Add back the ability to specify IP for nebula create-cert

This commit is contained in:
Brian Picciano 2024-07-14 14:43:17 +02:00
parent 0f42d9367c
commit 5de93e3711
3 changed files with 35 additions and 5 deletions


@ -6,6 +6,7 @@ import (
"isle/daemon" "isle/daemon"
"isle/jsonutil" "isle/jsonutil"
"isle/nebula" "isle/nebula"
"net/netip"
"os" "os"
) )
@ -16,6 +17,7 @@ var subCmdNebulaCreateCert = subCmd{
var ( var (
flags = subCmdCtx.flagSet(false) flags = subCmdCtx.flagSet(false)
hostName nebula.HostName hostName nebula.HostName
ip netip.Addr
) )
hostNameF := flags.VarPF( hostNameF := flags.VarPF(
@ -29,6 +31,12 @@ var subCmdNebulaCreateCert = subCmd{
`Path to PEM file containing public key which will be embedded in the cert.`, `Path to PEM file containing public key which will be embedded in the cert.`,
) )
flags.Var(
textUnmarshalerFlag{&ip},
"ip",
"IP address to create a cert for. If this is not given then the IP associated with the host via its `hosts create` call will be used",
)
if err := flags.Parse(subCmdCtx.args); err != nil { if err := flags.Parse(subCmdCtx.args); err != nil {
return fmt.Errorf("parsing flags: %w", err) return fmt.Errorf("parsing flags: %w", err)
} }
@ -55,6 +63,9 @@ var subCmdNebulaCreateCert = subCmd{
daemon.CreateNebulaCertificateRequest{ daemon.CreateNebulaCertificateRequest{
HostName: hostName, HostName: hostName,
HostEncryptingPublicKey: hostPub, HostEncryptingPublicKey: hostPub,
Opts: daemon.CreateNebulaCertificateOpts{
IP: ip,
},
}, },
) )
if err != nil { if err != nil {
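Review bot: The usage string for the new `ip` flag at L31 wraps `hosts create` in backquotes, and both the standard `flag` package and spf13/pflag (which the `flags.VarPF` call above suggests is in use) treat the first backquoted token of a usage string as the flag's value placeholder via UnquoteUsage, so the help output would render as `--ip hosts create` with the quotes stripped. Use plain quotes instead: `"IP address to create a cert for. If this is not given then the IP associated with the host via its 'hosts create' call will be used",`. It may also be worth saying in the same string that a bare address is expected, since netip.Addr's UnmarshalText rejects prefix notation such as `10.0.0.1/24`. The subCmd literal these hunks belong to starts and ends outside them.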


@ -29,6 +29,18 @@ type CreateHostOpts struct {
CanCreateHosts bool CanCreateHosts bool
} }
// CreateNebulaCertificateOpts are optional parameters to the
// CreateNebulaCertificate method.
type CreateNebulaCertificateOpts struct {
// IP, if given will be used for the host's IP in the created cert. If this
// is given then it is not required that the host have an entry in garage.
//
// TODO once `hosts create` automatically adds the host to garage this can
// be removed.
IP netip.Addr
}
// Daemon presents all functionality required for client frontends to interact // Daemon presents all functionality required for client frontends to interact
// with isle, typically via the unix socket. // with isle, typically via the unix socket.
type Daemon interface { type Daemon interface {
@ -87,6 +99,7 @@ type Daemon interface {
ctx context.Context, ctx context.Context,
hostName nebula.HostName, hostName nebula.HostName,
hostPubKey nebula.EncryptingPublicKey, hostPubKey nebula.EncryptingPublicKey,
opts CreateNebulaCertificateOpts,
) ( ) (
nebula.Certificate, error, nebula.Certificate, error,
) )
@ -735,6 +748,7 @@ func (d *daemon) CreateNebulaCertificate(
ctx context.Context, ctx context.Context,
hostName nebula.HostName, hostName nebula.HostName,
hostPubKey nebula.EncryptingPublicKey, hostPubKey nebula.EncryptingPublicKey,
opts CreateNebulaCertificateOpts,
) ( ) (
nebula.Certificate, error, nebula.Certificate, error,
) { ) {
@ -743,10 +757,14 @@ func (d *daemon) CreateNebulaCertificate(
) ( ) (
nebula.Certificate, error, nebula.Certificate, error,
) { ) {
ip := opts.IP
if ip == (netip.Addr{}) {
host, ok := currBootstrap.Hosts[hostName] host, ok := currBootstrap.Hosts[hostName]
if !ok { if !ok {
return nebula.Certificate{}, ErrHostNotFound return nebula.Certificate{}, ErrHostNotFound
} }
ip = host.IP()
}
caSigningPrivateKey, err := getNebulaCASigningPrivateKey( caSigningPrivateKey, err := getNebulaCASigningPrivateKey(
ctx, d.secretsStore, ctx, d.secretsStore,
@ -757,7 +775,7 @@ func (d *daemon) CreateNebulaCertificate(
caCreds := makeCACreds(currBootstrap, caSigningPrivateKey) caCreds := makeCACreds(currBootstrap, caSigningPrivateKey)
return nebula.NewHostCert(caCreds, hostPubKey, hostName, host.IP()) return nebula.NewHostCert(caCreds, hostPubKey, hostName, ip)
}) })
} }
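Review bot: When `opts.IP` is set, the new branch at L85–L92 skips the bootstrap lookup entirely, so any RPC client can have the daemon sign a cert binding `hostName` to an arbitrary address, including one that `currBootstrap.Hosts` already assigns to a different host; nothing in this hunk checks the supplied address against existing hosts or against the network's range. The comment on `CreateNebulaCertificateOpts.IP` makes the missing-entry case intentional for now, but the collision case should still be rejected here, since the daemon is the trust boundary for signing. I'd also write the zero check as `!ip.IsValid()` rather than comparing against `netip.Addr{}`, which is the idiomatic test for netip.Addr, and add a range check against the network CIDR if the bootstrap exposes one (I can't see that from here; the fence assumes `fmt` is imported in this file). CreateNebulaCertificate begins before the first hunk and the closure in the last hunk continues past it.
```go
ip := opts.IP
if !ip.IsValid() {
	host, ok := currBootstrap.Hosts[hostName]
	if !ok {
		return nebula.Certificate{}, ErrHostNotFound
	}
	ip = host.IP()
} else {
	// An explicitly requested IP must not collide with one already
	// assigned to a different host in the current bootstrap.
	for otherName, other := range currBootstrap.Hosts {
		if otherName != hostName && other.IP() == ip {
			return nebula.Certificate{}, fmt.Errorf(
				"ip %v is already assigned to host %v", ip, otherName,
			)
		}
	}
}
// … unchanged: CA signing key lookup and NewHostCert call …
```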


@ -163,6 +163,7 @@ func (r *RPC) CreateHost(
type CreateNebulaCertificateRequest struct { type CreateNebulaCertificateRequest struct {
HostName nebula.HostName HostName nebula.HostName
HostEncryptingPublicKey nebula.EncryptingPublicKey HostEncryptingPublicKey nebula.EncryptingPublicKey
Opts CreateNebulaCertificateOpts
} }
// CreateNebulaCertificateResult wraps the results from the // CreateNebulaCertificateResult wraps the results from the
@ -179,7 +180,7 @@ func (r *RPC) CreateNebulaCertificate(
CreateNebulaCertificateResult, error, CreateNebulaCertificateResult, error,
) { ) {
cert, err := r.daemon.CreateNebulaCertificate( cert, err := r.daemon.CreateNebulaCertificate(
ctx, req.HostName, req.HostEncryptingPublicKey, ctx, req.HostName, req.HostEncryptingPublicKey, req.Opts,
) )
if err != nil { if err != nil {
return CreateNebulaCertificateResult{}, err return CreateNebulaCertificateResult{}, err
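Review bot: The new `Opts` field on `CreateNebulaCertificateRequest` at L107 has no comment even though the request type is part of the RPC surface, so a client reading it cannot tell that leaving `Opts.IP` unset falls back to the host's bootstrap address. Suggest `// Opts holds optional parameters; a zero Opts.IP means the address from the host's bootstrap entry is used.` above the field. Since netip.Addr implements TextMarshaler/TextUnmarshaler, the zero value round-trips as an empty string through JSON and still hits the daemon's zero check, which is worth pinning with a small encode/decode test in this package. The enclosing CreateNebulaCertificate method starts before the second hunk.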