Fix default garage ports not being used in 'storage add'

go/cmd/entrypoint/main_test.go

@@ -97,9 +97,7 @@ func (h *runHarness) runAssertErrorContains(
 	t *testing.T, want string, args ...string,
 ) {
 	err := h.run(t, args...)
-	if assert.Error(t, err) {
-		assert.Contains(t, err.Error(), want)
-	}
+	assert.ErrorContains(t, err, want)
 }
 
 func (h *runHarness) assertChangeStaged(

go/cmd/entrypoint/storage_allocation_test.go

@@ -28,6 +28,9 @@ func TestStorageAllocationAdd(t *testing.T) {
 				DataPath:  "foo",
 				MetaPath:  "bar",
 				Capacity:  1,
+				S3APIPort: 3901,
+				RPCPort:   3900,
+				AdminPort: 3902,
 			},
 		},
 		{

go/cmd/entrypoint/vpn_firewall_test.go

@@ -101,7 +101,7 @@ func TestVPNFirewallAdd(t *testing.T) {
 		t.Run(test.name, func(t *testing.T) {
 			var (
 				h      = newRunHarness(t)
-				config daecommon.NetworkConfig
+				config = daecommon.NewNetworkConfig(nil)
 			)
 
 			args := append([]string{"vpn", "firewall", "add"}, test.flags...)
@@ -193,7 +193,7 @@ func TestVPNFirewallCommit(t *testing.T) {
 		t.Run(test.name, func(t *testing.T) {
 			var (
 				h      = newRunHarness(t)
-				config daecommon.NetworkConfig
+				config = daecommon.NewNetworkConfig(nil)
 			)
 
 			args := []string{"vpn", "firewall", "commit"}

go/daemon/daecommon/config.go

@@ -2,6 +2,7 @@ package daecommon
 
 import (
 	"bytes"
+	"encoding/json"
 	"fmt"
 	"io"
 	"isle/bootstrap"
@@ -70,11 +71,7 @@ type ConfigFirewallRule struct {
 	Code   string   `yaml:"code,omitempty"`
 	Proto  string   `yaml:"proto,omitempty"`
 	Host   string   `yaml:"host,omitempty"`
-	Group  string   `yaml:"group,omitempty"`
 	Groups []string `yaml:"groups,omitempty"`
-	CIDR   string   `yaml:"cidr,omitempty"`
-	CASha  string   `yaml:"ca_sha,omitempty"`
-	CAName string   `yaml:"ca_name,omitempty"`
 }
 
 // ConfigStorageAllocation describes the structure of each storage allocation
@@ -186,7 +183,19 @@ func (c NetworkConfig) Validate() error {
 func (c *NetworkConfig) UnmarshalYAML(n *yaml.Node) error {
 	type wrap NetworkConfig
 	if err := n.Decode((*wrap)(c)); err != nil {
-		return fmt.Errorf("decoding into %T: %w", c, err)
+		return fmt.Errorf("yaml decoding into %T: %w", c, err)
+	}
+
+	c.fillDefaults()
+	return nil
+}
+
+// UnmarshalJSON implements the json.Unmarshaler interface. It will attempt to
+// fill in default values where it can.
+func (c *NetworkConfig) UnmarshalJSON(b []byte) error {
+	type wrap NetworkConfig
+	if err := json.Unmarshal(b, (*wrap)(c)); err != nil {
+		return fmt.Errorf("json decoding into %T: %w", c, err)
 	}
 
 	c.fillDefaults()
@@ -263,7 +272,18 @@ func (c *Config) UnmarshalYAML(n *yaml.Node) error {
 
 	type wrap Config
 	if err := n.Decode((*wrap)(c)); err != nil {
-		return fmt.Errorf("yaml unmarshaling back into Config struct: %w", err)
+		return fmt.Errorf("yaml decoding into %T: %w", c, err)
+	}
+
+	return c.Validate()
+}
+
+// UnmarshalJSON implements the json.Unmarshaler interface. It will attempt to
+// fill in default values where it can.
+func (c *Config) UnmarshalJSON(b []byte) error {
+	type wrap Config
+	if err := json.Unmarshal(b, (*wrap)(c)); err != nil {
+		return fmt.Errorf("json decoding into %T: %w", c, err)
 	}
 
 	return c.Validate()

tasks/bugs/set-config-dont-commit-new-config-on-err.md

@@ -0,0 +1,8 @@
+---
+type: task
+---
+
+When SetConfig is called, but ends up erroring, the new config should not end up
+getting stored in the state directory.
+
+This could be tricky if the reload call succeeds but the postInit fails.

tasks/soon/docs/clarify-firewalls.md

@@ -0,0 +1,12 @@
+---
+type: task
+---
+
+The Firewalls doc page should be extra clear that adding the line
+
+```
+-A INPUT --source <network CIDR> --jump ACCEPT
+```
+
+will not expose the host to the network entirely, as the nebula firewall will
+still block all traffic by default.