eclipse-hono

How can I deploy all Hono components with only insecure ports exposed?


Introduction:

Hello! I would like to deploy all Hono components with only insecure ports exposed, because we have other security mechanisms on top of that and, for now, this is only complicating our infrastructure.

I am using the official Hono Helm deployments (except the device registry, which is basically a forked version of the Hono MongoDB Device Registry) to deploy Hono to GCP Kubernetes (GKE). I was able to successfully run the whole deployment using certificates from our own PKI; what I did was mount the correct certs using extraVolumes and extraVolumeMounts and provide the required configuration via tenantSpec, deviceRegistrationSpec and credentialsSpec. It was working fine on minikube.

My current target is to deploy components that are able to communicate properly with each other and then protect only adapters with certificates from our PKI.

Problem:

Can I deploy all Hono components so that they use insecure ports to communicate with each other? Currently I am getting "SASL handshake failed due to a transient error" in the communication between command-router and device-registry, and I am not sure where the real cause of this error lies.

I've tried to tweak the configuration in multiple ways; the closest one to what I want to achieve is below. The hosts are correct for sure, but in terms of ports it looks like the Hono Helm charts do not really deploy Services with insecure ports (only amqps-5671 is bound).

device-registry config:

hono:
  auth:
    host: hono-service-auth
    port: 5672
    hostnameVerificationRequired: false
    supportedSaslMechanisms: PLAIN
    connectTimeout: 2000
  registry:
    http:
      authenticationRequired: false
      insecurePortEnabled: true
      insecurePortBindAddress: 0.0.0.0
    amqp:
      insecurePort: 5672
      insecurePortEnabled: true
      insecurePortBindAddress: 0.0.0.0

Global config to access the tenant/device/credentials APIs:

adapters:
  tenantSpec:
    credentialsPath: /opt/hono/config/adapter.credentials
    host: device-registry-chart-service-device-registry
    port: 5672
    tlsEnabled: false
    hostnameVerificationRequired: false
  deviceRegistrationSpec:
    credentialsPath: /opt/hono/config/adapter.credentials
    host: device-registry-chart-service-device-registry
    port: 5672
    tlsEnabled: false
    hostnameVerificationRequired: false
  credentialsSpec:
    credentialsPath: /opt/hono/config/adapter.credentials
    host: device-registry-chart-service-device-registry
    port: 5672
    tlsEnabled: false
    hostnameVerificationRequired: false

auth-server config:

hono:
  auth:
    amqp:
      insecurePortEnabled: true
      insecurePortBindAddress: 0.0.0.0
      bindAddress: 0.0.0.0
    svc:
      permissionsPath: "file:///mnt/permissions/permissions.json"
      supportedSaslMechanisms: "PLAIN"
      # auth-server does not boot up without any signing material configured, maybe this is related? I was trying to validate the cert on the client side but it didn't help
      signing:
        keyPath: /mnt/cert/tls.key
        certPath: /mnt/cert/tls.crt

Solution

  • You should find all relevant information in the Hono documentation. In particular in the admin guides. That said, it is indeed possible to do what you intend to achieve. The most important thing is to configure the Auth Server's signing material correctly. Given that you do not want to use TLS for the connections you most likely do not want to configure the Auth Server with a private key. Instead, you can configure a string to derive a symmetric key from, which can then be used by the Auth Server to sign the tokens that it issues. See https://eclipse.dev/hono/docs/admin-guide/auth-server-config/#signing-key-configuration for details. The property to set is hono.auth.svc.signing.sharedSecret.

    The Device Registry and the Command Router then also need to be configured with the same symmetric key so that they are able to verify the token signature. See https://eclipse.dev/hono/docs/admin-guide/command-router-config/#authentication-service-connection-configuration and https://eclipse.dev/hono/docs/admin-guide/mongodb-device-registry-config/#authentication-service-connection-configuration respectively. The property to set is hono.auth.validation.sharedSecret.

    Your configuration of the connections between the adapters and the registry and command router should do the trick. You might want to reconsider if you really want to expose the Device Registry's HTTP endpoint without TLS as well. Hono's other components use the registry's AMQP endpoints for retrieving device data during connection establishment. The HTTP endpoint is used for managing device registration information by external clients.
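The shared-secret setup described in the answer, written out as an added example (not configuration from the question or from the Hono project): the Auth Server's keyPath/certPath signing block from the question is replaced by hono.auth.svc.signing.sharedSecret, and the Device Registry and Command Router get the same value under hono.auth.validation.sharedSecret. The flat hono.* property layout mirrors the question's snippets; how these keys are nested inside a particular Helm chart's values file, and the Command Router's auth-client block matching the registry's, are assumptions.

```yaml
# Auth Server: no TLS, tokens signed with a symmetric key derived from a shared secret.
# CHANGE-ME-shared-secret is a placeholder. Use one long, random string for all three
# components and inject it from a Kubernetes Secret instead of committing it to values.
hono:
  auth:
    amqp:
      insecurePortEnabled: true
      insecurePortBindAddress: 0.0.0.0
    svc:
      permissionsPath: "file:///mnt/permissions/permissions.json"
      supportedSaslMechanisms: "PLAIN"
      signing:
        # replaces the keyPath/certPath pair that required a private key
        sharedSecret: "CHANGE-ME-shared-secret"
---
# Device Registry: connects to the Auth Server over the insecure AMQP port and
# verifies token signatures with the same secret (hono.auth.validation.sharedSecret).
hono:
  auth:
    host: hono-service-auth
    port: 5672
    hostnameVerificationRequired: false
    supportedSaslMechanisms: PLAIN
    validation:
      sharedSecret: "CHANGE-ME-shared-secret"
  registry:
    amqp:
      insecurePort: 5672
      insecurePortEnabled: true
      insecurePortBindAddress: 0.0.0.0
---
# Command Router: same auth-client connection and the same validation secret
# (assumed to mirror the registry's hono.auth block, per the linked admin guide).
hono:
  auth:
    host: hono-service-auth
    port: 5672
    hostnameVerificationRequired: false
    supportedSaslMechanisms: PLAIN
    validation:
      sharedSecret: "CHANGE-ME-shared-secret"
```

If any one of the three components carries a different value, the tokens issued by the Auth Server will fail signature validation at that component, which shows up as the SASL handshake failing between the peers rather than as a clear key-mismatch error.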