erservercli: embeddable loadbalancer's CLI

joonas-fi · joonas-fi · commit 4c16f23aa001 · 2022-01-22T15:38:32.000+02:00
diff --git a/cmd/edgerouter/main.go b/cmd/edgerouter/main.go
@@ -46,6 +46,7 @@ func serveEntry() *cobra.Command {
 
 			osutil.ExitIfError(erserver.Serve(
 				osutil.CancelOnInterruptOrTerminate(rootLogger),
+				erserver.DefaultConfigDir,
 				rootLogger))
 		},
 	}
diff --git a/pkg/erserver/ipfilter.go b/pkg/erserver/ipfilter.go
@@ -9,17 +9,12 @@ import (
 	"io"
 	"os"
 
-	"github.com/function61/gokit/fileexists"
 	"github.com/function61/gokit/hcl2json"
 	"github.com/function61/gokit/jsonfile"
 	"github.com/function61/gokit/sliceutil"
 	"inet.af/netaddr"
 )
 
-const (
-	ipRulesFile = "/etc/edgerouter/ip-rules.hcl" // temporary solution - these will have to live in EventHorizon
-)
-
 type ipRule struct {
 	ipPrefix      netaddr.IPPrefix
 	allowedAppIds []string // if empty, means all apps are allowed
@@ -94,19 +89,14 @@ type ipRulesConfig struct {
 	} `json:"allow_specified"`
 }
 
-func loadIpRules() ([]ipRule, error) {
-	exists, err := fileexists.Exists(ipRulesFile)
-	if err != nil {
-		return nil, err
-	}
-
-	if !exists { // not an error => we just don't have any rules.. pun intended :)
-		return nil, nil
-	}
-
+func loadIpRules(ipRulesFile string) ([]ipRule, error) {
 	f, err := os.Open(ipRulesFile)
 	if err != nil {
-		return nil, err
+		if os.IsNotExist(err) { // not an error => we just don't have any rules.. pun intended :)
+			return nil, nil
+		} else { // actual error
+			return nil, err
+		}
 	}
 	defer f.Close()
 
diff --git a/pkg/erserver/serve.go b/pkg/erserver/serve.go
@@ -9,6 +9,7 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"sync/atomic"
@@ -29,13 +30,12 @@ import (
 )
 
 const (
-	ConfigDir            = "/etc/edgerouter"
-	LocalDevCertfilePath = "/etc/edgerouter/dev-cert.pem" // used when CertBus not configured
+	DefaultConfigDir ConfigDir = "/etc/edgerouter"
 )
 
 type GetCertificateFn func(*tls.ClientHelloInfo) (*tls.Certificate, error)
 
-func Serve(ctx context.Context, logger *log.Logger) error {
+func Serve(ctx context.Context, configDir ConfigDir, logger *log.Logger) error {
 	logl := logex.Levels(logger)
 
 	metrics := initMetrics()
@@ -70,10 +70,10 @@ func Serve(ctx context.Context, logger *log.Logger) error {
 
 			return certBus.GetCertificateAdapter(), nil
 		} else {
-			logl.Info.Printf("CertBus not configured - assuming local dev-server & using %s", LocalDevCertfilePath)
+			logl.Info.Printf("CertBus not configured - assuming local dev-server & using %s", configDir.DevelopmentCertificate())
 
 			// this is expected to be configured with mkcert or similar
-			keyPair, err := tls.LoadX509KeyPair(LocalDevCertfilePath, LocalDevCertfilePath)
+			keyPair, err := tls.LoadX509KeyPair(configDir.DevelopmentCertificate(), configDir.DevelopmentCertificate())
 			if err != nil {
 				if errors.Is(err, os.ErrNotExist) {
 					return nil, fmt.Errorf(
@@ -111,7 +111,9 @@ func Serve(ctx context.Context, logger *log.Logger) error {
 
 	// TODO: if these rules have syntax error, it'd be good if it came up before other async tasks
 	//       are started.
-	ipRules, err := loadIpRules()
+	//
+	// file is a temporary solution - these will have to live in EventHorizon
+	ipRules, err := loadIpRules("/etc/edgerouter/ip-rules.hcl")
 	if err != nil {
 		return err
 	}
@@ -363,6 +365,22 @@ func alwaysReturnSameCertificate(keyPair *tls.Certificate) GetCertificateFn {
 	}
 }
 
+type ConfigDir string
+
+func (c ConfigDir) DevelopmentCertificate() string {
+	return c.File("dev-cert.pem")
+}
+
+func (c ConfigDir) String() string {
+	return string(c)
+}
+
+// makes path to any file in the configuration directory
+// use sparingly
+func (c ConfigDir) File(filename string) string {
+	return filepath.Join(string(c), filename)
+}
+
 type atomicConfig struct {
 	atomic.Value // stores *frontendMatchers
 }
diff --git a/pkg/erservercli/servercli.go b/pkg/erservercli/servercli.go
@@ -0,0 +1,111 @@
+// Embeddable CLI for Edgerouter server library.
+// Think calling "yourapp proxy ..." and all subcommands are routed to Edgerouter-provided subcommands.
+package erservercli
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/function61/edgerouter/pkg/erserver"
+	"github.com/function61/gokit/dynversion"
+	"github.com/function61/gokit/fileexists"
+	"github.com/function61/gokit/logex"
+	"github.com/function61/gokit/osutil"
+	"github.com/function61/gokit/systemdinstaller"
+	"github.com/spf13/cobra"
+)
+
+type Options struct {
+	ServiceName    string
+	SubcommandName string
+}
+
+func (o Options) ConfigDir() erserver.ConfigDir {
+	return erserver.ConfigDir(filepath.Join("/etc", o.ServiceName))
+}
+
+// suppose you embed Edgerouter in application called "bob".
+// it is assumed that you'll assign top-level subcommand name e.g. "proxy" for Edgerouter inside bob.
+// hence commands to edgerouter will start with "bob proxy".
+func Entrypoint(opts Options) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     opts.SubcommandName,
+		Short:   "Edgerouter embeddable proxy",
+		Version: dynversion.Version,
+	}
+
+	cmd.AddCommand(&cobra.Command{
+		Use:   "serve",
+		Short: "Runs the HTTP server",
+		Args:  cobra.NoArgs,
+		Run: func(cmd *cobra.Command, args []string) {
+			rootLogger := logex.StandardLogger()
+
+			osutil.ExitIfError(erserver.Serve(
+				osutil.CancelOnInterruptOrTerminate(rootLogger),
+				opts.ConfigDir(),
+				rootLogger))
+		},
+	})
+
+	cmd.AddCommand(setupDevCertsEntry(opts))
+
+	cmd.AddCommand(&cobra.Command{
+		Use:   "install-as-service",
+		Short: "Install systemd service file to start Edgerouter on system startup",
+		Args:  cobra.NoArgs,
+		Run: func(cmd *cobra.Command, args []string) {
+			osutil.ExitIfError(installAsService(opts))
+		},
+	})
+
+	return cmd
+}
+
+func installAsService(opts Options) error {
+	envFile := opts.ConfigDir().File("edgerouter.env")
+	exists, err := fileexists.Exists(opts.ConfigDir().String())
+	if err != nil {
+		return err
+	}
+
+	if exists {
+		return fmt.Errorf("'%s' exists - Edgerouter already installed? Not continuing for safety", opts.ConfigDir().String())
+	}
+
+	service := systemdinstaller.SystemdServiceFile(
+		opts.ServiceName,
+		"Edgerouter",
+		systemdinstaller.Args(opts.SubcommandName, "serve"),
+		// TODO: systemdinstaller.EnvFile("/etc/edgerouter.env")
+		systemdinstaller.Env("DUMMY", "x\nEnvironmentFile="+envFile), // ugly hack
+		systemdinstaller.Docs(
+			"https://github.com/function61/edgerouter",
+			"https://function61.com/"))
+
+	osutil.ExitIfError(systemdinstaller.Install(service))
+
+	fmt.Println(systemdinstaller.GetHints(service))
+
+	if err := os.MkdirAll(opts.ConfigDir().String(), 0700); err != nil {
+		return err
+	}
+
+	return ioutil.WriteFile(envFile, []byte(`
+# --- Docker integration
+DOCKER_URL=unix:///var/run/docker.sock
+NETWORK_NAME=docker_gwbridge
+
+# --- CertBus / EventHorizon-based discovery / Lambda function routing / S3 hosting
+# AWS_SECRET_ACCESS_KEY=...
+# AWS_ACCESS_KEY_ID=AKIA...
+
+# --- CertBus / EventHorizon-based discovery
+# EVENTHORIZON=prod:1:::eu-central-1
+
+# --- CertBus
+# CERTBUS_CLIENT_PRIVKEY=...
+`), 0600)
+}
diff --git a/pkg/erservercli/setupdevcerts.go b/pkg/erservercli/setupdevcerts.go
@@ -0,0 +1,132 @@
+package erservercli
+
+import (
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"github.com/function61/gokit/osutil"
+	"github.com/spf13/cobra"
+)
+
+func setupDevCertsEntry(opts Options) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "setup-devcerts",
+		Short: "mkcert utility shortcuts for generating CA and server cert for development purposes",
+	}
+
+	cmd.AddCommand(&cobra.Command{
+		Use:   "ca-install",
+		Short: "Install local-trust-only CA certificate into system trust stores",
+		Args:  cobra.NoArgs,
+		Run: func(cmd *cobra.Command, args []string) {
+			mkcert := exec.Command("mkcert", "-install")
+			mkcert.Stdout = os.Stdout
+			mkcert.Stderr = os.Stderr
+			osutil.ExitIfError(translateIfMkcertNotInstalledError(mkcert.Run()))
+		},
+	})
+
+	cmd.AddCommand(&cobra.Command{
+		Use:   "servercert-generate [hostname]",
+		Short: "Generate server cert. Example hostname: *.dev.example.com",
+		Args:  cobra.ExactArgs(1),
+		Run: func(cmd *cobra.Command, args []string) {
+			osutil.ExitIfError(serverCertGenerate(args[0], opts))
+		},
+	})
+
+	return cmd
+}
+
+func serverCertGenerate(hostname string, opts Options) error {
+	tempDir, err := ioutil.TempDir("", "edgerouter-mkcert-*")
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(tempDir)
+
+	if err := os.MkdirAll(filepath.Dir(opts.ConfigDir().DevelopmentCertificate()), 0750); err != nil {
+		return translateIfSudoError(err)
+	}
+
+	// unfortunately, you can't ask mkcert where or for which name to store the certs under
+
+	mkcert := exec.Command("mkcert", hostname)
+	mkcert.Dir = tempDir
+	mkcert.Stdout = os.Stdout
+	mkcert.Stderr = os.Stderr
+	if err := mkcert.Run(); err != nil {
+		return translateIfMkcertNotInstalledError(err)
+	}
+
+	// *.dev.fn61.net would generate these names
+	// _wildcard.dev.fn61.net.pem
+	// _wildcard.dev.fn61.net-key.pem
+	fmt.Println("\nServer cert generated.")
+
+	key, err := findReadAndDeleteFile(filepath.Join(tempDir, "*-key.pem"))
+	if err != nil {
+		return err
+	}
+
+	cert, err := findReadAndDeleteFile(filepath.Join(tempDir, "*.pem"))
+	if err != nil {
+		return err
+	}
+
+	if err := translateIfSudoError(ioutil.WriteFile(
+		opts.ConfigDir().DevelopmentCertificate(),
+		append(cert, key...),
+		0600),
+	); err != nil {
+		return err
+	}
+
+	fmt.Printf(
+		"Server cert written to '%s' - will be picked up on Edgerouter start\n",
+		opts.ConfigDir().DevelopmentCertificate())
+
+	return nil
+}
+
+func translateIfMkcertNotInstalledError(err error) error {
+	if err != nil && errors.Is(err, exec.ErrNotFound) {
+		return errors.New("mkcert not installed? See https://github.com/FiloSottile/mkcert#installation")
+	}
+
+	return err
+}
+
+func translateIfSudoError(err error) error {
+	if err != nil && errors.Is(err, os.ErrPermission) {
+		return fmt.Errorf("(probably need '$ sudo ...') %w", err)
+	}
+
+	return err
+}
+
+func findReadAndDeleteFile(globPattern string) ([]byte, error) {
+	globMatches, err := filepath.Glob(globPattern)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(globMatches) != 1 {
+		return nil, fmt.Errorf("findReadAndDeleteFile: expected 1 match; got %d", len(globMatches))
+	}
+
+	content, err := ioutil.ReadFile(globMatches[0])
+	if err != nil {
+		return nil, err
+	}
+
+	if err := os.Remove(globMatches[0]); err != nil {
+		return nil, err
+	}
+
+	return content, nil
+}

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@ func serveEntry() *cobra.Command {`
`46`	`46`
`47`	`47`	`osutil.ExitIfError(erserver.Serve(`
`48`	`48`	`osutil.CancelOnInterruptOrTerminate(rootLogger),`
	`49`	`+ erserver.DefaultConfigDir,`
`49`	`50`	`rootLogger))`
`50`	`51`	`},`
`51`	`52`	`}`