Merge branch 'master' into gdbelvin-patch-1

.travis.yml

@@ -53,7 +53,9 @@ jobs:
       - curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash && sudo mv kustomize /usr/local/bin/
       - openssl aes-256-cbc -K $encrypted_555d9b2948d2_key -iv $encrypted_555d9b2948d2_iv
         -in client_secrets.json.enc -d | gcloud auth activate-service-account --key-file /dev/stdin
-      script: ./scripts/deploy.sh
+      script:
+      - ./scripts/deploy.sh
+      - ./scripts/cleanup_images.sh
 
 before_install:
   - |

README.md

@@ -33,7 +33,7 @@ development.
 
 ### Setup
 1. Install [Go 1.13](https://golang.org/doc/install).
-2. `go get github.com/google/keytransparency/cmd/keytransparency-client `
+2. `GO111MODULE=on go get github.com/google/keytransparency/cmd/keytransparency-client`
 
 ### Client operations
 
@@ -64,7 +64,7 @@ NB A default for the Key Transparency server URL is being used here. The default
 #### Get and verify a public key
 
   ```
-  keytransparency-client get <email> --insecure --verbose
+  keytransparency-client get <email> --kt-url sandbox.keytransparency.dev:443 --verbose
   ✓ Commitment verified.
   ✓ VRF verified.
   ✓ Sparse tree proof verified.
@@ -79,14 +79,14 @@ NB A default for the Key Transparency server URL is being used here. The default
 
 #### Verify key history
   ```
-  keytransparency-client history <email> --insecure
+  keytransparency-client history user@domain.com --kt-url sandbox.keytransparency.dev:443
   Revision |Timestamp                    |Profile
   4        |Mon Sep 12 22:23:54 UTC 2016 |keys:<key:"app1" value:"test" >
   ```
 
 #### Checks
-- [Proof for foo@bar.com](https://35.202.56.9/v1/directories/default/users/foo@bar.com)
-- [Server configuration info](https://35.202.56.9/v1/directories/default)
+- [Proof for foo@bar.com](https://sandbox.keytransparency.dev/v1/directories/default/users/foo@bar.com)
+- [Server configuration info](https://sandbox.keytransparency.dev/v1/directories/default)
 
 ## Running the server
 

cmd/keytransparency-client/cmd/root.go

@@ -20,7 +20,6 @@ import (
 	"fmt"
 	"io/ioutil"
 	"log"
-	"net"
 	"os"
 	"time"
 
@@ -77,10 +76,10 @@ func init() {
 	RootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is $HOME/.keytransparency.yaml)")
 
 	RootCmd.PersistentFlags().String("directory", "default", "Directory within the KT server")
-	RootCmd.PersistentFlags().String("kt-url", "35.202.56.9:443", "URL of Key Transparency server")
-	RootCmd.PersistentFlags().String("kt-cert", "genfiles/server.crt", "Path to public key for Key Transparency")
+	RootCmd.PersistentFlags().String("kt-url", "sandbox.keytransparency.dev:443", "URL of Key Transparency server")
+	RootCmd.PersistentFlags().String("kt-cert", "", "Path to public key for Key Transparency")
 	RootCmd.PersistentFlags().Bool("autoconfig", true, "Fetch config info from the server's /v1/directory/info")
-	RootCmd.PersistentFlags().Bool("insecure", true, "Skip TLS checks")
+	RootCmd.PersistentFlags().Bool("insecure", false, "Skip TLS checks")
 
 	RootCmd.PersistentFlags().String("vrf", "genfiles/vrf-pubkey.pem", "path to vrf public key")
 
@@ -154,26 +153,21 @@ func getCreds(ctx context.Context, clientSecretFile string) (credentials.PerRPCC
 	return oauth.NewOauthAccess(tok), nil
 }
 
-func transportCreds(ktURL string) (credentials.TransportCredentials, error) {
+func transportCreds() (credentials.TransportCredentials, error) {
 	ktCert := viper.GetString("kt-cert")
 	insecure := viper.GetBool("insecure")
 
-	host, _, err := net.SplitHostPort(ktURL)
-	if err != nil {
-		return nil, err
-	}
-
 	switch {
 	case insecure: // Impatient insecure.
 		return credentials.NewTLS(&tls.Config{
 			InsecureSkipVerify: true, // nolint
 		}), nil
 
 	case ktCert != "": // Custom CA Cert.
-		return credentials.NewClientTLSFromFile(ktCert, host)
+		return credentials.NewClientTLSFromFile(ktCert, "")
 
 	default: // Use the local set of root certs.
-		return credentials.NewClientTLSFromCert(nil, host), nil
+		return credentials.NewClientTLSFromCert(nil, ""), nil
 	}
 }
 
@@ -196,7 +190,7 @@ func userCreds(ctx context.Context) (credentials.PerRPCCredentials, error) {
 
 func dial(ctx context.Context) (pb.KeyTransparencyClient, error) {
 	addr := viper.GetString("kt-url")
-	transportCreds, err := transportCreds(addr)
+	transportCreds, err := transportCreds()
 	if err != nil {
 		return nil, err
 	}

cmd/keytransparency-sequencer/main.go

@@ -39,6 +39,7 @@ import (
 	"github.com/google/keytransparency/core/sequencer/election"
 	"github.com/google/keytransparency/impl/sql/directory"
 	"github.com/google/keytransparency/impl/sql/mutationstorage"
+	"github.com/google/keytransparency/internal/forcemaster"
 
 	pb "github.com/google/keytransparency/core/api/v1/keytransparency_go_proto"
 	dir "github.com/google/keytransparency/core/directory"
@@ -78,7 +79,7 @@ var (
 func getElectionFactory() (election2.Factory, func()) {
 	if *forceMaster {
 		glog.Warning("Acting as master for all directories")
-		return election2.NoopFactory{}, func() {}
+		return forcemaster.Factory{}, func() {}
 	}
 	if len(*etcdServers) == 0 {
 		glog.Exit("Either --force_master or --etcd_servers must be supplied")

core/sequencer/election/tracker.go

@@ -121,7 +121,7 @@ func (mt *Tracker) watchOnce(ctx context.Context, e election2.Election, res stri
 	if err := e.Await(ctx); err != nil {
 		return err
 	}
-	glog.Infof("Obtained mastership for %v", res)
+	glog.Infof("Obtained mastership for %q", res)
 
 	// Obtain mastership ctx *before* Masterships runs to avoid racing.
 	mastershipCtx, err := e.WithMastership(ctx)
@@ -137,7 +137,7 @@ func (mt *Tracker) watchOnce(ctx context.Context, e election2.Election, res stri
 	// the parent context was closed. In either case work being done will
 	// be canceled and we will mark ourselves as not-master until we can
 	// acquire mastership again.
-	glog.Warningf("No longer master for %v", res)
+	glog.Warningf("No longer master for %q", res)
 	return nil
 }
 
@@ -184,9 +184,9 @@ func (mt *Tracker) Masterships(ctx context.Context) (map[string]context.Context,
 		// Resign mastership if we've held it for over maxHold.
 		// Resign before attempting to acquire a mastership lock.
 		if held := time.Since(m.acquired); held > mt.maxHold {
-			glog.Infof("Resigning from %v after %v", res, held)
+			glog.Infof("Resigning from %q after %v", res, held)
 			if err := m.e.Resign(ctx); err != nil {
-				glog.Errorf("Resign failed for resource %v: %v", res, err)
+				glog.Errorf("Resign failed for resource %q: %v", res, err)
 			}
 			continue
 		}

core/sequencer/election/tracker_test.go

@@ -0,0 +1,71 @@
+// Copyright 2020 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package election
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/google/keytransparency/internal/forcemaster"
+	"github.com/google/trillian/monitoring/prometheus"
+)
+
+// Ensure that mastership continues to work after resignTime.
+func TestForceMaster(t *testing.T) {
+	ctx, done := context.WithCancel(context.Background())
+	defer done()
+	resignTime := 1 * time.Hour
+	res := "test resource"
+
+	mt := NewTracker(forcemaster.Factory{}, resignTime, prometheus.MetricFactory{})
+	go mt.Run(ctx)
+	mt.AddResource(res)
+	time.Sleep(time.Millisecond) // Wait to acquire mastership.
+
+	// Verify that mastersihp works as expected, with 1 mastership for res.
+	m, err := mt.Masterships(ctx)
+	if err != nil {
+		t.Error(err)
+	}
+	if got := len(m); got != 1 {
+		t.Errorf("Masterships returned %v, want 1", got)
+	}
+
+	// Advance the clock by pretending we acquired mastersihp a long time ago.
+	mastership := mt.master[res]
+	mastership.acquired = time.Now().Add(-2 * resignTime)
+	mt.master[res] = mastership
+
+	// Verify that we resign the mastership after the clock as advanced.
+	m2, err := mt.Masterships(ctx)
+	if err != nil {
+		t.Error(err)
+	}
+	if got := len(m2); got != 0 {
+		t.Errorf("Masterships returned %v, want 0", got)
+	}
+
+	time.Sleep(time.Millisecond) // Wait to acquire mastership.
+
+	// Verify that we reaquire mastership
+	m3, err := mt.Masterships(ctx)
+	if err != nil {
+		t.Error(err)
+	}
+	if got := len(m3); got != 1 {
+		t.Errorf("Masterships returned %v, want 0", got)
+	}
+}

deploy/kubernetes/base/ingress.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: kt-ingress
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: "GRPCS"
+spec:
+  backend:
+    serviceName: server
+    servicePort: grpc-api
+  tls:
+  - hosts:
+    - "localhost"
+    - "127.0.0.1"
+    - "sandbox.keytransparency.dev"
+    secretName: kt-tls
+  rules:
+    - http:
+       paths:
+       - path: /
+         backend:
+           serviceName: server
+           servicePort: grpc-api

deploy/kubernetes/base/kustomization.yaml

@@ -4,6 +4,7 @@ commonLabels:
 resources:
 - db-deployment.yaml
 - db-service.yaml
+- ingress.yaml
 - init-pod.yaml
 - log-server-deployment.yaml
 - log-server-service.yaml
@@ -19,4 +20,3 @@ resources:
 - sequencer-service.yaml
 - server-deployment.yaml
 - server-service.yaml
-

deploy/kubernetes/base/server-service.yaml

@@ -9,11 +9,13 @@ spec:
   - name: "grpc-api"
     port: 443
     targetPort: 8080
+    nodePort: 30080
   - name: "http-metrics"
     port: 8081
     targetPort: 8081
+    nodePort: 30081
   selector:
     io.kompose.service: server
-  type: NodePort
+  type: NodePort # Required for ingress
 status:
   loadBalancer: {}

deploy/kubernetes/overlays/gke/ingress.yaml

@@ -0,0 +1,9 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: kt-ingress
+  annotations:
+    kubernetes.io/ingress.class: "gce"
+    kubernetes.io/ingress.global-static-ip-name: "kt-ingress-ip"
+    kubernetes.io/ingress.allow-http: "false"
+    networking.gke.io/managed-certificates: sandbox-keytransparency-dev

deploy/kubernetes/overlays/gke/kustomization.yaml

@@ -1,11 +1,14 @@
 bases:
 - ../../base
+resources:
+- managed-cert.yaml
 patchesStrategicMerge:
+- ingress.yaml
 - log-server-stackdriver-prometheus-sidecar.yaml
 - log-signer-stackdriver-prometheus-sidecar.yaml
 - map-server-stackdriver-prometheus-sidecar.yaml
 - sequencer-stackdriver-prometheus-sidecar.yaml
-- server-stackdriver-prometheus-sidecar.yaml
 - server-service.yaml
+- server-stackdriver-prometheus-sidecar.yaml
 
 

deploy/kubernetes/overlays/gke/managed-cert.yaml

@@ -0,0 +1,7 @@
+apiVersion: networking.gke.io/v1beta1
+kind: ManagedCertificate
+metadata:
+  name: sandbox-keytransparency-dev
+spec:
+  domains:
+    - sandbox.keytransparency.dev

deploy/kubernetes/overlays/gke/server-service.yaml

@@ -2,6 +2,5 @@ apiVersion: v1
 kind: Service
 metadata:
   name: server
-spec:
-  type: LoadBalancer
-
+  annotations:
+    cloud.google.com/app-protocols: '{"grpc-api":"HTTP2"}'

deploy/kubernetes/overlays/local/ingress-nginx/README.md

@@ -0,0 +1,21 @@
+# NGINX Configs
+
+Installing baremetal NGINX requires running the following commands according to the [directions](https://kubernetes.github.io/ingress-nginx/deploy/) on the nginx site.
+
+```
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/mandatory.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/cloud-generic.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/baremetal/service-nodeport.yaml
+```
+
+The directories below contain the contents of these three configs
+1. Split out into their component yaml files.
+2. Added `kustomization.yaml` files tying them together.
+3. Removed conflicting resources.
+
+The kustomize dependency graph looks like so:
+```
+overlays\local -> overlays\local\ingress-nginx\baremetal
+overlays\local\ingress-nginx\baremetal -> overlays\local\ingress-nginx\cloudgeneric
+overlays\local\ingress-nginx\cloudgeneric -> overlays\local\ingress-nginx\static
+```

deploy/kubernetes/overlays/local/ingress-nginx/baremetal/custom-nodeport.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ingress-nginx
+spec:
+  type: NodePort
+  ports:
+    - name: https
+      port: 443
+      nodePort: 30443

deploy/kubernetes/overlays/local/ingress-nginx/baremetal/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../cloud-generic
+patchesStrategicMerge:
+- custom-nodeport.yaml
+- service-nodeport.yaml

deploy/kubernetes/overlays/local/ingress-nginx/baremetal/service-nodeport.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ingress-nginx
+spec:
+  type: NodePort
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+      protocol: TCP
+    - name: https
+      port: 443
+      targetPort: 443
+      protocol: TCP
+  externalTrafficPolicy: Cluster