feat-273: TLS Flags #303
Signed-off-by: will <30413278+wcrum@users.noreply.github.com>
@zackbradys working on fixing unit tests.
Thanks @wcrum! It looks like it's due to the PR for
I made a few small syntax changes and addressed the failing unit test workflow. Feel free to let us know if you disagree with any of the updates/changes! diff/commit: 9bbbc5b
LGTM pending any feedback!
Looks good to me. Appreciate it! I've been meaning to migrate flags from other commands as well to stick with the changed folder format. Will open docs PR.
After reviewing again I realized that although adding
Thanks for catching those! I'm comfortable finishing the flags migration on this PR. Feel free to add a bit more on this one. Looks like I see a few left over ones in
Testing locally built

```
zackbradys@Zacks-MacBook-Pro hauler % ./bin/hauler store sync -f testdata/hauler-manifest.yaml
2024-08-25 16:05:34 INF syncing [content.hauler.cattle.io/v1alpha1, Kind=Images] to store
2024-08-25 16:05:34 INF adding 'image' [busybox:latest] to the store
2024-08-25 16:05:38 INF successfully added 'image' [index.docker.io/library/busybox:latest]
2024-08-25 16:05:38 INF syncing [content.hauler.cattle.io/v1alpha1, Kind=Charts] to store
2024-08-25 16:05:38 INF adding 'chart' [rancher] to the store
2024-08-25 16:05:39 INF successfully added 'chart' [hauler/rancher:2.8.2]
2024-08-25 16:05:39 INF syncing [content.hauler.cattle.io/v1alpha1, Kind=Files] to store
2024-08-25 16:05:39 INF adding 'file' [https://get.rke2.io] to the store as [hauler/install.sh:latest]
2024-08-25 16:05:39 INF successfully added 'file' [hauler/install.sh:latest]

zackbradys@Zacks-MacBook-Pro hauler % ./bin/hauler store info
+--------------------------+-------+----------------+----------+----------+
| REFERENCE                | TYPE  | PLATFORM       | # LAYERS | SIZE     |
+--------------------------+-------+----------------+----------+----------+
| hauler/install.sh:latest | file  | -              | 1        | 25.0 kB  |
| hauler/rancher:2.8.2     | chart | -              | 1        | 15.0 kB  |
| library/busybox:latest   | image | linux/386      | 1        | 2.2 MB   |
|                          | image | linux/amd64    | 1        | 2.2 MB   |
|                          | image | linux/arm      | 1        | 1.8 MB   |
|                          | image | linux/arm      | 1        | 949.0 kB |
|                          | image | linux/arm      | 1        | 1.6 MB   |
|                          | image | linux/arm64    | 1        | 1.8 MB   |
|                          | image | linux/mips64le | 1        | 2.1 MB   |
|                          | image | linux/ppc64le  | 1        | 2.5 MB   |
|                          | image | linux/riscv64  | 1        | 895.2 kB |
|                          | image | linux/s390x    | 1        | 1.9 MB   |
+--------------------------+-------+----------------+----------+----------+
| TOTAL                                                        | 17.8 MB  |
+--------------------------+-------+----------------+----------+----------+

zackbradys@Zacks-MacBook-Pro hauler % ./bin/hauler store serve registry --help
Serve the embedded registry

Usage:
  hauler store serve registry [flags]

Flags:
  -c, --config string      Path to config file, overrides all other flags
      --directory string   Directory to use for backend. Defaults to $PWD/registry (default "registry")
  -h, --help               help for registry
  -p, --port int           Port used to accept incoming connections (default 5000)
      --readonly           Run the registry as readonly (default true)
      --tls-cert string    Location of the TLS Certificate
      --tls-key string     Location of the TLS Key

Global Flags:
      --cache string       (deprecated flag and currently not used)
  -l, --log-level string   (default "info")
  -s, --store string       Location to create store at (default "store")

zackbradys@Zacks-MacBook-Pro hauler % ./bin/hauler store serve registry --port 5001 --readonly --tls-cert testdata/certs/server-cert.crt --tls-key testdata/certs/server-cert.key
2024-08-25 16:06:38 INF library/busybox:latest
2024-08-25 16:06:38 INF 2024/08/25 16:06:38 existing manifest: latest@sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7
2024-08-25 16:06:38 INF hauler/rancher:2.8.2
2024-08-25 16:06:38 INF 2024/08/25 16:06:38 existing manifest: 2.8.2@sha256:27e742f51e66e32512509a95523bc9a531ec63f723c730b47685e7678cbc30d3
2024-08-25 16:06:38 INF hauler/install.sh:latest
2024-08-25 16:06:38 INF 2024/08/25 16:06:38 existing manifest: latest@sha256:d50b7c9f77ecb424481ee733421a2a1d154e49dde6a7f56996cd440958819b21
2024-08-25 16:06:38 INF copied artifacts to [127.0.0.1:58804]
2024-08-25 16:06:38 INF starting registry on port [5001]
WARN[0001] No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable.  go.version=go1.23.0 version=v3.0.0+unknown
INFO[0001] redis not configured                          go.version=go1.23.0 version=v3.0.0+unknown
INFO[0001] Starting upload purge in 39m0s                go.version=go1.23.0 version=v3.0.0+unknown
INFO[0001] using inmemory blob descriptor cache          go.version=go1.23.0 version=v3.0.0+unknown
INFO[0001] restricting TLS version to tls1.2 or higher   go.version=go1.23.0 version=v3.0.0+unknown
INFO[0001] restricting TLS cipher suites to: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384  go.version=go1.23.0 version=v3.0.0+unknown
INFO[0001] listening on [::]:5001, tls                   go.version=go1.23.0 version=v3.0.0+unknown
127.0.0.1 - - [25/Aug/2024:16:09:01 -0400] "GET / HTTP/2.0" 200 0 "" "curl/8.7.1"
127.0.0.1 - - [25/Aug/2024:16:09:12 -0400] "GET / HTTP/2.0" 200 0 "" "curl/8.7.1"
127.0.0.1 - - [25/Aug/2024:16:09:18 -0400] "GET / HTTP/2.0" 200 0 "" "curl/8.7.1"
```

Testing certificates with

```
zackbradys@Zacks-MacBook-Pro certs % curl -v --cacert cacerts.pem https://hauler.dev:5001
* Host hauler.dev:5001 was resolved.
* IPv6: 2606:4700:3036::6815:1962, 2606:4700:3034::ac43:85fb
* IPv4: 127.0.0.1
*   Trying 127.0.0.1:5001...
* Connected to hauler.dev (127.0.0.1) port 5001
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: cacerts.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=VIRGINIA; L=RESTON; O=HAULER; OU=HAULER DEV; CN=hauler.dev
*  start date: Aug 25 20:04:36 2024 GMT
*  expire date: Aug 23 20:04:36 2034 GMT
*  subjectAltName: host "hauler.dev" matched cert's "hauler.dev"
*  issuer: C=US; ST=VIRGINIA; L=RESTON; O=HAULER; OU=HAULER DEV; CN=INTERMEDIARY CERTIFICATE AUTHORITY CERTIFICATE
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://hauler.dev:5001/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: hauler.dev:5001]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: hauler.dev:5001
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
< cache-control: no-cache
< content-length: 0
< date: Sun, 25 Aug 2024 20:10:07 GMT
<
* Connection #0 to host hauler.dev left intact
```

Testing registry endpoint with

```
zackbradys@Zacks-MacBook-Pro certs % curl --cacert cacerts.pem https://hauler.dev:5001/v2/_catalog
{"repositories":["hauler/install.sh","hauler/rancher","library/busybox"]}
```
LGTM! Looks good and thank you for the multiple updates.
Please check below, if the PR fulfills these requirements:

Associated Links:

Types of Changes:

Proposed Changes:
- `DefaultStoreName` to `pkg/consts/consts.go` to standard constant locations.
- `ListenAndServeTLS(string, string)` to `Server` interface to support TLS.
- `--tls-cert` and `--tls-key` to `hauler store serve [fileserver|registry]`.
- `internal/flags/*` to prevent loop import cycle.
- `AddArgs` to `AddFlags` (bbad607).

Verification/Testing of Changes:

Additional Context:
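As an added example (not hauler's own code) of the wiring this PR describes, a Go serve helper that takes the `--tls-cert`/`--tls-key` pair, refuses a half-configured pair instead of silently falling back to plaintext, and pins the TLS 1.2 minimum and AEAD suites the embedded registry reports at startup; the function names `tlsFiles`, `tlsConfig` and `serve` are assumptions.

```go
package main

import (
	"crypto/tls"
	"errors"
	"net/http"
)

// tlsFiles validates the --tls-cert/--tls-key pair: both set enables TLS,
// neither set means plaintext, and exactly one set is a configuration error
// rather than a silent fall back to plaintext serving. (Illustrative helper.)
func tlsFiles(cert, key string) (bool, error) {
	switch {
	case cert == "" && key == "":
		return false, nil
	case cert == "" || key == "":
		return false, errors.New("--tls-cert and --tls-key must be given together")
	}
	return true, nil
}

// tlsConfig mirrors the restrictions the registry logs at startup: TLS 1.2
// minimum and AEAD-only suites for TLS 1.2 (Go fixes the TLS 1.3 suites itself).
func tlsConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// serve chooses ListenAndServe or ListenAndServeTLS from the validated flags.
func serve(addr, cert, key string, h http.Handler) error {
	enabled, err := tlsFiles(cert, key)
	if err != nil {
		return err
	}
	srv := &http.Server{Addr: addr, Handler: h, TLSConfig: tlsConfig()}
	if enabled {
		return srv.ListenAndServeTLS(cert, key)
	}
	return srv.ListenAndServe()
}
```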