with manifests

Make more configurable
Add more to .gitignore
2023-07-07 23:52:29 -04:00 · 2023-07-07 23:51:55 -04:00 · 2023-07-07 10:02:46 -04:00 · 2023-07-07 10:01:50 -04:00 · 2023-07-04 22:05:24 -04:00 · 2023-07-03 18:43:27 -04:00
27 changed files with 794 additions and 167 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,7 @@
-
 # Devenv
 .devenv*
 devenv.local.nix

+.certs
+cmd/hub/hub
+cmd/spoke-agent/spoke-agent
--- a/appconfig/endpoints.go
+++ b/appconfig/endpoints.go
@@ -0,0 +1,14 @@
+package appconfig
+
+import (
+	"fmt"
+	"net/http"
+)
+
+func handleAuthzConfig(w http.ResponseWriter, req *http.Request) {
+	headers := w.Header()
+	headers.Set("content-type", "text/plain")
+
+	w.WriteHeader(http.StatusOK)
+	fmt.Fprintf(w, "hello, world")
+}
--- a/appconfig/log.go
+++ b/appconfig/log.go
@@ -0,0 +1,33 @@
+package appconfig
+
+import "fmt"
+
+type logger interface {
+	Output(int, string) error
+}
+
+type ilogger interface {
+	logger
+	Print(...interface{})
+	Printf(string, ...interface{})
+	Println(...interface{})
+}
+
+type internalLog struct {
+	logger
+}
+
+// Println replicates the behaviour of the standard logger.
+func (t internalLog) Println(v ...interface{}) {
+	t.Output(2, fmt.Sprintln(v...))
+}
+
+// Printf replicates the behaviour of the standard logger.
+func (t internalLog) Printf(format string, v ...interface{}) {
+	t.Output(2, fmt.Sprintf(format, v...))
+}
+
+// Print replicates the behaviour of the standard logger.
+func (t internalLog) Print(v ...interface{}) {
+	t.Output(2, fmt.Sprint(v...))
+}
--- a/appconfig/provider.go
+++ b/appconfig/provider.go
@@ -0,0 +1,31 @@
+package appconfig
+
+import (
+	"log"
+	"net/http"
+	"os"
+)
+
+type Provider struct {
+	handler http.Handler
+	log     ilogger
+}
+
+func NewProvider() Provider {
+	return Provider{
+		handler: router(),
+		log:     log.New(os.Stderr, "servicedemon/appconfig - ", log.LstdFlags|log.Lshortfile),
+	}
+}
+
+func (p Provider) Handler() http.Handler {
+	return p.handler
+}
+
+func router() *http.ServeMux {
+	mux := http.NewServeMux()
+
+	mux.HandleFunc("/config/authz", handleAuthzConfig)
+
+	return mux
+}
--- a/cmd/hub/gencerts.sh
+++ b/cmd/hub/gencerts.sh
@@ -0,0 +1,174 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash --pure
+#! nix-shell -p bash cfssl openssl
+#! nix-shell -I nixpkgs=https://github.com/NixOS/nixpkgs/archive/4ecab3273592f27479a583fb6d975d4aba3486fe.tar.gz
+
+
+TMPDIR=$(mktemp -d)
+OUTDIR="./.certs"
+ca="ca"
+ca_csr="${TMPDIR}/ca.json"
+ca_config="${TMPDIR}/ca-config.json"
+
+
+key_algo=rsa
+key_size=2048
+cert_expire=43800 # = 5 years * 365 days * 24 hours
+
+C="US"
+L="PA"
+O="Equinix Metal Development"
+OU="Nautilus"
+ST="Philadelphia"
+
+cat <<-EOFCACONFIG > ${ca_config}
+{
+    "signing": {
+        "default": {
+            "expiry": "${cert_expire}h"
+        },
+        "profiles": {
+            "server": {
+                "expiry": "${cert_expire}h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "server auth"
+                ]
+            },
+            "client": {
+                "expiry": "${cert_expire}h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "client auth"
+                ]
+            },
+            "client-server": {
+                "expiry": "${cert_expire}h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "server auth",
+                    "client auth"
+                ]
+            }
+        }
+    }
+}
+EOFCACONFIG
+
+function generate_ca {
+    echo "==================== generating self-signed CA key pair"
+
+    cat <<-EOFCACSR > ${ca_csr}
+{
+    "CN": "Nautilus Local CA",
+    "key": {
+        "algo": "${key_algo}",
+        "size": ${key_size}
+    },
+    "names": [
+        {
+            "C": "${C}",
+            "L": "${L}",
+            "O": "${O}",
+            "ST": "${ST}",
+            "OU": "${OU}"
+        }
+    ]
+}
+EOFCACSR
+
+    cfssl gencert -initca "${ca_csr}" | cfssljson -bare ${ca}
+    mv "${ca}.pem" "${OUTDIR}/${ca}.pem"
+    mv "${ca}-key.pem" "${OUTDIR}/${ca}-key.pem"
+}
+
+function generate_server_certificate {
+    echo "=================== generating server certificate"
+
+    server_csr="${TMPDIR}/server-csr.json"
+    cat <<EOF > ${server_csr}
+{
+    "CN": "Nautilus Hub",
+    "hosts": [ "localhost", "hub.example.net" ],
+    "key": {
+        "algo": "${key_algo}",
+        "size": ${key_size}
+    }
+}
+EOF
+
+    cfssl gencert -ca="${OUTDIR}/${ca}.pem" -ca-key="${OUTDIR}/${ca}-key.pem" -config="${ca_config}" -profile=client-server ${server_csr} | cfssljson -bare server
+}
+
+function generate_client_certificate {
+    echo "================== generating client certificate"
+
+    client_csr="${TMPDIR}/client-csr.json"
+    cat <<EOF > ${client_csr}
+{
+    "CN": "Nautilus Spoke 1",
+    "hosts": [ "localhost", "spoke1.example.net" ],
+    "key": {
+        "algo": "${key_algo}",
+        "size": ${key_size}
+    }
+}
+EOF
+
+    cfssl gencert -ca="${OUTDIR}/${ca}.pem" -ca-key="${OUTDIR}/${ca}-key.pem" -config="${ca_config}" -profile=client ${client_csr} | cfssljson -bare client
+}
+
+
+function generate_admin_certificate {
+    echo "================= generating admin certificate"
+
+    admin_csr="${TMPDIR}/admin-csr.json"
+    cat <<EOF > ${admin_csr}
+{
+    "CN": "Nautilus Admin - Adam",
+    "key": {
+        "algo": "${key_algo}",
+        "size": ${key_size}
+    },
+    "names": [
+        {
+            "C": "${C}",
+            "L": "${L}",
+            "O": "${O}",
+            "ST": "${ST}",
+            "OU": "Nautilus Admins"
+        }
+    ]
+}
+EOF
+    cfssl gencert -ca="${OUTDIR}/${ca}.pem" -ca-key="${OUTDIR}/${ca}-key.pem" -config="${ca_config}" -profile=client ${admin_csr} | cfssljson -bare admin
+}
+
+
+function move_certs {
+        echo "================ copying certificates to ${OUTDIR}"
+    for c in server client admin; do
+	[[ -f "${c}-key.pem" ]] &&  mv "${c}-key.pem" "${OUTDIR}/${c}-key.pem" || echo "${c}-key.pem not regenerated"
+	[[ -f "${c}.pem" ]] && mv "${c}.pem" "${OUTDIR}/${c}.pem" || echo "${c}.pem not regenerated"
+    done
+}
+
+
+function main {
+    mkdir -p "${OUTDIR}"
+
+    [[ -f "${OUTDIR}/ca.pem" ]] || generate_ca
+    [[ -f "${OUTDIR}/server.pem" ]] || generate_server_certificate
+    [[ -f "${OUTDIR}/client.pem" ]] || generate_client_certificate
+    [[ -f "${OUTDIR}/admin.pem" ]] || generate_admin_certificate
+    move_certs
+
+    rm {ca,server,admin,client}.csr 2>/dev/null
+
+    chmod 600 ${OUTDIR}/*-key.pem
+}
+
+main
--- a/cmd/hub/main.go
+++ b/cmd/hub/main.go
@@ -4,28 +4,17 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"fmt"
 	"io"
 	"log"
 	"net/http"
 	"os"

-	"go.fixergrid.net/servicedemon/pkg/pubsub"
-	"go.fixergrid.net/servicedemon/pkg/registrar"
+	"go.fixergrid.net/servicedemon/appconfig"
+	"go.fixergrid.net/servicedemon/pubsub"
+	"go.fixergrid.net/servicedemon/registrar"
 )

-type noopHandler struct {
-	http.HandlerFunc
-}
-
-func wrapHandlefunc(h http.HandlerFunc) noopHandler {
-	return noopHandler{
-		HandlerFunc: h,
-	}
-}
-
-func (h noopHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
-	h.HandlerFunc(w, req)
-}
 func main() {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
@@ -39,40 +28,79 @@ func main() {
 	r := registrar.NewRegistrar(
 		pubsub,
 		repo,
-		registrar.WithLogger(log.New(os.Stdout, "registrar: ", log.LstdFlags|log.Lshortfile)),
 	)
+
 	al := registrar.NewApprovalListener(
 		pubsub,
 		nil,
-		registrar.OptionLog(log.New(os.Stdout, "approvalListener: ", log.LstdFlags|log.Lshortfile)),
+		repo,
 	)
 	go al.Run(ctx)

+	appConfig := appconfig.NewProvider()
+
 	mux := http.NewServeMux()
+	logger.Println("Registering endpoints...")
+	mux.HandleFunc("/register", postjson(r.HandleRegistration))
+	logger.Println("POST /register")

-	mux.HandleFunc("/register", r.HandleRegistration)
-	mux.Handle("/approvals/", http.StripPrefix("/approvals/", wrapHandlefunc(r.HandleApproval)))
+	mux.Handle("/approvals/", http.StripPrefix("/approvals/", wrapHandleFunc(postjson(r.HandleApproval))))
+	logger.Println("POST /approvals/:id")

-	certFile, err := os.Open("./certs/ca.pem")
+	mux.Handle("/application/", http.StripPrefix("/application", appConfig.Handler()))
+	logger.Println("GET  /application/config/authz")
+
+	server, err := newServer()
 	if err != nil {
-		logger.Fatalf("failed to open ca.pem: %v", err)
+		logger.Fatal(err)
+	}
+
+	server.Handler = mux
+	log.Println(server.ListenAndServeTLS("", ""))
+}
+
+func newServer() (*http.Server, error) {
+	// "./certs/combined.pem", "./certs/server-key.pem"
+	requiredVars := map[string]string{
+		"HUB_CA_CERT_FILE":     "",
+		"HUB_SERVER_CERT_FILE": "",
+		"HUB_SERVER_KEY_FILE":  "",
+	}
+
+	for k := range requiredVars {
+		val, isSet := os.LookupEnv(k)
+		if !isSet {
+			return nil, fmt.Errorf("hub: required environment variable is unset: %s", k)
+		}
+		requiredVars[k] = val
+	}
+
+	certFile, err := os.Open(requiredVars["HUB_CA_CERT_FILE"])
+	if err != nil {
+		return nil, fmt.Errorf("hub: failed to open ca.pem: %w", err)
 	}

 	caCert, err := io.ReadAll(certFile)
 	if err != nil {
-		logger.Fatalf("failed to read in ca: %v", err)
+		return nil, fmt.Errorf("hub: failed to read in ca: %w", err)
 	}

 	pool := x509.NewCertPool()
 	pool.AppendCertsFromPEM(caCert)

+	serverCert, err := tls.LoadX509KeyPair(requiredVars["HUB_SERVER_CERT_FILE"], requiredVars["HUB_SERVER_KEY_FILE"])
+	if err != nil {
+		return nil, fmt.Errorf("hub: failed to load server certs: %w", err)
+	}
+
 	server := &http.Server{
 		Addr: ":3001",
 		TLSConfig: &tls.Config{
-			ClientCAs:  pool,
-			ClientAuth: tls.RequireAndVerifyClientCert,
+			ClientCAs:    pool,
+			ClientAuth:   tls.RequireAndVerifyClientCert,
+			Certificates: []tls.Certificate{serverCert},
 		},
 	}
-	server.Handler = mux
-	log.Println(server.ListenAndServeTLS("./certs/combined.pem", "./certs/server-key.pem"))
+
+	return server, nil
 }
--- a/cmd/hub/middlewares.go
+++ b/cmd/hub/middlewares.go
@@ -0,0 +1,46 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+)
+
+func postjson(f http.HandlerFunc) http.HandlerFunc {
+	return contentJSON(methodPost(f))
+}
+
+func methodPost(f http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, req *http.Request) {
+		if req.Method != http.MethodPost {
+			w.WriteHeader(http.StatusMethodNotAllowed)
+			fmt.Fprintf(w, `{"errors": ["method not allowed"]}`)
+			return
+		}
+
+		f(w, req)
+	}
+
+}
+
+func contentJSON(f http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, req *http.Request) {
+		headers := w.Header()
+		headers.Set("content-type", "application/json")
+
+		f(w, req)
+	}
+}
+
+type noopHandler struct {
+	http.HandlerFunc
+}
+
+func wrapHandleFunc(h http.HandlerFunc) noopHandler {
+	return noopHandler{
+		HandlerFunc: h,
+	}
+}
+
+func (h noopHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
+	h.HandlerFunc(w, req)
+}
--- a/cmd/spoke-agent/main.go
+++ b/cmd/spoke-agent/main.go
@@ -0,0 +1,131 @@
+package main
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"net/url"
+	"os"
+	"time"
+)
+
+var HUB_BASE_URL string = ""
+
+func main() {
+	logger := log.New(os.Stdout, "main: ", log.LstdFlags|log.Lshortfile)
+
+	client, err := HubClient()
+	if err != nil {
+		logger.Fatal(err)
+	}
+
+	registered := false
+	for !registered {
+		state := getCurrentState(client, logger)
+		switch state {
+		case "pending_approval":
+			logger.Println("waiting for approval")
+		case "registered":
+			registered = true
+			logger.Println("application registered!")
+		default:
+			logger.Println("retrying")
+
+		}
+		time.Sleep(3 * time.Second)
+	}
+
+}
+
+func HubClient() (*http.Client, error) {
+	requiredVars := map[string]string{
+		"SPOKE_AGENT_CA_CERT_FILE": "",
+		"SPOKE_AGENT_CERT_FILE":    "",
+		"SPOKE_AGENT_KEY_FILE":     "",
+		"HUB_SERVER_URL":           "",
+	}
+	for k := range requiredVars {
+		val, isSet := os.LookupEnv(k)
+		if !isSet {
+			return nil, fmt.Errorf("spoke agent: required environment variables is unset: %s", k)
+		}
+		requiredVars[k] = val
+	}
+
+	caFile, err := os.Open(requiredVars["SPOKE_AGENT_CA_CERT_FILE"])
+	if err != nil {
+		return nil, fmt.Errorf("failed to open ca cert: %w", err)
+	}
+
+	caCert, err := io.ReadAll(caFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read the ca cert: %w", err)
+	}
+
+	pool := x509.NewCertPool()
+	pool.AppendCertsFromPEM(caCert)
+
+	certPath := requiredVars["SPOKE_AGENT_CERT_FILE"]
+	keyPath := requiredVars["SPOKE_AGENT_KEY_FILE"]
+
+	cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load keypair: %w", err)
+	}
+
+	client := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				RootCAs:      pool,
+				Certificates: []tls.Certificate{cert},
+			},
+		},
+	}
+
+	HUB_BASE_URL = requiredVars["HUB_SERVER_URL"]
+	return client, nil
+}
+
+func getCurrentState(client *http.Client, logger *log.Logger) string {
+	reqURL, err := url.JoinPath(HUB_BASE_URL, "/register")
+	if err != nil {
+		logger.Fatalf("failed to setup register URL: %v", err)
+	}
+
+	resp, err := client.Post(reqURL, "application/json", nil)
+	if err != nil {
+		logger.Fatalf("registration failed: %v", err)
+	}
+
+	if resp.StatusCode > 399 {
+		logger.Printf("ERROR: getCurrentState: failed to get status [%d]", resp.StatusCode)
+		return ""
+	}
+
+	out := map[string]string{}
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		log.Printf("ERROR: getCurrentState: parsing response body: %v", err)
+		return ""
+	}
+
+	err = json.Unmarshal(body, &out)
+	if err != nil {
+		log.Printf("ERROR: getCurrentState: failed to unmarshal response: %s '%s'", err, body)
+		return ""
+	}
+
+	switch resp.StatusCode {
+	case http.StatusCreated:
+		logger.Printf("successfully started application registration")
+		return "pending_approval"
+	case http.StatusOK:
+		return out["status"]
+	default:
+		return ""
+	}
+}
--- a/manifests/hub-cacrt.yaml
+++ b/manifests/hub-cacrt.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: hub-ca-crt
+data:
+  ca.crt: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZWRENDQkR5Z0F3SUJBZ0lSQU8xZFc4bHQrOTlOUHMxcVNZM1JzOGN3RFFZSktvWklodmNOQVFFTEJRQXcKY1RFTE1Ba0dBMVVFQmhNQ1ZWTXhNekF4QmdOVkJBb1RLaWhUVkVGSFNVNUhLU0JKYm5SbGNtNWxkQ0JUWldOMQpjbWwwZVNCU1pYTmxZWEpqYUNCSGNtOTFjREV0TUNzR0ExVUVBeE1rS0ZOVVFVZEpUa2NwSUVSdlkzUnZjbVZrCklFUjFjbWxoYmlCU2IyOTBJRU5CSUZnek1CNFhEVEl4TURFeU1ERTVNVFF3TTFvWERUSTBNRGt6TURFNE1UUXcKTTFvd1pqRUxNQWtHQTFVRUJoTUNWVk14TXpBeEJnTlZCQW9US2loVFZFRkhTVTVIS1NCSmJuUmxjbTVsZENCVApaV04xY21sMGVTQlNaWE5sWVhKamFDQkhjbTkxY0RFaU1DQUdBMVVFQXhNWktGTlVRVWRKVGtjcElGQnlaWFJsCmJtUWdVR1ZoY2lCWU1UQ0NBaUl3RFFZSktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQUxiYWdFZEQKVGExUWdHQldTWWt5TWhzY1pYRU5PQmFWUlRNWDFoY2VKRU5nc0wwTWE0OUQzTWlsSTRLUzM4bXRrbWRGNmNQVwpuTCsrZmdlaFQwRmJSSFpnak9FcjhVQU40akg2b21qcmJURCsrVlpuZVRzTVZhR2FtUW1EZEZsNWcxZ1lhaWdrCmtteDhPaUNPNjhhNFFYZzR3U3luNmlEaXBLUDh1dHNFK3gxRTI4U0E3NUhPWXFwZHJrNEhHeHVVTHZscjAzd1oKR1RJZi9vUnQyL2MrZFltRG9hSmhnZStHT3JMQUVRQnlPNys4K3Z6T3dwTkFQRXg2TFcrY3JFRVo3ZUJYaWg2VgpQMTlzVEd5M3lmcUs1dFB0VGRYWENPUU1LQXArZ0NqL1ZCeWhtSXIrMGlOREM1NDBndHZWMzAzV3BjYndua2tMCllDMEZ0MmNZVXlIdGtzdE9mUmNSTytLMmNab3pvU3dWUHlCOC9KOVJwY1JLM2pnblg5bHVqZndBL3BBYlAwSjIKVVBRRnhtV0ZSUW5GamFxNnJrcWJORUJnTHkra0ZMMU5Fc1JidkZiS3JSaTViWXkybE5tczJOSlBadmROUWJULwoyZEJaS21KcXhIa3hDdU9RRmpoSlFOZU8rTmptMVoxaUFUUy8zcnRzMnlabHFYS3N4UVV6TjZ2TmJEOEtuWFJNCkVlT1hVWXZiVjRscWZDZjhtUzE0V0ViU2lNeTg3R0I1Uzl1Y1NWMVhVcmxURzVVR2NNU1pPQmNFVXBpc1JQRW0KUVdVT1RXSW9EUTVGT2lhL0dJK0tpNTIzcjJydUVtYm1HMzdFQlNCWGR4SWRuZHFyankrUVZBbUNlYnlEeDllVgpFR09JcG4yNmJXNUxLZXJ1bUp4YS9DRkJhS2k0YlJ2bWRKUkxBZ01CQUFHamdmRXdnZTR3RGdZRFZSMFBBUUgvCkJBUURBZ0VHTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkxYelpmTCtzQXFTSC9zOGZmTkUKb0t4akpjTVVNQjhHQTFVZEl3UVlNQmFBRkFoWDJvbkhvbE41REUvZDRKQ1BkTHJpSjNORU1EZ0dDQ3NHQVFVRgpCd0VCQkN3d0tqQW9CZ2dyQmdFRkJRY3dBb1ljYUhSMGNEb3ZMM04wWnkxa2MzUXpMbWt1YkdWdVkzSXViM0puCkx6QXRCZ05WSFI4RUpqQWtNQ0tnSUtBZWhoeG9kSFJ3T2k4dmMzUm5MV1J6ZERNdVl5NXNaVzVqY2k1dmNtY3YKTUNJR0ExVWRJQVFiTUJrd0NBWUdaNEVNQVFJQk1BMEdDeXNHQVFRQmd0OFRBUUVCTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQjd0UjhCMGVJUVNTNk1oUDVrdXZHdGgrZE4wMkRzSWhyMHlKdGsyZWhJY1BJcVN4UlJtSEdsCjR1MmMzUWx2RXBlUkRwMnc3ZVFkUlRsSS9Xbk5oWTRKT29mcE1mMnp3QUJnQld0QXUwVm9vUWNaWlRwUXJ1aWcKRi96NnhZa0JrM1VIa2plcXh6TU4zZDFFcUd1c3hKb3FnZFRvdVo1WDVRVFRJZWU5blEzTEVoV25SU1hEeDdZMAp0dFIxQkdmY2RxSG9wTzRJQnFBaGJrS1JqRjV6ajdPRDhjRzM1b215d1ViWnRPSm5mdGlJMG5GY1JheGJYbzB2Cm9EZkxEMFM2K0FDMlIzdEtwcWprTlg2LzkxaHJSRmdsVWFreU1jWlUveGxlcWJ2NitMcjNZRDhQc0JUdWI2bEkKb1oybFMzOGZMMThBb240NThmYmMwQlBIdGVuZmhLajUKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="
--- a/manifests/hub-cert.yaml
+++ b/manifests/hub-cert.yaml
@@ -0,0 +1,34 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: hub-dev-fixergrid-net-stg
+  namespace: hub
+spec:
+  # Secret names are always required.
+  secretName: hub-dev-stg-cert-tls
+
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  subject:
+    organizations:
+      - Equinix Metal
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: hub.dev.fixergrid.net
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  usages:
+    - server auth
+    - client auth
+  # At least one of a DNS Name, URI, or IP address is required.
+  dnsNames:
+    - hub.dev.fixergrid.net
+  # Issuer references are always required.
+  issuerRef:
+    name: letsencrypt-staging
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer
--- a/manifests/hub.yaml
+++ b/manifests/hub.yaml
@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: hub
+  name: hub
+  namespace: hub
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: hub
+  template:
+    metadata:
+      labels:
+        app: hub
+    spec:
+      volumes:
+        - name: server-certs
+          projected:
+            sources:
+              - secret:
+                  name: hub-dev-stg-cert-tls
+              - secret:
+                  name: hub-ca-crt
+      containers:
+      - image: amohd/servicedemon:v2
+        name: servicedemon
+        command: ["/hub"]
+        env:
+          - name: HUB_CA_CERT_FILE
+            value: /etc/hub/certs/ca.crt
+          - name: HUB_SERVER_CERT_FILE
+            value: /etc/hub/certs/tls.crt
+          - name: HUB_SERVER_KEY_FILE
+            value: /etc/hub/certs/tls.key
+        volumeMounts:
+          - name: server-certs
+            mountPath: /etc/hub/certs/
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: hub-svc
+  namespace: hub
+spec:
+  type: ClusterIP
+  selector:
+    app: hub
+  ports:
+    - port: 443
+      targetPort: 3001
+      protocol: "TCP"
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  namespace: hub
+  name: hub-dev-fixergrid-net
+spec:
+  entryPoints:
+    - websecure
+  tls:
+    passthrough: true
+  routes:
+  - match: HostSNI(`hub.dev.fixergrid.net`)
+    priority: 1
+    services:
+      - name: hub-svc
+        port: 443
+        weight: 1
--- a/manifests/issuer.yaml
+++ b/manifests/issuer.yaml
@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # You must replace this email address with your own.
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: adam@fixergrid.net
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: dev-fixergrid-net-issuer-account-key
+    # Add a single challenge solver, HTTP01 using nginx
+    solvers:
+    - http01:
+        ingress:
+          ingressClassName: traefik
--- a/manifests/my-app-crt.yaml
+++ b/manifests/my-app-crt.yaml
@@ -0,0 +1,34 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: app-dev-fixergrid-net-stg
+  namespace: app1
+spec:
+  # Secret names are always required.
+  secretName: app1-dev-stg-cert-tls
+
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  subject:
+    organizations:
+      - Equinix Metal
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: app1.dev.fixergrid.net
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  usages:
+    - server auth
+    - client auth
+  # At least one of a DNS Name, URI, or IP address is required.
+  dnsNames:
+    - app1.dev.fixergrid.net
+  # Issuer references are always required.
+  issuerRef:
+    name: letsencrypt-staging
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer
--- a/manifests/my-app.yaml
+++ b/manifests/my-app.yaml
@@ -0,0 +1,42 @@
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: app1
+  name: app1
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: app1
+  template:
+    metadata:
+      labels:
+        app: app1
+    spec:
+      volumes:
+        - name: server-certs
+          projected:
+            sources:
+              - secret:
+                  name: app1-dev-stg-cert-tls
+              - secret:
+                  name: hub-ca-crt
+      containers:
+      - image: amohd/servicedemon:v2
+        name: servicedemon
+        command: ["/spoke-agent"]
+        env:
+          - name: SPOKE_AGENT_CA_CERT_FILE
+            value: /etc/spoke-agent/certs/ca.crt
+          - name: SPOKE_AGENT_CERT_FILE
+            value: /etc/spoke-agent/certs/tls.crt
+          - name: SPOKE_AGENT_KEY_FILE
+            value: /etc/spoke-agent/certs/tls.key
+          - name: HUB_SERVER_URL
+            value: https://hub.dev.fixergrid.net
+        volumeMounts:
+          - name: server-certs
+            mountPath: /etc/spoke-agent/certs/
--- a/pkg/discord/client.go
+++ b/pkg/discord/client.go
@@ -1,39 +0,0 @@
-package discord
-
-import (
-	"context"
-	"io"
-	"net/http"
-
-	"golang.org/x/oauth2"
-)
-
-type ChannelInfo struct{}
-
-type DiscordClient struct {
-	client         *http.Client
-	defaultChannel string
-	baseUrl        string
-	apiVersion     string
-}
-
-func NewClient(ctx context.Context, tokenSrc oauth2.TokenSource) DiscordClient {
-	return DiscordClient{
-		client:     oauth2.NewClient(ctx, tokenSrc),
-		baseUrl:    "https://discord.com",
-		apiVersion: "v10",
-	}
-}
-
-func (dc DiscordClient) WithDefaultChannel(channelID string) DiscordClient {
-	dc.defaultChannel = channelID
-	return dc
-}
-
-func (dc DiscordClient) GetChannel() ChannelInfo {
-	return ChannelInfo{}
-}
-
-func (dc DiscordClient) doRequest(path string, method string, body io.Reader) (*http.Response, error) {
-	return dc.client.Do(method, path, body)
-}
--- a/pkg/registrar/repo.go
+++ b/pkg/registrar/repo.go
@@ -1,10 +0,0 @@
-package registrar
-
-import (
-	persist "go.fixergrid.net/servicedemon/pkg/registrar/internal/persistence"
-	svc "go.fixergrid.net/servicedemon/pkg/registrar/internal/services"
-)
-
-func NewRepo() svc.AppRepo {
-	return persist.NewFakeRepo()
-}
--- a/pkg/pubsub/pubsub.go
+++ b/pkg/pubsub/pubsub.go
--- a/pkg/registrar/approval.go
+++ b/pkg/registrar/approval.go
@@ -4,9 +4,11 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"log"
+	"os"

 	"github.com/google/uuid"
-	svc "go.fixergrid.net/servicedemon/pkg/registrar/internal/services"
+	svc "go.fixergrid.net/servicedemon/registrar/internal/services"
 )

 const APPROVAL_TOPIC = "net.fixergrid.events.app.approved"
@@ -15,7 +17,7 @@ type ApprovalListener struct {
 	svc.ApprovalRequester
 	svc.PubSub
 	svc.AppRepo
-	log internalLog
+	log ilogger
 }

 type option func(r *ApprovalListener)
@@ -26,10 +28,12 @@ func OptionLog(l logger) option {
 	}
 }

-func NewApprovalListener(ps svc.PubSub, requester svc.ApprovalRequester, options ...option) ApprovalListener {
+func NewApprovalListener(ps svc.PubSub, requester svc.ApprovalRequester, repo svc.AppRepo, options ...option) ApprovalListener {
 	out := ApprovalListener{
 		PubSub:            ps,
 		ApprovalRequester: requester,
+		AppRepo:           repo,
+		log:               log.New(os.Stderr, "servicedemon/registrar - ", log.LstdFlags|log.Lshortfile),
 	}

 	for _, opt := range options {
--- a/pkg/registrar/endpoints.go
+++ b/pkg/registrar/endpoints.go
@@ -3,10 +3,12 @@ package registrar
 import (
 	"encoding/json"
 	"fmt"
+	"log"
 	"net/http"
+	"os"

 	"github.com/google/uuid"
-	svc "go.fixergrid.net/servicedemon/pkg/registrar/internal/services"
+	svc "go.fixergrid.net/servicedemon/registrar/internal/services"
 )

 const (
@@ -18,7 +20,7 @@ var validApprover string = "Nautilus Admins"
 type Registrar struct {
 	svc.Publisher
 	repo svc.AppRepo
-	log  internalLog
+	log  ilogger
 }

 func WithLogger(l logger) RegistrarOpt {
@@ -33,6 +35,7 @@ func NewRegistrar(publisher svc.Publisher, repo svc.AppRepo, options ...Registra
 	r := Registrar{
 		Publisher: publisher,
 		repo:      repo,
+		log:       log.New(os.Stderr, "servicedemon/registrar - ", log.LstdFlags|log.Lshortfile),
 	}
 	for _, opt := range options {
 		opt(&r)
@@ -44,10 +47,9 @@ func (r Registrar) HandleRegistration(resp http.ResponseWriter, req *http.Reques
 	cert := req.TLS.PeerCertificates[0]

 	name := cert.DNSNames[0]
-	if r.repo.IsRegistered(name) {
-		resp.WriteHeader(http.StatusOK)
-		resp.Write([]byte(`{"status": "registered"}`))
-	} else {
+	app, err := r.repo.GetApp(name)
+	switch err {
+	case svc.ErrApplicationNotFound:
 		id := r.repo.StartAppRegistration(name)
 		event := map[string]string{
 			"id":   id.String(),
@@ -59,13 +61,16 @@ func (r Registrar) HandleRegistration(resp http.ResponseWriter, req *http.Reques

 		resp.WriteHeader(http.StatusCreated)
 		fmt.Fprintf(resp, `{"status": "pending_approval"}`)
+	case nil:
+		resp.WriteHeader(http.StatusOK)
+		fmt.Fprintf(resp, `{"status": "%s"}`, app.State)
+	default:
+		resp.WriteHeader(http.StatusInternalServerError)
+		fmt.Fprintf(resp, `{"errors": ["%s"]}`, err)
 	}
 }

 func (r Registrar) HandleApproval(resp http.ResponseWriter, req *http.Request) {
-	headers := resp.Header()
-	headers.Set("content-type", "application/json")
-
 	in := req.URL.Path
 	cert := req.TLS.PeerCertificates[0]
 	OUs := cert.Subject.OrganizationalUnit
--- a/pkg/registrar/endpoints_test.go
+++ b/pkg/registrar/endpoints_test.go
@@ -10,71 +10,11 @@ import (
 	"testing"
 	"time"

-	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"go.fixergrid.net/servicedemon/pkg/pubsub"
+	"go.fixergrid.net/servicedemon/pubsub"
 )

-type TestRequest http.Request
-
-func NewTestRequest(t *testing.T, method string, url string, body io.Reader) TestRequest {
-	req, err := http.NewRequest(method, url, body)
-	require.NoError(t, err)
-	return TestRequest(*req)
-}
-func (tr TestRequest) WithFakeTLSState(dnsName string) TestRequest {
-	cert := x509.Certificate{
-		DNSNames: []string{
-			dnsName,
-		},
-	}
-
-	tr.TLS = &tls.ConnectionState{
-		PeerCertificates: []*x509.Certificate{&cert},
-	}
-
-	return tr
-}
-
-func (tr TestRequest) Create() *http.Request {
-	req := http.Request(tr)
-	return &req
-}
-
-type AppState struct {
-	Name  string
-	State string
-}
-type TestAppRepo []AppState
-
-func (repo TestAppRepo) IsRegistered(name string) bool {
-	for _, app := range repo {
-		if name == app.Name && app.State == "registered" {
-			return true
-		}
-	}
-	return false
-}
-
-func (repo TestAppRepo) PendingApprovalCount() int {
-	count := 0
-	for _, app := range repo {
-		if app.State == "pending_approval" {
-			count += 1
-		}
-	}
-	return count
-}
-
-func (repo *TestAppRepo) StartAppRegistration(name string) uuid.UUID {
-	*repo = append(*repo, AppState{
-		Name:  name,
-		State: "pending_approval",
-	})
-	return uuid.New()
-}
-
 func TestHandleRegisterPendingApproval(t *testing.T) {
 	resp := httptest.NewRecorder()

@@ -82,7 +22,7 @@ func TestHandleRegisterPendingApproval(t *testing.T) {
 		WithFakeTLSState("dev-app-1.delivery.engineering").
 		Create()

-	repo := &TestAppRepo{}
+	repo := NewRepo()
 	pubsub := pubsub.New()
 	subscriber := pubsub.Subscribe(REGISTRATION_TOPIC)

@@ -112,12 +52,9 @@ func TestHandleRegisterAlreadyRegistered(t *testing.T) {
 		Create()

 	pubsub := pubsub.New()
-	repo := &TestAppRepo{
-		AppState{
-			Name:  "dev-app-1.delivery.engineering",
-			State: "registered",
-		},
-	}
+	repo := NewRepo()
+	appID := repo.StartAppRegistration("dev-app-1.delivery.engineering")
+	repo.ApproveApp(appID)

 	NewRegistrar(pubsub, repo).HandleRegistration(resp, req)

@@ -129,6 +66,27 @@ func TestHandleRegisterAlreadyRegistered(t *testing.T) {
 	assert.Equal(t, []byte(`{"status": "registered"}`), body)
 }

+func TestHandleRegisterNotYetApproved(t *testing.T) {
+	resp := httptest.NewRecorder()
+
+	req := NewTestRequest(t, http.MethodPost, "http://example.com/v1/register", nil).
+		WithFakeTLSState("dev-app-1.delivery.engineering").
+		Create()
+
+	pubsub := pubsub.New()
+	repo := NewRepo()
+	repo.StartAppRegistration("dev-app-1.delivery.engineering")
+
+	NewRegistrar(pubsub, repo).HandleRegistration(resp, req)
+
+	assert.Equal(t, http.StatusOK, resp.Code)
+
+	body, err := io.ReadAll(resp.Body)
+	require.NoError(t, err)
+
+	assert.Equal(t, []byte(`{"status": "pending_approval"}`), body)
+}
+
 func assertMessage(t *testing.T, expected map[string]string, sender <-chan string) {
 	timer := time.After(2 * time.Second)

@@ -153,3 +111,29 @@ func compareMessage(t *testing.T, expected map[string]string, observed string) {
 		assert.Equal(t, v, observedEvent[k])
 	}
 }
+
+type TestRequest http.Request
+
+func NewTestRequest(t *testing.T, method string, url string, body io.Reader) TestRequest {
+	req, err := http.NewRequest(method, url, body)
+	require.NoError(t, err)
+	return TestRequest(*req)
+}
+func (tr TestRequest) WithFakeTLSState(dnsName string) TestRequest {
+	cert := x509.Certificate{
+		DNSNames: []string{
+			dnsName,
+		},
+	}
+
+	tr.TLS = &tls.ConnectionState{
+		PeerCertificates: []*x509.Certificate{&cert},
+	}
+
+	return tr
+}
+
+func (tr TestRequest) Create() *http.Request {
+	req := http.Request(tr)
+	return &req
+}
--- a/pkg/registrar/internal/persistence/fake_repo.go
+++ b/pkg/registrar/internal/persistence/fake_repo.go
@@ -2,7 +2,7 @@ package persistence

 import (
 	"github.com/google/uuid"
-	svc "go.fixergrid.net/servicedemon/pkg/registrar/internal/services"
+	svc "go.fixergrid.net/servicedemon/registrar/internal/services"
 )

 type FakeRepo struct {
@@ -23,6 +23,16 @@ func (repo FakeRepo) IsRegistered(name string) bool {
 	return false
 }

+func (repo FakeRepo) GetApp(name string) (svc.Application, error) {
+	for _, app := range repo.apps {
+		if name == app.Name {
+			return *app, nil
+		}
+	}
+
+	return svc.Application{}, svc.ErrApplicationNotFound
+}
+
 func (repo FakeRepo) PendingApprovalCount() int {
 	count := 0
 	for _, app := range repo.apps {
@@ -34,26 +44,23 @@ func (repo FakeRepo) PendingApprovalCount() int {
 }

 func (repo *FakeRepo) StartAppRegistration(name string) uuid.UUID {
-	repo.apps = append(repo.apps, &svc.Application{
+	newApp := &svc.Application{
+		ID:    uuid.New(),
 		Name:  name,
 		State: "pending_approval",
-	})
-	return uuid.New()
+	}
+	repo.apps = append(repo.apps, newApp)
+	return newApp.ID
 }

 func (repo *FakeRepo) ApproveApp(id uuid.UUID) (svc.Application, error) {
-	var app *svc.Application
-
 	for _, application := range repo.apps {
 		if application.ID == id {
 			application.State = "registered"
+			return *application, nil
 		}
 	}

-	if app == nil {
-		return svc.Application{}, svc.ErrApplicationNotFound
-	}
-
-	return *app, nil
+	return svc.Application{}, svc.ErrApplicationNotFound

 }
--- a/pkg/registrar/internal/services/app_registration.go
+++ b/pkg/registrar/internal/services/app_registration.go
--- a/pkg/registrar/internal/services/approvals.go
+++ b/pkg/registrar/internal/services/approvals.go
--- a/pkg/registrar/internal/services/pubsub.go
+++ b/pkg/registrar/internal/services/pubsub.go
--- a/pkg/registrar/internal/services/repo.go
+++ b/pkg/registrar/internal/services/repo.go
@@ -21,6 +21,7 @@ type Application struct {
 type AppRepo interface {
 	IsRegistered(name string) bool
 	PendingApprovalCount() int
+	GetApp(name string) (Application, error)
 	StartAppRegistration(name string) uuid.UUID
 	ApproveApp(id uuid.UUID) (Application, error)
 }
--- a/pkg/registrar/logging.go
+++ b/pkg/registrar/logging.go
--- a/registrar/repo.go
+++ b/registrar/repo.go
@@ -0,0 +1,10 @@
+package registrar
+
+import (
+	persist "go.fixergrid.net/servicedemon/registrar/internal/persistence"
+	svc "go.fixergrid.net/servicedemon/registrar/internal/services"
+)
+
+func NewRepo() svc.AppRepo {
+	return persist.NewFakeRepo()
+}
Author	SHA1	Message	Date
Adam Mohammed	8b27e73203	with manifests	2023-07-07 23:52:29 -04:00
Adam Mohammed	a40fc162ff	Make more configurable	2023-07-07 23:51:55 -04:00
Adam Mohammed	f6a8a59ecf	Add more to .gitignore	2023-07-07 10:02:46 -04:00
Adam Mohammed	f5b88baa67	Add script to generate certs for local development	2023-07-07 10:01:50 -04:00
Adam Mohammed	31f6cc0a0d	Add some conifguration and logging for the hub	2023-07-04 22:05:24 -04:00
Adam Mohammed	f82d3f18c6	Add agent	2023-07-03 18:43:27 -04:00