tink-server: support running in insecure mode

Signed-off-by: Nahum Shalman <[email protected]>
tinkerbell · Dec 6, 2021 · 0a19809 · 0a19809
1 parent b5e45fc
commit 0a19809
Show file tree

Hide file tree

Showing 5 changed files with 131 additions and 20 deletions.
diff --git a/cmd/tink-server/main.go b/cmd/tink-server/main.go
@@ -39,6 +39,7 @@ type DaemonConfig struct {
 	HTTPAuthority         string
 	HTTPBasicAuthUsername string
 	HTTPBasicAuthPassword string
+	Insecure              bool
 }
 
 func (c *DaemonConfig) AddFlags(fs *pflag.FlagSet) {
@@ -52,6 +53,7 @@ func (c *DaemonConfig) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&c.TLSCert, "tls-cert", "", "")
 	fs.StringVar(&c.CertDir, "cert-dir", "", "")
 	fs.StringVar(&c.HTTPAuthority, "http-authority", ":42114", "The address used to expose the HTTP server")
+	fs.BoolVar(&c.Insecure, "insecure", false, "Run in insecure mode (without TLS)")
 }
 
 func (c *DaemonConfig) PopulateFromLegacyEnvVar() {
@@ -93,6 +95,11 @@ func (c *DaemonConfig) PopulateFromLegacyEnvVar() {
 	if basicAuthPass := os.Getenv("TINK_AUTH_PASSWORD"); basicAuthPass != "" {
 		c.HTTPBasicAuthPassword = basicAuthPass
 	}
+	if insecure, isSet := os.LookupEnv("INSECURE"); isSet {
+		if b, err := strconv.ParseBool(insecure); err != nil {
+			c.Insecure = b
+		}
+	}
 }
 
 func main() {
@@ -180,22 +187,30 @@ func NewRootCommand(config *DaemonConfig, logger log.Logger) *cobra.Command {
 				logger.Info("Your database schema is not up to date. Please apply migrations running tink-server with env var ONLY_MIGRATION set.")
 			}
 
-			cert, modT := rpcServer.SetupGRPC(ctx, logger, &rpcServer.ConfigGRPCServer{
-				Facility:      config.Facility,
-				TLSCert:       config.TLSCert,
-				GRPCAuthority: config.GRPCAuthority,
-				DB:            tinkDB,
-			}, errCh)
-
-			httpServer.SetupHTTP(ctx, logger, &httpServer.Config{
-				CertPEM:               cert,
-				ModTime:               modT,
-				GRPCAuthority:         config.GRPCAuthority,
-				HTTPAuthority:         config.HTTPAuthority,
-				HTTPBasicAuthUsername: config.HTTPBasicAuthUsername,
-				HTTPBasicAuthPassword: config.HTTPBasicAuthPassword,
-			}, errCh)
+			if config.Insecure {
+				rpcServer.SetupGRPC(ctx, logger, &rpcServer.ConfigGRPCServer{
+					Facility:      config.Facility,
+					TLSCert:       "insecure",
+					GRPCAuthority: config.GRPCAuthority,
+					DB:            tinkDB,
+				}, errCh)
+			} else {
+				cert, modT := rpcServer.SetupGRPC(ctx, logger, &rpcServer.ConfigGRPCServer{
+					Facility:      config.Facility,
+					TLSCert:       config.TLSCert,
+					GRPCAuthority: config.GRPCAuthority,
+					DB:            tinkDB,
+				}, errCh)
 
+				httpServer.SetupHTTP(ctx, logger, &httpServer.Config{
+					CertPEM:               cert,
+					ModTime:               modT,
+					GRPCAuthority:         config.GRPCAuthority,
+					HTTPAuthority:         config.HTTPAuthority,
+					HTTPBasicAuthUsername: config.HTTPBasicAuthUsername,
+					HTTPBasicAuthPassword: config.HTTPBasicAuthPassword,
+				}, errCh)
+			}
 			select {
 			case err = <-errCh:
 				logger.Error(err)

diff --git a/docker-compose-insecure.yaml b/docker-compose-insecure.yaml
@@ -0,0 +1,88 @@
+version: "3.8"
+services:
+  tinkerbell:
+    build:
+      context: ./cmd/tink-server/
+      dockerfile: Dockerfile
+    restart: unless-stopped
+    environment:
+      FACILITY: ${FACILITY:-onprem}
+      PACKET_ENV: ${PACKET_ENV:-testing}
+      PACKET_VERSION: ${PACKET_VERSION:-ignored}
+      ROLLBAR_TOKEN: ${ROLLBAR_TOKEN:-ignored}
+      ROLLBAR_DISABLE: ${ROLLBAR_DISABLE:-1}
+      PGDATABASE: tinkerbell
+      PGHOST: db
+      PGPASSWORD: tinkerbell
+      PGPORT: 5432
+      PGSSLMODE: disable
+      PGUSER: tinkerbell
+      TINKERBELL_GRPC_AUTHORITY: :42113
+      TINKERBELL_HTTP_AUTHORITY: :42114
+      TINK_AUTH_USERNAME: ${TINKERBELL_TINK_USERNAME}
+      TINK_AUTH_PASSWORD: ${TINKERBELL_TINK_PASSWORD}
+      INSECURE: "true"
+    depends_on:
+      tink-server-migration:
+        condition: service_started
+      db:
+        condition: service_healthy
+    ports:
+      - 42113:42113/tcp
+      - 42114:42114/tcp
+
+  tink-server-migration:
+    image: quay.io/tinkerbell/tink:latest
+    restart: on-failure
+    environment:
+      ONLY_MIGRATION: "true"
+      INSECURE: "true"
+      FACILITY: ${FACILITY:-onprem}
+      PGDATABASE: tinkerbell
+      PGHOST: db
+      PGPASSWORD: tinkerbell
+      PGPORT: 5432
+      PGSSLMODE: disable
+      PGUSER: tinkerbell
+      TINKERBELL_GRPC_AUTHORITY: :42113
+      TINKERBELL_HTTP_AUTHORITY: :42114
+      TINK_AUTH_USERNAME: ${TINKERBELL_TINK_USERNAME}
+      TINK_AUTH_PASSWORD: ${TINKERBELL_TINK_PASSWORD}
+    depends_on:
+      db:
+        condition: service_healthy
+
+  db:
+    image: postgres:14-alpine
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: tinkerbell
+      POSTGRES_PASSWORD: tinkerbell
+      POSTGRES_USER: tinkerbell
+    volumes:
+      - postgres_data:/var/lib/postgresql/data:rw
+    ports:
+      - 5432:5432
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U tinkerbell"]
+      interval: 1s
+      timeout: 1s
+      retries: 30
+
+  tink-cli:
+    build:
+      context: ./cmd/tink-cli/
+      dockerfile: Dockerfile
+    restart: unless-stopped
+    environment:
+      TINKERBELL_GRPC_AUTHORITY: tinkerbell:42113
+      TINKERBELL_INSECURE: "true"
+    depends_on:
+      tinkerbell:
+        condition: service_started
+      db:
+        condition: service_healthy
+
+volumes:
+  postgres_data:
+  certs:
diff --git a/grpc-server/grpc_server.go b/grpc-server/grpc_server.go
@@ -60,14 +60,19 @@ func SetupGRPC(ctx context.Context, logger log.Logger, config *ConfigGRPCServer,
 		dbReady: true,
 		logger:  logger,
 	}
-	if cert := config.TLSCert; cert != "" {
-		server.cert = []byte(cert)
+	cert := config.TLSCert
+	switch cert {
+	case "insecure":
+		server.cert = []byte("")
 		server.modT = time.Now()
-	} else {
+	case "":
 		tlsCert, certPEM, modT := getCerts(config.Facility, logger)
 		params = append(params, grpc.Creds(credentials.NewServerTLSFromCert(&tlsCert)))
 		server.cert = certPEM
 		server.modT = modT
+	default:
+		server.cert = []byte(cert)
+		server.modT = time.Now()
 	}
 
 	// register servers

diff --git a/rules.mk b/rules.mk
@@ -45,9 +45,11 @@ tink-server-image: cmd/tink-server/tink-server-linux-amd64
 tink-worker-image: cmd/tink-worker/tink-worker-linux-amd64
 	docker build -t tink-worker cmd/tink-worker/
 
-.PHONY: run-stack
+.PHONY: run-stack run-stack-insecure
 run-stack:
 	docker-compose up --build
+run-stack-insecure:
+	docker-compose -f docker-compose-insecure.yaml up --build
 
 ifeq ($(origin GOBIN), undefined)
 GOBIN := ${PWD}/bin

diff --git a/shell.nix b/shell.nix
@@ -11,6 +11,7 @@ with pkgs;
 
 mkShell {
   buildInputs = [
+    docker-compose
     git
     gnumake
     gnused
@@ -20,8 +21,8 @@ mkShell {
     nodePackages.prettier
     protobuf
     python3Packages.codespell
-    shfmt
     shellcheck
+    shfmt
     vagrant
   ];
 }