init and save self signed CA pem

waynz0r · waynz0r · commit 199f682e6232 · 2024-01-29T15:57:41.000+01:00
if not provided
diff --git a/config.yaml b/config.yaml
@@ -1,4 +1,5 @@
 agent:
+  caPEMPath: /tmp/ca.pem
   trustDomain: acme.corp
   defaultCertTTL: 2h
   metadataCollectors:
diff --git a/internal/cli/cmd/agent/agent.go b/internal/cli/cmd/agent/agent.go
@@ -23,6 +23,7 @@ import (
 	"context"
 	"crypto/x509/pkix"
 	"encoding/json"
+	"os"
 
 	"emperror.dev/errors"
 	"github.com/spf13/cobra"
@@ -37,6 +38,10 @@ import (
 	"github.com/cisco-open/camblet/pkg/tls"
 )
 
+const (
+	defaultRootCACommonName = "Camblet root CA"
+)
+
 type agentCommand struct {
 	cli cli.CLI
 }
@@ -62,7 +67,7 @@ func NewCommand(c cli.CLI) *cobra.Command {
 	cmd.Flags().StringSlice("services-path", config.DefaultServicesPaths, "Path to file or directory for service definitions")
 	cmd.Flags().String("trust-domain", config.DefaultTrustDomain, "Trust domain")
 	cmd.Flags().Duration("default-cert-ttl", config.DefaultCertTTLDuration, "Default certificate TTL")
-	cmd.Flags().String("ca-pem-path", "", "Path for CA pem")
+	cmd.Flags().String("ca-pem-path", config.DefaultCAPEMPath, "Path for CA pem")
 
 	cli.BindCMDFlags(c.Viper(), cmd)
 
@@ -82,20 +87,12 @@ func (c *agentCommand) runCommander(ctx context.Context) error {
 	h.AddHandler("connect", commands.Connect())
 
 	caOpts := []tls.CertificateAuthorityOption{}
-	if c.cli.Configuration().Agent.CAPemPath == "" {
-		if cert, pkey, err := tls.CreateSelfSignedCACertificate(tls.CertificateOptions{
-			Subject: pkix.Name{
-				CommonName: "Camblet root CA",
-			},
-		}); err != nil {
-			return errors.WrapIf(err, "could not create self signed root CA certificate")
-		} else {
-			caOpts = append(caOpts, tls.CertificateAuthorityWithPEM(append(cert.GetPEM(), pkey.GetPEM()...)))
-		}
-	} else {
-		caOpts = append(caOpts, tls.CertificateAuthorityWithPEMFile(c.cli.Configuration().Agent.CAPemPath))
+	caPEMPath, err := c.ensureCACertificate()
+	if err != nil {
+		return errors.WithStackIf(err)
 	}
 
+	caOpts = append(caOpts, tls.CertificateAuthorityWithPEMFile(caPEMPath))
 	ca, err := tls.NewCertificateAuthority(caOpts...)
 	if err != nil {
 		return err
@@ -105,6 +102,8 @@ func (c *agentCommand) runCommander(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
+	c.cli.Logger().Info("CA signer initialized", "caPEMPath", caPEMPath)
+
 	h.AddHandler("csr_sign", csrSign)
 
 	collector := collectors.GetMetadataCollector(c.cli.Configuration().Agent.MetadataCollectors, c.cli.Logger())
@@ -117,6 +116,35 @@ func (c *agentCommand) runCommander(ctx context.Context) error {
 	return nil
 }
 
+func (c *agentCommand) ensureCACertificate() (string, error) {
+	path := c.cli.Configuration().Agent.CAPemPath
+
+	if _, err := os.Stat(path); path != "" && err == nil {
+		return path, nil
+	}
+
+	cert, pkey, err := tls.CreateSelfSignedCACertificate(tls.CertificateOptions{
+		Subject: pkix.Name{
+			CommonName: defaultRootCACommonName,
+		},
+	})
+	if err != nil {
+		return "", errors.WrapIf(err, "could not generate self signed root CA certificate")
+	}
+
+	if file, err := os.Create(path); err != nil {
+		return "", errors.WrapIf(err, "could not write generated self signed root CA certificate")
+	} else {
+		defer file.Close()
+		if _, err := file.Write(append(cert.GetPEM(), pkey.GetPEM()...)); err != nil {
+			return "", errors.WrapIf(err, "could not write generated self signed root CA certificate")
+		}
+		c.cli.Logger().Info("self signed root CA certificate is created and saved", "path", path)
+	}
+
+	return path, nil
+}
+
 func (c *agentCommand) run(cmd *cobra.Command) error {
 	logger := c.cli.Logger()
 	eventBus := c.cli.EventBus()
diff --git a/pkg/agent/commands/augment.go b/pkg/agent/commands/augment.go
@@ -99,9 +99,6 @@ func (c *augmentCommand) HandleCommand(cmd messenger.Command) (string, error) {
 
 	js := string(j)
 	c.cache.Set(cmd.Context.UniqueString(), js, ttlcache.DefaultTTL)
-	if cmd.Context.PID == 25085 {
-		fmt.Printf("%d %s\n", cmd.Context.PID, js)
-	}
 	logger.V(2).Info("augmentation response cached")
 
 	return js, nil
diff --git a/pkg/config/agent.go b/pkg/config/agent.go
@@ -30,6 +30,7 @@ import (
 const (
 	DefaultTrustDomain     = "camblet"
 	DefaultCertTTLDuration = time.Hour * 24
+	DefaultCAPEMPath       = "/etc/camblet/ca.pem"
 )
 
 var (

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`agent:`
	`2`	`+ caPEMPath: /tmp/ca.pem`
`2`	`3`	`trustDomain: acme.corp`
`3`	`4`	`defaultCertTTL: 2h`
`4`	`5`	`metadataCollectors:`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ import (`
`30`	`30`	`const (`
`31`	`31`	`DefaultTrustDomain = "camblet"`
`32`	`32`	`DefaultCertTTLDuration = time.Hour * 24`
	`33`	`+ DefaultCAPEMPath = "/etc/camblet/ca.pem"`
`33`	`34`	`)`
`34`	`35`
`35`	`36`	`var (`