Allow specifying a cert and a key manually for federation endpoint. #5163
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sorindumitru
requested review from
evan2645,
amartinezfayo,
azdagron,
MarcosDY and
rturner3
as code owners
azdagron
reviewed
May 23, 2024
There was a problem hiding this comment.
Thanks for this @sorindumitru. I've left some comments and there are others that were caught by the linter that should also be addressed.
| @@ -171,15 +172,19 @@ func newSource(log logrus.FieldLogger, config *Config) (JWKSSource, error) { | |||
| } | |||
|
|
|||
| func newListenerWithServingCert(ctx context.Context, log logrus.FieldLogger, config *Config) (net.Listener, error) { | |||
| certManager, err := NewDiskCertManager(config.ServingCertFile, nil, log) | |||
| certManager, err := diskcertmanager.NewDiskCertManager(&diskcertmanager.DiskCertManagerConfig{ | |||
There was a problem hiding this comment.
These names are stuttery. I'd suggest:
Suggested change
| certManager, err := diskcertmanager.NewDiskCertManager(&diskcertmanager.DiskCertManagerConfig{ | |
| certManager, err := diskcertmanager.New(&diskcertmanager.Config{ |
| serverCert, serverKey := createServerCertificate(t) | ||
|
|
||
| serverCertPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: serverCert.Raw}) | ||
| err := os.WriteFile(dir+"/server.crt", serverCertPem, 0755) |
There was a problem hiding this comment.
Should use filepath to create paths so they are platform independent.
Suggested change
| err := os.WriteFile(dir+"/server.crt", serverCertPem, 0755) | |
| err := os.WriteFile(filepath.Join(dir, server.crt), serverCertPem, 0600) |
| dir := spiretest.TempDir(t) | ||
| serverCert, serverKey := createServerCertificate(t) | ||
|
|
||
| serverCertPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: serverCert.Raw}) |
There was a problem hiding this comment.
nit: we have helpers for this
Suggested change
| serverCertPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: serverCert.Raw}) | |
| serverCertPem := pemutil.EncodeCertificate(serverCert.Raw) |
Comment on lines
191
to
193
| serverKeyBytes, err := x509.MarshalPKCS8PrivateKey(serverKey) | ||
| require.NoError(t, err) | ||
| serverKeyPem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: serverKeyBytes}) |
There was a problem hiding this comment.
Suggested change
| serverKeyBytes, err := x509.MarshalPKCS8PrivateKey(serverKey) | |
| require.NoError(t, err) | |
| serverKeyPem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: serverKeyBytes}) | |
| serverKeyBytes, err := pemutil.EncodePKCS8PrivateKey(serverKey) | |
| require.NoError(t, err) |
| serverKeyBytes, err := x509.MarshalPKCS8PrivateKey(serverKey) | ||
| require.NoError(t, err) | ||
| serverKeyPem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: serverKeyBytes}) | ||
| err = os.WriteFile(dir+"/server.key", serverKeyPem, 0700) |
There was a problem hiding this comment.
Suggested change
| err = os.WriteFile(dir+"/server.key", serverKeyPem, 0700) | |
| err = os.WriteFile(filepath.Join(dir, "server.key"), serverKeyPem, 0600) |
pkg/server/endpoints/config.go
Outdated
| } else if c.BundleEndpoint.DiskCertManager != nil { | ||
| serverAuth = c.BundleEndpoint.DiskCertManager | ||
| // Start watching for file changes | ||
| go c.BundleEndpoint.DiskCertManager.WatchFileChanges(ctx) |
There was a problem hiding this comment.
This goroutine shouldn't be launched yet. Rather, maybeMakeBundleEndpointServer could return a "task" that that is set on the Endpoints struct, and then that task can be managed by Endpoints.ListenAndServe (see the other tasks conditionally started in ListenAndServe).
cmd/spire-server/cli/run/run.go
Outdated
| @@ -691,46 +699,53 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool | |||
| return sc, nil | |||
| } | |||
|
|
|||
| func parseBundleEndpointConfigProfile(config *bundleEndpointConfig, dataDir string, log logrus.FieldLogger) (*bundle.ACMEConfig, error) { | |||
| func parseBundleEndpointConfigProfile(config *bundleEndpointConfig, federationConfig *server.FederationConfig, dataDir string, log logrus.FieldLogger) error { | |||
There was a problem hiding this comment.
As a convention, I'd prefer parameters that are modifying by the function to be last. Also, maybe we should rename this function to imply that it is doing a little more than parsing:
Suggested change
| func parseBundleEndpointConfigProfile(config *bundleEndpointConfig, federationConfig *server.FederationConfig, dataDir string, log logrus.FieldLogger) error { | |
| func setBundleEndpointConfigProfile(config *bundleEndpointConfig, dataDir string, log logrus.FieldLogger, federationConfig *server.FederationConfig) error { |
sorindumitru
force-pushed
the
https-web-cert-and-key
branch
from
23e20a7
to
c7eb48d
Compare
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Makes it more compatible with the bundle endpoint authenticator Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
… bundle endpoint Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
sorindumitru
force-pushed
the
https-web-cert-and-key
branch
from
f98d32f
to
296b5cd
Compare
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
sorindumitru
force-pushed
the
https-web-cert-and-key
branch
from
296b5cd
to
2530aa0
Compare
azdagron
reviewed
Jun 17, 2024
There was a problem hiding this comment.
One small nitpick and we're ready to merge. Thank you, @sorindumitru .
Co-authored-by: Andrew Harding <azdagron@gmail.com> Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
azdagron
approved these changes
Jun 18, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request check list
Affected functionality
spire-server bundle endpoint
Description of change
Allow configuring the certificate used for the bundle endpoint server as files on disk instead of using ACME.
Which issue this PR fixes
fixes #2202