From f5297e5c731527db4768ff8763ccb39808f6c90b Mon Sep 17 00:00:00 2001 From: greg pereira Date: Sun, 19 May 2024 10:10:29 -0700 Subject: [PATCH 1/4] apiserver env support + tls configs Signed-off-by: greg pereira --- ui/.env.example | 8 +++ ui/apiserver/apiserver.go | 134 +++++++++++++++++++++++++++++++++++--- ui/compose.ui | 2 + 3 files changed, 135 insertions(+), 9 deletions(-) diff --git a/ui/.env.example b/ui/.env.example index aee17b0..9b251cb 100644 --- a/ui/.env.example +++ b/ui/.env.example @@ -12,3 +12,11 @@ IL_GRANITE_MODEL_NAME= IL_MERLINITE_API= IL_MERLINITE_MODEL_NAME= GITHUB_TOKEN= +PRECHECK_ENDPOINT= + +# TLS variables +# the following have to absoulte paths +TLS_CLIENT_CERT_PATH= +TLS_CLIENT_KEY_PATH= +TLS_SERVER_CA_CERT_PATH= +# Note, you cannot set TLS_INSECURE in this .env file, you have to pass it to the apiserver as a CLI arg diff --git a/ui/apiserver/apiserver.go b/ui/apiserver/apiserver.go index aa78196..32ac542 100644 --- a/ui/apiserver/apiserver.go +++ b/ui/apiserver/apiserver.go @@ -4,6 +4,7 @@ import ( "bytes" "context" "crypto/tls" + "crypto/x509" "encoding/json" "fmt" "io" @@ -25,8 +26,17 @@ const ( redisQueueArchive = "archived" ) -const PreCheckEndpointURL = "https://merlinite-7b-vllm-openai.apps.fmaas-backend.fmaas.res.ibm.com/v1" -const InstructLabBotUrl = "http://bot:8081" +const ( + localEndpoint = "http://localhost:8000/v1" + InstructLabBotUrl = "http://bot:8081" +) + +type TLSConfig struct { + TlsClientCertPath string + TlsClientKeyPath string + TlsServerCaCertPath string + TlsInsecure bool +} type ApiServer struct { router *gin.Engine @@ -36,6 +46,7 @@ type ApiServer struct { testMode bool preCheckEndpointURL string instructLabBotUrl string + tlsConfig TLSConfig } type JobData struct { 
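Review bot: The new exported `TLSConfig` type and its fields carry no doc comments, and the field names spell the initialism differently from the type (`TlsClientCertPath` next to `TLSConfig`). Go keeps initialisms in one case, so `TLSClientCertPath`, `TLSClientKeyPath`, `TLSServerCACertPath` and `TLSInsecure` would match, and a comment such as `// TLSConfig holds the certificate/key paths and verification mode used for the listener and for outbound requests.` would state what the paths are for — which matters because, further down in this commit, the same cert/key pair appears to serve as the listener's identity in main and as a client certificate in buildHTTPServer. The type is only referenced inside this package, so unexporting it (`tlsConfig`) would avoid committing to a public shape while it is still in flux.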
@@ -202,14 +213,61 @@ func (api *ApiServer) knowledgePRHandler(c *gin.Context) { c.JSON(http.StatusCreated, gin.H{"msg": responseBody.String()}) } -// Sent http post request using custom client with zero timeout -func (api *ApiServer) sendPostRequest(url string, body io.Reader) (*http.Response, error) { - client := &http.Client{ +func (api *ApiServer) buildHTTPServer() (http.Client, error) { + defaultHTTPClient := http.Client{ Timeout: 0 * time.Second, Transport: &http.Transport{ TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, }, } + if !api.tlsConfig.TlsInsecure { + certs, err := tls.LoadX509KeyPair(api.tlsConfig.TlsClientCertPath, api.tlsConfig.TlsClientKeyPath) + if err != nil { + api.logger.Warnf("failed to load client certificate/key: %w", err) + return defaultHTTPClient, fmt.Errorf("Error load client certificate/key, defaulting to TLS Insecure session (http)") + } + // // NOT SURE WE NEED SERVER CA CERT FOR THIS, PLEASE ADVISE + caCert, err := os.ReadFile(api.tlsConfig.TlsServerCaCertPath) + if err != nil { + api.logger.Warnf("failed to read server CA certificate: %w", err) + return defaultHTTPClient, fmt.Errorf("Error load server CA certificate, defaulting to TLS Insecure session (http)") + } + caCertPool := x509.NewCertPool() + caCertPool.AppendCertsFromPEM(caCert) + tlsConfig := &tls.Config{ + Certificates: []tls.Certificate{certs}, + RootCAs: caCertPool, + InsecureSkipVerify: true, + } + httpClient := &http.Client{ + Transport: &http.Transport{ + TLSClientConfig: tlsConfig, + TLSHandshakeTimeout: 10 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + }, + } + return *httpClient, nil + } else { + return defaultHTTPClient, nil + } +} + +// Sent http post request using custom client with zero timeout +func (api *ApiServer) sendPostRequest(url string, body io.Reader) (*http.Response, error) { + client, err := api.buildHTTPServer() + if err != nil { + // Either running http with tlsInsecure = true, or https runing with tlsInsecure = false + if 
err.Error() == "Error load client certificate/key, defaulting to TLS Insecure session (http)" || + err.Error() == "Error load server CA certificate, defaulting to TLS Insecure session (http)" { + // Handle the specific error (e.g., log it) + api.logger.Warn("Warning: TLS certificate/key or server CA certificate not loaded, downgraded to http client.") + } else { + // Handle other errors + err = fmt.Errorf("Error creating http(s) server: %v", err) + fmt.Print(err) + return nil, err + } + } request, err := http.NewRequest("POST", url, body) if err != nil { 
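Review bot: The cert-backed branch of buildHTTPServer still sets `InsecureSkipVerify: true` next to `RootCAs: caCertPool`, so the CA bundle is loaded but never used to verify the precheck endpoint — with `tls-insecure` left false the connection is still unauthenticated, and the flag should drive it: `InsecureSkipVerify: api.tlsConfig.TlsInsecure`. On a failed cert/key or CA load the function also hands back the skip-verify `defaultHTTPClient` and sendPostRequest merely logs a warning, so a missing file silently downgrades a deployment that asked for verification; returning the error without a client and letting the caller fail is the safer default. `api.logger.Warnf("...: %w", err)` is Printf-style, so `%w` prints as `%!w(...)` — use `%v` there. sendPostRequest recognizes the downgrade by comparing `err.Error()` to two literal messages; sentinel values (`var errTLSDowngrade = errors.New(...)`) checked with `errors.Is` would survive a message edit. Finally, the function builds a client, not a server, so `buildHTTPClient` would name it correctly.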
@@ -459,10 +517,51 @@ func main() { redisAddress := pflag.String("redis-server", "localhost:6379", "Redis server address") apiUser := pflag.String("api-user", "", "API username") apiPass := pflag.String("api-pass", "", "API password") - preCheckEndpointURL := pflag.String("precheck-endpoint", PreCheckEndpointURL, "Precheck endpoint URL") + preCheckEndpointURL := pflag.String("precheck-endpoint", "", "Precheck endpoint URL") InstructLabBotUrl := pflag.String("bot-url", InstructLabBotUrl, "InstructLab Bot URL") + // TLS variables + tlsInsecure := pflag.Bool("tls-insecure", false, "Whether to skip TLS verification") + tlsClientCertPath := pflag.String("tls-client-cert", "$HOME/client-tls-crt.pem2", "Path to the TLS client certificate. Defaults to 'client-tls-crt.pem2'") + tlsClientKeyPath := pflag.String("tls-client-key", "$HOME/client-tls-key.pem2", "Path to the TLS client key. Defaults to 'client-tls-key.pem2'") + tlsServerCaCertPath := pflag.String("tls-server-ca-cert", "$HOME/server-ca-crt.pem2", "Path to the TLS server CA certificate. 
Defaults to 'server-ca-crt.pem2'") pflag.Parse() + /* Support env population with priority being: + 1) flag + 2) env + 3) acceptable defaults + */ + + // Precheck endpoint + HOME := os.Getenv("HOME") + if *preCheckEndpointURL == "" { + preCheckEndpointURLEnvValue := os.Getenv("PECHECK_ENDPOINT") + if preCheckEndpointURLEnvValue != "" { + *preCheckEndpointURL = preCheckEndpointURLEnvValue + } else { + *preCheckEndpointURL = localEndpoint + } + } + // TLS certPath + if *tlsClientCertPath == "" { + tlsClientCertPathEnvValue := os.Getenv("TLS_CLIENT_CERT_PATH") + if tlsClientCertPathEnvValue != "" { + *tlsClientCertPath = tlsClientCertPathEnvValue + } else { + *tlsClientCertPath = fmt.Sprintf("%s/client-tls-crt.pem2", HOME) + } + } + // TLS keyPath + if *tlsClientKeyPath == "" { + tlsClientKeyPathEnvValue := os.Getenv("TLS_CLIENT_KEY_PATH") + if tlsClientKeyPathEnvValue != "" { + *tlsClientKeyPath = tlsClientKeyPathEnvValue + } else { + *tlsClientKeyPath = fmt.Sprintf("%s/client-tls-key.pem2", HOME) + } + } + // NOTE: TLSInsecure not settable by env, just apiserver cli flag or defaults to false + logger := setupLogger(*debugFlag) defer logger.Sync() 
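Review bot: The env fallback for the precheck endpoint reads `os.Getenv("PECHECK_ENDPOINT")`, while the variable added to `.env.example` in this same commit is `PRECHECK_ENDPOINT`, so the documented variable is never honored and the server quietly falls back to `localEndpoint`; the typo is still visible as context in the third and fourth commits of this series. The line should be `preCheckEndpointURLEnvValue := os.Getenv("PRECHECK_ENDPOINT")`. `HOME := os.Getenv("HOME")` is empty when the variable is unset (minimal containers, service units), which turns the defaults into paths at the filesystem root; `os.UserHomeDir()` reports that case as an error and `filepath.Join(home, "client-tls-crt.pem2")` is the idiomatic way to build the path. The `tls-insecure` help text "Whether to skip TLS verification" also undersells the flag, since it additionally decides below whether the listener runs TLS at all.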
@@ -483,11 +582,28 @@ func main() { testMode: *testMode, preCheckEndpointURL: *preCheckEndpointURL, instructLabBotUrl: *InstructLabBotUrl, + tlsConfig: TLSConfig{ + TlsInsecure: *tlsInsecure, + TlsClientCertPath: *tlsClientCertPath, + TlsClientKeyPath: *tlsClientKeyPath, + TlsServerCaCertPath: *tlsServerCaCertPath, + }, } svr.setupRoutes(*apiUser, *apiPass) - svr.logger.Info("ApiServer starting", zap.String("listen-address", *listenAddress)) - if err := svr.router.Run(*listenAddress); err != nil { - svr.logger.Error("ApiServer failed to start", zap.Error(err)) + if *tlsInsecure == false { + // Check if we is valid key pair + _, err := tls.LoadX509KeyPair(*tlsClientCertPath, *tlsClientKeyPath) + if err != nil { + logger.Fatal(fmt.Errorf("TLS enforced but failed to load client certificate/key: %w", err)) + } + svr.logger.Info("ApiServer starting with TLS", zap.String("listen-address", *listenAddress)) + if err := svr.router.RunTLS(*listenAddress, *tlsClientCertPath, *tlsClientKeyPath); err != nil { + svr.logger.Error("ApiServer failed to start", zap.Error(err)) + } + } else { + if err := svr.router.Run(*listenAddress); err != nil { + svr.logger.Error("ApiServer failed to start", zap.Error(err)) + } } } diff --git a/ui/compose.ui b/ui/compose.ui index 1a1c761..73624c8 100644 --- a/ui/compose.ui +++ b/ui/compose.ui @@ -39,6 +39,8 @@ services: network_mode: "host" depends_on: - redis + env_file: + - .env environment: # Bind on all interface LISTEN_ADDRESS: "${LISTEN_ADDRESS:-:3000}" From c2f3a0a702c424dd6914521835f4707b0f185e21 Mon Sep 17 00:00:00 2001 From: greg pereira Date: Sun, 19 May 2024 10:18:30 -0700 Subject: [PATCH 2/4] apiserver credential env support Signed-off-by: greg pereira --- ui/.env.example | 6 ++++-- ui/apiserver/apiserver.go | 27 +++++++++++++++++++++++++-- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/ui/.env.example b/ui/.env.example index 9b251cb..836f88e 100644 --- a/ui/.env.example +++ b/ui/.env.example 
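Review bot: `svr.router.RunTLS(*listenAddress, *tlsClientCertPath, *tlsClientKeyPath)` serves the listener with the files the flags and `TLSConfig` describe as the client certificate and key, while buildHTTPServer in the same commit presents that pair as a client certificate to the precheck endpoint; one key pair is playing both server identity and client identity, which only works if the certificate carries both usages and is trusted by both peers. Naming the listener's pair for what it is (e.g. `tls-cert`/`tls-key`) or introducing a separate server pair would make the deployment intent explicit. The `tls.LoadX509KeyPair` pre-check is redundant, since `RunTLS` loads the same files and returns the error, and `if *tlsInsecure == false` is idiomatically `if !*tlsInsecure`.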
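Review bot: `env_file: - .env` injects every variable in `.env` into the apiserver container, including values nothing in this diff shows the server reading, such as `GITHUB_TOKEN` and the `OAUTH_GITHUB_*` secrets listed in `.env.example`. Listing only the variables the apiserver consumes under the existing `environment:` key (or giving the apiserver its own env file) keeps those secrets out of a process that does not need them.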
@@ -1,7 +1,5 @@ IL_UI_ADMIN_USERNAME=admin IL_UI_ADMIN_PASSWORD=password -IL_UI_API_SERVER_USERNAME=kitteh -IL_UI_API_SERVER_PASSWORD=floofykittens IL_UI_API_SERVER_URL=http://:8000 OAUTH_GITHUB_ID= OAUTH_GITHUB_SECRET= @@ -20,3 +18,7 @@ TLS_CLIENT_CERT_PATH= TLS_CLIENT_KEY_PATH= TLS_SERVER_CA_CERT_PATH= # Note, you cannot set TLS_INSECURE in this .env file, you have to pass it to the apiserver as a CLI arg + +# API creds variables +API_USER= +API_PASS= diff --git a/ui/apiserver/apiserver.go b/ui/apiserver/apiserver.go index 32ac542..89945ae 100644 --- a/ui/apiserver/apiserver.go +++ b/ui/apiserver/apiserver.go @@ -526,12 +526,15 @@ func main() { tlsServerCaCertPath := pflag.String("tls-server-ca-cert", "$HOME/server-ca-crt.pem2", "Path to the TLS server CA certificate. Defaults to 'server-ca-crt.pem2'") pflag.Parse() - /* Support env population with priority being: + /* ENV support, most variabls take 3 options, with the following priority: 1) flag 2) env 3) acceptable defaults */ + // NOTE: not all variables support all 3 methods, in which case they will be documented via comments. + // With no comment, assume they support all 3. + // Precheck endpoint HOME := os.Getenv("HOME") if *preCheckEndpointURL == "" { @@ -542,7 +545,8 @@ func main() { *preCheckEndpointURL = localEndpoint } } - // TLS certPath + + // TLS configurations if *tlsClientCertPath == "" { tlsClientCertPathEnvValue := os.Getenv("TLS_CLIENT_CERT_PATH") if tlsClientCertPathEnvValue != "" { 
@@ -560,8 +564,27 @@ func main() { *tlsClientKeyPath = fmt.Sprintf("%s/client-tls-key.pem2", HOME) } } + // NOTE: TLSInsecure not settable by env, just apiserver cli flag or defaults to false + /* API credentials + API creds support only apiserver cli flag or env, no default values. + */ + // API user + if *apiUser == "" { + apiUserEnvValue := os.Getenv("API_USER") + if apiUserEnvValue != "" { + *apiUser = apiUserEnvValue + } + } + // API pass + if *apiPass == "" { + apiPassEnvValue := os.Getenv("API_PASS") + if apiPassEnvValue != "" { + *apiPass = apiPassEnvValue + } + } + logger := setupLogger(*debugFlag) defer logger.Sync() From 49a4236f65ef739ac97af654790ada9267fac050 Mon Sep 17 00:00:00 2001 From: greg pereira Date: Sun, 19 May 2024 10:57:44 -0700 Subject: [PATCH 3/4] bugfixing, using home var instead of home var string Signed-off-by: greg pereira --- ui/apiserver/apiserver.go | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/ui/apiserver/apiserver.go b/ui/apiserver/apiserver.go index 89945ae..8cf6281 100644 --- a/ui/apiserver/apiserver.go +++ b/ui/apiserver/apiserver.go 
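Review bot: After the env fallback, `apiUser` and `apiPass` can both still be empty and execution continues to `svr.setupRoutes(*apiUser, *apiPass)` with nothing telling the operator the server is starting without credentials. If setupRoutes treats empty values as "no auth" (its body is not in this diff), a forgotten `API_PASS` silently exposes the API, so a fail-fast right after the logger is created, `if *apiUser == "" || *apiPass == "" { logger.Fatal("api-user and api-pass (or API_USER/API_PASS) must be set") }`, is worth adding. The `--api-pass` flag also leaves the password visible in process listings and shell history, so the env route added here should be the documented way to supply it.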
@@ -521,9 +521,9 @@ func main() { InstructLabBotUrl := pflag.String("bot-url", InstructLabBotUrl, "InstructLab Bot URL") // TLS variables tlsInsecure := pflag.Bool("tls-insecure", false, "Whether to skip TLS verification") - tlsClientCertPath := pflag.String("tls-client-cert", "$HOME/client-tls-crt.pem2", "Path to the TLS client certificate. Defaults to 'client-tls-crt.pem2'") - tlsClientKeyPath := pflag.String("tls-client-key", "$HOME/client-tls-key.pem2", "Path to the TLS client key. Defaults to 'client-tls-key.pem2'") - tlsServerCaCertPath := pflag.String("tls-server-ca-cert", "$HOME/server-ca-crt.pem2", "Path to the TLS server CA certificate. Defaults to 'server-ca-crt.pem2'") + tlsClientCertPath := pflag.String("tls-client-cert", "", "Path to the TLS client certificate. Evantually defaults to '$HOME/client-tls-crt.pem2'") + tlsClientKeyPath := pflag.String("tls-client-key", "", "Path to the TLS client key. Evantually defaults to '$HOME/client-tls-key.pem2'") + tlsServerCaCertPath := pflag.String("tls-server-ca-cert", "", "Path to the TLS server CA certificate. Evantually defaults to '$HOME/server-ca-crt.pem2'") pflag.Parse() /* ENV support, most variabls take 3 options, with the following priority: @@ -536,7 +536,6 @@ func main() { // With no comment, assume they support all 3. // Precheck endpoint - HOME := os.Getenv("HOME") if *preCheckEndpointURL == "" { preCheckEndpointURLEnvValue := os.Getenv("PECHECK_ENDPOINT") if preCheckEndpointURLEnvValue != "" { @@ -547,6 +546,7 @@ func main() { } // TLS configurations + HOME := os.Getenv("HOME") if *tlsClientCertPath == "" { tlsClientCertPathEnvValue := os.Getenv("TLS_CLIENT_CERT_PATH") if tlsClientCertPathEnvValue != "" { 
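Review bot: `HOME := os.Getenv("HOME")` returns an empty string when the variable is unset, so the computed defaults become `/client-tls-crt.pem2` at the filesystem root and the resulting "no such file" error points at the wrong place. `home, err := os.UserHomeDir()` reports that case explicitly and is portable, and `filepath.Join(home, "client-tls-crt.pem2")` is the idiomatic replacement for `fmt.Sprintf("%s/...", HOME)`. The all-caps local `HOME` reads as a constant — `home` is conventional — and the three new help strings misspell "Eventually".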
@@ -564,6 +564,14 @@ func main() { *tlsClientKeyPath = fmt.Sprintf("%s/client-tls-key.pem2", HOME) } } + if *tlsServerCaCertPath == "" { + tlsServerCaCertPathEnvValue := os.Getenv("TLS_SERVER_CA_CERT_PATH") + if tlsServerCaCertPathEnvValue != "" { + *tlsServerCaCertPath = tlsServerCaCertPathEnvValue + } else { + *tlsServerCaCertPath = fmt.Sprintf("%s/server-ca-crt.pem2", HOME) + } + } // NOTE: TLSInsecure not settable by env, just apiserver cli flag or defaults to false From c483619278e2038e0720547406054fc4c88433e5 Mon Sep 17 00:00:00 2001 From: greg pereira Date: Thu, 30 May 2024 09:32:35 -0700 Subject: [PATCH 4/4] wip refactor to single dev mode flag Signed-off-by: greg pereira --- ui/apiserver/apiserver.go | 156 +++++++++++++------------------------- 1 file changed, 52 insertions(+), 104 deletions(-) diff --git a/ui/apiserver/apiserver.go b/ui/apiserver/apiserver.go index 8cf6281..41f81cb 100644 --- a/ui/apiserver/apiserver.go +++ b/ui/apiserver/apiserver.go @@ -8,6 +8,7 @@ import ( "encoding/json" "fmt" "io" + "log" "net/http" "os" "os/exec" @@ -29,15 +30,11 @@ const ( const ( localEndpoint = "http://localhost:8000/v1" InstructLabBotUrl = "http://bot:8081" + TLSCertChainPath = "/home/fedora/chain.pem" + TLSClientCRTPath = "/home/fedora/client-tls-crt.pem2" + TLSClientKEYPath = "/home/fedora/client-tls-key.pem2" ) -type TLSConfig struct { - TlsClientCertPath string - TlsClientKeyPath string - TlsServerCaCertPath string - TlsInsecure bool -} - type ApiServer struct { router *gin.Engine logger *zap.SugaredLogger @@ -46,7 +43,7 @@ type ApiServer struct { testMode bool preCheckEndpointURL string instructLabBotUrl string - tlsConfig TLSConfig + devMode bool } type JobData struct { 
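Review bot: Replacing the `tls-client-cert`/`tls-client-key`/`tls-server-ca-cert` flags with the constants `TLSCertChainPath = "/home/fedora/chain.pem"`, `TLSClientCRTPath` and `TLSClientKEYPath` bakes one host's home directory into the binary and removes the only way to point a deployment at its own certificates. Even for a WIP, keeping the flag/env lookup that this commit deletes further down, with these values as defaults, would preserve configurability. Of the three constants only `TLSCertChainPath` is used in the hunks shown; if the client cert/key constants are now dead, they should go rather than suggest a mutual-TLS setup that no longer exists.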
@@ -214,30 +211,23 @@ func (api *ApiServer) knowledgePRHandler(c *gin.Context) { } func (api *ApiServer) buildHTTPServer() (http.Client, error) { - defaultHTTPClient := http.Client{ - Timeout: 0 * time.Second, - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, - }, - } - if !api.tlsConfig.TlsInsecure { - certs, err := tls.LoadX509KeyPair(api.tlsConfig.TlsClientCertPath, api.tlsConfig.TlsClientKeyPath) + tlsInseucre := !api.devMode + if !api.devMode { + certPool := x509.NewCertPool() + pemData, err := os.ReadFile(TLSCertChainPath) // Replace with your certificate file path if err != nil { - api.logger.Warnf("failed to load client certificate/key: %w", err) - return defaultHTTPClient, fmt.Errorf("Error load client certificate/key, defaulting to TLS Insecure session (http)") + err = fmt.Errorf("Failed to read cert chain file: %s", err) + api.logger.Error(err) + return http.Client{}, err } - // // NOT SURE WE NEED SERVER CA CERT FOR THIS, PLEASE ADVISE - caCert, err := os.ReadFile(api.tlsConfig.TlsServerCaCertPath) - if err != nil { - api.logger.Warnf("failed to read server CA certificate: %w", err) - return defaultHTTPClient, fmt.Errorf("Error load server CA certificate, defaulting to TLS Insecure session (http)") + if !certPool.AppendCertsFromPEM(pemData) { + err = fmt.Errorf("Failed to append pemData to certPool: %s", err) + api.logger.Error(err) + return http.Client{}, err } - caCertPool := x509.NewCertPool() - caCertPool.AppendCertsFromPEM(caCert) tlsConfig := &tls.Config{ - Certificates: []tls.Certificate{certs}, - RootCAs: caCertPool, - InsecureSkipVerify: true, + RootCAs: certPool, + InsecureSkipVerify: tlsInseucre, } httpClient := &http.Client{ Transport: &http.Transport{ 
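Review bot: `tlsInseucre := !api.devMode` inverts the flag: with `dev-mode` at its default of false (the production case) the CA pool is built but the config becomes `RootCAs: certPool, InsecureSkipVerify: true`, so server certificates are never checked, while a developer passing `--dev-mode` (documented as "skip TLS verification") gets the only verifying client. The same inverted value is computed as `tlsInsecure := !*devMode` in main later in this commit and decides whether the listener runs TLS at all, so production would listen over plain HTTP and dev mode over TLS. The assignment should be `tlsInsecure := api.devMode` (and likewise in main), which also makes `InsecureSkipVerify` false in the CA-pool branch. Both `fmt.Errorf` calls use `%s` where `%w` would keep the cause, and in the `AppendCertsFromPEM` failure `err` is still nil from the successful `os.ReadFile`, so the message prints `%!s(<nil>)` — `fmt.Errorf("no certificates parsed from %s", TLSCertChainPath)` says what went wrong. The misspelling `tlsInseucre` will also trip the next reader.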
@@ -248,7 +238,11 @@ func (api *ApiServer) buildHTTPServer() (http.Client, error) { } return *httpClient, nil } else { - return defaultHTTPClient, nil + return http.Client{ + Transport: &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: tlsInseucre}, + }, + }, nil } } @@ -256,29 +250,14 @@ func (api *ApiServer) buildHTTPServer() (http.Client, error) { func (api *ApiServer) sendPostRequest(url string, body io.Reader) (*http.Response, error) { client, err := api.buildHTTPServer() if err != nil { - // Either running http with tlsInsecure = true, or https runing with tlsInsecure = false - if err.Error() == "Error load client certificate/key, defaulting to TLS Insecure session (http)" || - err.Error() == "Error load server CA certificate, defaulting to TLS Insecure session (http)" { - // Handle the specific error (e.g., log it) - api.logger.Warn("Warning: TLS certificate/key or server CA certificate not loaded, downgraded to http client.") - } else { - // Handle other errors - err = fmt.Errorf("Error creating http(s) server: %v", err) - fmt.Print(err) - return nil, err - } - } - - request, err := http.NewRequest("POST", url, body) - if err != nil { - api.logger.Errorf("Error creating http request: %v", err) + err = fmt.Errorf("Error creating http(s) server: %v", err) + api.logger.Error(err) return nil, err } - request.Header.Set("Content-Type", "application/json") - response, err := client.Do(request) + response, err := client.Post(url, "application/json", body) if err != nil { - api.logger.Errorf("Error sending http request: %v", err) - return nil, err + api.logger.Errorf("Error creating and or sending http request: %v", err) + return response, err } return response, nil } 
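Review bot: On a `client.Post` failure the new code returns `response, err` together; net/http returns a non-nil response with an error only when `CheckRedirect` fails (with the body already closed), so callers that inspect the response before the error can touch a closed or nil body, and `return nil, err` — as the removed lines did — keeps the `(T, error)` contract clean. Switching from `http.NewRequest` plus `client.Do` to `client.Post` also drops the ability to attach `api.ctx`, which is the only cancellation the (deliberately timeout-free) client could have; `http.NewRequestWithContext(api.ctx, http.MethodPost, url, body)` with `client.Do(req)` restores it. The wrapping in both error paths uses `%v` where `%w` would preserve the cause for `errors.Is`/`errors.As`.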
@@ -448,26 +427,19 @@ func (api *ApiServer) fetchModelName(fullName bool) (string, error) { } endpoint += "models" - http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} - http.DefaultTransport.(*http.Transport).TLSHandshakeTimeout = 10 * time.Second - http.DefaultTransport.(*http.Transport).ExpectContinueTimeout = 1 * time.Second - - req, err := http.NewRequestWithContext(api.ctx, "GET", endpoint, nil) - if err != nil { - return "", fmt.Errorf("failed to create request: %w", err) - } + client, err := api.buildHTTPServer() - resp, err := http.DefaultClient.Do(req) + response, err := client.Get(endpoint) if err != nil { return "", fmt.Errorf("failed to fetch model details: %w", err) } - defer resp.Body.Close() + defer response.Body.Close() - if resp.StatusCode != http.StatusOK { - return "", fmt.Errorf("unexpected status code: %d", resp.StatusCode) + if response.StatusCode != http.StatusOK { + return "", fmt.Errorf("unexpected status code: %d", response.StatusCode) } - body, err := io.ReadAll(resp.Body) + body, err := io.ReadAll(response.Body) if err != nil { return "", fmt.Errorf("failed to read response body: %w", err) } 
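Review bot: `client, err := api.buildHTTPServer()` discards `err` — the next line `response, err := client.Get(endpoint)` overwrites it unchecked — so when the cert chain cannot be read, the zero-value `http.Client{}` is used, which goes through `http.DefaultTransport` and silently ignores the configured trust settings. Add `if err != nil { return "", fmt.Errorf("building http client: %w", err) }` directly after the call. The request also lost the `api.ctx` that the removed `http.NewRequestWithContext` carried; `http.NewRequestWithContext(api.ctx, http.MethodGet, endpoint, nil)` followed by `client.Do(req)` restores cancellation.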
@@ -520,10 +492,7 @@ func main() { preCheckEndpointURL := pflag.String("precheck-endpoint", "", "Precheck endpoint URL") InstructLabBotUrl := pflag.String("bot-url", InstructLabBotUrl, "InstructLab Bot URL") // TLS variables - tlsInsecure := pflag.Bool("tls-insecure", false, "Whether to skip TLS verification") - tlsClientCertPath := pflag.String("tls-client-cert", "", "Path to the TLS client certificate. Evantually defaults to '$HOME/client-tls-crt.pem2'") - tlsClientKeyPath := pflag.String("tls-client-key", "", "Path to the TLS client key. Evantually defaults to '$HOME/client-tls-key.pem2'") - tlsServerCaCertPath := pflag.String("tls-server-ca-cert", "", "Path to the TLS server CA certificate. Evantually defaults to '$HOME/server-ca-crt.pem2'") + devMode := pflag.Bool("dev-mode", false, "Whether to skip TLS verification") pflag.Parse() /* ENV support, most variabls take 3 options, with the following priority: @@ -545,34 +514,6 @@ func main() { } } - // TLS configurations - HOME := os.Getenv("HOME") - if *tlsClientCertPath == "" { - tlsClientCertPathEnvValue := os.Getenv("TLS_CLIENT_CERT_PATH") - if tlsClientCertPathEnvValue != "" { - *tlsClientCertPath = tlsClientCertPathEnvValue - } else { - *tlsClientCertPath = fmt.Sprintf("%s/client-tls-crt.pem2", HOME) - } - } - // TLS keyPath - if *tlsClientKeyPath == "" { - tlsClientKeyPathEnvValue := os.Getenv("TLS_CLIENT_KEY_PATH") - if tlsClientKeyPathEnvValue != "" { - *tlsClientKeyPath = tlsClientKeyPathEnvValue - } else { - *tlsClientKeyPath = fmt.Sprintf("%s/client-tls-key.pem2", HOME) - } - } - if *tlsServerCaCertPath == "" { - tlsServerCaCertPathEnvValue := os.Getenv("TLS_SERVER_CA_CERT_PATH") - if tlsServerCaCertPathEnvValue != "" { - *tlsServerCaCertPath = tlsServerCaCertPathEnvValue - } else { - *tlsServerCaCertPath = fmt.Sprintf("%s/server-ca-crt.pem2", HOME) - } - } - // NOTE: TLSInsecure not settable by env, just apiserver cli flag or defaults to false /* API credentials 
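Review bot: The new `dev-mode` flag keeps the help text "Whether to skip TLS verification", but in this commit it also decides whether the listener uses TLS at all (see main further down), so the description undersells what it toggles; `"Development only: serve plain HTTP and skip TLS verification on outbound requests"` would be accurate. The comment `// NOTE: TLSInsecure not settable by env, just apiserver cli flag or defaults to false`, left as context in the next hunk, now refers to a flag that no longer exists and should name `dev-mode` instead.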
@@ -604,6 +545,7 @@ func main() { Addr: *redisAddress, }) + tlsInsecure := !*devMode router := gin.Default() svr := ApiServer{ router: router, @@ -613,23 +555,29 @@ func main() { testMode: *testMode, preCheckEndpointURL: *preCheckEndpointURL, instructLabBotUrl: *InstructLabBotUrl, - tlsConfig: TLSConfig{ - TlsInsecure: *tlsInsecure, - TlsClientCertPath: *tlsClientCertPath, - TlsClientKeyPath: *tlsClientKeyPath, - TlsServerCaCertPath: *tlsServerCaCertPath, - }, + devMode: *devMode, } svr.setupRoutes(*apiUser, *apiPass) - if *tlsInsecure == false { + if tlsInsecure == false { // Check if we is valid key pair - _, err := tls.LoadX509KeyPair(*tlsClientCertPath, *tlsClientKeyPath) + + certPool := x509.NewCertPool() + pemData, err := os.ReadFile(TLSCertChainPath) // Replace with your certificate file path if err != nil { - logger.Fatal(fmt.Errorf("TLS enforced but failed to load client certificate/key: %w", err)) + log.Fatalf("Failed to read cert chain file: %s", err) + } + if !certPool.AppendCertsFromPEM(pemData) { + log.Fatalf("Failed to append pemData to certPool: %s", err) } + // tlsConfig := &tls.Config{ + // RootCAs: certPool, + // InsecureSkipVerify: *tlsInsecure, + // } + // if err := svr.router. svr.logger.Info("ApiServer starting with TLS", zap.String("listen-address", *listenAddress)) - if err := svr.router.RunTLS(*listenAddress, *tlsClientCertPath, *tlsClientKeyPath); err != nil { + if err := svr.router.RunTLS(*listenAddress, *TLSCertChainPath, nil); != nil { + // if err := svr.router.RunTLS(*listenAddress, *tlsClientCertPath, *tlsClientKeyPath); err != nil { svr.logger.Error("ApiServer failed to start", zap.Error(err)) } } else {