fix: add special-case flag to store certs when frontend_tls configuration includes certificate entries

Author: AshishNaware

jobs/tcp_router/templates/pre-start.erb

@@ -1,5 +1,5 @@
 #!/bin/bash -e
 
 <% if spec.bootstrap == true %>
-/var/vcap/packages/tcp_router/bin/config-validator -config /var/vcap/jobs/tcp_router/config/tcp_router.yml
+/var/vcap/packages/tcp_router/bin/config-validator -config /var/vcap/jobs/tcp_router/config/tcp_router.yml -enable-cert-creation true
 <% end %>

src/code.cloudfoundry.org/cf-tcp-router/cmd/cf-tcp-router/main.go

@@ -76,6 +76,12 @@ var configFile = flag.String(
 	"The Router configurer yml config.",
 )
 
+var enableCertCreation = flag.Bool(
+	"enable-cert-creation",
+	false,
+	"Parse certs and keys from tcp_router.yml and store them",
+)
+
 var routingGroupCheckExit = flag.Bool(
 	"routingGroupCheckExit",
 	false,
@@ -152,7 +158,7 @@ func main() {
 
 	initializeDropsonde(logger)
 
-	cfg, err := config.New(*configFile)
+	cfg, err := config.New(*configFile, *enableCertCreation)
 	if err != nil {
 		logger.Error("failed-to-unmarshal-config-file", err)
 		os.Exit(1)

src/code.cloudfoundry.org/cf-tcp-router/cmd/config-validator/main.go

@@ -8,14 +8,19 @@ import (
 )
 
 var (
-	configFile string
+	configFile         string
+	enableCertCreation bool
 )
 
 func main() {
 	flag.StringVar(&configFile, "config", "", "Configuration File")
+
+	// enableCertCreation is a special-case flag that allows the TCP router to generate
+	// certificates and keys when frontend_tls certificates are defined in tcp_router.yml
+	flag.BoolVar(&enableCertCreation, "enable-cert-creation", false, "Enables creation certs and keys")
 	flag.Parse()
 
-	_, err := config.New(configFile)
+	_, err := config.New(configFile, enableCertCreation)
 	if err != nil {
 		log.Fatal("failed-to-load-config: ", err)
 	}

src/code.cloudfoundry.org/cf-tcp-router/config/config.go

@@ -12,7 +12,6 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
-	"syscall"
 	"time"
 
 	"gopkg.in/yaml.v3"
@@ -70,9 +69,9 @@ type Config struct {
 
 const DrainWaitDefault = 20 * time.Second
 
-func New(path string) (*Config, error) {
+func New(path string, enableCertCreation bool) (*Config, error) {
 	c := &Config{}
-	err := c.initConfigFromFile(path)
+	err := c.initConfigFromFile(path, enableCertCreation)
 	if err != nil {
 		return nil, err
 	}
@@ -103,7 +102,7 @@ func resolveGroupID(primary, fallback string) (int, error) {
 	return gid, nil
 }
 
-func (c *Config) initConfigFromFile(path string) error {
+func (c *Config) initConfigFromFile(path string, enableCertCreation bool) error {
 	b, err := os.ReadFile(path)
 	if err != nil {
 		return err
@@ -121,22 +120,21 @@ func (c *Config) initConfigFromFile(path string) error {
 		c.DrainWaitDuration = DrainWaitDefault
 	}
 
-	owner, err := user.Lookup("root")
-	if err != nil {
-		return err
-	}
-
-	uid, err := strconv.Atoi(owner.Uid)
-	if err != nil {
-		return err
-	}
+	if enableCertCreation && len(c.FrontendTLSJob) > 0 {
+		owner, err := user.Lookup("root")
+		if err != nil {
+			return err
+		}
 
-	gid, err := resolveGroupID("vcap", "root")
-	if err != nil {
-		return err
-	}
+		uid, err := strconv.Atoi(owner.Uid)
+		if err != nil {
+			return err
+		}
 
-	if len(c.FrontendTLSJob) > 0 {
+		gid, err := resolveGroupID("vcap", "root")
+		if err != nil {
+			return err
+		}
 		var outputs []FrontendTLSConfig
 		basePath := c.FrontendTLSJobBasePath()
 		for i, cert := range c.FrontendTLSJob {
@@ -165,9 +163,7 @@ func (c *Config) initConfigFromFile(path string) error {
 
 			dirPath := filepath.Join(basePath, name)
 			if err := os.MkdirAll(dirPath, 0750); err != nil {
-				if !(isReadOnlyFS(err) || isPermissionDenied(err)) {
-					return err
-				}
+				return err
 			}
 
 			certFilePath := filepath.Join(dirPath, fmt.Sprintf("%s.pem", name))
@@ -280,36 +276,14 @@ func certHasSAN(cert *x509.Certificate) bool {
 	return hasSANExtension || hasDNSEntries
 }
 
-// writeFile writes data to the given path with the specified file mode and ownership.
-//
-// this function is accessed from:
-//  1. prestart errand which has the necessary privs and is responsible for creating the files
-//  2. tcp_router_ctl which doesn't have the necessary privs but also invokes this function
-//     and so can be safely skipped
 func writeFile(path string, data []byte, mode os.FileMode, uid, gid int) error {
 	if err := os.WriteFile(path, data, mode); err != nil {
-		if isReadOnlyFS(err) || isPermissionDenied(err) {
-			return nil
-		}
 		return err
 	}
 
 	if err := os.Chown(path, uid, gid); err != nil {
-		if isReadOnlyFS(err) || isPermissionDenied(err) {
-			return nil
-		}
 		return err
 	}
 
 	return nil
 }
-
-func isReadOnlyFS(err error) bool {
-	return errors.Is(err, syscall.EROFS)
-}
-
-func isPermissionDenied(err error) bool {
-	return errors.Is(err, syscall.EPERM) ||
-		errors.Is(err, syscall.EACCES) ||
-		errors.Is(err, os.ErrPermission)
-}

src/code.cloudfoundry.org/cf-tcp-router/config/config_test.go

@@ -93,7 +93,7 @@ var _ = Describe("Config", Serial, func() {
 					ClientCertAndKeyPath: certAndKeyFile,
 				},
 			}
-			cfg, err := config.New("fixtures/valid_config.yml")
+			cfg, err := config.New("fixtures/valid_config.yml", false)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(*cfg).To(Equal(expectedCfg))
 		})
@@ -102,13 +102,13 @@ var _ = Describe("Config", Serial, func() {
 	Context("when given an invalid config", func() {
 		Context("non existing config", func() {
 			It("return error", func() {
-				_, err := config.New("fixtures/non_existing_config.yml")
+				_, err := config.New("fixtures/non_existing_config.yml", false)
 				Expect(err).To(HaveOccurred())
 			})
 		})
 		Context("malformed YAML config", func() {
 			It("return error", func() {
-				_, err := config.New("fixtures/malformed_config.yml")
+				_, err := config.New("fixtures/malformed_config.yml", false)
 				Expect(err).To(HaveOccurred())
 			})
 		})
@@ -118,23 +118,23 @@ var _ = Describe("Config", Serial, func() {
 		Context("is enabled", func() {
 			Context("when the CA path is not a valid CA", func() {
 				It("returns an error", func() {
-					_, err := config.New("fixtures/bad_ca_config.yml")
+					_, err := config.New("fixtures/bad_ca_config.yml", false)
 					Expect(err).To(HaveOccurred())
 					Expect(err.Error()).To(ContainSubstring("Invalid PEM block found in file"))
 				})
 			})
 
 			Context("when the Client Cert/key pair are not valid", func() {
 				It("returns an error", func() {
-					_, err := config.New("fixtures/bad_client_cert_config.yml")
+					_, err := config.New("fixtures/bad_client_cert_config.yml", false)
 					Expect(err).To(HaveOccurred())
 					Expect(err.Error()).To(ContainSubstring("Invalid PEM CERTIFICATE found in file"))
 				})
 			})
 
 			Context("when the Client Cert/key pair are mismatched", func() {
 				It("returns an error", func() {
-					_, err := config.New("fixtures/mismatched_client_cert_config.yml")
+					_, err := config.New("fixtures/mismatched_client_cert_config.yml", false)
 					Expect(err).To(HaveOccurred())
 					Expect(err.Error()).To(ContainSubstring("Unable to validate backend TLS client cert + key in file"))
 					Expect(err.Error()).To(ContainSubstring("tls: private key does not match public key"))
@@ -143,7 +143,7 @@ var _ = Describe("Config", Serial, func() {
 
 			Context("when CA path is not specified", func() {
 				It("returns an error", func() {
-					_, err := config.New("fixtures/no_ca.yml")
+					_, err := config.New("fixtures/no_ca.yml", false)
 					Expect(err).To(HaveOccurred())
 					Expect(err.Error()).To(ContainSubstring("Backend TLS was enabled but no CA certificates were specified"))
 				})
@@ -152,7 +152,7 @@ var _ = Describe("Config", Serial, func() {
 
 		Context("is disabled", func() {
 			It("does not set any of the backend_tls cert/ca values", func() {
-				cfg, err := config.New("fixtures/disabled_tls.yml")
+				cfg, err := config.New("fixtures/disabled_tls.yml", false)
 				Expect(err).NotTo(HaveOccurred())
 				Expect(cfg.BackendTLS).To(Equal(config.BackendTLSConfig{
 					Enabled: false,
@@ -163,7 +163,7 @@ var _ = Describe("Config", Serial, func() {
 
 	Context("when haproxy pid file is missing", func() {
 		It("return error", func() {
-			_, err := config.New("fixtures/no_haproxy.yml")
+			_, err := config.New("fixtures/no_haproxy.yml", false)
 			Expect(err).To(HaveOccurred())
 		})
 	})
@@ -177,7 +177,7 @@ var _ = Describe("Config", Serial, func() {
 				},
 				HaProxyPidFile: "/path/to/pid/file",
 			}
-			cfg, err := config.New("fixtures/no_oauth.yml")
+			cfg, err := config.New("fixtures/no_oauth.yml", false)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(*cfg).To(Equal(expectedCfg))
 		})
@@ -199,15 +199,15 @@ var _ = Describe("Config", Serial, func() {
 				},
 				HaProxyPidFile: "/path/to/pid/file",
 			}
-			cfg, err := config.New("fixtures/missing_oauth_fields.yml")
+			cfg, err := config.New("fixtures/missing_oauth_fields.yml", false)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(*cfg).To(Equal(expectedCfg))
 		})
 	})
 
 	Context("when drain_wait is a negative number", func() {
 		It("defaults to 20s", func() {
-			cfg, err := config.New("fixtures/negative_drain_wait.yml")
+			cfg, err := config.New("fixtures/negative_drain_wait.yml", false)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(cfg.DrainWaitDuration).To(Equal(20 * time.Second))
 		})
@@ -231,7 +231,7 @@ var _ = Describe("Config", Serial, func() {
 
 		Context("with valid cert and key", func() {
 			BeforeEach(func() {
-				cfg, err = config.New("fixtures/valid_frontend_cert.yml")
+				cfg, err = config.New("fixtures/valid_frontend_cert.yml", true)
 			})
 
 			It("loads config without error", func() {
@@ -274,7 +274,7 @@ var _ = Describe("Config", Serial, func() {
 
 		Context("with invalid cert and key", func() {
 			BeforeEach(func() {
-				cfg, err = config.New("fixtures/valid_frontend_cert.yml")
+				cfg, err = config.New("fixtures/valid_frontend_cert.yml", true)
 			})
 
 			It("loads config without error", func() {
@@ -325,17 +325,17 @@ var _ = Describe("Config", Serial, func() {
 
 		Context("with invalid frontend_tls config", func() {
 			It("should fail if cert_chain is missing SAN information", func() {
-				_, err := config.New("fixtures/frontend_cert_without_san.yml")
+				_, err := config.New("fixtures/frontend_cert_without_san.yml", true)
 				Expect(err).To(HaveOccurred())
 				Expect(err.Error()).To(Equal("frontend_tls[0].cert_chain must include a subjectAltName extension"))
 			})
 			It("should fail if certs or keys are empty", func() {
-				_, err := config.New("fixtures/no_frontend_certs.yml")
+				_, err := config.New("fixtures/no_frontend_certs.yml", true)
 				Expect(err).To(HaveOccurred())
 				Expect(err.Error()).To(Equal("frontend_tls[0] must include name, cert_chain, and private_key"))
 			})
 			It("should fail if cert is invalid", func() {
-				_, err := config.New("fixtures/invalid_frontend_certs.yml")
+				_, err := config.New("fixtures/invalid_frontend_certs.yml", true)
 				Expect(err).To(HaveOccurred())
 				Expect(err.Error()).To(Equal("failed to parse PEM block"))
 			})