WIP: [tink-server] add command line flags for tls certs #266
Conversation
thebsdbox
added
the
kind/feature
|
This looks a great first step in adding flags for pointing to file locations for certs, will this:
|
|
This is a great candidate for tinkerbell/proposals#15 as soon as it is accepted :) And if we agree to keep only one behavior. |
detiber
force-pushed
the
tlsFlags
branch
2 times, most recently
from
eb8c76b to
3128a23
Compare
Codecov Report
@@ Coverage Diff @@
## master #266 +/- ##
==========================================
+ Coverage 32.70% 33.20% +0.49%
==========================================
Files 44 44
Lines 3137 3090 -47
==========================================
Hits 1026 1026
+ Misses 2019 1972 -47
Partials 92 92
Continue to review full report at Codecov.
|
detiber
force-pushed
the
tlsFlags
branch
2 times, most recently
from
5fc8a2d to
e6d5bfc
Compare
detiber
added
the
ci-check/vagrant-setup
|
Not quite sure what is going on with the vagrant-setup job, GitHub Actions is complaining that it can't find the self-hosted runner and I don't have permissions that allow me to see the configuration to verify. |
|
Yeah the vagrant test is not supposed to run for this repo anymore but only for |
gianarb
added
the
breaking-change
|
Can you add a detailed "how to migrate" section as PR description that tells users how to migrate from a running tinkerbell (assume vagrant and setup.sh) to this new way? Thanks a lot |
detiber
force-pushed
the
tlsFlags
branch
2 times, most recently
from
409c606 to
2ab3bbc
Compare
cmd/tink-server/cmd/root.go
Outdated
| // createViper creates a Viper object configured to read in configuration files | ||
| // (from various paths with content type specific filename extensions) and loads | ||
| // environment variables. | ||
| func createViper(logger log.Logger) (*viper.Viper, error) { | ||
| v := viper.New() | ||
| v.AutomaticEnv() | ||
| v.SetConfigName("tink-server") | ||
| v.AddConfigPath("/etc/tinkerbell") | ||
| v.AddConfigPath(".") | ||
| v.SetEnvKeyReplacer(strings.NewReplacer("-", "_")) | ||
|
|
||
| // If a config file is found, read it in. | ||
| if err := v.ReadInConfig(); err != nil { | ||
| if _, ok := err.(viper.ConfigFileNotFoundError); !ok { | ||
| logger.With("configFile", v.ConfigFileUsed()).Error(err, "could not load config file") | ||
|
|
||
| return nil, err | ||
| } | ||
|
|
||
| logger.Info("no config file found") | ||
| } else { | ||
| logger.With("configFile", v.ConfigFileUsed()).Info("loaded config file") | ||
| } | ||
|
|
||
| return v, nil | ||
| } | ||
|
|
||
| func applyViper(v *viper.Viper, cmd *cobra.Command) error { | ||
| errors := []error{} | ||
|
|
||
| cmd.Flags().VisitAll(func(f *pflag.Flag) { | ||
| if !f.Changed && v.IsSet(f.Name) { | ||
| val := v.Get(f.Name) | ||
| if err := cmd.Flags().Set(f.Name, fmt.Sprintf("%v", val)); err != nil { | ||
| errors = append(errors, err) | ||
|
|
||
| return | ||
| } | ||
| } | ||
| }) | ||
|
|
||
| if len(errors) > 0 { | ||
| errs := []string{} | ||
| for _, err := range errors { | ||
| errs = append(errs, err.Error()) | ||
| } | ||
|
|
||
| return fmt.Errorf(strings.Join(errs, ", ")) | ||
| } | ||
|
|
||
| return nil | ||
| } |
There was a problem hiding this comment.
@displague I modeled this after the work you did for tink-worker, I'm thinking we can move this to a shared library that all cli tools import.
cmd/tink-server/main.go
Outdated
| "github.com/tinkerbell/tink/db" | ||
| rpcServer "github.com/tinkerbell/tink/grpc-server" | ||
| httpServer "github.com/tinkerbell/tink/http-server" | ||
| "github.com/tinkerbell/tink/cmd/tink-worker/cmd" |
There was a problem hiding this comment.
Oops, this should be tink-server, not tink-worker, will be fixing shortly.
detiber
force-pushed
the
tlsFlags
branch
2 times, most recently
from
aedd181 to
a05327e
Compare
|
@detiber - Any movement on this PR? It seems to be doing the right thing but is also getting a bit long in the tooth. |
Signed-off-by: Jason DeTiberus <detiber@users.noreply.github.com>
|
@tstromberg thanks for the nudge, I've started to attempt to rebase it off of the current state of the repo. Can you provide any guidance on the best way to test changes now? It looks like the former vagrant test I was relying on is no longer present. |
|
Previous lint failure was related to an existing ineffective assignment in db/mock/template.go, I've added a separate commit to address the issue. I suspect a newer version of golangci-lint being available in the github action is the reason that it just now cropped up. |
grpc-server/grpc_server.go
Outdated
| //cert []byte | ||
| //modT time.Time |
There was a problem hiding this comment.
As far as I could tell from a quick glance, these didn't actually appear to be used anywhere outside of methods that were exposed and seemingly unused in grpc-server/hardware.go
grpc-server/hardware.go
Outdated
| // TODO: is this used anywhere? | ||
| // // Cert returns the public cert that can be served to clients | ||
| // func (s *server) Cert() []byte { | ||
| // return s.cert | ||
| // } | ||
|
|
||
| // ModTime returns the modified-time of the grpc cert | ||
| func (s *server) ModTime() time.Time { | ||
| return s.modT | ||
| } | ||
| // // ModTime returns the modified-time of the grpc cert | ||
| // func (s *server) ModTime() time.Time { | ||
| // return s.modT | ||
| // } |
There was a problem hiding this comment.
As far as I could tell from a quick glance, these didn't actually appear to be used anywhere.
test-docker-compose.yml
Outdated
| command: | ||
| - --tls-cert=/certs/${FACILITY:-onprem}/bundle.pem | ||
| - --tls-key=/certs/${FACILITY:-onprem}/server-key.pem |
There was a problem hiding this comment.
This was previously needed for the purposes of the old vagrant test, I'm not sure if this compose file is actually used anywhere now.
deploy/docker-compose.yml
Outdated
| command: | ||
| - --tls-cert=/certs/${FACILITY:-onprem}/bundle.pem | ||
| - --tls-key=/certs/${FACILITY:-onprem}/server-key.pem |
There was a problem hiding this comment.
This was previously needed for the purposes of the old vagrant test, I'm not sure if this compose file is actually used anywhere now.
|
I've created a separate PR for the golangci-lint fixes that are unrelated to this PR here: #511 |
|
@detiber - would you like any help with getting this PR in? |
|
Hey @detiber, is this still something on your radar? I'll echo Thomas, would you like any help getting this through? |
|
Hey @detiber, please re-open this if/when needed. |
Description
Adds flags to tink-server for configuring tls certificates
Why is this needed
POC for tinkerbell/proposals#12
How Has This Been Tested?
I tested these changes with the existing docker-compose workflow along with a POC I've been working on using kind and cert-manager
How are existing users impacted? What migration steps/scripts do we need?
Existing users should not be impacted, but depending on discussion around the proposal, we may want to deprecate the existing certificate configuration method.
Checklist:
I have: