Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add ssl support to sync service (#1479) #1501

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feat: add ssl support to sync service (#1479) #1501

wants to merge 5 commits into from
+344 −127

Conversation

alexandraoberaigner
Copy link

This PR

Adds SSL support to the flagd sync service

Related Issues

Fixes #1479

How to test

run make test-flagd

@alexandraoberaigner alexandraoberaigner requested a review from a team as a code owner January 7, 2025 16:35
@dosubot dosubot bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Jan 7, 2025
@alexandraoberaigner alexandraoberaigner force-pushed the fix/1479-bug-not-supporting-ssl branch from ced5619 to 80ff0da Compare January 7, 2025 16:36
@netlify Netlify
Copy link

netlify bot commented Jan 7, 2025
edited
Loading

Deploy Preview for polite-licorice-3db33c canceled.

Name Link
🔨 Latest commit ced5619
🔍 Latest deploy log https://app.netlify.com/sites/polite-licorice-3db33c/deploys/677d57e999f813000857e2d5

@netlify Netlify
Copy link

netlify bot commented Jan 7, 2025
edited
Loading

Deploy Preview for polite-licorice-3db33c canceled.

Name Link
🔨 Latest commit 3e7e16e
🔍 Latest deploy log https://app.netlify.com/sites/polite-licorice-3db33c/deploys/677e9c8e843f3e0008842a4b

@alexandraoberaigner
fix: lint fixes (open-feature#1479)
6be6990 
Signed-off-by: Alexandra Oberaigner <[email protected]>
@alexandraoberaigner
Copy link
Author

alexandraoberaigner commented Jan 7, 2025
edited
Loading

[QUESTION] can someone help me with a maintainable solution of the certificate generation. Is it okay to run a script at the beginning of the test to generate the files (see Makefile & script)? I figured that just committing these files is not really maintainable since they expire after the on creation specified number of days. What would be good practice?

@toddbaert
Copy link
Member

[QUESTION] can someone help me with a maintainable solution of the certificate generation. Is it okay to run a script at the beginning of the test to generate the files (see Makefile & script)? I figured that just committing these files is not really maintainable since they expire after the on creation specified number of days. What would be good practice?

Is it okay to run a script at the beginning of the test to generate the files?

Yep, that's fine with me, BUT:

I can specify days 9999 in openssl which generates a cert until 2055. I'm OK with committing that, as long as it's in a folder clearly labelled "test" or something. We have other repos in the org that do the same thing, and I've seen it in many projects that do testing with SSL.

@aepfli
Copy link
Member

aepfli commented Jan 7, 2025

[QUESTION] can someone help me with a maintainable solution of the certificate generation. Is it okay to run a script at the beginning of the test to generate the files (see Makefile & script)? I figured that just committing these files is not really maintainable since they expire after the on creation specified number of days. What would be good practice?

Is it okay to run a script at the beginning of the test to generate the files?

Yep, that's fine with me, BUT:

I can specify days 9999 in openssl which generates a cert until 2055. I'm OK with committing that, as long as it's in a folder clearly labelled "test" or something. We have other repos in the org that do the same thing, and I've seen it in many projects that do testing with SSL.

should we maybe use the one from the flagd-testbed also within here?

@toddbaert
Copy link
Member

[QUESTION] can someone help me with a maintainable solution of the certificate generation. Is it okay to run a script at the beginning of the test to generate the files (see Makefile & script)? I figured that just committing these files is not really maintainable since they expire after the on creation specified number of days. What would be good practice?

Is it okay to run a script at the beginning of the test to generate the files?

Yep, that's fine with me, BUT:
I can specify days 9999 in openssl which generates a cert until 2055. I'm OK with committing that, as long as it's in a folder clearly labelled "test" or something. We have other repos in the org that do the same thing, and I've seen it in many projects that do testing with SSL.

should we maybe use the one from the flagd-testbed also within here?

Yep we could do that. What's the expiry on that one?

@beeme1mr beeme1mr changed the title fix: add ssl support to sync service (#1479) feat: add ssl support to sync service (#1479) Jan 7, 2025
@alexandraoberaigner
Copy link
Author

[QUESTION] can someone help me with a maintainable solution of the certificate generation. Is it okay to run a script at the beginning of the test to generate the files (see Makefile & script)? I figured that just committing these files is not really maintainable since they expire after the on creation specified number of days. What would be good practice?

Is it okay to run a script at the beginning of the test to generate the files?

Yep, that's fine with me, BUT:
I can specify days 9999 in openssl which generates a cert until 2055. I'm OK with committing that, as long as it's in a folder clearly labelled "test" or something. We have other repos in the org that do the same thing, and I've seen it in many projects that do testing with SSL.

should we maybe use the one from the flagd-testbed also within here?

I went the easy route & added a new certificate to the PR that expires in 9999 days as suggested by @toddbaert, let me know if there speaks something against it

alexandraoberaigner
alexandraoberaigner commented Jan 8, 2025
View reviewed changes
flagd/pkg/service/flag-sync/sync_service_test.go
return
}

serviceClient := syncv1grpc.NewFlagSyncServiceClient(con)
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[INFO] from this line on the test is the same as before

@alexandraoberaigner
fix: fix lint errors (open-feature#1479)
d97fc8d 
Signed-off-by: Alexandra Oberaigner <[email protected]>
@alexandraoberaigner alexandraoberaigner force-pushed the fix/1479-bug-not-supporting-ssl branch from ef58650 to d97fc8d Compare January 8, 2025 12:26
@alexandraoberaigner
fix: fix lint errors (open-feature#1479)
3e7e16e 
Signed-off-by: Alexandra Oberaigner <[email protected]>
warber
warber approved these changes Jan 9, 2025
View reviewed changes
flagd/pkg/service/flag-sync/sync_service.go
// Load server's certificate and private key
serverCert, err := tls.LoadX509KeyPair(certPath, keyPath)
if err != nil {
return nil, fmt.Errorf("failed to load key pair from given certificate paths: '%s' and '%s'", certPath, keyPath)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return nil, fmt.Errorf("failed to load key pair from given certificate paths: '%s' and '%s'", certPath, keyPath)
return nil, fmt.Errorf("failed to load key pair from certificate paths '%s' and '%s': %w", certPath, keyPath, err)

you could consider wrapping the error returned by LoadX509KeyPair() to preserve the context.

flagd/pkg/service/flag-sync/util_test.go
@@ -30,3 +36,24 @@ func getSimpleFlagStore() (*store.Flags, []string) {

return flagStore, []string{"A", "B", "C"}
}

func LoadTLSClientCredentials(certPath string) (credentials.TransportCredentials, error) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
func LoadTLSClientCredentials(certPath string) (credentials.TransportCredentials, error) {
func loadTLSClientCredentials(certPath string) (credentials.TransportCredentials, error) {

flagd/pkg/service/flag-sync/test-cert/server-ext.cnf
@@ -0,0 +1 @@
subjectAltName=IP:0.0.0.0
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: missing new line

flagd/pkg/service/flag-sync/util_test.go

func LoadTLSClientCredentials(certPath string) (credentials.TransportCredentials, error) {
// Load certificate of the CA who signed server's certificate
pemServerCA, err := ioutil.ReadFile(certPath)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
pemServerCA, err := ioutil.ReadFile(certPath)
pemServerCA, err := os.ReadFile(certPath)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@warber warber warber approved these changes

@bacherfl bacherfl Awaiting requested review from bacherfl

@Kavindu-Dodan Kavindu-Dodan Awaiting requested review from Kavindu-Dodan

@alemrtv alemrtv Awaiting requested review from alemrtv

@toddbaert toddbaert Awaiting requested review from toddbaert

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
size:L This PR changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[BUG] [sync-service] not supporting SSL
4 participants
@alexandraoberaigner @toddbaert @aepfli @warber