mainboilerplate: rename various "key-file" to "cert-key-file"

This is to more clearly scope private keys to being an aspect of their
TLS certificate, and to reduce confusion with the new "auth-keys" flag
and environment variable.

cmd/gazette/main.go

@@ -77,11 +77,11 @@ func (cmdServe) Execute(args []string) error {
 
 	if Config.Broker.ServerCertFile != "" {
 		serverTLS, err = server.BuildTLSConfig(
-			Config.Broker.ServerCertFile, Config.Broker.ServerKeyFile, Config.Broker.ServerCAFile)
+			Config.Broker.ServerCertFile, Config.Broker.ServerCertKeyFile, Config.Broker.ServerCAFile)
 		mbp.Must(err, "building server TLS config")
 
 		peerTLS, err = server.BuildTLSConfig(
-			Config.Broker.PeerCertFile, Config.Broker.PeerKeyFile, Config.Broker.PeerCAFile)
+			Config.Broker.PeerCertFile, Config.Broker.PeerCertKeyFile, Config.Broker.PeerCAFile)
 		mbp.Must(err, "building peer TLS config")
 	}
 

mainboilerplate/client.go

@@ -22,7 +22,7 @@ import (
 type AddressConfig struct {
 	Address       pb.Endpoint `long:"address" env:"ADDRESS" default:"http://localhost:8080" description:"Service address endpoint"`
 	CertFile      string      `long:"cert-file" env:"CERT_FILE" default:"" description:"Path to the client TLS certificate"`
-	KeyFile       string      `long:"key-file" env:"KEY_FILE" default:"" description:"Path to the client TLS private key"`
+	CertKeyFile   string      `long:"cert-key-file" env:"CERT_KEY_FILE" default:"" description:"Path to the client TLS private key"`
 	TrustedCAFile string      `long:"trusted-ca-file" env:"TRUSTED_CA_FILE" default:"" description:"Path to the trusted CA for client verification of server certificates"`
 	AuthKeys      string      `long:"auth-keys" env:"AUTH_KEYS" description:"Whitespace separated, base64-encoded keys. The first key is used to sign Authorization tokens."`
 }
@@ -32,7 +32,7 @@ func (c *AddressConfig) MustDial(ctx context.Context) *grpc.ClientConn {
 	var tc credentials.TransportCredentials
 
 	if c.Address.URL().Scheme == "https" {
-		var tlsConfig, err = server.BuildTLSConfig(c.CertFile, c.KeyFile, c.TrustedCAFile)
+		var tlsConfig, err = server.BuildTLSConfig(c.CertFile, c.CertKeyFile, c.TrustedCAFile)
 		Must(err, "failed to build TLS config")
 		tc = credentials.NewTLS(tlsConfig)
 	} else {

mainboilerplate/etcd.go

@@ -16,7 +16,7 @@ import (
 type EtcdConfig struct {
 	Address       protocol.Endpoint `long:"address" env:"ADDRESS" default:"http://localhost:2379" description:"Etcd service address endpoint"`
 	CertFile      string            `long:"cert-file" env:"CERT_FILE" default:"" description:"Path to the client TLS certificate"`
-	KeyFile       string            `long:"key-file" env:"KEY_FILE" default:"" description:"Path to the client TLS private key"`
+	CertKeyFile   string            `long:"cert-key-file" env:"CERT_KEY_FILE" default:"" description:"Path to the client TLS private key"`
 	TrustedCAFile string            `long:"trusted-ca-file" env:"TRUSTED_CA_FILE" default:"" description:"Path to the trusted CA for client verification of server certificates"`
 	LeaseTTL      time.Duration     `long:"lease" env:"LEASE_TTL" default:"20s" description:"Time-to-live of Etcd lease"`
 }
@@ -29,7 +29,7 @@ func (c *EtcdConfig) MustDial() *clientv3.Client {
 	switch addr.Scheme {
 	case "https":
 		var err error
-		tlsConfig, err = server.BuildTLSConfig(c.CertFile, c.KeyFile, c.TrustedCAFile)
+		tlsConfig, err = server.BuildTLSConfig(c.CertFile, c.CertKeyFile, c.TrustedCAFile)
 		Must(err, "failed to build TLS config")
 	case "unix":
 		// The Etcd client requires hostname is stripped from unix:// URLs.

mainboilerplate/runconsumer/run_consumer.go

@@ -141,11 +141,11 @@ func (sc Cmd) Execute(args []string) error {
 
 	if bc.Consumer.ServerCertFile != "" {
 		serverTLS, err = server.BuildTLSConfig(
-			bc.Consumer.ServerCertFile, bc.Consumer.ServerKeyFile, bc.Consumer.ServerCAFile)
+			bc.Consumer.ServerCertFile, bc.Consumer.ServerCertKeyFile, bc.Consumer.ServerCAFile)
 		mbp.Must(err, "building server TLS config")
 
 		peerTLS, err = server.BuildTLSConfig(
-			bc.Consumer.PeerCertFile, bc.Consumer.PeerKeyFile, bc.Consumer.PeerCAFile)
+			bc.Consumer.PeerCertFile, bc.Consumer.PeerCertKeyFile, bc.Consumer.PeerCAFile)
 		mbp.Must(err, "building peer TLS config")
 	}
 

mainboilerplate/service.go

@@ -14,15 +14,15 @@ type ZoneConfig struct {
 // ServiceConfig represents identification and addressing configuration of the process.
 type ServiceConfig struct {
 	ZoneConfig
-	ID             string `long:"id" env:"ID" description:"Unique ID of this process. Auto-generated if not set"`
-	Host           string `long:"host" env:"HOST" description:"Addressable, advertised hostname or IP of this process. Hostname is used if not set"`
-	Port           string `long:"port" env:"PORT" description:"Service port for HTTP and gRPC requests. A random port is used if not set. Port may also take the form 'unix:///path/to/socket' to use a Unix Domain Socket"`
-	ServerCertFile string `long:"server-cert-file" env:"SERVER_CERT_FILE" default:"" description:"Path to the server TLS certificate. This option toggles whether TLS is used. If absent, all other TLS settings are ignored."`
-	ServerKeyFile  string `long:"server-key-file" env:"SERVER_KEY_FILE" default:"" description:"Path to the server TLS private key"`
-	ServerCAFile   string `long:"server-ca-file" env:"SERVER_CA_FILE" default:"" description:"Path to the trusted CA for server verification of client certificates. When present, client certificates are required and verified against this CA. When absent, client certificates are not required but are verified against the system CA pool if presented."`
-	PeerCertFile   string `long:"peer-cert-file" env:"PEER_CERT_FILE" default:"" description:"Path to the client TLS certificate for peer-to-peer requests"`
-	PeerKeyFile    string `long:"peer-key-file" env:"PEER_KEY_FILE" default:"" description:"Path to the client TLS private key for peer-to-peer requests"`
-	PeerCAFile     string `long:"peer-ca-file" env:"PEER_CA_FILE" default:"" description:"Path to the trusted CA for client verification of peer server certificates. When absent, the system CA pool is used instead."`
+	ID                string `long:"id" env:"ID" description:"Unique ID of this process. Auto-generated if not set"`
+	Host              string `long:"host" env:"HOST" description:"Addressable, advertised hostname or IP of this process. Hostname is used if not set"`
+	Port              string `long:"port" env:"PORT" description:"Service port for HTTP and gRPC requests. A random port is used if not set. Port may also take the form 'unix:///path/to/socket' to use a Unix Domain Socket"`
+	ServerCertFile    string `long:"server-cert-file" env:"SERVER_CERT_FILE" default:"" description:"Path to the server TLS certificate. This option toggles whether TLS is used. If absent, all other TLS settings are ignored."`
+	ServerCertKeyFile string `long:"server-cert-key-file" env:"SERVER_CERT_KEY_FILE" default:"" description:"Path to the server TLS private key"`
+	ServerCAFile      string `long:"server-ca-file" env:"SERVER_CA_FILE" default:"" description:"Path to the trusted CA for server verification of client certificates. When present, client certificates are required and verified against this CA. When absent, client certificates are not required but are verified against the system CA pool if presented."`
+	PeerCertFile      string `long:"peer-cert-file" env:"PEER_CERT_FILE" default:"" description:"Path to the client TLS certificate for peer-to-peer requests"`
+	PeerCertKeyFile   string `long:"peer-cert-key-file" env:"PEER_CERT_KEY_FILE" default:"" description:"Path to the client TLS private key for peer-to-peer requests"`
+	PeerCAFile        string `long:"peer-ca-file" env:"PEER_CA_FILE" default:"" description:"Path to the trusted CA for client verification of peer server certificates. When absent, the system CA pool is used instead."`
 }
 
 // ProcessSpec of the ServiceConfig.