Skip to content
This repository was archived by the owner on Sep 9, 2025. It is now read-only.

Add tls to gin apiserver#363

Open
Gregory-Pereira wants to merge 4 commits intoinstructlab:mainfrom
Gregory-Pereira:add-tls-to-gin-apiserver
Open

Add tls to gin apiserver#363
Gregory-Pereira wants to merge 4 commits intoinstructlab:mainfrom
Gregory-Pereira:add-tls-to-gin-apiserver

Conversation

@Gregory-Pereira
Copy link
Collaborator

@Gregory-Pereira Gregory-Pereira commented May 19, 2024

Addresses: #361
Looking for feedback:

  1. In a subsection of the buildHTTPClient function which previously lived in the sendPostRequest method for the API server, I load in the server CA certificate, which I am not sure I need.
  2. The way I have implemented buildHTTPClient function, it will first try to generate an HTTPS client, and if it fails reading the keys it will instead generate an HTTP client with an error describing as much, and those errors will get picked out of the sendPostRequest function and ignored with appropriate logging. Is this an acceptable implementation? Or if the user specifies they want an HTTPS sessions, and it fails, should the API server just fail to spin?

Changes:

  • env support for the apiserver
  • TLS Secure client enablement

PTAL @vishnoianil @nerdalert

@Gregory-Pereira Gregory-Pereira force-pushed the add-tls-to-gin-apiserver branch from 854fbc4 to c065a22 Compare May 19, 2024 17:45
vishnoianil
vishnoianil suggested changes May 20, 2024
View reviewed changes
ui/apiserver/apiserver.go Outdated
Copy link
Collaborator

@vishnoianil vishnoianil May 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you don't need to load it for the client, but the root ca need to be locally deployed (mkcert -i in the apiserver container to make the http request. For prod I think we need to update ansible to make sure that it generates the cert/keys/rootca and deploy those in the gobot http server as well as the apiserver client.

On the side note, I think things will be much better and cleaner once we move to kuberentes/ocp/kind for cert management.

ui/apiserver/apiserver.go
tlsServerCaCertPath := pflag.String("tls-server-ca-cert", "", "Path to the TLS server CA certificate. Evantually defaults to '$HOME/server-ca-crt.pem2'")
pflag.Parse()

/* ENV support, most variabls take 3 options, with the following priority:
Copy link
Collaborator

@vishnoianil vishnoianil May 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think let's take these as an input parameter only. We should probably move to urfave/cli? It does pretty clean job with these 3 options. Irrespective of that, I think it would be good if we take care of this (checking env variable) across all the go binaries on the repo in separate PR? wdyt?

ui/apiserver/apiserver.go Outdated
Copy link
Collaborator

@vishnoianil vishnoianil May 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should introduce a "dev" flag, that basically means --tls-insecure or http. Switching to insecure connection because the tls handshake failed is not a good idea in my opinion. in non-dev mode, if tls fails, just fail, log error and exit. In dev mode, just use --tls-insecure or even http. That will give user the behavior they are expecting from these cli flags.

ui/compose.ui
network_mode: "host"
depends_on:
- redis
env_file:
Copy link
Collaborator

@vishnoianil vishnoianil May 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you also need to fix the deploy/compose/deplo

@Gregory-Pereira
apiserver env support + tls configs
f5297e5 
Signed-off-by: greg pereira <grpereir@redhat.com>
@Gregory-Pereira
apiserver credential env support
c2f3a0a 
Signed-off-by: greg pereira <grpereir@redhat.com>
@Gregory-Pereira
bugfixing, using home var instead of home var string
49a4236 
Signed-off-by: greg pereira <grpereir@redhat.com>
@Gregory-Pereira Gregory-Pereira force-pushed the add-tls-to-gin-apiserver branch from 06b33e8 to 30b7da4 Compare May 30, 2024 19:03
@Gregory-Pereira
wip refactor to single dev mode flag
c483619 
Signed-off-by: greg pereira <grpereir@redhat.com>
@Gregory-Pereira Gregory-Pereira force-pushed the add-tls-to-gin-apiserver branch from 30b7da4 to c483619 Compare May 30, 2024 19:31
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@nerdalert nerdalert Awaiting requested review from nerdalert

1 more reviewer

@vishnoianil vishnoianil vishnoianil requested changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Gregory-Pereira @vishnoianil

Comments