feat: TLS, HTTP basic auth and config file for AgentCTL #1534
Maybe it would be easier to just reuse the existing ConfigToClient func from cn-infra? Anyway, it would be useful if etcd endpoints could be passed via config file as well. Maybe even if any agentctl argument (e.g. service label) could be passed via config file?
cmd/agentctl/cli/config.go (outdated)

```go
)

// ConfigFile represents info from ~/.agentctl/all.conf.
type ConfigFile struct {
```
I agree with comment from @rastislavszabo #1534 (comment)

> Anyway, it would be useful if etcd endpoints could be passed via config file as well. Maybe even if any agentctl argument (e.g. service label) could be passed via config file?

This definition should serve as a complete configuration for the AgentCTL.
Initial values for the config should be provided by the DefaultConfig() function and used on line 56. Then config file contents should be loaded (possibly overriding some defaults) and after loading the config file, the environment variables and program arguments should be applied to the config value. This order should be used to properly handle precedence order:
- default config
- config file (possibly system and then local)
- env vars
- program arguments
The Go library viper might be really helpful here and provide a simpler way to make this all work automatically.
> a complete configuration for the AgentCTL

Sure, complete configuration sounds good. Will work on that too.

> The Go library viper might be really helpful

yeah, a tab with Viper has been open in my browser since the beginning of work on this task, but for now I'm fighting for better TLS (I don't like that code from cn-infra). Definitely will look into Viper, but a little bit later, when I'm working on a complete configuration and that order of different ways of configuring AgentCTL, I think.
@rastislavszabo thanks for checking out my work! The main problem with reusing is that the mentioned function not only creates a connection to ETCD, but also tries to finish with configuration, and I don't want that. The second problem is with
```go
	// TODO: support TLS
	TLS        bool
	TLSVerify  bool
	TLSOptions *tlsconfig.Options
```
These options will be needed for providing security related options for connection (gRPC) to the agent and should not be used for the KVDB connection.
So gRPC is the only thing which can be configured via flags? Right now I'm using the --tls flag to tell whether or not to use TLS for different connections, for example if all files (cert, key and ca) are defined for kvdb in the config file, but I want to connect to a local etcd, so I don't need any TLS for now, but later I want to connect to a remote etcd with auth enabled, so I'm going to need those files.
I'll rethink this with a clear head tomorrow. Now I'm only about to push today's work and go home 😌
Well, I guess we can keep this shared for now since the agentctl uses one connection per single run anyway.
In the future when we start using viper any config option defined for configuration can be overridden automatically from env vars and flags by using `BindEnv` and `BindFlags`. So it would be easy to override the TLS configuration from file with using some auto-generated flag `--kvdb-tls=false`, essentially the same as `cfg.Kvdb.TLS = false`.
I'm done with TLS and it looks like Viper requires big changes for AgentCTL, so I think it will be better to continue (although I did not push anything) working on that in a new PR. EDIT:
Force-pushed from fe979e3 to a3a84b2.
yeah, having the config in a
In such a case it would be easier to see what configuration can be applied and we may get rid of

I agree and I'll start to work on that (shouldn't take much time). @ondrej-fabry may you approve this with 👍 on this comment?
It feels like an endless PR ✨
I feel you.. but better to have it done properly at first than just increasing technical debt by putting a "refactor.." task into the backlog.
Configuration table:
cmd/agentctl/cli/viper.go (outdated)

```go
func viperReadInConfig() {
	if err := viper.ReadInConfig(); err != nil {
		if _, ok := err.(viper.ConfigFileNotFoundError); ok {
			logging.Debug("unable to find config file")
```
Better to print the actual error here too. It contains more error context about where and what file was being accessed:
That configuration table is slick! It would be nice to have a way to print this with something like ..or perhaps even better with some agentctl command remotely?
I'm glad you like it! I agree, it would be nice to have something like this printed by
And also, I vote for a separate command to do that, so with flags you may change the columns printed and maybe the level of verbosity. To the existing columns, I would add "example" and "current value" and maybe "comment" too. But it is another task and doesn't suit this PR! :) Let's finish with this first, please. And, in the first place, by putting that "high overview" configuration table, I wanted to receive some feedback. Maybe we need to rename something or add more ENV variables or change defaults.
Thanks for the table and all the work! I have some comments, but I would prefer finally merging this PR and addressing that (as well as the table you were discussing) in a separate PR.
@rastislavszabo sure
Yes, it is for HTTP only. Before now, I thought that basic auth is an HTTP-only thing. I'll rename it so it will be clearer.
I was thinking that a user may not want to verify the server's cert (or may use the host's CA set), so no need for a CA file, and the server may not be configured to require the client's cert, so no need for cert and key files. In such a case the user just wants that secure connection to work without any files, and to achieve that you just add
Somehow I forgot about that and it's not working with the latest changes. Thanks for pointing that out. In the current state there are two options: either remove that
Example of what I wanted to achieve:
EDIT:
Good idea, but maybe I would use different naming. E.g. with
And by providing that flag, the user will know that no verification of the server's certificate is done behind the scenes, so it is basically insecure security 😁. Looks like a good naming choice 👍 And what if there is some TLS configuration? Will this flag override all connections to not verify the server's certificate (and therefore skip the CA file if set) and just send our cert (if it is set) for "authentication with HTTPS client certificates"?
yeah, this seems to be the best option
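To make the agreed `--insecure-tls` behaviour concrete, here is an added Go example (not code from this PR or from the project) that resolves one connection's TLS options into a `*tls.Config`: the flag forces TLS on for every connection, skips server certificate verification so a configured `ca-file` is ignored, and keeps presenting the client certificate only when the connection was not disabled in the file and both `cert-file` and `key-file` are set. The `TLSOptions`, `Resolved` and `Loaders` types and the function names are assumptions of this example; file access is injected so the decision logic can be exercised without certificate files on disk.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"os"
)

// TLSOptions is one connection's TLS section as discussed in the thread
// (a disabled switch plus cert-file, key-file, ca-file and skip-verify).
// The Go type itself is this example's assumption, not the project's.
type TLSOptions struct {
	Disabled   bool
	CAFile     string
	CertFile   string
	KeyFile    string
	SkipVerify bool
}

// Resolved is the effective decision after --insecure-tls has been applied.
type Resolved struct {
	UseTLS, SkipVerify, UseCA, UseClientCert bool
}

// ResolveTLS implements the semantics agreed in the thread: --insecure-tls
// turns TLS on for every connection (even ones disabled in the file), skips
// server certificate validation (so a configured ca-file is ignored) and keeps
// the client certificate only for connections that were enabled in the file
// and have both cert-file and key-file set.
func ResolveTLS(o TLSOptions, insecureFlag bool) Resolved {
	r := Resolved{UseTLS: !o.Disabled, SkipVerify: o.SkipVerify}
	if insecureFlag {
		r.UseTLS, r.SkipVerify = true, true
	}
	if !r.UseTLS {
		return Resolved{}
	}
	r.UseCA = o.CAFile != "" && !r.SkipVerify
	r.UseClientCert = !o.Disabled && o.CertFile != "" && o.KeyFile != ""
	return r
}

// Loaders abstracts certificate file access so the decision logic can be
// exercised without files on disk; DiskLoaders is what a real CLI would use.
type Loaders struct {
	Pair func(certFile, keyFile string) (tls.Certificate, error)
	CA   func(caFile string) (*x509.CertPool, error)
}

func DiskLoaders() Loaders {
	return Loaders{
		Pair: tls.LoadX509KeyPair,
		CA: func(path string) (*x509.CertPool, error) {
			pemBytes, err := os.ReadFile(path)
			if err != nil {
				return nil, err
			}
			pool := x509.NewCertPool()
			if !pool.AppendCertsFromPEM(pemBytes) {
				return nil, fmt.Errorf("no PEM certificates found in %s", path)
			}
			return pool, nil
		},
	}
}

// BuildTLSConfig turns the decision into a *tls.Config (nil when TLS is off).
func BuildTLSConfig(o TLSOptions, insecureFlag bool, ld Loaders) (*tls.Config, error) {
	r := ResolveTLS(o, insecureFlag)
	if !r.UseTLS {
		return nil, nil
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: r.SkipVerify}
	if r.SkipVerify {
		// Make the weakened setting visible in the logs rather than silent.
		log.Printf("warning: server certificate verification disabled; ca-file %q not used", o.CAFile)
	}
	if r.UseCA {
		pool, err := ld.CA(o.CAFile)
		if err != nil {
			return nil, fmt.Errorf("load ca-file: %w", err)
		}
		cfg.RootCAs = pool
	}
	if r.UseClientCert {
		pair, err := ld.Pair(o.CertFile, o.KeyFile)
		if err != nil {
			return nil, fmt.Errorf("load cert-file/key-file: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}
```

Because `InsecureSkipVerify` removes authentication of the server entirely, the builder logs a warning whenever it ends up set; a CLI wrapping this would want that line visible at the default log level, not only under `--debug`.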
Force-pushed from d66e132 to b0ebbb7.
tests/e2e/resources/agentctl.conf (outdated)
@@ -0,0 +1,16 @@ | |||
use-tls: true |
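Review bot: `use-tls: true` uses a key that the config file format documented in this PR does not list (the TLS keys described are `insecure-tls`, `skip-verify`, `cert-file`, `key-file` and `ca-file`), so this e2e fixture would carry a stale option; update the line to the current key or drop it, and consider having the config loader reject unknown keys so a stale fixture fails loudly instead of silently running without the TLS setting it appears to request.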
this option is already outdated, isn't it?
it is, thanks
Issue #1529

Config File

Default Path: `~/.agentctl/config.yml`
Path to directory with config file may be changed with the `--config-dir` flag.

Setup TLS

Example of conf file:

`insecure-tls: yes` in config file is the same as passing the `--insecure-tls` flag. This configuration enables TLS with `skip-verify: true` (so client does not validate server's certificate) for all connections, even for disabled ones (yes, it enables them, but without using `cert-file` or `key-file`, and obviously not `ca-file`). If TLS config was not disabled and `cert-file` with `key-file` are set, then the `--insecure-tls` option will keep that as it is and use them for secure connections.

Agent host configuration

(`config-dir` to some random path which does not contain any configuration file for agentctl)

```
➜ agentctl --config-dir=/ status
HTTP request failed: Cannot connect to the agent at 127.0.0.1. Is the agent running?
```

```
➜ cat ~/.agentctl/config.yml
host: fromconfig
➜ agentctl status
HTTP request failed: error during connect: Get http://fromconfig:9191/readiness: dial tcp: lookup fromconfig: no such host
```

```
➜ cat ~/.agentctl/config.yml
host: fromconfig
➜ AGENT_HOST=fromenv agentctl status
HTTP request failed: error during connect: Get http://fromenv:9191/readiness: dial tcp: lookup fromenv: no such host
```

```
➜ cat ~/.agentctl/config.yml
host: fromconfig
➜ AGENT_HOST=fromenv agentctl --host fromflags status
HTTP request failed: error during connect: Get http://fromflags:9191/readiness: dial tcp: lookup fromflags: no such host
```

Service label configuration

Config file line:
`service-label: best-service-ever`
Env variable:
`MICROSERVICE_LABEL=awesome-service`
Flag:
`agentctl --service-label magic-service ...`

gRPC and HTTP ports

Config file lines:
Env variables: Not supported
Flag:
`agentctl --grpc-port 1010 --http-port 2020 ...`

ETCD endpoints

Config file lines:
Env variable:
`ETCD_ENDPOINTS=1.1.1.1:1241,2.2.2.2:3333` (use `,` as separator)
Flag:
`agentctl --debug --etcd-endpoints 1.1.1.1:1241 --etcd-endpoints 2.2.2.2:3333 ...`
or
`agentctl --debug --etcd-endpoints 1.1.1.1:1241,2.2.2.2:3333 ...`

Basic Auth for HTTP connection:
`--http-basic-auth` flag
`AGENTCTL_HTTP_BASIC_AUTH`