feat: auto ssl renewal (#424)

Author: tanmoysrt

ssl_manager/utils.go

@@ -24,7 +24,6 @@ func decodePrivateKey(key string) (*rsa.PrivateKey, error) {
 	return privateKey, nil
 }
 
-// Fetch SSL Issuer's Name
 func (s Manager) FetchIssuerName() string {
 	if s.options.IsStaging {
 		return "Let's Encrypt (Staging)"

swiftwave_service/cmd/auto-service-tls-renew.go

@@ -110,8 +110,9 @@ var initCmd = &cobra.Command{
 		newConfig := &local_config.Config{
 			IsDevelopmentMode: false,
 			ServiceConfig: local_config.ServiceConfig{
-				UseTLS:                false,
-				ManagementNodeAddress: domainName,
+				UseTLS:                      false,
+				ManagementNodeAddress:       domainName,
+				AutoRenewManagementNodeCert: false,
 			},
 			PostgresqlConfig: local_config.PostgresqlConfig{
 				Host:             defaultString(currentPostgresHost, "127.0.0.1"),

swiftwave_service/cmd/init.go

@@ -28,7 +28,6 @@ func init() {
 	tlsCmd.AddCommand(tlsDisableCmd)
 	tlsCmd.AddCommand(generateCertificateCommand)
 	tlsCmd.AddCommand(renewCertificateCommand)
-	tlsCmd.AddCommand(autoServiceTLSRenewCmd)
 }
 
 var tlsCmd = &cobra.Command{
@@ -59,6 +58,7 @@ var tlsEnableCmd = &cobra.Command{
 			return
 		}
 		config.LocalConfig.ServiceConfig.UseTLS = true
+		config.LocalConfig.ServiceConfig.AutoRenewManagementNodeCert = true
 		err := local_config.Update(config.LocalConfig)
 		if err != nil {
 			printError("Failed to update config")
@@ -83,6 +83,7 @@ var tlsDisableCmd = &cobra.Command{
 			return
 		}
 		lConfig.ServiceConfig.UseTLS = false
+		config.LocalConfig.ServiceConfig.AutoRenewManagementNodeCert = false
 		err := local_config.Update(lConfig)
 		if err != nil {
 			printError("Failed to update config")
@@ -194,6 +195,7 @@ var generateCertificateCommand = &cobra.Command{
 		printSuccess("Successfully generated TLS certificate for " + domain)
 		// Enable TLS for swiftwave service
 		config.LocalConfig.ServiceConfig.UseTLS = true
+		config.LocalConfig.ServiceConfig.AutoRenewManagementNodeCert = true
 		err = local_config.Update(config.LocalConfig)
 		if err != nil {
 			printError("Failed to update config")
@@ -220,13 +222,13 @@ var renewCertificateCommand = &cobra.Command{
 		if _, err := os.Stat(sslCertificatePath); os.IsNotExist(err) {
 			printError("No TLS certificate found")
 			printInfo("Use `swiftwave tls generate` to generate a new certificate")
-			return
+			os.Exit(1)
 		}
 		isRenewalRequired, err := isRenewalImminent(sslCertificatePath)
 		if err != nil {
 			printError("Failed to check if renewal is required")
 			printError(err.Error())
-			return
+			os.Exit(1)
 		}
 		if isRenewalRequired {
 			printSuccess("Renewal is required")

swiftwave_service/cmd/swiftwave-service-tls-renew.service

@@ -16,6 +16,7 @@ type Config struct {
 type ServiceConfig struct {
 	UseTLS                          bool   `yaml:"use_tls"`
 	ManagementNodeAddress           string `yaml:"management_node_address"`
+	AutoRenewManagementNodeCert     bool   `yaml:"auto_renew_management_node_cert"`
 	BindAddress                     string `yaml:"bind_address"`
 	BindPort                        int    `yaml:"bind_port"`
 	SocketPathDirectory             string `yaml:"-"`

swiftwave_service/cmd/swiftwave-service-tls-renew.timer

@@ -2,8 +2,11 @@ package core
 
 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"gorm.io/gorm"
+	"time"
 )
 
 // This file contains the operations for the Domain model.
@@ -12,28 +15,42 @@ import (
 // Each function's argument format should be (ctx context.Context, db gorm.DB, ...)
 // context used to pass some data to the function e.g. user id, auth info, etc.
 
-func FindAllDomains(ctx context.Context, db gorm.DB) ([]*Domain, error) {
+func FindAllDomains(_ context.Context, db gorm.DB) ([]*Domain, error) {
 	var domains []*Domain
 	tx := db.Find(&domains)
 	return domains, tx.Error
 }
 
-func (domain *Domain) FindById(ctx context.Context, db gorm.DB, id uint) error {
+func FetchDomainsThoseWillExpire(_ context.Context, db gorm.DB, daysToExpire int) ([]*Domain, error) {
+	var domains []*Domain
+	tx := db.Where("ssl_expired_at < ?", time.Now().AddDate(0, 0, daysToExpire)).Find(&domains)
+	return domains, tx.Error
+}
+
+func (domain *Domain) FindById(_ context.Context, db gorm.DB, id uint) error {
 	tx := db.Where("id = ?", id).First(&domain)
 	return tx.Error
 }
 
-func (domain *Domain) Create(ctx context.Context, db gorm.DB) error {
+func (domain *Domain) Create(_ context.Context, db gorm.DB) error {
+	err := domain.fillSSLInfo()
+	if err != nil {
+		return err
+	}
 	tx := db.Create(&domain)
 	return tx.Error
 }
 
-func (domain *Domain) Update(ctx context.Context, db gorm.DB) error {
+func (domain *Domain) Update(_ context.Context, db gorm.DB) error {
+	err := domain.fillSSLInfo()
+	if err != nil {
+		return err
+	}
 	tx := db.Save(&domain)
 	return tx.Error
 }
 
-func (domain *Domain) Delete(ctx context.Context, db gorm.DB) error {
+func (domain *Domain) Delete(_ context.Context, db gorm.DB) error {
 	// Make sure there is no ingress rule or redirect rule associated with this domain
 	isIngressRuleExist := db.Where("domain_id = ?", domain.ID).First(&IngressRule{}).RowsAffected > 0
 	if isIngressRuleExist {
@@ -47,8 +64,31 @@ func (domain *Domain) Delete(ctx context.Context, db gorm.DB) error {
 	return tx.Error
 }
 
-func (domain *Domain) UpdateSSLStatus(ctx context.Context, db gorm.DB, status DomainSSLStatus) error {
+func (domain *Domain) UpdateSSLStatus(_ context.Context, db gorm.DB, status DomainSSLStatus) error {
 	domain.SSLStatus = status
 	tx := db.Where("id = ?", domain.ID).Update("ssl_status", status)
 	return tx.Error
 }
+
+func (domain *Domain) fillSSLInfo() error {
+	if domain == nil || domain.SSLFullChain == "" {
+		return nil
+	}
+	certBytes := []byte(domain.SSLFullChain)
+	block, _ := pem.Decode(certBytes)
+	if block == nil {
+		return errors.New("failed to decode SSL full chain certificate")
+	}
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return errors.New("failed to parse SSL full chain certificate")
+	}
+	domain.SSLIssuedAt = cert.NotBefore
+	domain.SSLExpiredAt = cert.NotAfter
+	var sslIssuer = "Unknown Issuer"
+	if len(cert.Issuer.Organization) > 0 {
+		sslIssuer = cert.Issuer.Organization[0]
+	}
+	domain.SSLIssuer = sslIssuer
+	return nil
+}

swiftwave_service/cmd/tls.go

@@ -79,6 +79,7 @@ type Domain struct {
 	SSLPrivateKey string          `json:"ssl_private_key"`
 	SSLFullChain  string          `json:"ssl_full_chain"`
 	SSLIssuedAt   time.Time       `json:"ssl_issued_at"`
+	SSLExpiredAt  time.Time       `json:"ssl_expired_at"`
 	SSLIssuer     string          `json:"ssl_issuer"`
 	SSLAutoRenew  bool            `json:"ssl_auto_renew" gorm:"default:false"`
 	IngressRules  []IngressRule   `json:"ingress_rules" gorm:"foreignKey:DomainID"`

swiftwave_service/config/local_config/types.go

@@ -9,6 +9,7 @@ import (
 )
 
 func (m Manager) CleanupUnusedImages() {
+	logger.CronJobLogger.Println("Starting cleanup of unused images [cronjob]")
 	for {
 		time.Sleep(1 * time.Hour)
 		// Fetch all servers