Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: [tink-server] add command line flags for tls certs #266

Closed
wants to merge 4 commits into from

Conversation

detiber
Copy link
Contributor

@detiber detiber commented Aug 25, 2020

Description

Adds flags to tink-server for configuring tls certificates

Why is this needed

POC for tinkerbell/proposals#12

How Has This Been Tested?

I tested these changes with the existing docker-compose workflow along with a POC I've been working on using kind and cert-manager

How are existing users impacted? What migration steps/scripts do we need?

Existing users should not be impacted, but depending on discussion around the proposal, we may want to deprecate the existing certificate configuration method.

Checklist:

I have:

  • updated the documentation and/or roadmap (if required)
  • added unit or e2e tests
  • provided instructions on how to upgrade

@thebsdbox thebsdbox added the kind/feature Categorizes issue or PR as related to a new feature. label Aug 25, 2020
@thebsdbox
Copy link
Contributor

This looks a great first step in adding flags for pointing to file locations for certs, will this:

  • Come with any additional testing
  • Break any of the current deployments (setup.sh)

@gianarb
Copy link
Contributor

gianarb commented Sep 2, 2020

This is a great candidate for tinkerbell/proposals#15 as soon as it is accepted :) And if we agree to keep only one behavior.

@detiber detiber force-pushed the tlsFlags branch 2 times, most recently from eb8c76b to 3128a23 Compare September 9, 2020 19:29
@codecov
Copy link

codecov bot commented Sep 9, 2020

Codecov Report

Merging #266 (a5d4bd2) into master (013d202) will increase coverage by 0.49%.
The diff coverage is 0.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #266      +/-   ##
==========================================
+ Coverage   32.70%   33.20%   +0.49%     
==========================================
  Files          44       44              
  Lines        3137     3090      -47     
==========================================
  Hits         1026     1026              
+ Misses       2019     1972      -47     
  Partials       92       92              
Impacted Files Coverage Δ
grpc-server/grpc_server.go 0.00% <0.00%> (ø)
grpc-server/hardware.go 1.57% <ø> (+0.01%) ⬆️
http-server/http_server.go 0.00% <0.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 60a74c7...a5d4bd2. Read the comment docs.

@detiber detiber force-pushed the tlsFlags branch 2 times, most recently from 5fc8a2d to e6d5bfc Compare September 9, 2020 19:38
@detiber detiber added the ci-check/vagrant-setup This label trigger a GitHub action that tests the Vagrant Setup guide https://tinkerbell.org/setup/ label Sep 9, 2020
@detiber
Copy link
Contributor Author

detiber commented Sep 9, 2020

Not quite sure what is going on with the vagrant-setup job, GitHub Actions is complaining that it can't find the self-hosted runner and I don't have permissions that allow me to see the configuration to verify.

@displague displague mentioned this pull request Sep 9, 2020
3 tasks
@gianarb
Copy link
Contributor

gianarb commented Sep 10, 2020

Yeah the vagrant test is not supposed to run for this repo anymore but only for sandbox.
Not sure if we have to have it here as well. Related to #277

@gianarb gianarb added the breaking-change Denotes a PR that introduces potentially breaking changes that require user action. label Sep 10, 2020
@gianarb
Copy link
Contributor

gianarb commented Sep 10, 2020

Can you add a detailed "how to migrate" section as PR description that tells users how to migrate from a running tinkerbell (assume vagrant and setup.sh) to this new way?

Thanks a lot

@detiber detiber force-pushed the tlsFlags branch 2 times, most recently from 409c606 to 2ab3bbc Compare October 6, 2020 18:27
Comment on lines 123 to 174
// createViper creates a Viper object configured to read in configuration files
// (from various paths with content type specific filename extensions) and loads
// environment variables.
func createViper(logger log.Logger) (*viper.Viper, error) {
v := viper.New()
v.AutomaticEnv()
v.SetConfigName("tink-server")
v.AddConfigPath("/etc/tinkerbell")
v.AddConfigPath(".")
v.SetEnvKeyReplacer(strings.NewReplacer("-", "_"))

// If a config file is found, read it in.
if err := v.ReadInConfig(); err != nil {
if _, ok := err.(viper.ConfigFileNotFoundError); !ok {
logger.With("configFile", v.ConfigFileUsed()).Error(err, "could not load config file")

return nil, err
}

logger.Info("no config file found")
} else {
logger.With("configFile", v.ConfigFileUsed()).Info("loaded config file")
}

return v, nil
}

func applyViper(v *viper.Viper, cmd *cobra.Command) error {
errors := []error{}

cmd.Flags().VisitAll(func(f *pflag.Flag) {
if !f.Changed && v.IsSet(f.Name) {
val := v.Get(f.Name)
if err := cmd.Flags().Set(f.Name, fmt.Sprintf("%v", val)); err != nil {
errors = append(errors, err)

return
}
}
})

if len(errors) > 0 {
errs := []string{}
for _, err := range errors {
errs = append(errs, err.Error())
}

return fmt.Errorf(strings.Join(errs, ", "))
}

return nil
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@displague I modeled this after the work you did for tink-worker, I'm thinking we can move this to a shared library that all cli tools import.

"github.com/tinkerbell/tink/db"
rpcServer "github.com/tinkerbell/tink/grpc-server"
httpServer "github.com/tinkerbell/tink/http-server"
"github.com/tinkerbell/tink/cmd/tink-worker/cmd"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, this should be tink-server, not tink-worker, will be fixing shortly.

@detiber detiber force-pushed the tlsFlags branch 2 times, most recently from aedd181 to a05327e Compare October 9, 2020 18:04
@tstromberg
Copy link
Contributor

@detiber - Any movement on this PR? It seems to be doing the right thing but is also getting a bit long in the tooth.

@detiber
Copy link
Contributor Author

detiber commented Jun 23, 2021

@tstromberg thanks for the nudge, I've started to attempt to rebase it off of the current state of the repo. Can you provide any guidance on the best way to test changes now? It looks like the former vagrant test I was relying on is no longer present.

@detiber
Copy link
Contributor Author

detiber commented Jun 23, 2021

Previous lint failure was related to an existing ineffective assignment in db/mock/template.go, I've added a separate commit to address the issue. I suspect a newer version of golangci-lint being available in the github action is the reason that it just now cropped up.

Copy link
Contributor Author

@detiber detiber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added some comments around some of the rebase related changes that I still need to sort out.

Comment on lines 24 to 25
//cert []byte
//modT time.Time
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I could tell from a quick glance, these didn't actually appear to be used anywhere outside of methods that were exposed and seemingly unused in grpc-server/hardware.go

Comment on lines 243 to 252
// TODO: is this used anywhere?
// // Cert returns the public cert that can be served to clients
// func (s *server) Cert() []byte {
// return s.cert
// }

// ModTime returns the modified-time of the grpc cert
func (s *server) ModTime() time.Time {
return s.modT
}
// // ModTime returns the modified-time of the grpc cert
// func (s *server) ModTime() time.Time {
// return s.modT
// }
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I could tell from a quick glance, these didn't actually appear to be used anywhere.

Comment on lines 10 to 12
command:
- --tls-cert=/certs/${FACILITY:-onprem}/bundle.pem
- --tls-key=/certs/${FACILITY:-onprem}/server-key.pem
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was previously needed for the purposes of the old vagrant test, I'm not sure if this compose file is actually used anywhere now.

Comment on lines 6 to 8
command:
- --tls-cert=/certs/${FACILITY:-onprem}/bundle.pem
- --tls-key=/certs/${FACILITY:-onprem}/server-key.pem
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was previously needed for the purposes of the old vagrant test, I'm not sure if this compose file is actually used anywhere now.

@detiber
Copy link
Contributor Author

detiber commented Jun 24, 2021

I've created a separate PR for the golangci-lint fixes that are unrelated to this PR here: #511

@tstromberg
Copy link
Contributor

@detiber - would you like any help with getting this PR in?

@jacobweinstock
Copy link
Member

Hey @detiber, is this still something on your radar? I'll echo Thomas, would you like any help getting this through?

@jacobweinstock
Copy link
Member

Hey @detiber, please re-open this if/when needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
breaking-change Denotes a PR that introduces potentially breaking changes that require user action. ci-check/vagrant-setup This label trigger a GitHub action that tests the Vagrant Setup guide https://tinkerbell.org/setup/ kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants