginx config.core
. The code moves the correct one into place depending on whether or not TLS should be enabled.How to test this
Enable TLS
box on theCustomize
stephttps://<your robot hostname>