refactor: extract TLS bits from apid main.go

No functional changes, just moving code around.

Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>

internal/app/apid/main.go

@@ -7,8 +7,6 @@ package main
 import (
 	"flag"
 	"log"
-	stdlibnet "net"
-	"os"
 	"regexp"
 	"strings"
 
@@ -18,11 +16,11 @@ import (
 
 	"github.com/talos-systems/talos/internal/app/apid/pkg/backend"
 	"github.com/talos-systems/talos/internal/app/apid/pkg/director"
+	"github.com/talos-systems/talos/internal/app/apid/pkg/provider"
+	"github.com/talos-systems/talos/internal/pkg/runtime"
 	"github.com/talos-systems/talos/pkg/config"
 	"github.com/talos-systems/talos/pkg/constants"
 	"github.com/talos-systems/talos/pkg/grpc/factory"
-	"github.com/talos-systems/talos/pkg/grpc/tls"
-	"github.com/talos-systems/talos/pkg/net"
 	"github.com/talos-systems/talos/pkg/startup"
 )
 
@@ -45,30 +43,22 @@ func main() {
 		log.Fatalf("failed to seed RNG: %v", err)
 	}
 
-	provider, err := createProvider()
+	config, err := loadConfig()
 	if err != nil {
-		log.Fatalf("failed to create remote certificate provider: %+v", err)
+		log.Fatalf("open config: %v", err)
 	}
 
-	ca, err := provider.GetCA()
+	tlsConfig, err := provider.NewTLSConfig(config, strings.Split(*endpoints, ","))
 	if err != nil {
-		log.Fatalf("failed to get root CA: %+v", err)
+		log.Fatalf("failed to create remote certificate provider: %+v", err)
 	}
 
-	tlsConfig, err := tls.New(
-		tls.WithClientAuthType(tls.Mutual),
-		tls.WithCACertPEM(ca),
-		tls.WithServerCertificateProvider(provider),
-	)
+	serverTLSConfig, err := tlsConfig.ServerConfig()
 	if err != nil {
 		log.Fatalf("failed to create OS-level TLS configuration: %v", err)
 	}
 
-	clientTLSConfig, err := tls.New(
-		tls.WithClientAuthType(tls.Mutual),
-		tls.WithCACertPEM(ca),
-		tls.WithClientCertificateProvider(provider),
-	)
+	clientTLSConfig, err := tlsConfig.ClientConfig()
 	if err != nil {
 		log.Fatalf("failed to create client TLS config: %v", err)
 	}
@@ -101,7 +91,7 @@ func main() {
 		factory.WithDefaultLog(),
 		factory.ServerOptions(
 			grpc.Creds(
-				credentials.NewTLS(tlsConfig),
+				credentials.NewTLS(serverTLSConfig),
 			),
 			grpc.CustomCodec(proxy.Codec()),
 			grpc.UnknownServiceHandler(
@@ -116,32 +106,11 @@ func main() {
 	}
 }
 
-func createProvider() (tls.CertificateProvider, error) {
+func loadConfig() (runtime.Configurator, error) {
 	content, err := config.FromFile(*configPath)
 	if err != nil {
-		log.Fatalf("open config: %v", err)
-	}
-
-	config, err := config.New(content)
-	if err != nil {
-		log.Fatalf("open config: %v", err)
-	}
-
-	ips, err := net.IPAddrs()
-	if err != nil {
-		log.Fatalf("failed to discover IP addresses: %+v", err)
-	}
-	// TODO(andrewrynhard): Allow for DNS names.
-	for _, san := range config.Machine().Security().CertSANs() {
-		if ip := stdlibnet.ParseIP(san); ip != nil {
-			ips = append(ips, ip)
-		}
-	}
-
-	hostname, err := os.Hostname()
-	if err != nil {
-		log.Fatalf("failed to discover hostname: %+v", err)
+		return nil, err
 	}
 
-	return tls.NewRemoteRenewingFileCertificateProvider(config.Machine().Security().Token(), strings.Split(*endpoints, ","), constants.TrustdPort, hostname, ips)
+	return config.New(content)
 }

internal/app/apid/pkg/provider/provider_test.go

@@ -0,0 +1,14 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package provider_test
+
+import "testing"
+
+func TestEmpty(t *testing.T) {
+	// added for accurate coverage estimation
+	//
+	// please remove it once any unit-test is added
+	// for this package
+}

internal/app/apid/pkg/provider/tls.go

@@ -0,0 +1,85 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Package provider provides TLS config for client & server
+package provider
+
+import (
+	stdlibtls "crypto/tls"
+	"fmt"
+	stdlibnet "net"
+	"os"
+
+	"github.com/talos-systems/talos/internal/pkg/runtime"
+	"github.com/talos-systems/talos/pkg/constants"
+	"github.com/talos-systems/talos/pkg/grpc/tls"
+	"github.com/talos-systems/talos/pkg/net"
+)
+
+// TLSConfig provides client & server TLS configs for apid.
+type TLSConfig struct {
+	certificateProvider tls.CertificateProvider
+}
+
+// NewTLSConfig builds provider from configuration and endpoints.
+func NewTLSConfig(config runtime.Configurator, endpoints []string) (*TLSConfig, error) {
+	ips, err := net.IPAddrs()
+	if err != nil {
+		return nil, fmt.Errorf("failed to discover IP addresses: %w", err)
+	}
+	// TODO(andrewrynhard): Allow for DNS names.
+	for _, san := range config.Machine().Security().CertSANs() {
+		if ip := stdlibnet.ParseIP(san); ip != nil {
+			ips = append(ips, ip)
+		}
+	}
+
+	hostname, err := os.Hostname()
+	if err != nil {
+		return nil, fmt.Errorf("failed to discover hostname: %w", err)
+	}
+
+	tlsConfig := &TLSConfig{}
+
+	tlsConfig.certificateProvider, err = tls.NewRemoteRenewingFileCertificateProvider(
+		config.Machine().Security().Token(),
+		endpoints,
+		constants.TrustdPort,
+		hostname,
+		ips,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return tlsConfig, nil
+}
+
+// ServerConfig generates server-side tls.Config.
+func (tlsConfig *TLSConfig) ServerConfig() (*stdlibtls.Config, error) {
+	ca, err := tlsConfig.certificateProvider.GetCA()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get root CA: %w", err)
+	}
+
+	return tls.New(
+		tls.WithClientAuthType(tls.Mutual),
+		tls.WithCACertPEM(ca),
+		tls.WithServerCertificateProvider(tlsConfig.certificateProvider),
+	)
+}
+
+// ClientConfig generates client-side tls.Config.
+func (tlsConfig *TLSConfig) ClientConfig() (*stdlibtls.Config, error) {
+	ca, err := tlsConfig.certificateProvider.GetCA()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get root CA: %w", err)
+	}
+
+	return tls.New(
+		tls.WithClientAuthType(tls.Mutual),
+		tls.WithCACertPEM(ca),
+		tls.WithClientCertificateProvider(tlsConfig.certificateProvider),
+	)
+}