m/n/core: only run debug service in debug build
This excludes the debug service from non-debug builds as it exposes a
bunch of unauthenticated interfaces for debugging to the world.
The Kubernetes tests were the last user of this service but getting
Kubernetes credentials is now handled by an authenticated production
service (the authproxy).
Some parts of the debug service functionality, namely GetLogs, will also
be needed outside of debug builds, but nothing depends on their
availability, so we can do this right away.
Change-Id: I5ba3d2853c69ae295d6224b359b36c160b58c430
Reviewed-on: https://review.monogon.dev/c/monogon/+/552
Reviewed-by: Sergiusz Bazanski <serge@monogon.tech>
diff --git a/metropolis/node/core/main.go b/metropolis/node/core/main.go
index 6528ab5..3254f2b 100644
--- a/metropolis/node/core/main.go
+++ b/metropolis/node/core/main.go
@@ -20,14 +20,11 @@
"context"
"fmt"
"io"
- "net"
"os"
"runtime/debug"
"golang.org/x/sys/unix"
- "google.golang.org/grpc"
- common "source.monogon.dev/metropolis/node"
"source.monogon.dev/metropolis/node/core/cluster"
"source.monogon.dev/metropolis/node/core/localstorage"
"source.monogon.dev/metropolis/node/core/localstorage/declarative"
@@ -38,7 +35,6 @@
"source.monogon.dev/metropolis/pkg/logtree"
"source.monogon.dev/metropolis/pkg/supervisor"
"source.monogon.dev/metropolis/pkg/tpm"
- apb "source.monogon.dev/metropolis/proto/api"
)
func main() {
@@ -170,22 +166,8 @@
return fmt.Errorf("when starting enrolment: %w", err)
}
- // Start the node debug service.
- supervisor.Logger(ctx).Infof("Starting debug service...")
- dbg := &debugService{
- roleserve: rs,
- logtree: lt,
- traceLock: make(chan struct{}, 1),
- ephemeralVolume: &root.Ephemeral.Containerd,
- }
- dbgSrv := grpc.NewServer()
- apb.RegisterNodeDebugServiceServer(dbgSrv, dbg)
- dbgLis, err := net.Listen("tcp", fmt.Sprintf(":%d", common.DebugServicePort))
- if err != nil {
- return fmt.Errorf("failed to listen on debug service: %w", err)
- }
- if err := supervisor.Run(ctx, "debug", supervisor.GRPCServer(dbgSrv, dbgLis, false)); err != nil {
- return fmt.Errorf("failed to start debug service: %w", err)
+ if err := runDebugService(ctx, rs, lt, root); err != nil {
+ return fmt.Errorf("when starting debug service: %w", err)
}
supervisor.Signal(ctx, supervisor.SignalHealthy)
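Review bot: The call to `runDebugService(ctx, rs, lt, root)` in main is now unconditional and the old explanatory comment is gone, so nothing at this call site tells a reader that the unauthenticated debug listener is meant to exist only in debug builds. I would add a comment above the call, such as `// Start the node debug service; expected to be a no-op outside debug builds, which must not expose its unauthenticated interfaces.` The definition of runDebugService is not shown on this page, so the build selection presumably lives in separate files. It is worth confirming that a default build with no debug flag picks the stub, so that a misconfigured build fails closed instead of listening on the debug port. The body of main starts and ends outside this hunk.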