Staging PR for 0.5.0

.dockerignore

@@ -1,3 +1,4 @@
 target/
 .env
 Dockerfile
+*.log

.github/workflows/helm-oci.yml

@@ -17,7 +17,7 @@ on:
 
 jobs:
   docker:
-
+    if: github.event_name == 'push' && contains(github.ref, 'refs/tags/v')
     permissions:
       contents: read
       packages: write

.gitignore

@@ -4,4 +4,5 @@
 /test
 
 .env
-.vscode/
+.vscode/
+*.log

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "chisel-operator"
-version = "0.4.1"
+version = "0.5.0"
 edition = "2021"
 description = "Chisel tunnel operator for Kubernetes"
 authors = [

site/src/content/docs/reference/exitnode.md

@@ -57,5 +57,7 @@ spec:
   port: 9090
   # Name of the secret containing the auth key
   # Create a secret with a key named "auth" and put the value there
-  # auth: SECRET-NAME
+  # This value is now required for security reasons, if there's no secret
+  # Chisel Operator will fail.
+  auth: SECRET-NAME
 ```

src/cloud/aws.rs

@@ -1,4 +1,4 @@
-use super::{cloud_init::generate_cloud_init_config, pwgen::generate_password, Provisioner};
+use super::{cloud_init::generate_cloud_init_config, Provisioner};
 use crate::{
     cloud::CHISEL_PORT,
     ops::{parse_provisioner_label_value, ExitNode, ExitNodeStatus, EXIT_NODE_PROVISIONER_LABEL},
@@ -112,6 +112,7 @@ impl Provisioner for AWSProvisioner {
         &self,
         auth: Secret,
         exit_node: ExitNode,
+        node_password: String,
     ) -> color_eyre::Result<ExitNodeStatus> {
         let provisioner = exit_node
             .metadata
@@ -125,9 +126,7 @@ impl Provisioner for AWSProvisioner {
                 )
             })?;
 
-        let password = generate_password(32);
-
-        let cloud_init_config = generate_cloud_init_config(&password, CHISEL_PORT);
+        let cloud_init_config = generate_cloud_init_config(&node_password, CHISEL_PORT);
         let user_data = base64::engine::general_purpose::STANDARD.encode(cloud_init_config);
 
         let aws_api: aws_config::SdkConfig = AWSIdentity::from_secret(&auth, self.region.clone())?
@@ -219,7 +218,7 @@ impl Provisioner for AWSProvisioner {
             public_ip,
             // needless conversion?
             // todo: Clean this up, minor performance hit
-            instance.instance_id.map(|id| id.to_string()).as_deref(),
+            instance.instance_id,
         );
 
         Ok(exit_node)
@@ -229,6 +228,7 @@ impl Provisioner for AWSProvisioner {
         &self,
         auth: Secret,
         exit_node: ExitNode,
+        node_password: String,
     ) -> color_eyre::Result<ExitNodeStatus> {
         let aws_api: aws_config::SdkConfig = AWSIdentity::from_secret(&auth, self.region.clone())?
             .generate_aws_config()
@@ -268,7 +268,7 @@ impl Provisioner for AWSProvisioner {
         } else {
             warn!("No status found for exit node, creating new instance");
             // TODO: this should be handled by the controller logic
-            return self.create_exit_node(auth, exit_node).await;
+            return self.create_exit_node(auth, exit_node, node_password).await;
         }
     }
 

src/cloud/cloud_init.rs

@@ -1,4 +1,4 @@
-pub fn generate_cloud_init_config(password: &str, port: u16) -> String {
+pub fn generate_cloud_init_config(auth_string: &str, port: u16) -> String {
     let cloud_config = serde_json::json!({
       "runcmd": ["curl https://i.jpillora.com/chisel! | bash", "systemctl enable --now chisel"],
       "write_files": [{
@@ -19,14 +19,14 @@ RestartSec=1
 User=root
 # You can add any additional flags here
 # This example uses port 9090 for the tunnel socket. `--reverse` is required for our use case.
-ExecStart=/usr/local/bin/chisel server --port={port} --reverse --auth chisel:{password}
+ExecStart=/usr/local/bin/chisel server --port={port} --reverse --auth {auth_string}
 # Additional .env file for auth and secrets
 EnvironmentFile=-/etc/sysconfig/chisel
 PassEnvironment=AUTH
 "#)
       }, {
         "path": "/etc/sysconfig/chisel",
-        "content": format!("AUTH=chisel:{}\n", password)
+        "content": format!("AUTH={auth_string}\n")
       }]
     });
 
@@ -35,8 +35,11 @@ PassEnvironment=AUTH
 
 #[test]
 fn test_generate_cloud_init_config() {
-    let password = "test";
+    let password = "chisel:test";
     let config = generate_cloud_init_config(password, 9090);
     println!("{}", config);
-    assert!(config.contains("chisel:test"));
+    assert!(config.contains("AUTH=chisel:test"));
+    assert!(config.contains(
+        "ExecStart=/usr/local/bin/chisel server --port=9090 --reverse --auth chisel:test"
+    ));
 }

src/cloud/digitalocean.rs

@@ -1,4 +1,4 @@
-use super::{cloud_init::generate_cloud_init_config, pwgen::generate_password, Provisioner};
+use super::{cloud_init::generate_cloud_init_config, Provisioner};
 use crate::ops::{
     parse_provisioner_label_value, ExitNode, ExitNodeStatus, EXIT_NODE_PROVISIONER_LABEL,
 };
@@ -61,14 +61,9 @@ impl Provisioner for DigitalOceanProvisioner {
         &self,
         auth: Secret,
         exit_node: ExitNode,
+        node_password: String,
     ) -> color_eyre::Result<ExitNodeStatus> {
-        let password = generate_password(32);
-
-        // create secret for password too
-
-        let _secret = exit_node.generate_secret(password.clone()).await?;
-
-        let config = generate_cloud_init_config(&password, exit_node.spec.port);
+        let config = generate_cloud_init_config(&node_password, exit_node.spec.port);
 
         // TODO: Secret reference, not plaintext
         let api: DigitalOceanApi = DigitalOceanApi::new(self.get_token(auth).await?);
@@ -135,16 +130,19 @@ impl Provisioner for DigitalOceanProvisioner {
             provisioner.clone(),
             name.clone(),
             droplet_ip.clone(),
-            Some(&droplet_id),
+            Some(droplet_id),
         );
 
+        debug!(?exit_node, "Created exit node!!");
+
         Ok(exit_node)
     }
 
     async fn update_exit_node(
         &self,
         auth: Secret,
         exit_node: ExitNode,
+        node_password: String,
     ) -> color_eyre::Result<ExitNodeStatus> {
         // check if droplet exists, then update it
         let api: DigitalOceanApi = DigitalOceanApi::new(self.get_token(auth.clone()).await?);
@@ -170,7 +168,7 @@ impl Provisioner for DigitalOceanProvisioner {
         } else {
             warn!("No status found for exit node, creating new droplet");
             // TODO: this should be handled by the controller logic
-            return self.create_exit_node(auth, exit_node).await;
+            return self.create_exit_node(auth, exit_node, node_password).await;
         }
     }
 

src/cloud/linode.rs

@@ -1,4 +1,4 @@
-use super::{cloud_init::generate_cloud_init_config, pwgen::generate_password, Provisioner};
+use super::{cloud_init::generate_cloud_init_config, Provisioner};
 use crate::ops::{
     parse_provisioner_label_value, ExitNode, ExitNodeStatus, EXIT_NODE_PROVISIONER_LABEL,
 };
@@ -54,12 +54,9 @@ impl Provisioner for LinodeProvisioner {
         &self,
         auth: Secret,
         exit_node: ExitNode,
+        chisel_auth_string: String,
     ) -> color_eyre::Result<ExitNodeStatus> {
-        let password = generate_password(32);
-
-        let _secret = exit_node.generate_secret(password.clone()).await?;
-
-        let config = generate_cloud_init_config(&password, exit_node.spec.port);
+        let config = generate_cloud_init_config(&chisel_auth_string, exit_node.spec.port);
 
         // Okay, so apparently Linode uses base64 for user_data, so let's
         // base64 encode the config
@@ -85,9 +82,14 @@ impl Provisioner for LinodeProvisioner {
             exit_node.metadata.name.as_ref().unwrap()
         );
 
+        // Since we now directly pass in the chisel auth string with the `chisel:` prefix, let's remove the prefix
+        let root_password = chisel_auth_string
+            .strip_prefix("chisel:")
+            .unwrap_or(&chisel_auth_string);
+
         let mut instance = api
             .create_instance(&self.region, &self.size)
-            .root_pass(&password)
+            .root_pass(root_password)
             .label(&name)
             .user_data(&user_data)
             .tags(vec![format!("chisel-operator-provisioner:{}", provisioner)])
@@ -123,7 +125,7 @@ impl Provisioner for LinodeProvisioner {
             instance_ip,
             instance.label,
             provisioner.to_string(),
-            Some(&instance.id.to_string()),
+            Some(instance.id.to_string()),
         );
 
         Ok(status)
@@ -152,6 +154,7 @@ impl Provisioner for LinodeProvisioner {
         &self,
         auth: Secret,
         exit_node: ExitNode,
+        node_password: String,
     ) -> color_eyre::Result<ExitNodeStatus> {
         let api = LinodeApi::new(self.get_token(&auth).await?);
 
@@ -178,7 +181,9 @@ impl Provisioner for LinodeProvisioner {
             Ok(status)
         } else {
             warn!("No instance status found, creating new instance");
-            return self.create_exit_node(auth.clone(), exit_node).await;
+            return self
+                .create_exit_node(auth.clone(), exit_node, node_password)
+                .await;
         }
     }
 }

src/cloud/mod.rs

@@ -27,11 +27,13 @@ pub trait Provisioner {
         &self,
         auth: Secret,
         exit_node: ExitNode,
+        node_password: String,
     ) -> color_eyre::Result<ExitNodeStatus>;
     async fn update_exit_node(
         &self,
         auth: Secret,
         exit_node: ExitNode,
+        node_password: String,
     ) -> color_eyre::Result<ExitNodeStatus>;
     async fn delete_exit_node(&self, auth: Secret, exit_node: ExitNode) -> color_eyre::Result<()>;
 }