From f8d8636b099b2dce4a2942fbd8f1ea6bf28543d1 Mon Sep 17 00:00:00 2001
From: Nahum Shalman
Date: Fri, 10 Dec 2021 15:24:52 +0000
Subject: [PATCH] tink-server: support GRPC insecure mode

Signed-off-by: Nahum Shalman
---
 cmd/tink-server/main.go | 43 +++++++++++-------
 docker-compose-insecure.yaml | 88 ++++++++++++++++++++++++++++++++++++
 grpc-server/grpc_server.go | 11 +++--
 rules.mk | 4 +-
 4 files changed, 126 insertions(+), 20 deletions(-)
 create mode 100644 docker-compose-insecure.yaml

diff --git a/cmd/tink-server/main.go b/cmd/tink-server/main.go
index a0e3a2b59..9d61fba4d 100644
--- a/cmd/tink-server/main.go
+++ b/cmd/tink-server/main.go
@@ -39,6 +39,7 @@ type DaemonConfig struct {
 HTTPAuthority string
 HTTPBasicAuthUsername string
 HTTPBasicAuthPassword string
+ Insecure bool
 }
 
 func (c *DaemonConfig) AddFlags(fs *pflag.FlagSet) {
@@ -52,6 +53,7 @@ func (c *DaemonConfig) AddFlags(fs *pflag.FlagSet) {
 fs.StringVar(&c.TLSCert, "tls-cert", "", "")
 fs.StringVar(&c.CertDir, "cert-dir", "", "")
 fs.StringVar(&c.HTTPAuthority, "http-authority", ":42114", "The address used to expose the HTTP server")
+ fs.BoolVar(&c.Insecure, "insecure", false, "Run in insecure mode (without TLS)")
 }
 
 func (c *DaemonConfig) PopulateFromLegacyEnvVar() {
@@ -67,6 +69,7 @@ func (c *DaemonConfig) PopulateFromLegacyEnvVar() {
 c.CertDir = env.Get("TINKERBELL_CERTS_DIR", c.CertDir)
 c.GRPCAuthority = env.Get("TINKERBELL_GRPC_AUTHORITY", c.GRPCAuthority)
 c.HTTPAuthority = env.Get("TINKERBELL_HTTP_AUTHORITY", c.HTTPAuthority)
+ c.Insecure = env.Bool("TINKERBELL_INSECURE", c.Insecure)
 c.HTTPBasicAuthUsername = env.Get("TINK_AUTH_USERNAME", c.HTTPBasicAuthUsername)
 c.HTTPBasicAuthPassword = env.Get("TINK_AUTH_PASSWORD", c.HTTPBasicAuthPassword)
@@ -157,22 +160,30 @@ func NewRootCommand(config *DaemonConfig, logger log.Logger) *cobra.Command {
 logger.Info("Your database schema is not up to date. Please apply migrations running tink-server with env var ONLY_MIGRATION set.")
 }
 
- cert, modT := rpcServer.SetupGRPC(ctx, logger, &rpcServer.ConfigGRPCServer{
- Facility: config.Facility,
- TLSCert: config.TLSCert,
- GRPCAuthority: config.GRPCAuthority,
- DB: tinkDB,
- }, errCh)
-
- httpServer.SetupHTTP(ctx, logger, &httpServer.Config{
- CertPEM: cert,
- ModTime: modT,
- GRPCAuthority: config.GRPCAuthority,
- HTTPAuthority: config.HTTPAuthority,
- HTTPBasicAuthUsername: config.HTTPBasicAuthUsername,
- HTTPBasicAuthPassword: config.HTTPBasicAuthPassword,
- }, errCh)
-
+ if config.Insecure {
+ rpcServer.SetupGRPC(ctx, logger, &rpcServer.ConfigGRPCServer{
+ Facility: config.Facility,
+ TLSCert: "insecure",
+ GRPCAuthority: config.GRPCAuthority,
+ DB: tinkDB,
+ }, errCh)
+ } else {
+ cert, modT := rpcServer.SetupGRPC(ctx, logger, &rpcServer.ConfigGRPCServer{
+ Facility: config.Facility,
+ TLSCert: config.TLSCert,
+ GRPCAuthority: config.GRPCAuthority,
+ DB: tinkDB,
+ }, errCh)
+
+ httpServer.SetupHTTP(ctx, logger, &httpServer.Config{
+ CertPEM: cert,
+ ModTime: modT,
+ GRPCAuthority: config.GRPCAuthority,
+ HTTPAuthority: config.HTTPAuthority,
+ HTTPBasicAuthUsername: config.HTTPBasicAuthUsername,
+ HTTPBasicAuthPassword: config.HTTPBasicAuthPassword,
+ }, errCh)
+ }
 select {
 case err = <-errCh:
 logger.Error(err)
diff --git a/docker-compose-insecure.yaml b/docker-compose-insecure.yaml
new file mode 100644
index 000000000..5299fd13c
--- /dev/null
+++ b/docker-compose-insecure.yaml
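Review bot: The `if config.Insecure` branch never calls `httpServer.SetupHTTP`, so with `--insecure` nothing listens on `config.HTTPAuthority` and the basic-auth settings are silently ignored, although the new compose file still publishes 42114; either start the HTTP server in both branches or state in the `--insecure` help text that the mode is gRPC-only. A configured `config.TLSCert` is also dropped without a word when `Insecure` is set; rejecting the combination, or at least logging it, would stop an operator from believing TLS is on. Nothing is logged when the plaintext listener starts — a line such as `logger.Info("insecure mode: gRPC server started without TLS")` before the call makes the state visible in production logs. Reusing the `TLSCert` field with the sentinel `"insecure"` couples this caller to a magic string in grpc_server.go; an explicit boolean field on `ConfigGRPCServer` would make the contract self-describing. NewRootCommand starts before the hunk and continues after it.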
@@ -0,0 +1,88 @@
+version: "3.8"
+services:
+ tinkerbell:
+ build:
+ context: ./cmd/tink-server/
+ dockerfile: Dockerfile
+ restart: unless-stopped
+ environment:
+ FACILITY: ${FACILITY:-onprem}
+ PACKET_ENV: ${PACKET_ENV:-testing}
+ PACKET_VERSION: ${PACKET_VERSION:-ignored}
+ ROLLBAR_TOKEN: ${ROLLBAR_TOKEN:-ignored}
+ ROLLBAR_DISABLE: ${ROLLBAR_DISABLE:-1}
+ PGDATABASE: tinkerbell
+ PGHOST: db
+ PGPASSWORD: tinkerbell
+ PGPORT: 5432
+ PGSSLMODE: disable
+ PGUSER: tinkerbell
+ TINKERBELL_GRPC_AUTHORITY: :42113
+ TINKERBELL_HTTP_AUTHORITY: :42114
+ TINKERBELL_INSECURE: "true"
+ TINK_AUTH_USERNAME: ${TINKERBELL_TINK_USERNAME}
+ TINK_AUTH_PASSWORD: ${TINKERBELL_TINK_PASSWORD}
+ depends_on:
+ tink-server-migration:
+ condition: service_started
+ db:
+ condition: service_healthy
+ ports:
+ - 42113:42113/tcp
+ - 42114:42114/tcp
+
+ tink-server-migration:
+ image: quay.io/tinkerbell/tink:latest
+ restart: on-failure
+ environment:
+ ONLY_MIGRATION: "true"
+ FACILITY: ${FACILITY:-onprem}
+ PGDATABASE: tinkerbell
+ PGHOST: db
+ PGPASSWORD: tinkerbell
+ PGPORT: 5432
+ PGSSLMODE: disable
+ PGUSER: tinkerbell
+ TINKERBELL_GRPC_AUTHORITY: :42113
+ TINKERBELL_HTTP_AUTHORITY: :42114
+ TINKERBELL_INSECURE: "true"
+ TINK_AUTH_USERNAME: ${TINKERBELL_TINK_USERNAME}
+ TINK_AUTH_PASSWORD: ${TINKERBELL_TINK_PASSWORD}
+ depends_on:
+ db:
+ condition: service_healthy
+
+ db:
+ image: postgres:14-alpine
+ restart: unless-stopped
+ environment:
+ POSTGRES_DB: tinkerbell
+ POSTGRES_PASSWORD: tinkerbell
+ POSTGRES_USER: tinkerbell
+ volumes:
+ - postgres_data:/var/lib/postgresql/data:rw
+ ports:
+ - 5432:5432
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U tinkerbell"]
+ interval: 1s
+ timeout: 1s
+ retries: 30
+
+ tink-cli:
+ build:
+ context: ./cmd/tink-cli/
+ dockerfile: Dockerfile
+ restart: unless-stopped
+ environment:
+ TINKERBELL_GRPC_AUTHORITY: tinkerbell:42113
+ TINKERBELL_INSECURE: "true"
+ depends_on:
+ tinkerbell:
+ condition: service_started
+ db:
+ condition: service_healthy
+
+volumes:
+ postgres_data:
+ certs:
diff --git a/grpc-server/grpc_server.go b/grpc-server/grpc_server.go
index 2722be8b5..adc2f527f 100644
--- a/grpc-server/grpc_server.go
+++ b/grpc-server/grpc_server.go
@@ -60,14 +60,19 @@ func SetupGRPC(ctx context.Context, logger log.Logger, config *ConfigGRPCServer,
 dbReady: true,
 logger: logger,
 }
- if cert := config.TLSCert; cert != "" {
- server.cert = []byte(cert)
+ cert := config.TLSCert
+ switch cert {
+ case "insecure":
+ server.cert = []byte("")
 server.modT = time.Now()
- } else {
+ case "":
 tlsCert, certPEM, modT := getCerts(config.Facility, logger)
 params = append(params, grpc.Creds(credentials.NewServerTLSFromCert(&tlsCert)))
 server.cert = certPEM
 server.modT = modT
+ default:
+ server.cert = []byte(cert)
+ server.modT = time.Now()
 }
 
 // register servers
diff --git a/rules.mk b/rules.mk
index 24e318d37..e80131cc2 100644
--- a/rules.mk
+++ b/rules.mk
@@ -48,9 +48,11 @@ tink-server-image: cmd/tink-server/tink-server-linux-amd64
 tink-worker-image: cmd/tink-worker/tink-worker-linux-amd64
 docker build -t tink-worker cmd/tink-worker/
 
-.PHONY: run-stack
+.PHONY: run-stack run-stack-insecure
 run-stack:
 docker-compose up --build
+run-stack-insecure:
+ docker-compose -f docker-compose-insecure.yaml up --build
 
 ifeq ($(origin GOBIN), undefined)
 GOBIN := ${PWD}/bin
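Review bot: The `tinkerbell` service publishes `42114:42114/tcp` and sets `TINKERBELL_HTTP_AUTHORITY`, but with `TINKERBELL_INSECURE: "true"` the server's insecure branch in cmd/tink-server/main.go (same patch) does not start the HTTP server, so the mapping exposes a port nothing listens on; drop the mapping and the variable, or keep them only once insecure mode also serves HTTP. The `certs:` entry under `volumes:` is declared but mounted by no service in this file and can go. Since TLS is off and the database credentials are fixed here, a header comment such as `# Local development stack: gRPC without TLS, fixed credentials` would make the intended scope of this file clear to whoever copies it.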
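Review bot: The `case "insecure":` arm starts the gRPC listener with no `grpc.Creds` and logs nothing, so the only trace of a plaintext server is the absence of TLS setup; add `logger.Info("TLS disabled: serving gRPC in insecure mode")` inside that arm so the condition is visible in logs. Selecting the mode by comparing the certificate field against the literal `"insecure"` means any config whose TLSCert happens to be that word silently disables TLS, and the sentinel is documented only by the caller in main.go; a dedicated boolean on ConfigGRPCServer, with a doc comment on the field, would be clearer. `server.cert = []byte("")` can be written as `server.cert = nil` if the HTTP side treats an empty cert and nil alike — worth verifying how the cert endpoint reads it before changing. SetupGRPC's signature and the rest of its body lie outside the hunk.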