Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

config.TLS: Inline PEM-encoded Certs, Keys and CAs #113

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

config.TLS: Inline PEM-encoded Certs, Keys and CAs #113

wants to merge 1 commit into from
+235 −17

Conversation

oxzi
Copy link
Member

@oxzi oxzi commented Mar 5, 2025

Introduced support for raw encoded PEM data instead of filenames for TLS.Cert, TLS.Key and TLS.Ca. This should make it easier to get rid of the additional entrypoint program for docker-icingadb and allow direct use of Icinga DB with its environment variable support.

In addition to the implementation, new tests were written with the goal of complete coverage. A consumer of this type, database.Config, got another test case using PEMs both as environment variables and as YAML

@oxzi oxzi added this to the 0.6.0 milestone Mar 5, 2025
@oxzi oxzi requested a review from lippserd March 5, 2025 09:57
@cla-bot cla-bot bot added the cla/signed CLA is signed by all contributors of a PR label Mar 5, 2025
julianbrost
julianbrost reviewed Mar 5, 2025
View reviewed changes
@oxzi oxzi force-pushed the tls-support-inline-pem branch from b9a288c to 42cf4c4 Compare March 5, 2025 10:35
@oxzi oxzi requested a review from julianbrost March 5, 2025 10:37
oxzi added a commit to Icinga/icingadb that referenced this pull request Mar 5, 2025
@oxzi
doc/03-Configuration.md: Environment Variables
49ecf4e 
New ways to configure Icinga DB were introduced in [icingadb-831] and
[igl-113]. The first change allows configuring Icinga DB using
environment variables instead of or next to the YAML configuration file.
In addition, the second change allows setting certificates and keys as
PEM-encoded strings next to referencing files. This was now documented.

As a structural change, the order of the Database and Redis sections
were changed to reflect the order in the example configuration file.

Some words about the Logging Components were written, as the
documentation previously that they exist.

[icingadb-831]: #831
[igl-113]: Icinga/icinga-go-library#113
@oxzi oxzi mentioned this pull request Mar 5, 2025
Draft
3 tasks
lippserd
lippserd requested changes Mar 5, 2025
View reviewed changes
Copy link
Member

@lippserd lippserd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would introduce a utility function that does both pem.Decode() and os.ReadFile() in order to reduce code complexity. The first part could then look like this:

certPem, err := loadPemOrFile(t.Cert)
if err != nil {
    return nil, errors.Wrap(err, "can't load certificate")
}

keyPem, err := loadPemOrFile(t.Key)
if err != nil {
    return nil, errors.Wrap(err, "can't load key")
}

crt, err := tls.X509KeyPair(certPem, KeyPem)
if err != nil {
    return nil, errors.Wrap(err, "can't load X.509 key pair")
}

tlsConfig.Certificates = []tls.Certificate{crt}
func loadPemOrFile(subject string) ([]byte, error) {
    if block, _ := pem.Decode([]byte(subject)); block != nil {
        return []byte(subject), nil
    }

    data, err := os.ReadFile(subject)
    if err != nil {
        return nil, err
    }

    return data, nil
}

@oxzi
config.TLS: Inline PEM-encoded Certs, Keys and CAs
914dd25 
Introduced support for raw encoded PEM data instead of filenames for
TLS.Cert, TLS.Key and TLS.Ca. This should make it easier to get rid of
the additional entrypoint program for docker-icingadb and allow direct
use of Icinga DB with its environment variable support.

In addition to the implementation, new tests were written with the goal
of complete coverage. A consumer of this type, database.Config, got
another test case using PEMs both as environment variables and as YAML
@oxzi oxzi force-pushed the tls-support-inline-pem branch from 42cf4c4 to 914dd25 Compare March 6, 2025 08:10
@oxzi
Copy link
Member Author

oxzi commented Mar 6, 2025

@lippserd: Valid point. I have moved the decision logic to a helper function like you suggested. Now the body of the actual MakeConfig method looks cleaner. While working on it, I have flattened the if and removed the nested if, making it easier to read IMO.

@oxzi oxzi requested a review from lippserd March 6, 2025 08:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@julianbrost julianbrost Awaiting requested review from julianbrost

@lippserd lippserd Awaiting requested review from lippserd

Assignees
No one assigned
Labels
cla/signed CLA is signed by all contributors of a PR
Projects
None yet
Milestone
0.6.0
Development

Successfully merging this pull request may close these issues.
3 participants
@oxzi @julianbrost @lippserd