chore(custom-domains): clean up after SW removal
r-birkner committed Jan 26, 2024
1 parent f49ee20 commit 6fb24fc
Showing 9 changed files with 12 additions and 129 deletions.

This file was deleted.

Expand Up @@ -17,9 +17,7 @@ ExecStart=/bin/bash -c '
--certificates-exporter-uri "http://localhost:3000/certificates" \
--local-certificates-path "/var/opt/nginx/certs" \
--local-configuration-path "/var/opt/nginx/domains.conf" \
--configuration-template-sw-path "/etc/certificate-syncer/domain-with-sw.tmpl" \
--configuration-template-no-sw-path "/etc/certificate-syncer/domain-without-sw.tmpl" \
${RAW_DOMAINS_PATH:+ --no-sw-domains-path "${RAW_DOMAINS_PATH}"} \
--configuration-template-path "/etc/certificate-syncer/domain.tmpl" \
--domain-mappings-path "/var/opt/nginx/domain_canister_mappings.js" \
--metrics-addr "[::]:9322" \
${POLLING_INTERVAL_SEC:+ --polling-interval-sec "${POLLING_INTERVAL_SEC}"} \
Expand Up @@ -71,7 +71,6 @@ function process_bootstrap() {
nns.conf
pre_isolation_canisters.txt
prober_identity.pem
raw_domains.txt
)

for FILE in ${FILES[@]}; do
Expand Up @@ -5,11 +5,9 @@ source '/opt/ic/bin/helpers.shlib'
source '/opt/ic/bin/exec_condition.shlib'

readonly IDENTITY_PEM="${BOOT_DIR}/certificate_issuer_identity.pem"
readonly RAW_DOMAINS="${BOOT_DIR}/raw_domains.txt"

readonly RUN_DIR='/run/ic-node/etc/default'
readonly ENV_FILE="${RUN_DIR}/certificate-syncer"
readonly CFG_DIR='/run/ic-node/etc/certificate-syncer'
readonly CONFIG_FILE="${BOOT_DIR}/certificate_syncer.conf"

# Read the config variables. The files must be of the form
Expand All @@ -32,20 +30,10 @@ function read_variables() {
fi
}

function copy_files() {
mkdir -p "${CFG_DIR}"

if [ -f "${RAW_DOMAINS}" ]; then
RAW_FILE_PATH="${CFG_DIR}/raw_domains.txt"
cp "${RAW_DOMAINS}" "${RAW_FILE_PATH}"
fi
}

function generate_config() {
mkdir -p $(dirname "${ENV_FILE}")

cat >"${ENV_FILE}" <<EOF
RAW_DOMAINS_PATH=${RAW_FILE_PATH:-}
POLLING_INTERVAL_SEC=${POLLING_INTERVAL_SEC:-}
EOF
}
Expand All @@ -58,7 +46,6 @@ function main() {
fi

read_variables
copy_files
generate_config
}

17 changes: 0 additions & 17 deletions ic-os/boundary-guestos/scripts/build-deployment.sh
Expand Up @@ -534,22 +534,6 @@ EOF
done
}

function generate_certificate_syncer_config() {
if [ ! -z "${CERTIFICATE_SYNCER_RAW_DOMAINS_FILE}" ]; then
for n in $NODES; do
declare -n NODE=$n
if [[ "${NODE["type"]}" != "boundary" ]]; then
continue
fi

local SUBNET_IDX="${NODE["subnet_idx"]}"
local NODE_IDX="${NODE["node_idx"]}"
local NODE_PREFIX="${DEPLOYMENT}.${SUBNET_IDX}.${NODE_IDX}"
cp "${CERTIFICATE_SYNCER_RAW_DOMAINS_FILE}" "${CONFIG_DIR}/${NODE_PREFIX}/raw_domains.txt"
done
fi
}

function copy_pre_isolation_canisters() {
if [[ -z "${PRE_ISOLATION_CANISTERS:-}" ]]; then
err "pre-domain-isolation canisters have not been provided, proceeding without copying them"
Expand Down Expand Up @@ -685,7 +669,6 @@ function main() {
copy_deny_list
copy_geolite2_dbs
generate_certificate_issuer_config
generate_certificate_syncer_config
copy_pre_isolation_canisters
copy_ip_hash_salt
copy_logging_credentials
@@ -1,6 +1,4 @@
use std::{
fs::File,
io::{self, BufRead},
net::SocketAddr,
path::PathBuf,
sync::{Arc, RwLock},
Expand Down Expand Up @@ -65,13 +63,7 @@ struct Cli {
local_configuration_path: PathBuf,

#[clap(long, default_value = "servers.conf.tmpl")]
configuration_template_sw_path: PathBuf,

#[clap(long, default_value = "servers.conf.tmpl")]
configuration_template_no_sw_path: PathBuf,

#[clap(long)]
no_sw_domains_path: Option<PathBuf>,
configuration_template_path: PathBuf,

#[clap(long, default_value = "mappings.js")]
domain_mappings_path: PathBuf,
Expand Down Expand Up @@ -135,27 +127,10 @@ async fn main() -> Result<(), Error> {
let reloader = WithMetrics(reloader, MetricParams::new(&meter, SERVICE_NAME, "reload"));

// Persistence
let configuration_template_sw = std::fs::read_to_string(&cli.configuration_template_sw_path)
.context("failed to read configuration template for using the service worker")?;

let configuration_template_no_sw =
std::fs::read_to_string(&cli.configuration_template_no_sw_path)
.context("failed to read configuration template for using icx-proxy")?;

let no_sw_domains: Vec<String> = match &cli.no_sw_domains_path {
Some(no_sw_domains_path) => {
let file = File::open(no_sw_domains_path)?;
let reader = io::BufReader::new(file);
reader.lines().map(|line| line.unwrap()).collect()
}
None => Vec::new(),
};
let configuration_template = std::fs::read_to_string(&cli.configuration_template_path)
.context("failed to read configuration template")?;

let renderer = Renderer::new(
&configuration_template_sw,
&configuration_template_no_sw,
no_sw_domains,
);
let renderer = Renderer::new(&configuration_template);
let renderer = WithMetrics(renderer, MetricParams::new(&meter, SERVICE_NAME, "render"));
let renderer = Arc::new(renderer);

Expand Up @@ -282,11 +282,7 @@ mod tests {

let tmp_dir = tempdir()?;

let renderer = Renderer::new(
"{name}|{ssl_certificate_key_path}|{ssl_certificate_path}",
"{name}|{ssl_certificate_key_path}|{ssl_certificate_path}",
vec!["X".to_string(), "Y".to_string(), "Z".to_string()],
);
let renderer = Renderer::new("{name}|{ssl_certificate_key_path}|{ssl_certificate_path}");

let persister = Persister::new(
Arc::new(renderer), // renderer
Expand Up @@ -18,32 +18,20 @@ pub trait Render: Sync + Send {
}

pub struct Renderer {
template_with_service_worker: String,
template_with_icx_proxy: String,
no_sw_domains: Vec<String>,
template: String,
}

impl Renderer {
pub fn new(
template_with_service_worker: &str,
template_with_icx_proxy: &str,
no_sw_domains: Vec<String>,
) -> Self {
pub fn new(template: &str) -> Self {
Self {
template_with_service_worker: template_with_service_worker.to_owned(),
template_with_icx_proxy: template_with_icx_proxy.to_owned(),
no_sw_domains: no_sw_domains.to_owned(),
template: template.to_owned(),
}
}
}

impl Render for Renderer {
fn render(&self, cx: &Context) -> Result<String, Error> {
let out = if self.no_sw_domains.contains(&cx.name.to_string()) {
self.template_with_icx_proxy.clone()
} else {
self.template_with_service_worker.clone()
};
let out = self.template.clone();
let out = out.replace("{name}", cx.name);
let out = out.replace("{ssl_certificate_key_path}", cx.ssl_certificate_key_path);
let out = out.replace("{ssl_certificate_path}", cx.ssl_certificate_path);
Expand Down Expand Up @@ -80,11 +68,7 @@ mod tests {

#[test]
fn test_render() {
let r = Renderer::new(
"{name}|{ssl_certificate_key_path}|{ssl_certificate_path}",
"{name}|{ssl_certificate_path}|{ssl_certificate_key_path}",
vec!["X".to_string(), "Y".to_string(), "Z".to_string()],
);
let r = Renderer::new("{name}|{ssl_certificate_key_path}|{ssl_certificate_path}");

let out = r
.render(&Context {
Expand All @@ -104,6 +88,6 @@ mod tests {
})
.expect("failed to render");

assert_eq!(out, "X|3|2");
assert_eq!(out, "X|2|3");
}
}
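Review bot: `Renderer::render` now applies one template to every domain, and the `replace` calls that follow the new `let out = self.template.clone();` still insert `cx.name` and the two certificate paths verbatim, with no check on their contents. If the template is the per-domain nginx configuration (the service unit in this commit points `--configuration-template-path` at `/etc/certificate-syncer/domain.tmpl`) and names are not validated upstream, which is not visible here, a name containing whitespace, `;`, braces or a literal `{ssl_certificate_path}` would change the structure of the generated file. A hostname-character check at the top of `render` that returns `Err` for anything else would make that guarantee local, and a doc comment on `Renderer::new` listing the three placeholders would document the template contract. Smaller point: the `clone()` is redundant because `replace` already allocates, so `let out = self.template.replace("{name}", cx.name);` is enough. `render` continues past the end of the hunk.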
