Skip to content

Commit

Permalink
tink-server: support GRPC insecure mode
Browse files Browse the repository at this point in the history
Signed-off-by: Nahum Shalman <[email protected]>
  • Loading branch information
nshalman authored and mmlb committed Jan 19, 2022
1 parent 45cccc2 commit f8d8636
Show file tree
Hide file tree
Showing 4 changed files with 126 additions and 20 deletions.
43 changes: 27 additions & 16 deletions cmd/tink-server/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ type DaemonConfig struct {
HTTPAuthority string
HTTPBasicAuthUsername string
HTTPBasicAuthPassword string
Insecure bool
}

func (c *DaemonConfig) AddFlags(fs *pflag.FlagSet) {
Expand All @@ -52,6 +53,7 @@ func (c *DaemonConfig) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&c.TLSCert, "tls-cert", "", "")
fs.StringVar(&c.CertDir, "cert-dir", "", "")
fs.StringVar(&c.HTTPAuthority, "http-authority", ":42114", "The address used to expose the HTTP server")
fs.BoolVar(&c.Insecure, "insecure", false, "Run in insecure mode (without TLS)")
}

func (c *DaemonConfig) PopulateFromLegacyEnvVar() {
Expand All @@ -67,6 +69,7 @@ func (c *DaemonConfig) PopulateFromLegacyEnvVar() {
c.CertDir = env.Get("TINKERBELL_CERTS_DIR", c.CertDir)
c.GRPCAuthority = env.Get("TINKERBELL_GRPC_AUTHORITY", c.GRPCAuthority)
c.HTTPAuthority = env.Get("TINKERBELL_HTTP_AUTHORITY", c.HTTPAuthority)
c.Insecure = env.Bool("TINKERBELL_INSECURE", c.Insecure)

c.HTTPBasicAuthUsername = env.Get("TINK_AUTH_USERNAME", c.HTTPBasicAuthUsername)
c.HTTPBasicAuthPassword = env.Get("TINK_AUTH_PASSWORD", c.HTTPBasicAuthPassword)
Expand Down Expand Up @@ -157,22 +160,30 @@ func NewRootCommand(config *DaemonConfig, logger log.Logger) *cobra.Command {
logger.Info("Your database schema is not up to date. Please apply migrations running tink-server with env var ONLY_MIGRATION set.")
}

cert, modT := rpcServer.SetupGRPC(ctx, logger, &rpcServer.ConfigGRPCServer{
Facility: config.Facility,
TLSCert: config.TLSCert,
GRPCAuthority: config.GRPCAuthority,
DB: tinkDB,
}, errCh)

httpServer.SetupHTTP(ctx, logger, &httpServer.Config{
CertPEM: cert,
ModTime: modT,
GRPCAuthority: config.GRPCAuthority,
HTTPAuthority: config.HTTPAuthority,
HTTPBasicAuthUsername: config.HTTPBasicAuthUsername,
HTTPBasicAuthPassword: config.HTTPBasicAuthPassword,
}, errCh)

if config.Insecure {
rpcServer.SetupGRPC(ctx, logger, &rpcServer.ConfigGRPCServer{
Facility: config.Facility,
TLSCert: "insecure",
GRPCAuthority: config.GRPCAuthority,
DB: tinkDB,
}, errCh)
} else {
cert, modT := rpcServer.SetupGRPC(ctx, logger, &rpcServer.ConfigGRPCServer{
Facility: config.Facility,
TLSCert: config.TLSCert,
GRPCAuthority: config.GRPCAuthority,
DB: tinkDB,
}, errCh)

httpServer.SetupHTTP(ctx, logger, &httpServer.Config{
CertPEM: cert,
ModTime: modT,
GRPCAuthority: config.GRPCAuthority,
HTTPAuthority: config.HTTPAuthority,
HTTPBasicAuthUsername: config.HTTPBasicAuthUsername,
HTTPBasicAuthPassword: config.HTTPBasicAuthPassword,
}, errCh)
}
select {
case err = <-errCh:
logger.Error(err)
Expand Down
88 changes: 88 additions & 0 deletions docker-compose-insecure.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
version: "3.8"
services:
tinkerbell:
build:
context: ./cmd/tink-server/
dockerfile: Dockerfile
restart: unless-stopped
environment:
FACILITY: ${FACILITY:-onprem}
PACKET_ENV: ${PACKET_ENV:-testing}
PACKET_VERSION: ${PACKET_VERSION:-ignored}
ROLLBAR_TOKEN: ${ROLLBAR_TOKEN:-ignored}
ROLLBAR_DISABLE: ${ROLLBAR_DISABLE:-1}
PGDATABASE: tinkerbell
PGHOST: db
PGPASSWORD: tinkerbell
PGPORT: 5432
PGSSLMODE: disable
PGUSER: tinkerbell
TINKERBELL_GRPC_AUTHORITY: :42113
TINKERBELL_HTTP_AUTHORITY: :42114
TINKERBELL_INSECURE: "true"
TINK_AUTH_USERNAME: ${TINKERBELL_TINK_USERNAME}
TINK_AUTH_PASSWORD: ${TINKERBELL_TINK_PASSWORD}
depends_on:
tink-server-migration:
condition: service_started
db:
condition: service_healthy
ports:
- 42113:42113/tcp
- 42114:42114/tcp

tink-server-migration:
image: quay.io/tinkerbell/tink:latest
restart: on-failure
environment:
ONLY_MIGRATION: "true"
FACILITY: ${FACILITY:-onprem}
PGDATABASE: tinkerbell
PGHOST: db
PGPASSWORD: tinkerbell
PGPORT: 5432
PGSSLMODE: disable
PGUSER: tinkerbell
TINKERBELL_GRPC_AUTHORITY: :42113
TINKERBELL_HTTP_AUTHORITY: :42114
TINKERBELL_INSECURE: "true"
TINK_AUTH_USERNAME: ${TINKERBELL_TINK_USERNAME}
TINK_AUTH_PASSWORD: ${TINKERBELL_TINK_PASSWORD}
depends_on:
db:
condition: service_healthy

db:
image: postgres:14-alpine
restart: unless-stopped
environment:
POSTGRES_DB: tinkerbell
POSTGRES_PASSWORD: tinkerbell
POSTGRES_USER: tinkerbell
volumes:
- postgres_data:/var/lib/postgresql/data:rw
ports:
- 5432:5432
healthcheck:
test: ["CMD-SHELL", "pg_isready -U tinkerbell"]
interval: 1s
timeout: 1s
retries: 30

tink-cli:
build:
context: ./cmd/tink-cli/
dockerfile: Dockerfile
restart: unless-stopped
environment:
TINKERBELL_GRPC_AUTHORITY: tinkerbell:42113
TINKERBELL_INSECURE: "true"
depends_on:
tinkerbell:
condition: service_started
db:
condition: service_healthy

volumes:
postgres_data:
certs:
11 changes: 8 additions & 3 deletions grpc-server/grpc_server.go
Original file line number Diff line number Diff line change
Expand Up @@ -60,14 +60,19 @@ func SetupGRPC(ctx context.Context, logger log.Logger, config *ConfigGRPCServer,
dbReady: true,
logger: logger,
}
if cert := config.TLSCert; cert != "" {
server.cert = []byte(cert)
cert := config.TLSCert
switch cert {
case "insecure":
server.cert = []byte("")
server.modT = time.Now()
} else {
case "":
tlsCert, certPEM, modT := getCerts(config.Facility, logger)
params = append(params, grpc.Creds(credentials.NewServerTLSFromCert(&tlsCert)))
server.cert = certPEM
server.modT = modT
default:
server.cert = []byte(cert)
server.modT = time.Now()
}

// register servers
Expand Down
4 changes: 3 additions & 1 deletion rules.mk
Original file line number Diff line number Diff line change
Expand Up @@ -48,9 +48,11 @@ tink-server-image: cmd/tink-server/tink-server-linux-amd64
tink-worker-image: cmd/tink-worker/tink-worker-linux-amd64
docker build -t tink-worker cmd/tink-worker/

.PHONY: run-stack
.PHONY: run-stack run-stack-insecure
run-stack:
docker-compose up --build
run-stack-insecure:
docker-compose -f docker-compose-insecure.yaml up --build

ifeq ($(origin GOBIN), undefined)
GOBIN := ${PWD}/bin
Expand Down

0 comments on commit f8d8636

Please sign in to comment.