authorOla Aunronning <olaa@yahooinc.com>2023-06-05 14:06:43 +0200
committerOla Aunronning <olaa@yahooinc.com>2023-06-05 14:06:43 +0200
commit8b0eecf46f1e2a2120537d169b7c4406aa5acbf6 (patch)
treebe79c6ec77176cb320211b2558c0c1d12aaa0741 /logforwarder
parentc7051c409f9e5fe5d7e981aedb618fea5b6c73b2 (diff)
Write server.conf. Use athenz CA. Fix certificate path
Diffstat (limited to 'logforwarder')
-rw-r--r--logforwarder/src/apps/vespa-logforwarder-start/splunk-starter.cpp28
1 files changed, 26 insertions, 2 deletions
diff --git a/logforwarder/src/apps/vespa-logforwarder-start/splunk-starter.cpp b/logforwarder/src/apps/vespa-logforwarder-start/splunk-starter.cpp
index 23c2565b0af..ca872266708 100644
--- a/logforwarder/src/apps/vespa-logforwarder-start/splunk-starter.cpp
+++ b/logforwarder/src/apps/vespa-logforwarder-start/splunk-starter.cpp
@@ -36,6 +36,15 @@ cfFilePath(const vespalib::string &parent, const vespalib::string &filename) {
return path + "/" + filename;
}
+vespalib::string splunkCertPath(const vespalib::string &parent, const vespalib::string &filename) {
+ vespalib::string path = parent;
+ path = fixDir(path, "var");
+ path = fixDir(path, "lib");
+ path = fixDir(path, "sia");
+ path = fixDir(path, "certs");
+ return path + "/" + filename;
+ }
+
void appendFile(FILE *target, const vespalib::string &filename) {
FILE *fp = fopen(filename.c_str(), "r");
if (fp != NULL) {
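Review bot: `splunkCertPath` has no comment saying that it resolves to `<parent>/var/lib/sia/certs/<filename>`, or that the file `gotConfig` stores there concatenates the client certificate with its private key. A one-line comment above it, such as `// Returns <parent>/var/lib/sia/certs/<filename>; the file kept here includes the private key.`, would tell the next maintainer that this directory needs restrictive permissions. `fixDir` is defined outside this hunk, so whether it creates missing directories, and with which mode, cannot be confirmed from here and is worth checking. Judging by the visible tail of `cfFilePath`, the two functions differ only in their path components, so a shared helper taking the component list would keep them from drifting apart.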
@@ -95,12 +104,12 @@ void SplunkStarter::gotConfig(const LogforwarderConfig& config) {
vespalib::string clientCert = clientCertFile();
vespalib::string clientKey = clientKeyFile();
if (!clientCert.empty() && !clientKey.empty()) {
- vespalib::string certPath = cfFilePath(config.splunkHome, "clientcert.pem");
+ vespalib::string certPath = splunkCertPath(config.splunkHome, "servercert.pem");
tmpPath = certPath + ".new";
fp = fopen(tmpPath.c_str(), "w");
appendFile(fp, clientCert);
appendFile(fp, clientKey);
- appendFile(fp, "/etc/ssl/certs/ca-bundle.crt");
+ appendFile(fp, "/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem");
fclose(fp);
rename(tmpPath.c_str(), certPath.c_str());
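Review bot: The combined certificate-and-key file is created with `fopen(tmpPath.c_str(), "w")`, so its mode is whatever the process umask allows, and the returned `fp` goes to `appendFile` and `fclose` without a NULL check. Because the file contains `clientKey`, create it owner-only, e.g. `int fd = open(tmpPath.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0600);` then `fp = (fd >= 0) ? fdopen(fd, "w") : NULL;`, and skip the writes and the `rename` when `fp` is NULL, as the server.conf block added later in this commit does. Moving the target to a new directory makes an open failure more plausible if that directory is missing or not writable. `appendFile` appears to skip a file it cannot open (only its first lines are visible), so a missing Athenz bundle would yield a servercert.pem without CA certificates and no error. `gotConfig` starts and ends outside this hunk.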
@@ -113,6 +122,21 @@ void SplunkStarter::gotConfig(const LogforwarderConfig& config) {
fclose(fp);
rename(tmpPath.c_str(), path.c_str());
}
+ path = cfFilePath(config.splunkHome, "server.conf");
+ tmpPath = path + ".new";
+ fp = fopen(tmpPath.c_str(), "w");
+ if (fp != NULL) {
+ fprintf(fp, "[sslConfig]\n");
+ fprintf(fp, "enableSplunkdSSL = true\n");
+ fprintf(fp, "requireClientCert = true\n");
+ fprintf(fp, "sslRootCAPath = /opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem\n");
+ fprintf(fp, "serverCert = %s\n", certPath.c_str());
+ fprintf(fp, "\n");
+ fprintf(fp, "[httpServer]\n");
+ fprintf(fp, "disableDefaultPort = true\n");
+ fclose(fp);
+ rename(tmpPath.c_str(), path.c_str());
+ }
}
if (config.clientName.size() == 0 ||
config.deploymentServer.size() == 0)
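Review bot: `rename(tmpPath.c_str(), path.c_str())` installs the new server.conf without checking that the `fprintf` calls or `fclose(fp)` succeeded, so a short write (for example on a full disk) could put a truncated file in place that lacks `requireClientCert = true` or `disableDefaultPort = true`. Guard the rename, e.g. `if (fclose(fp) == 0) rename(tmpPath.c_str(), path.c_str());`, and log the failure otherwise. The `serverCert` line uses `certPath` from the preceding certificate block (the enclosing braces are not fully visible here), so server.conf can point at a file whose own write was never verified. The bundle path `/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem` is now spelled out both here and in the `appendFile` call; one named constant would keep `sslRootCAPath` and the appended CA data in step.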