another day, another try

dfinity · Sep 25, 2024 · 028e28b · 028e28b
1 parent 559ec5f
commit 028e28b
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 66 deletions.
diff --git a/src/core.rs b/src/core.rs
@@ -106,68 +106,60 @@ pub async fn main(cli: &Cli) -> Result<(), Error> {
     // HTTP server metrics
     let http_metrics = http::server::Metrics::new(&registry);
 
-    if cli.misc.insecure_serve_http_only {
-        // Create routers
-        let gateway_router = routing::setup_router(
+    // Custom domains
+    let (issuer_certificate_providers, issuer_custom_domain_providers) =
+        tls::cert::providers::setup_issuer_providers(
             cli,
-            Vec::new(),
             &mut tasks,
             http_client.clone(),
-            reqwest_client,
             &registry,
-            clickhouse.clone(),
-            vector.clone(),
-        )
-        .await?;
-
-        // Set up HTTP to serve all gateway endpoints
-        let http_server = Arc::new(http::Server::new(
-            http::server::Addr::Tcp(cli.http_server.http_server_listen_plain),
-            gateway_router,
-            (&cli.http_server).into(),
-            http_metrics.clone(),
-            None,
-        ));
-        tasks.add("http_server", http_server);
+        );
+
+    // Create gateway router to serve all endpoints
+    let gateway_router = routing::setup_router(
+        cli,
+        issuer_custom_domain_providers,
+        &mut tasks,
+        http_client.clone(),
+        reqwest_client,
+        &registry,
+        clickhouse.clone(),
+        vector.clone(),
+    )
+    .await?;
+
+    // Set up HTTP router (redirecting to HTTPS or serving all endpoints)
+    let http_router = if !cli.http_server.insecure_serve_http_only {
+        Router::new().fallback(routing::redirect_to_https)
     } else {
-        // Set up HTTP to redirect to HTTPS
-        let redirect_router = Router::new().fallback(routing::redirect_to_https);
-        let http_server = Arc::new(http::Server::new(
-            http::server::Addr::Tcp(cli.http_server.http_server_listen_plain),
-            redirect_router,
-            (&cli.http_server).into(),
-            http_metrics.clone(),
-            None,
-        ));
-        tasks.add("http_server", http_server);
+        gateway_router.clone()
+    };
+
+    // Create HTTP server
+    let http_server = Arc::new(http::Server::new(
+        http::server::Addr::Tcp(cli.http_server.http_server_listen_plain),
+        http_router,
+        (&cli.http_server).into(),
+        http_metrics.clone(),
+        None,
+    ));
+    tasks.add("http_server", http_server);
 
+    // Create HTTPS server
+    if !cli.http_server.insecure_serve_http_only {
         // Prepare TLS related stuff
-        let (rustls_cfg, custom_domain_providers) = tls::setup(
+        let rustls_cfg = tls::setup(
             cli,
             &mut tasks,
             domains.clone(),
-            http_client.clone(),
             Arc::new(dns_resolver),
+            issuer_certificate_providers,
             tls_session_cache.clone(),
             &registry,
         )
         .await
         .context("unable to setup TLS")?;
 
-        // Create routers
-        let gateway_router = routing::setup_router(
-            cli,
-            custom_domain_providers,
-            &mut tasks,
-            http_client.clone(),
-            reqwest_client,
-            &registry,
-            clickhouse.clone(),
-            vector.clone(),
-        )
-        .await?;
-
-        // Set up HTTPS to serve all gateway endpoints
         let https_server = Arc::new(http::Server::new(
             http::server::Addr::Tcp(cli.http_server.http_server_listen_tls),
             gateway_router,

diff --git a/src/tls/cert/providers/mod.rs b/src/tls/cert/providers/mod.rs
@@ -5,6 +5,11 @@ pub use dir::Provider as Dir;
 pub use issuer::CertificatesImporter as Issuer;
 
 use async_trait::async_trait;
+use ic_bn_lib::{http::Client, tasks::TaskManager};
+use prometheus::Registry;
+use std::sync::Arc;
+
+use crate::{cli::Cli, routing::domain::ProvidesCustomDomains};
 
 #[derive(Clone, Debug, Eq, PartialEq)]
 pub struct Pem {
@@ -18,3 +23,32 @@ pub struct Pem {
 pub trait ProvidesCertificates: Sync + Send + std::fmt::Debug {
     async fn get_certificates(&self) -> Result<Vec<Pem>, anyhow::Error>;
 }
+
+pub fn setup_issuer_providers(
+    cli: &Cli,
+    tasks: &mut TaskManager,
+    http_client: Arc<dyn Client>,
+    registry: &Registry,
+) -> (
+    Vec<Arc<dyn ProvidesCertificates>>,
+    Vec<Arc<dyn ProvidesCustomDomains>>,
+) {
+    let mut cert_providers: Vec<Arc<dyn ProvidesCertificates>> = vec![];
+    let mut custom_domain_providers: Vec<Arc<dyn ProvidesCustomDomains>> = vec![];
+
+    let issuer_metrics = issuer::Metrics::new(registry);
+    for v in &cli.cert.cert_provider_issuer_url {
+        let issuer = Arc::new(Issuer::new(
+            http_client.clone(),
+            v.clone(),
+            cli.cert.cert_provider_issuer_poll_interval,
+            issuer_metrics.clone(),
+        ));
+
+        cert_providers.push(issuer.clone());
+        custom_domain_providers.push(issuer.clone());
+        tasks.add(&format!("{issuer:?}"), issuer);
+    }
+
+    (cert_providers, custom_domain_providers)
+}
diff --git a/src/tls/mod.rs b/src/tls/mod.rs
@@ -7,7 +7,7 @@ use anyhow::{anyhow, Context, Error};
 use async_trait::async_trait;
 use fqdn::FQDN;
 use ic_bn_lib::{
-    http::{dns::Resolves, Client, ALPN_ACME, ALPN_H1, ALPN_H2},
+    http::{dns::Resolves, ALPN_ACME, ALPN_H1, ALPN_H2},
     tasks::{Run, TaskManager},
     tls::{
         acme::{
@@ -31,7 +31,6 @@ use tokio_util::sync::CancellationToken;
 
 use crate::{
     cli::Cli,
-    routing::domain::ProvidesCustomDomains,
     tls::{
         cert::{providers, Aggregator},
         resolver::AggregatingResolver,
@@ -136,40 +135,26 @@ pub async fn setup(
     cli: &Cli,
     tasks: &mut TaskManager,
     domains: Vec<FQDN>,
-    http_client: Arc<dyn Client>,
     dns_resolver: Arc<dyn Resolves>,
+    custom_domain_providers: Vec<Arc<dyn ProvidesCertificates>>,
     tls_session_storage: Arc<dyn StoresServerSessions + Send + Sync>,
     registry: &Registry,
-) -> Result<(ServerConfig, Vec<Arc<dyn ProvidesCustomDomains>>), Error> {
+) -> Result<ServerConfig, Error> {
     // Prepare certificate storage
     let cert_storage = Arc::new(storage::Storage::new(
         cli.cert.cert_default.clone(),
         storage::Metrics::new(registry),
     ));
 
     let mut cert_providers: Vec<Arc<dyn ProvidesCertificates>> = vec![];
-    let mut custom_domain_providers: Vec<Arc<dyn ProvidesCustomDomains>> = vec![];
 
     // Create Dir providers
     for v in &cli.cert.cert_provider_dir {
         cert_providers.push(Arc::new(providers::Dir::new(v.clone())));
     }
 
-    // Create CertIssuer providers
-    // It's a custom domain & cert provider at the same time.
-    let issuer_metrics = providers::issuer::Metrics::new(registry);
-    for v in &cli.cert.cert_provider_issuer_url {
-        let issuer = Arc::new(providers::Issuer::new(
-            http_client.clone(),
-            v.clone(),
-            cli.cert.cert_provider_issuer_poll_interval,
-            issuer_metrics.clone(),
-        ));
-
-        cert_providers.push(issuer.clone());
-        custom_domain_providers.push(issuer.clone());
-        tasks.add(&format!("{issuer:?}"), issuer);
-    }
+    // Add custom domain certificate providers
+    cert_providers.extend(custom_domain_providers);
 
     // Prepare ACME if configured
     let acme_resolver = if let Some(v) = &cli.acme.acme_challenge {
@@ -228,5 +213,5 @@ pub async fn setup(
         registry,
     );
 
-    Ok((config, custom_domain_providers))
+    Ok(config)
 }