-
Notifications
You must be signed in to change notification settings - Fork 486
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow specifying a cert and a key manually for federation endpoint. #5163
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this @sorindumitru. I've left some comments and there are others that were caught by the linter that should also be addressed.
@@ -171,15 +172,19 @@ func newSource(log logrus.FieldLogger, config *Config) (JWKSSource, error) { | |||
} | |||
|
|||
func newListenerWithServingCert(ctx context.Context, log logrus.FieldLogger, config *Config) (net.Listener, error) { | |||
certManager, err := NewDiskCertManager(config.ServingCertFile, nil, log) | |||
certManager, err := diskcertmanager.NewDiskCertManager(&diskcertmanager.DiskCertManagerConfig{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These names are stuttery. I'd suggest:
certManager, err := diskcertmanager.NewDiskCertManager(&diskcertmanager.DiskCertManagerConfig{ | |
certManager, err := diskcertmanager.New(&diskcertmanager.Config{ |
serverCert, serverKey := createServerCertificate(t) | ||
|
||
serverCertPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: serverCert.Raw}) | ||
err := os.WriteFile(dir+"/server.crt", serverCertPem, 0755) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should use filepath to create paths so they are platform independent.
err := os.WriteFile(dir+"/server.crt", serverCertPem, 0755) | |
err := os.WriteFile(filepath.Join(dir, server.crt), serverCertPem, 0600) |
dir := spiretest.TempDir(t) | ||
serverCert, serverKey := createServerCertificate(t) | ||
|
||
serverCertPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: serverCert.Raw}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: we have helpers for this
serverCertPem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: serverCert.Raw}) | |
serverCertPem := pemutil.EncodeCertificate(serverCert.Raw) |
serverKeyBytes, err := x509.MarshalPKCS8PrivateKey(serverKey) | ||
require.NoError(t, err) | ||
serverKeyPem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: serverKeyBytes}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
serverKeyBytes, err := x509.MarshalPKCS8PrivateKey(serverKey) | |
require.NoError(t, err) | |
serverKeyPem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: serverKeyBytes}) | |
serverKeyBytes, err := pemutil.EncodePKCS8PrivateKey(serverKey) | |
require.NoError(t, err) |
serverKeyBytes, err := x509.MarshalPKCS8PrivateKey(serverKey) | ||
require.NoError(t, err) | ||
serverKeyPem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: serverKeyBytes}) | ||
err = os.WriteFile(dir+"/server.key", serverKeyPem, 0700) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
err = os.WriteFile(dir+"/server.key", serverKeyPem, 0700) | |
err = os.WriteFile(filepath.Join(dir, "server.key"), serverKeyPem, 0600) |
pkg/server/endpoints/config.go
Outdated
} else if c.BundleEndpoint.DiskCertManager != nil { | ||
serverAuth = c.BundleEndpoint.DiskCertManager | ||
// Start watching for file changes | ||
go c.BundleEndpoint.DiskCertManager.WatchFileChanges(ctx) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This goroutine shouldn't be launched yet. Rather, maybeMakeBundleEndpointServer
could return a "task" that that is set on the Endpoints struct, and then that task can be managed by Endpoints.ListenAndServe (see the other tasks conditionally started in ListenAndServe).
cmd/spire-server/cli/run/run.go
Outdated
@@ -691,46 +699,53 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool | |||
return sc, nil | |||
} | |||
|
|||
func parseBundleEndpointConfigProfile(config *bundleEndpointConfig, dataDir string, log logrus.FieldLogger) (*bundle.ACMEConfig, error) { | |||
func parseBundleEndpointConfigProfile(config *bundleEndpointConfig, federationConfig *server.FederationConfig, dataDir string, log logrus.FieldLogger) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As a convention, I'd prefer parameters that are modifying by the function to be last. Also, maybe we should rename this function to imply that it is doing a little more than parsing:
func parseBundleEndpointConfigProfile(config *bundleEndpointConfig, federationConfig *server.FederationConfig, dataDir string, log logrus.FieldLogger) error { | |
func setBundleEndpointConfigProfile(config *bundleEndpointConfig, dataDir string, log logrus.FieldLogger, federationConfig *server.FederationConfig) error { |
23e20a7
to
c7eb48d
Compare
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Makes it more compatible with the bundle endpoint authenticator Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
… bundle endpoint Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
f98d32f
to
296b5cd
Compare
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
296b5cd
to
2530aa0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One small nitpick and we're ready to merge. Thank you, @sorindumitru .
Co-authored-by: Andrew Harding <azdagron@gmail.com> Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
Pull Request check list
Affected functionality
spire-server bundle endpoint
Description of change
Allow configuring the certificate used for the bundle endpoint server as files on disk instead of using ACME.
Which issue this PR fixes
fixes #2202