Resolve "Allow SSL config per QuantumModule and per interKMS"

See merge request !194

Resolve "Allow SSL config per QuantumModule and per interKMS"
6b21e8ad · Neil-Jocelyn Schark · 8e143896 · 6b21e8ad · 6b21e8ad · 6b21e8ad
Commit 6b21e8ad authored 9 months ago by Neil-Jocelyn Schark
--- a/README.md
+++ b/README.md
@@ -31,22 +31,17 @@ AkmsURL: "http://172.100.20.22:4444/api/v1/keys/push_ksa_key" # address of the r
 AkmsCkmsServerPort: "9696" # Port of connected AKMS
 GRPCTimeoutInSeconds: 10 # Time in seconds for timeout of gRPC connections as a client. Defaults to 10 seconds. Should not be set to 0 or negative values.
 GnmiTLS: # Settings for TLS for gNMI endpoint. Can be overwritten with cli parameters.
-  TLS: true # Whether TLS is enabled
+  Active: true # Whether TLS is enabled
  CAFile: "ssl/ca.crt" # Path to ca
  CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
  KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
 KmsTLS: # Settings for TLS for inter KMS communication
-  TLS: true # Whether TLS is enabled
-  CAFile: "ssl/ca.crt" # Path to ca
-  CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
-  KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
-QuantumModuleTLS: # Settings for TLS for quantum module communication
-  TLS: true # Whether TLS is enabled
+  Active: true # Whether TLS is enabled
  CAFile: "ssl/ca.crt" # Path to ca
  CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
  KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
 AkmsCkmsTLS: # Settings for TLS for akms ckms interface
-  TLS: true # Whether TLS is enabled
+  Active: true # Whether TLS is enabled
  CAFile: "ssl/ca.crt" # Path to ca
  CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
  KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
@@ -57,6 +52,11 @@ Peers: # Peers to other goKMS
      Type: danet # type of communication method between KMS (currently only danet supported)
      QuantumModule: # Quantum module used for this peer
          Type: emulated # Type of the quantum module e.g. emulated or etsi
+          TLS: # Settings for TLS for quantum module communication
+            Active: true # Whether TLS is enabled
+            CAFile: "ssl/ca.crt" # Path to ca
+            CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
+            KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
          Address: 172.100.20.14 # Address of the quantum module
          Hostname: quantumlayer_1 # Optional addressing of the quantum module as hostname
    # peer to goKMS03

--- a/goKMS/config/config.go
+++ b/goKMS/config/config.go
@@ -14,10 +14,9 @@ type Config struct {
 	AkmsURL              string             `yaml:"AkmsURL"`
 	AkmsCkmsServerPort   string             `yaml:"AkmsCkmsServerPort"`
 	GnmiBindAddress      string             `yaml:"GnmiBindAddress"`
+	KmsTLS               TLSConfig          `yaml:"KmsTLS"`
 	Peers                []Peer             `yaml:"Peers"`
 	GnmiTLS              TLSConfig          `yaml:"GnmiTLS"`
-	KmsTLS               TLSConfig          `yaml:"KmsTLS"`
-	QuantumModuleTLS     TLSConfig          `yaml:"QuantumModuleTLS"`
 	AkmsCkmsTLS          TLSConfig          `yaml:"AkmsCkmsTLS"`
 	ETSI14Server         *ETSI14Server      `yaml:"ETSI14Server,omitempty"`
 	QkdnManagerServer    *QkdnManagerServer `yaml:"QkdnManagerServer,omitempty"`
@@ -32,22 +31,23 @@ type Peer struct {
 }

 type TLSConfig struct {
-	TLS      bool   `yaml:"TLS"`
+	Active   bool   `yaml:"Active"`
 	CAFile   string `yaml:"CAFile"`
 	CertFile string `yaml:"CertFile"`
 	KeyFile  string `yaml:"KeyFile"`
 }

 type QuantumModule struct {
-	QmType           string `yaml:"Type"`
-	Address          string `yaml:"Address"`
-	Hostname         string `yaml:"Hostname"`
-	LocalSAEID       string `yaml:"LocalSAEID"`
-	TargetSAEID      string `yaml:"TargetSAEID"`
-	MasterMode       bool   `yaml:"MasterMode"`
-	KeyFetchInterval int    `yaml:"KeyFetchInterval"`
-	KeyFetchAmount   int    `yaml:"KeyFetchAmount"`
-	MaxKeyFillLevel  int    `yaml:"MaxKeyFillLevel"`
+	QmType           string    `yaml:"Type"`
+	TLS              TLSConfig `yaml:"TLS"`
+	Address          string    `yaml:"Address"`
+	Hostname         string    `yaml:"Hostname"`
+	LocalSAEID       string    `yaml:"LocalSAEID"`
+	TargetSAEID      string    `yaml:"TargetSAEID"`
+	MasterMode       bool      `yaml:"MasterMode"`
+	KeyFetchInterval int       `yaml:"KeyFetchInterval"`
+	KeyFetchAmount   int       `yaml:"KeyFetchAmount"`
+	MaxKeyFillLevel  int       `yaml:"MaxKeyFillLevel"`
 }

 type ETSI14Server struct {

--- a/goKMS/kms/kms.go
+++ b/goKMS/kms/kms.go
@@ -195,7 +195,7 @@ func (kms *KMS) initializePeers(config *config.Config) error {
 			qm = peers.NewDanetQuantumModule(pqm.Address, config.Id)
 		case "etsi":
 			qm, err = peers.NewETSI014HTTPQuantumModule(pqm.Address, config.Id, pqm.LocalSAEID, pqm.TargetSAEID,
-				config.QuantumModuleTLS, pqm.MasterMode,
+				peer.QuantumModule.TLS, pqm.MasterMode,
 				peer.QuantumModule.KeyFetchInterval, int64(peer.QuantumModule.KeyFetchAmount), uint64(peer.QuantumModule.MaxKeyFillLevel))
 			if err != nil {
 				log.Fatalf("Failed to create ETSI QKD module: %s", err)

--- a/goKMS/kms/peers/etsi14Quantummodule.go
+++ b/goKMS/kms/peers/etsi14Quantummodule.go
@@ -50,7 +50,7 @@ func NewETSI014HTTPQuantumModule(addr, kmsId, localSAEID, targetSAEID string, tl
 		Scheme: parsedUrl.Scheme,
 	}

-	if tlsConfig.TLS {
+	if tlsConfig.Active {
 		tlsConf, err := kmstls.GenerateTlsLibraryConfig(tlsConfig)
 		if err != nil {
 			return nil, fmt.Errorf("unable to generate TLS config: %w", err)

--- a/goKMS/kms/tls/tls.go
+++ b/goKMS/kms/tls/tls.go
@@ -13,7 +13,7 @@ import (

 func GenerateGRPCServerTransportCredsBasedOnTLSFlag(tlsData config.TLSConfig) (credentials.TransportCredentials, error) {
 	var gRPCTransportCreds credentials.TransportCredentials
-	if tlsData.TLS {
+	if tlsData.Active {
 		creds, err := generateGRPCServerTransportCredsWithTLS(tlsData.CAFile, tlsData.CertFile, tlsData.KeyFile)
 		if err != nil {
 			return nil, err
@@ -55,7 +55,7 @@ func generateGRPCServerTransportCredsWithTLS(caFile, certFile, keyFile string) (

 func GenerateGRPCClientTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig) (credentials.TransportCredentials, error) {
 	var gRPCTransportCreds credentials.TransportCredentials
-	if tlsConfig.TLS {
+	if tlsConfig.Active {
 		creds, err := generateGRPCClientTransportCredsWithTLS(tlsConfig.CAFile, tlsConfig.CertFile, tlsConfig.KeyFile)
 		if err != nil {
 			return nil, err

--- a/goKMS/main.go
+++ b/goKMS/main.go
@@ -149,7 +149,7 @@ func main() {
 	}

 	// The gnmiTarget implementation uses a flag to pass NO tls, so we have to invert our flag for it to work.
-	gnmiInsecure := !kmsConfig.GnmiTLS.TLS
+	gnmiInsecure := !kmsConfig.GnmiTLS.Active
 	gnmitTarget := gnmitarget.NewGnmiTarget(schema, &gnmitargetygot.Gnmitarget{}, gnmitargetygot.ΓModelData, gnmitargetygot.Unmarshal, gnmitargetygot.ΛEnum, handlers...)
 	if err := gnmitTarget.Start(*gnmiBindAddress, kmsConfig.GnmiTLS.CertFile, kmsConfig.GnmiTLS.KeyFile, kmsConfig.GnmiTLS.CAFile, gnmiInsecure); err != nil {
 		log.Fatal(err)
@@ -160,23 +160,25 @@ func outputTlsSettings(config *config.Config) {
 	currentDirectory, _ := os.Getwd()
 	log.Debugf("current relative file path: %s", currentDirectory)

-	log.Infof("TLS enabled for gNMI: %t", config.GnmiTLS.TLS)
-	if config.GnmiTLS.TLS {
+	log.Infof("TLS enabled for gNMI: %t", config.GnmiTLS.Active)
+	if config.GnmiTLS.Active {
 		log.Infof("TLS filepaths for gNMI: ca: %s, cert: %s, key: %s", config.GnmiTLS.CAFile, config.GnmiTLS.CertFile, config.GnmiTLS.KeyFile)
 	}

-	log.Infof("TLS enabled for KMS: %t", config.KmsTLS.TLS)
-	if config.KmsTLS.TLS {
+	log.Infof("TLS enabled for KMS: %t", config.KmsTLS.Active)
+	if config.KmsTLS.Active {
 		log.Infof("TLS filepaths for KMS: ca: %s, cert: %s, key: %s", config.KmsTLS.CAFile, config.KmsTLS.CertFile, config.KmsTLS.KeyFile)
 	}

-	log.Infof("TLS enabled for Quantum Module: %t", config.QuantumModuleTLS.TLS)
-	if config.QuantumModuleTLS.TLS {
-		log.Infof("TLS filepaths for Quantum Module: ca: %s, cert: %s, key: %s", config.QuantumModuleTLS.CAFile, config.QuantumModuleTLS.CertFile, config.QuantumModuleTLS.KeyFile)
+	for _, peer := range config.Peers {
+		log.Infof("TLS enabled for Quantum Module for peer %s: %t", peer.PeerId, peer.QuantumModule.TLS.Active)
+		if peer.QuantumModule.TLS.Active {
+			log.Infof("TLS filepaths for Quantum Module for peer %s: ca: %s, cert: %s, key: %s", peer.PeerId, peer.QuantumModule.TLS.CAFile, peer.QuantumModule.TLS.CertFile, peer.QuantumModule.TLS.KeyFile)
+		}
 	}

-	log.Infof("TLS enabled for AKMS-CKMS interface: %t", config.AkmsCkmsTLS.TLS)
-	if config.AkmsCkmsTLS.TLS {
+	log.Infof("TLS enabled for AKMS-CKMS interface: %t", config.AkmsCkmsTLS.Active)
+	if config.AkmsCkmsTLS.Active {
 		log.Infof("TLS filepaths for AKMS-CKMS interface: ca: %s, cert: %s, key: %s", config.AkmsCkmsTLS.CAFile, config.AkmsCkmsTLS.CertFile, config.AkmsCkmsTLS.KeyFile)
 	}
 }
@@ -193,7 +195,7 @@ func isFlagPassed(name string) bool {

 func overwriteConfigFieldsWithFlags(config *config.Config, gnmiBindAddress *string, gnmiTLS *bool, certFile *string, keyFile *string, caFile *string) {
 	if isFlagPassed("gnmiTLS") {
-		config.GnmiTLS.TLS = *gnmiTLS
+		config.GnmiTLS.Active = *gnmiTLS
 	}

 	if isFlagPassed("gnmiBindAddress") {