Use separate key, cert for Rate Limiter

Signed-off-by: Renuka Fernando <[email protected]>

adapter/config/default_config.go

@@ -133,7 +133,7 @@ var defaultConfig = &Config{
 			RequestTimeoutInMillis: 80,
 			KeyFilePath:            "/home/wso2/security/keystore/mg.key",
 			CertFilePath:           "/home/wso2/security/keystore/mg.pem",
-			CaCertFilePath:         "/home/wso2/security/truststore/mg.pem",
+			CaCertFilePath:         "/home/wso2/security/truststore/rate-limiter.pem",
 			SSLCertSANHostname:     "",
 		},
 	},

dev-scripts/create-certs.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+# --------------------------------------------------------------------
+# Copyright (c) 2023, WSO2 LLC. (http://wso2.com) All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# -----------------------------------------------------------------------
+
+CN="localhost"
+SAN="DNS:localhost, DNS:rate-limiter, DNS:choreo-connect"
+
+openssl req -x509 -nodes -newkey rsa:4096 -keyout mg.key -out mg.pem -sha256 -subj "/CN=${CN}" -reqexts SAN -extensions SAN \
+  -days 3650 \
+  -subj "/CN=${CN}/C=US/ST=CA/L=Mountain View/O=WSO2/OU=WSO2" \
+  -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=${SAN}"))

distribution/src/main/assembly/assembly.xml

@@ -99,6 +99,11 @@
             <outputDirectory>choreo-connect-${project.version}/docker-compose/resources/adapter/security/truststore
             </outputDirectory>
         </file>
+        <file>
+            <source>../resources/security/rate-limiter.pem</source>
+            <outputDirectory>choreo-connect-${project.version}/docker-compose/resources/adapter/security/truststore
+            </outputDirectory>
+        </file>
         <file>
             <source>../resources/security/mg.key</source>
             <outputDirectory>choreo-connect-${project.version}/docker-compose/resources/enforcer/security/keystore
@@ -130,12 +135,17 @@
             </outputDirectory>
         </file>
         <file>
-            <source>../resources/security/mg.key</source>
+            <source>../resources/security/rate-limiter.pem</source>
+            <outputDirectory>choreo-connect-${project.version}/docker-compose/resources/router/security/truststore
+            </outputDirectory>
+        </file>
+        <file>
+            <source>../resources/security/rate-limiter.key</source>
             <outputDirectory>choreo-connect-${project.version}/docker-compose/resources/rate-limiter/security/keystore
             </outputDirectory>
         </file>
         <file>
-            <source>../resources/security/mg.pem</source>
+            <source>../resources/security/rate-limiter.pem</source>
             <outputDirectory>choreo-connect-${project.version}/docker-compose/resources/rate-limiter/security/keystore
             </outputDirectory>
         </file>

rate-limiter/src/main/resources/Dockerfile

@@ -36,13 +36,13 @@ ENV LOG_LEVEL=INFO
 ENV LOCAL_CACHE_SIZE_IN_BYTES=1024000
 
 ENV GRPC_SERVER_USE_TLS=true
-ENV GRPC_SERVER_TLS_KEY=/home/wso2/security/keystore/mg.key
-ENV GRPC_SERVER_TLS_CERT=/home/wso2/security/keystore/mg.pem
+ENV GRPC_SERVER_TLS_KEY=/home/wso2/security/keystore/rate-limiter.key
+ENV GRPC_SERVER_TLS_CERT=/home/wso2/security/keystore/rate-limiter.pem
 ENV GRPC_CLIENT_TLS_CACERT=/home/wso2/security/truststore/mg.pem
 
 ENV CONFIG_GRPC_XDS_SERVER_USE_TLS=true
-ENV CONFIG_GRPC_XDS_CLIENT_TLS_KEY=/home/wso2/security/keystore/mg.key
-ENV CONFIG_GRPC_XDS_CLIENT_TLS_CERT=/home/wso2/security/keystore/mg.pem
+ENV CONFIG_GRPC_XDS_CLIENT_TLS_KEY=/home/wso2/security/keystore/rate-limiter.key
+ENV CONFIG_GRPC_XDS_CLIENT_TLS_CERT=/home/wso2/security/keystore/rate-limiter.pem
 ENV CONFIG_GRPC_XDS_SERVER_TLS_CACERT=/home/wso2/security/truststore/mg.pem
 
 ARG MOTD="\n\

resources/conf/config.toml.template

@@ -188,7 +188,7 @@ sandboxVhost = "sandbox.host"
   # Cert file path used for the rate-limit service mTLS
   certFilePath = "/home/wso2/security/keystore/mg.pem"
   # Truststore file path used for the rate-limit service mTLS
-  caCertFilePath = "/home/wso2/security/truststore/mg.pem"
+  caCertFilePath = "/home/wso2/security/truststore/rate-limiter.pem"
   # SAN hostname represented in the public cert
   sSLCertSANHostname = ""
 

resources/docker-compose/apim/docker-compose.yaml

@@ -125,16 +125,16 @@ services:
       - GRPC_HOST=0.0.0.0
       - GRPC_PORT=8091
       - GRPC_SERVER_USE_TLS=true
-      - GRPC_SERVER_TLS_KEY=/home/wso2/security/keystore/mg.key
-      - GRPC_SERVER_TLS_CERT=/home/wso2/security/keystore/mg.pem
+      - GRPC_SERVER_TLS_KEY=/home/wso2/security/keystore/rate-limiter.key
+      - GRPC_SERVER_TLS_CERT=/home/wso2/security/keystore/rate-limiter.pem
       - GRPC_CLIENT_TLS_CACERT=/home/wso2/security/truststore/mg.pem
       - GRPC_CLIENT_TLS_SAN=localhost
       # xDS config server
       - RATE_LIMITER_LABEL=Default
       - CONFIG_GRPC_XDS_SERVER_URL=adapter:18001
       - CONFIG_GRPC_XDS_SERVER_USE_TLS=true
-      - CONFIG_GRPC_XDS_CLIENT_TLS_KEY=/home/wso2/security/keystore/mg.key
-      - CONFIG_GRPC_XDS_CLIENT_TLS_CERT=/home/wso2/security/keystore/mg.pem
+      - CONFIG_GRPC_XDS_CLIENT_TLS_KEY=/home/wso2/security/keystore/rate-limiter.key
+      - CONFIG_GRPC_XDS_CLIENT_TLS_CERT=/home/wso2/security/keystore/rate-limiter.pem
       - CONFIG_GRPC_XDS_SERVER_TLS_CACERT=/home/wso2/security/truststore/mg.pem
       - CONFIG_GRPC_XDS_SERVER_TLS_SAN=localhost
     ports:

resources/docker-compose/docker-compose.yaml

@@ -111,16 +111,16 @@ services:
       - GRPC_HOST=0.0.0.0
       - GRPC_PORT=8091
       - GRPC_SERVER_USE_TLS=true
-      - GRPC_SERVER_TLS_KEY=/home/wso2/security/keystore/mg.key
-      - GRPC_SERVER_TLS_CERT=/home/wso2/security/keystore/mg.pem
+      - GRPC_SERVER_TLS_KEY=/home/wso2/security/keystore/rate-limiter.key
+      - GRPC_SERVER_TLS_CERT=/home/wso2/security/keystore/rate-limiter.pem
       - GRPC_CLIENT_TLS_CACERT=/home/wso2/security/truststore/mg.pem
       - GRPC_CLIENT_TLS_SAN=localhost
       # xDS config server
       - RATE_LIMITER_LABEL=Default
       - CONFIG_GRPC_XDS_SERVER_URL=adapter:18001
       - CONFIG_GRPC_XDS_SERVER_USE_TLS=true
-      - CONFIG_GRPC_XDS_CLIENT_TLS_KEY=/home/wso2/security/keystore/mg.key
-      - CONFIG_GRPC_XDS_CLIENT_TLS_CERT=/home/wso2/security/keystore/mg.pem
+      - CONFIG_GRPC_XDS_CLIENT_TLS_KEY=/home/wso2/security/keystore/rate-limiter.key
+      - CONFIG_GRPC_XDS_CLIENT_TLS_CERT=/home/wso2/security/keystore/rate-limiter.pem
       - CONFIG_GRPC_XDS_SERVER_TLS_CACERT=/home/wso2/security/truststore/mg.pem
       - CONFIG_GRPC_XDS_SERVER_TLS_SAN=localhost
     ports:

resources/security/rate-limiter.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDeVN7vOjN4AVjj
+EP0mmUFnViBqLXllIRVhXf+h9iphVvZ4JCHdPtIrfFB23eYdkkvqk02Hy/RINHoV
+ykm2B0dH3Pvvg48Ceq6HBSX3xwyKTY3jN6KIyK3hXmRBot+yy8OMjnQHpEQ3KNxh
+OD6fRKRgpXv9g5YiHdBEhBSU4C9iJ40sWr9VK1wH4n+Ql6GZ4NBzN6uEdkfVAMW8
+8ngkZexF3YPECQ4uPikwCt587Zr7Gp9m0KcbtNy/KEkbYlbaivBybL0b0F9noaYk
+eD+1SBB0DsnaDNSjYub2E/7k1upFjAZYNFnjdqHaoCCU6sVOYVSpzRj+Jl8riuFC
+i+z43aTaAAvlZfHTAYHeKiSnaoq6wsofP1BGvgJO/TrG4QADjho/VaW9U5MD7gZq
+ZxaA76E1efgnEHx6iTF6f5j3ir7MIgwpZvk5yvNVCSJC1U0sZAdCk/vGbpMLj23G
+DbPOT1Ty5jJnnw52eEpglpfy12XXrxo71AEgMm9c7EcIDBwxEhq91NKJt5IF8m+r
+8DpsvJ5GMKf6xTua+wcdQPoG3aKY4FKD8pPhGDKWihVaa21SAjSjubIDbwC4W/ph
+gSHBzBPMZZIKVbAOIj5XGPehrTb8kuM3CdQ1yNJvCyiht0m0sRA+Lkfi4w/RuIr8
+Cl1nmNuQHmHOsQT2TB2Djz8/9WEjgwIDAQABAoICAEC1LtUteUFaEwazMRqEzDZJ
+KNH+PjCiulhGRVpcDOWbq8w3p+t+lyi0265c0taUd6fkC1KUl5pUO5wP7fgeki5m
+MKT7AypTjmwZoX1F3255N+yDiriIv6KyGDfKMZUWHOnRpA99TaVILSvWdNNh5P2D
+7FxSaeWwC6eFUYAq51+H51ybZMhjADwDPeFVYGEqv0BpWXAKBMoHmYVuhG0DhQqo
+d+scP5ZR3SbwYuS1OsAOdYo0/A3iS8UO8ogXzPN6MJT89OUddkbxEyvWG6SlPrSo
+gTMHPPP4mwPPugXcTv7CzC3rvqWnJ2A77n+o/JfdWAi7eqStglFn8DuwAd5Ek++b
+5eWH4KnZT37MGdTCffU4nxKguEvhpV7/MJKovAR2o1p2hYUzYZKgDk3dhy4+HLZo
+qdKRGHgEfh/uHhUM/M+JaCSuyySenoi3Etx5278jTZ4+OpkcsFFdZBfIRI2NZtcr
+6FoDlXYMR3fPZ80q/tWkNilXzs2AMbXr5KaY2yPK/PVHg+VVzOVK5Z0x0x+gVsPv
+mPJbPXSg7UWZR7uSj/j7tGskiWJrwoz+6M8YtauNBvW309FlPA2dGlHQp4t9hnA+
+7wCDm/bn84KnOI9tl7Y+PKu+totfJktWccO6RC2Up3Pk7E3ya/e72QQYj7CcIrHJ
+kz69BjToPSP9ZKOFkEqRAoIBAQDxpeBRjB90foxG0S3h4dIktUOM4QaLbkfHObBR
+g/XUk0LXgY0RS5MuVuH/SqokaQo3uuCNjPS4djYZrOR2gvx2v4uFD9A4w2Z+nDI4
+2bnvnNEc5oJT9SMDWVodciLUyAulunQ2zLkpvsfNcf3MUkd1CgphYsgJ3y4/fahL
+6H7NWIckBJ7WrMR8gWEDJkL36Cf31/NcT+vLVNsmDn2zgnMryG1eHuIc1GPCntqS
+MVjAxqvkhfEboe7mDapLuAzSkkVPmdQCWKgmRKja+cM8ijRlnj+YVhgBwNkvZ3n6
+CwFLwMYOCjctdTe4FRlPLsWaoWLBBo+xJGcs2E/21/gWYCQdAoIBAQDriUyJzh+l
+sLkapAS8grA2hJaNfIenaIHgCE+VfQD+DznGzht4b//10K9Njoh52JMfO7O4+7HF
+YAXTAuAQNYXgE5nzamZoIsmqEddtH8O/YK2z2AvguXmp1DKmrQRGfzSu7uR06CSg
+2hWDOlmc1TnOQ98fByzEXpoh0Er7Jv2x+NXO/JzS2offRtiObTwptzcFExwaaGy3
+5exxOoy0Ly90GQqs+/nJL4kPKaX4yohKqBmCh4I4IdelHYDrXLaLQ3F8W7L5tPBO
+dS0lLDDfVSRvsXBMSNvo0InnSDnblB3eu8XN1K1Bq8CGEvGbl03X2fJcS7Mr8L8H
+1f0Y5D+njJQfAoIBAGZmoJRuCLZZGiC4a/UYuPCNT77XbOqRJSGrtKgWf4pBjUW9
+xIXbvNcaQlLo1Qjw6j+LlbTmUp4ImgxvU7FU+J9ptDoC5X3ob/qfPjkRKtX7YjIZ
+DIl/jALTTnjD8TayPx1P0geW4bBrBEhvUdnP1DAovRVfwt1MElEdcsAYGgPyy/Hb
+c2QNeoY4XV/0StS7MJS6koo/4/AaWXPbGDGFykB3gsEr3S3SYyQKJR1mg/HNPvJs
+QCwxhwc+KzhDGkvxaCW/TjRgVYFB/zwsMyvodSPK17A6a5nymxaXhv0KxNXRLxyr
+/43n6mC7sCn57AsG8M5TdXjfsEk0sU4tXxg8TZECggEBAOdgzStirXwbCvu8vFpj
+F6+2uB7tgmVWKJ9oCqYTUnJBisRdnGbHv24/Pra1miP4OS6pe3fw6UW3eoE7hdjm
+e0kQeF/C2i7aXbkQJcwxNB5AXuMZDTIJghbvOYK63ERUmfBvBUZC9hh9pDxxia6j
+WFHkIr9cUQHm3Qryj3YBa571jzPyvCv2ORuBgSMI890W+pmlmCnpA0P0Pj1NAwPO
+hpNKNk6QiWS1qbKXe0/XxeNxFv4/GBEETc8KGKcdQMW1zzoW6s6ajKbGPT8TFj+O
+aGjAqkyGFmGy2oW1UgD+lAlF9J6qmji0/D+5RFdQX0v38jnws2Yq7b5I3IUjU9TI
+KIkCggEBAKy25ukeUlSYWPDyx1bYJGm6vCeq5NcLLuQB/r03AV4zkJ+3hoxl2nOk
+9PbmOBX7D7pX/zkFpBphyc7HYmYTdH3mZ6/BHCgVZEa9Ly0hu6LY+tis4tyVelWF
+kjj0fmwgxCs805v5IVoRUyT3tyZ4ZdLlceq1vB1wpCzL58V0yx04pW7WVwkvrGZY
+aZgX+IDAzo+ut/8p88SmRuJ7uulU7ycrM0N3m+VzD9PnK7xOAu2DRU2zxNytZL6a
+M0u79h1pxbi0aHhxW1cw4QhqSLvI3D+JPY9nJOV6kFUkmepMw8OQdVGIW8A66q7k
+Z2CPrpDQB1cOZ9lrFYGSaSMm3QBPy3U=
+-----END PRIVATE KEY-----

resources/security/rate-limiter.pem

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFgTCCA2mgAwIBAgIJAK+CX3qAh1xsMA0GCSqGSIb3DQEBCwUAMGQxEjAQBgNV
+BAMMCWxvY2FsaG9zdDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQH
+DA1Nb3VudGFpbiBWaWV3MQ0wCwYDVQQKDARXU08yMQ0wCwYDVQQLDARXU08yMB4X
+DTIzMDEwOTA2NDIyOVoXDTMzMDEwNjA2NDIyOVowZDESMBAGA1UEAwwJbG9jYWxo
+b3N0MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWlu
+IFZpZXcxDTALBgNVBAoMBFdTTzIxDTALBgNVBAsMBFdTTzIwggIiMA0GCSqGSIb3
+DQEBAQUAA4ICDwAwggIKAoICAQDeVN7vOjN4AVjjEP0mmUFnViBqLXllIRVhXf+h
+9iphVvZ4JCHdPtIrfFB23eYdkkvqk02Hy/RINHoVykm2B0dH3Pvvg48Ceq6HBSX3
+xwyKTY3jN6KIyK3hXmRBot+yy8OMjnQHpEQ3KNxhOD6fRKRgpXv9g5YiHdBEhBSU
+4C9iJ40sWr9VK1wH4n+Ql6GZ4NBzN6uEdkfVAMW88ngkZexF3YPECQ4uPikwCt58
+7Zr7Gp9m0KcbtNy/KEkbYlbaivBybL0b0F9noaYkeD+1SBB0DsnaDNSjYub2E/7k
+1upFjAZYNFnjdqHaoCCU6sVOYVSpzRj+Jl8riuFCi+z43aTaAAvlZfHTAYHeKiSn
+aoq6wsofP1BGvgJO/TrG4QADjho/VaW9U5MD7gZqZxaA76E1efgnEHx6iTF6f5j3
+ir7MIgwpZvk5yvNVCSJC1U0sZAdCk/vGbpMLj23GDbPOT1Ty5jJnnw52eEpglpfy
+12XXrxo71AEgMm9c7EcIDBwxEhq91NKJt5IF8m+r8DpsvJ5GMKf6xTua+wcdQPoG
+3aKY4FKD8pPhGDKWihVaa21SAjSjubIDbwC4W/phgSHBzBPMZZIKVbAOIj5XGPeh
+rTb8kuM3CdQ1yNJvCyiht0m0sRA+Lkfi4w/RuIr8Cl1nmNuQHmHOsQT2TB2Djz8/
+9WEjgwIDAQABozYwNDAyBgNVHREEKzApgglsb2NhbGhvc3SCDHJhdGUtbGltaXRl
+coIOY2hvcmVvLWNvbm5lY3QwDQYJKoZIhvcNAQELBQADggIBAEQp87ju5cAaWrOv
+r8pyvipX6coIvGZHpvpM99aqsvXhBkEoNPd+O7nLOgbuJ8LciIeieigvo/SOFbla
+TRZA6Di06BHkRWhbLoyZjGwXdVusva+2CHqFv+LVtOHOObqI5mveHKgZdl1AdOli
+xCk1GzkznDRcpUT5pHSnSiTkXiXq0zPVDTot1TGUMXtlUY3Lp9IxLluxWj/2dYl4
+BXj7mWawNicYWJO7LSdmTVW39oVnUPJkL+car9OGdhshFSEmFPEf5ufEP5xU8/7n
+eYgTbSkteVbjYvSXCqDK1GfuWiyD620NMWSpmY3U8vEJ04FFs16+oaiW6OOpTf39
+poYt+WwTNzHCIjrmF7dnkmvspEwxvdDjMOjfyvZ5AXVUqYqkb0d2jcp3YVi9Ky0/
+sgRw9LG2WNURlaZETTA7FzebsVu6l7Vgf5XhN51U7xlUloXCi2M06z/02kKTZyE+
+6vt9NDR62ZUcYIJCt7fVyN4h/Z2iEOYBBkX2q4qL79lcHiKs8grQvj1Ecdq6wH0J
+hdBHDVZERi/OoFpzvEI+p3zBWHrAes9g/+ye5UaKbuXpclP3VkvhSbwYSFVwVrqq
+pbbZbQOSikkb5RN0pG3c2gA4695IJfvg/85KmLEARjS0zcrwPIJPdnAKx4r6fF6K
+Srkv1gCtNNTN+ZLMh3nSS7Xd7C/O
+-----END CERTIFICATE-----