Rework certificate environment and argument config to be more idiomatic #12358
Conversation
|
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 12358Or
iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 12358" |
There was a problem hiding this comment.
Pull Request Overview
This PR refactors the certificate trust configuration API to be more idiomatic by unifying the configuration approach for executables and containers, and moving certificate processing logic out of DcpExecutor into a more appropriate location. The changes introduce a new OpaqueValueProvider type for representing paths that will be resolved at runtime, consolidate callback annotations, and simplify the configuration model.
Key Changes:
- Consolidated
ExecutableCertificateTrustCallbackAnnotationandContainerCertificateTrustCallbackAnnotationinto a singleCertificateTrustConfigurationCallbackAnnotationthat works for both resource types - Moved certificate trust configuration processing from DcpExecutor into a new
ProcessCertificateTrustConfigAsyncextension method inResourceExtensions - Introduced
OpaqueValueProviderto represent runtime-resolved paths for certificate bundles and directories - Replaced separate container/executable certificate callbacks with unified
WithCertificateTrustConfigurationCallbackmethod
Reviewed Changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| ResourceBuilderExtensions.cs | Added WithCertificateTrustConfigurationCallback method and updated XML docs to clarify run-mode-only behavior |
| ProjectResourceBuilderExtensions.cs | Updated to use new unified callback annotation, removed old WithExecutableCertificateTrustCallback method |
| ExecutableResourceBuilderExtensions.cs | Removed deprecated WithExecutableCertificateTrustCallback method |
| DcpExecutor.cs | Refactored certificate configuration to use new ProcessCertificateTrustConfigAsync method, simplified logic |
| ContainerResourceBuilderExtensions.cs | Replaced WithContainerCertificateTrustCallback with WithContainerCertificatePaths for path configuration |
| ResourceExtensions.cs | Added ProcessCertificateTrustConfigAsync extension method with core certificate processing logic, extracted value resolution logic |
| OpaqueValueProvider.cs | New file introducing value provider for runtime-resolved opaque values |
| ExecutableCertificateTrustCallbackAnnotation.cs | Removed - replaced by unified annotation |
| ContainerCertificateTrustCallbackAnnotation.cs | Removed - replaced by unified annotation |
| ContainerCertificatePathsAnnotation.cs | New annotation for container-specific certificate path configuration |
| CertificateTrustConfigurationCallbackAnnotation.cs | New unified callback annotation for both executable and container resources |
| PythonAppResourceBuilderExtensions.cs | Updated to use new callback API with environment variables dictionary instead of list |
| NodeExtensions.cs | Updated to use new callback API with environment variables dictionary instead of list |
src/Aspire.Hosting/ApplicationModel/ContainerCertificatePathsAnnotation.cs
Outdated
Show resolved
Hide resolved
src/Aspire.Hosting/ApplicationModel/ContainerCertificatePathsAnnotation.cs
Outdated
Show resolved
Hide resolved
|
It's still not exactly the most approachable API for configuring resources, but that's somewhat due to the nature of the problem. This at least cleans up a lot of duplication and makes the API much more inline with other environment and argument configuration. |
|
This is going to be a bit of a problem to reconcile with #12361 |
The only change that should be more than a simple structural change is the new |
|
I can always back out that particular change and re-introduce it once the tunnel PR is merged. |
| /// <summary> | ||
| /// Gets the callback to invoke to populate or modify the certificate authority collection. | ||
| /// </summary> | ||
| public Func<CertificateTrustConfigurationCallbackAnnotationContext, Task> Callback { get; } = callback ?? throw new ArgumentNullException(nameof(callback)); |
There was a problem hiding this comment.
Suggestion (feel free to disregard): instead of calling this just "callback", maybe we can use a name that reflects what the purpose of this function is, like ConfigureCertificateTrust or something like that.
…ic (#12358) * Rework certificate environment and argument config to be more idiomatic * Don't double apply SSL_CERT_DIR * Add extra examples * Respond to PR feedback * Switch to factories for certificate path value providers * Ensure service is available * Fix logging tests * Fix another logging test case
3 participants
Update the resource certificate trust configuration API to be more idiomatic to argument and environment variable configuration for resources.
Unified much of the configuration logic for executables and containers (no more separate container and executable configuration callbacks) and moved the initial certificate, environment, and argument processing out of DcpExecutor.
Fixes: #12015