Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 5253884d51cb64c1d1afcb2d7b969f7c2b50b302
commit5253884d51cb64c1d1afcb2d7b969f7c2b50b302[log] [tgz]
authorSerge Bazanski <serge@monogon.tech>Wed Aug 11 16:22:41 2021 +0200
committerSergiusz Bazanski <serge@monogon.tech>Thu Aug 19 10:20:55 2021 +0000
tree10a6bf03472e9c14da2515ea7755d74bb3f660e6
parent99f477412a2e701f89f7698be1dd432adcfff17c [diff]
m/pkg/pki: refactor, allow for external certificates

The pki library supported managing certificates in two modes:

 - default, when name != ""
 - volatile/ephemeral, when name == ""

The difference between the two being that default certificates were
fully stored in etcd (key and x509 certificate), while volatile
certificates weren't stored at all. However, both kinds needed private
keys passed to the pki library.

We want to be able to emit certificates without having private keys for
that certificate, so we end up a third mode of operation: 'external
certificates'. These are still stored in etcd, but without any
corresponding private key.

In the future we might actually get rid of ephemeral certificates by
expanding the logic of external certificates to provide a full audit log
and revocation system, instead of matching by Certificate Name. But this
will do for now.

We also use this opportunity to write some simple tests for this
package.

Change-Id: I193f4b147273b0a3981c38d749b43362d3c1b69a
Reviewed-on: https://review.monogon.dev/c/monogon/+/263
Reviewed-by: Mateusz Zalega <mateusz@monogon.tech>
9 files changed
tree: 10a6bf03472e9c14da2515ea7755d74bb3f660e6
  1. build/
  2. intellij/
  3. metropolis/
  4. scripts/
  5. third_party/
  6. .bazelignore
  7. .bazelproject
  8. .bazelrc
  9. .git-ignore-revs
  10. .gitignore
  11. BUILD
  12. LICENSE
  13. README.md
  14. WORKSPACE
README.md

Monogon Monorepo

This is the main repository containing the source code for the Monogon Project.

⚠️ This is pre-release software that happens to be publicly available. Nothing to see here, please move along.

Environment

Our build environment requires a working Podman binary (your distribution should have one).

Usage

Spinning up: scripts/create_container.sh

Spinning down: scripts/destroy_container.sh

Running commands: scripts/run_in_container.sh <...>

Using bazel using a wrapper script: scripts/bin/bazel <...> (add to your local $PATH for convenience)

IntelliJ

This repository is compatible with the IntelliJ Bazel plugin, which enables full autocompletion for external dependencies and generated code. All commands run inside the container, and necessary paths are mapped into the container.

The following steps are necessary:

  • Install Google's Bazel plugin in IntelliJ. On IntelliJ 2020.3 or later, you need to install a beta release of the plugin.

  • Add the absolute path to your ~/.cache/bazel-monogon folder to your idea64.vmoptions (Help → Edit Custom VM Options) and restart IntelliJ:

    -Dbazel.bep.path=/home/leopold/.cache/bazel-monogon

  • Set "Bazel Binary Location" in Other Settings → Bazel Settings to the absolute path of scripts/bin/bazel. This is a wrapper that will execute Bazel inside the container.

  • Use File → Import Bazel project... to create a new project from .bazelproject.

After running the first sync, everything should now resolve in the IDE, including generated code.

Metropolis

Run a single node cluster

Launch the node:

scripts/bin/bazel run //:launch

Run a kubectl command:

scripts/bin/bazel run //metropolis/cli/dbg -- kubectl describe

Run tests:

scripts/bin/bazel test //...