From 51d13c5b3c2c28a5c1b4b190cfaf8f8287495621 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Thu, 15 Feb 2024 10:42:43 -0800 Subject: [PATCH 01/52] add traefik config and update cli --- sidecar/cli/cli.py | 34 ++++++++++++++++++++++++++++++++-- sidecar/dynamic_conf.yaml | 34 ++++++++++++++++++++++++++++++++++ sidecar/traefik.yaml | 22 ++++++++++++++++++++++ 3 files changed, 88 insertions(+), 2 deletions(-) create mode 100644 sidecar/dynamic_conf.yaml create mode 100644 sidecar/traefik.yaml diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index de13f8e..37deff9 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py @@ -43,6 +43,31 @@ def start_helper_sidecar_command( return Command(cmd=cmd, env=env) +def start_traefik_command( + config_path: Path, + identity: int, + root_path: Optional[Path] = None, +): + role = Role(int(identity)) + root_path = root_path or Path(f"tmp/sidecar/{role.value}") + if role == Role.COORDINATOR: + base_domain = "coordinator.ipa-helper.dev" + else: + base_domain = f"helper{role.value}.ipa-helper.dev" + cert_path = config_path / Path("cert.pem") + key_path = config_path / Path("key.pem") + + env = { + **os.environ, + "BASE_DOMAIN": base_domain, + "CERT_PATH": cert_path, + "KEY_PATH": key_path, + "DYNAMIC_CONF_PATH": Path("sidecar/dynamic_conf.yaml"), + } + cmd = "./traefik --configFile=sidecar/traefik.yaml" + return Command(cmd=cmd, env=env) + + @cli.command @click.option( "--config_path", @@ -57,12 +82,17 @@ def start_helper_sidecar( root_path: Optional[Path], identity: int, ): - command = start_helper_sidecar_command( + sidecar_command = start_helper_sidecar_command( + config_path, + identity, + root_path, + ) + traefik_command = start_traefik_command( config_path, identity, root_path, ) - command.run_blocking_no_output_capture() + start_commands_parallel([sidecar_command, traefik_command]) @cli.command diff --git a/sidecar/dynamic_conf.yaml b/sidecar/dynamic_conf.yaml new file mode 100644 index 0000000..f71c4b0 --- /dev/null 
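Review bot: `root_path` is recomputed in the new `start_traefik_command` (`root_path = root_path or Path(f"tmp/sidecar/{role.value}")`) and never read again, so both the parameter and the assignment are dead in this hunk; either use it or drop it, and since `start_helper_sidecar_command` derives the same default, a shared helper would keep the two in step. The env dict also carries `Path` objects for `CERT_PATH`, `KEY_PATH` and `DYNAMIC_CONF_PATH`; `os.environ` itself only holds strings, so unless `Command` stringifies values, `str(cert_path)` is the safer form. Nothing checks that `cert.pem`/`key.pem` exist under `config_path` before the proxy is launched, so a missing file surfaces only as a proxy startup failure; a short docstring naming the two files this function expects would help.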
+++ b/sidecar/dynamic_conf.yaml @@ -0,0 +1,34 @@ +# dynamic_conf.yaml +tls: + options: + default: + minVersion: VersionTLS12 + cipherSuites: + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + +http: + routers: + service1: + rule: "Host(`${BASE_DOMAIN}`)" + service: "service1" + entryPoints: + - "web-secure" + tls: + options: "default" + service2: + rule: "Host(`ipa.${BASE_DOMAIN}`)" + service: "service2" + entryPoints: + - "web-secure" + tls: + options: "default" + + services: + service1: + loadBalancer: + servers: + - url: "http://localhost:17340" + service2: + loadBalancer: + servers: + - url: "http://localhost:17341" diff --git a/sidecar/traefik.yaml b/sidecar/traefik.yaml new file mode 100644 index 0000000..9437d06 --- /dev/null +++ b/sidecar/traefik.yaml @@ -0,0 +1,22 @@ +# traefik.yaml +entryPoints: + web: + address: ":80" + web-secure: + address: ":443" + http: + tls: + certificateStore: + default: "default" + +providers: + file: + filename: "${DYNAMIC_CONF_PATH}" + watch: true + +tls: + stores: + default: + defaultCertificate: + certFile: "${CERT_PATH}" + keyFile: "${KEY_PATH}" From ff09d45954c3efb965d2b0935b208c5f073fdd5b Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Thu, 15 Feb 2024 11:54:51 -0800 Subject: [PATCH 02/52] cannot use env variables in traefik.yaml, use static config env variables instead --- sidecar/cli/cli.py | 6 +++--- sidecar/traefik.yaml | 16 ---------------- 2 files changed, 3 insertions(+), 19 deletions(-) diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index 37deff9..ae2b717 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py 
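Review bot: The `cipherSuites` list under `tls.options.default` pins a single RSA suite (`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`), which only applies to TLS 1.2 handshakes and only works if `cert.pem` carries an RSA key; the helper certificates in this repo's `network.toml` are EC (`helpers.py` asserts `EllipticCurvePublicKey`), so if `cert.pem` is EC as well, TLS 1.2 clients will find no usable suite. Either add the ECDSA counterpart (`- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`) or raise `minVersion` to `VersionTLS13`, where the suite list is not consulted. A one-line comment above the list stating the key type it assumes would spare the next reader the same check.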
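Review bot: The `web` entrypoint on `:80` is opened but no router in `dynamic_conf.yaml` binds to it, so the plaintext port answers everything with 404 and otherwise serves no purpose. Either remove the entrypoint or give it an `http.redirections.entryPoint` block with `to: web-secure` and `scheme: https`, so a client that lands on plain HTTP is moved to TLS rather than left talking to an open plaintext listener.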
@@ -60,9 +60,9 @@ def start_traefik_command( env = { **os.environ, "BASE_DOMAIN": base_domain, - "CERT_PATH": cert_path, - "KEY_PATH": key_path, - "DYNAMIC_CONF_PATH": Path("sidecar/dynamic_conf.yaml"), + "TRAEFIK_PROVIDERS_HTTP_TLS_CERT": cert_path, + "TRAEFIK_PROVIDERS_HTTP_TLS_KEY": key_path, + "TRAEFIK_PROVIDERS_FILE_FILENAME": Path("sidecar/dynamic_conf.yaml"), } cmd = "./traefik --configFile=sidecar/traefik.yaml" return Command(cmd=cmd, env=env) diff --git a/sidecar/traefik.yaml b/sidecar/traefik.yaml index 9437d06..254a983 100644 --- a/sidecar/traefik.yaml +++ b/sidecar/traefik.yaml @@ -4,19 +4,3 @@ entryPoints: address: ":80" web-secure: address: ":443" - http: - tls: - certificateStore: - default: "default" - -providers: - file: - filename: "${DYNAMIC_CONF_PATH}" - watch: true - -tls: - stores: - default: - defaultCertificate: - certFile: "${CERT_PATH}" - keyFile: "${KEY_PATH}" From 512dd3051851c8847545c18a6ef91fe57f609059 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Thu, 15 Feb 2024 11:59:25 -0800 Subject: [PATCH 03/52] must call traefik with sudo to run on these ports --- sidecar/cli/cli.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index ae2b717..686ee43 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py @@ -64,7 +64,7 @@ def start_traefik_command( "TRAEFIK_PROVIDERS_HTTP_TLS_KEY": key_path, "TRAEFIK_PROVIDERS_FILE_FILENAME": Path("sidecar/dynamic_conf.yaml"), } - cmd = "./traefik --configFile=sidecar/traefik.yaml" + cmd = "sudo ./traefik --configFile=sidecar/traefik.yaml" return Command(cmd=cmd, env=env) From ce75e4c9bd33b204d429aa4a87232eccefcf5172 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Thu, 15 Feb 2024 12:42:59 -0800 Subject: [PATCH 04/52] use traefik cli args instead of env for key/cert --- sidecar/cli/cli.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index 686ee43..29e01d9 100644 
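Review bot: `TRAEFIK_PROVIDERS_HTTP_TLS_CERT` and `TRAEFIK_PROVIDERS_HTTP_TLS_KEY` map to `providers.http.tls.cert`/`.key`, which as far as I know configure the client certificate Traefik presents when fetching dynamic configuration from an HTTP provider, not the certificate it serves on `web-secure`; the serving certificate belongs in the dynamic file under `tls.certificates` (`certFile`/`keyFile`) or `tls.stores.default.defaultCertificate`. If these variables are kept, add a comment on the `env` block naming the Traefik option each one is meant to set so the mismatch is visible.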
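Review bot: Prefixing the command with `sudo` discards the `env` dict built just above unless sudoers grants `env_keep` or `setenv` for these names, because sudo's default `env_reset` strips the caller's environment; `BASE_DOMAIN` and the `TRAEFIK_*` variables will not reach the proxy as written. Running the proxy as root only to bind 80/443 is also more privilege than it needs; granting the binary `cap_net_bind_service` (`setcap 'cap_net_bind_service=+ep' ./traefik`) or binding unprivileged ports behind a port map keeps it unprivileged. If sudo stays, pass the variables explicitly (`sudo env BASE_DOMAIN=... ./traefik ...`) or record the sudoers requirement in a comment on the `cmd` line.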
--- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py @@ -64,7 +64,10 @@ def start_traefik_command( "TRAEFIK_PROVIDERS_HTTP_TLS_KEY": key_path, "TRAEFIK_PROVIDERS_FILE_FILENAME": Path("sidecar/dynamic_conf.yaml"), } - cmd = "sudo ./traefik --configFile=sidecar/traefik.yaml" + cmd = ( + f"sudo ./traefik --configFile=sidecar/traefik.yaml" + f" --cert={cert_path} --key={key_path}" + ) return Command(cmd=cmd, env=env) From 01eab142e8bad58725d0bd8a8cf20f4e4b88ee55 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Thu, 15 Feb 2024 12:55:54 -0800 Subject: [PATCH 05/52] move key/cert into dynamic_conf --- sidecar/cli/cli.py | 9 +++------ sidecar/dynamic_conf.yaml | 6 ++++-- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index 29e01d9..ec4c06d 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py @@ -60,14 +60,11 @@ def start_traefik_command( env = { **os.environ, "BASE_DOMAIN": base_domain, - "TRAEFIK_PROVIDERS_HTTP_TLS_CERT": cert_path, - "TRAEFIK_PROVIDERS_HTTP_TLS_KEY": key_path, "TRAEFIK_PROVIDERS_FILE_FILENAME": Path("sidecar/dynamic_conf.yaml"), + "CERT_PATH": cert_path, + "KEY_PATH": key_path, } - cmd = ( - f"sudo ./traefik --configFile=sidecar/traefik.yaml" - f" --cert={cert_path} --key={key_path}" - ) + cmd = "sudo ./traefik --configFile=sidecar/traefik.yaml" return Command(cmd=cmd, env=env) diff --git a/sidecar/dynamic_conf.yaml b/sidecar/dynamic_conf.yaml index f71c4b0..06cbeb1 100644 --- a/sidecar/dynamic_conf.yaml +++ b/sidecar/dynamic_conf.yaml @@ -14,14 +14,16 @@ http: entryPoints: - "web-secure" tls: - options: "default" + cert: "${CERT_PATH}" + key: "${KEY_PATH}" service2: rule: "Host(`ipa.${BASE_DOMAIN}`)" service: "service2" entryPoints: - "web-secure" tls: - options: "default" + cert: "${CERT_PATH}" + key: "${KEY_PATH}" services: service1: From da0e50197e21aab5865e498c3345456b8863e1ae Mon Sep 17 00:00:00 2001 
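Review bot: Interpolating `cert_path` and `key_path` straight into the command string means a config directory containing whitespace or shell metacharacters is split or interpreted by whatever `Command` does with the string; `shlex.quote(str(cert_path))` keeps each path a single argument. I also cannot find `--cert`/`--key` among Traefik's static options, so unless `Command` translates them, expect the binary to reject the flags; the file-provider route used earlier in this series is the documented way to hand Traefik a serving certificate.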
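Review bot: `cert:` and `key:` are placed under each router's `tls` block, but the router-level `tls` section I know accepts `options`, `certResolver` and `domains`; a certificate is declared at the top-level `tls.certificates` list (`certFile`/`keyFile`), so these two keys are likely rejected or ignored and the routers still serve whatever default certificate Traefik has. `${CERT_PATH}` is also shell-style expansion, which the file provider does not perform on its own. Keep `options: "default"` on the routers and move the certificate to `tls.certificates`, with a comment noting that the paths come from the launching CLI.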
From: Erik Taubeneck Date: Thu, 15 Feb 2024 14:06:29 -0800 Subject: [PATCH 06/52] use different env formatting --- sidecar/dynamic_conf.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/sidecar/dynamic_conf.yaml b/sidecar/dynamic_conf.yaml index 06cbeb1..df26560 100644 --- a/sidecar/dynamic_conf.yaml +++ b/sidecar/dynamic_conf.yaml @@ -1,5 +1,8 @@ # dynamic_conf.yaml tls: + certificates: + - certFile: "`{{env "CERT_PATH"}}`" + keyFile: "`{{env "KEY_PATH"}}`" options: default: minVersion: VersionTLS12 @@ -9,7 +12,7 @@ tls: http: routers: service1: - rule: "Host(`${BASE_DOMAIN}`)" + rule: "Host(`{{env "BASE_DOMAIN"}}`)" service: "service1" entryPoints: - "web-secure" @@ -17,7 +20,7 @@ http: cert: "${CERT_PATH}" key: "${KEY_PATH}" service2: - rule: "Host(`ipa.${BASE_DOMAIN}`)" + rule: "Host(`ipa.{{env "BASE_DOMAIN"}`)" service: "service2" entryPoints: - "web-secure" From 9ad214054df8bdfd530ebcdbf0c06ad4f57c1cbd Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 11:16:36 -0800 Subject: [PATCH 07/52] move tls config into a file created in cli command --- sidecar/cli/cli.py | 25 ++++++++++++++++--- .../{ => traefik/dynamic}/dynamic_conf.yaml | 4 --- sidecar/{ => traefik}/traefik.yaml | 5 +++- 3 files changed, 25 insertions(+), 9 deletions(-) rename sidecar/{ => traefik/dynamic}/dynamic_conf.yaml (86%) rename sidecar/{ => traefik}/traefik.yaml (54%) diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index ec4c06d..ebae1e2 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py @@ -4,6 +4,7 @@ import click import click_pathlib +import yaml from ..app.command import Command, start_commands_parallel from ..app.helpers import Role, load_helpers_from_network_config 
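Review bot: In the third hunk the `service2` rule closes its template with a single brace — `rule: "Host(`ipa.{{env "BASE_DOMAIN"}`)"` — so the template fails to parse and the whole dynamic file is rejected, taking `service1` down with it; the line should read `rule: "Host(`ipa.{{env "BASE_DOMAIN"}}`)"`. In the first hunk the new `certificates` entry wraps the rendered paths in backticks (`"`{{env "CERT_PATH"}}`"`), which become part of the file name Traefik tries to open; backticks belong only inside `Host(...)`.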
@@ -43,6 +44,23 @@ def start_helper_sidecar_command( return Command(cmd=cmd, env=env) +def create_dynamic_tls_config(cert_path: Path, key_path: Path, config_path: Path): + data = { + "tls": { + "stores": { + "default": { + "defaultCertificate": { + "certFile": str(cert_path.absolute()), + "keyFile": str(key_path.absolute()), + } + } + } + } + } + with config_path.open(mode="w") as f: + yaml.dump(data, f) + + def start_traefik_command( config_path: Path, identity: int, @@ -56,15 +74,14 @@ def start_traefik_command( base_domain = f"helper{role.value}.ipa-helper.dev" cert_path = config_path / Path("cert.pem") key_path = config_path / Path("key.pem") + config_path = Path("sidecar/traefik/dynamic/tls_conf.yaml") + create_dynamic_tls_config(cert_path, key_path, config_path) env = { **os.environ, "BASE_DOMAIN": base_domain, - "TRAEFIK_PROVIDERS_FILE_FILENAME": Path("sidecar/dynamic_conf.yaml"), - "CERT_PATH": cert_path, - "KEY_PATH": key_path, } - cmd = "sudo ./traefik --configFile=sidecar/traefik.yaml" + cmd = "sudo ./traefik --configFile=sidecar/traefik/traefik.yaml" return Command(cmd=cmd, env=env) diff --git a/sidecar/dynamic_conf.yaml b/sidecar/traefik/dynamic/dynamic_conf.yaml similarity index 86% rename from sidecar/dynamic_conf.yaml rename to sidecar/traefik/dynamic/dynamic_conf.yaml index df26560..c987db6 100644 --- a/sidecar/dynamic_conf.yaml +++ b/sidecar/traefik/dynamic/dynamic_conf.yaml @@ -1,8 +1,4 @@ -# dynamic_conf.yaml tls: - certificates: - - certFile: "`{{env "CERT_PATH"}}`" - keyFile: "`{{env "KEY_PATH"}}`" options: default: minVersion: VersionTLS12 diff --git a/sidecar/traefik.yaml b/sidecar/traefik/traefik.yaml similarity index 54% rename from sidecar/traefik.yaml rename to sidecar/traefik/traefik.yaml index 254a983..1281337 100644 --- a/sidecar/traefik.yaml +++ b/sidecar/traefik/traefik.yaml @@ -1,6 +1,9 @@ -# traefik.yaml entryPoints: web: address: ":80" web-secure: address: ":443" + +providers: + file: + directory: "sidecar/traefik/dynamic" 
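Review bot: `config_path` is rebound inside `start_traefik_command` (`config_path = Path("sidecar/traefik/dynamic/tls_conf.yaml")`) right after `cert_path`/`key_path` were derived from it, so the same name means the config directory on one line and a generated file on the next; a separate `tls_config_path` local reads more clearly. That generated path and `providers.file.directory: "sidecar/traefik/dynamic"` in `traefik.yaml` are both relative to the working directory while `create_dynamic_tls_config` writes absolute cert paths, so the command only works when launched from the repository root — worth a comment on the `cmd` line or resolving against `Path(__file__)`. The generated file is also written into the source tree, so it should presumably be ignored by git. `start_traefik_command` begins before this hunk.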
From c23b5cd60278dd6367c098850e3858d45fb89887 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 11:20:31 -0800 Subject: [PATCH 08/52] fix bug in dynamic_config --- sidecar/traefik/dynamic/dynamic_conf.yaml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/sidecar/traefik/dynamic/dynamic_conf.yaml b/sidecar/traefik/dynamic/dynamic_conf.yaml index c987db6..c2f6316 100644 --- a/sidecar/traefik/dynamic/dynamic_conf.yaml +++ b/sidecar/traefik/dynamic/dynamic_conf.yaml @@ -13,17 +13,14 @@ http: entryPoints: - "web-secure" tls: - cert: "${CERT_PATH}" - key: "${KEY_PATH}" + options: "default" service2: rule: "Host(`ipa.{{env "BASE_DOMAIN"}`)" service: "service2" entryPoints: - "web-secure" tls: - cert: "${CERT_PATH}" - key: "${KEY_PATH}" - + options: "default" services: service1: loadBalancer: From f9fa873d75021745e3a8fc275ce9d298b43c89cc Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 11:21:56 -0800 Subject: [PATCH 09/52] fix bug in dynamic_config --- sidecar/traefik/dynamic/dynamic_conf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sidecar/traefik/dynamic/dynamic_conf.yaml b/sidecar/traefik/dynamic/dynamic_conf.yaml index c2f6316..2370953 100644 --- a/sidecar/traefik/dynamic/dynamic_conf.yaml +++ b/sidecar/traefik/dynamic/dynamic_conf.yaml @@ -15,7 +15,7 @@ http: tls: options: "default" service2: - rule: "Host(`ipa.{{env "BASE_DOMAIN"}`)" + rule: "Host(`ipa.{{env "BASE_DOMAIN"}}`)" service: "service2" entryPoints: - "web-secure" From 45512b524826fe5f5743644d7f9aa17124578b07 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 11:27:55 -0800 Subject: [PATCH 10/52] use different env format --- sidecar/traefik/dynamic/dynamic_conf.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sidecar/traefik/dynamic/dynamic_conf.yaml b/sidecar/traefik/dynamic/dynamic_conf.yaml index 2370953..673cd5d 100644 --- a/sidecar/traefik/dynamic/dynamic_conf.yaml 
+++ b/sidecar/traefik/dynamic/dynamic_conf.yaml @@ -8,14 +8,14 @@ tls: http: routers: service1: - rule: "Host(`{{env "BASE_DOMAIN"}}`)" + rule: "Host(`{{ .Env.BASE_DOMAIN }}`)" service: "service1" entryPoints: - "web-secure" tls: options: "default" service2: - rule: "Host(`ipa.{{env "BASE_DOMAIN"}}`)" + rule: "Host(`ipa.{{ .Env.BASE_DOMAIN }}`)" service: "service2" entryPoints: - "web-secure" From 49b785ba41af6598fa4b4076a47730fbe9d1bc1c Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 12:17:59 -0800 Subject: [PATCH 11/52] move dynamic config into cli --- sidecar/cli/cli.py | 73 +++++++++++++++++++++-- sidecar/traefik/dynamic/.nothing | 0 sidecar/traefik/dynamic/dynamic_conf.yaml | 32 ---------- 3 files changed, 68 insertions(+), 37 deletions(-) create mode 100644 sidecar/traefik/dynamic/.nothing delete mode 100644 sidecar/traefik/dynamic/dynamic_conf.yaml diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index ebae1e2..98681e3 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py 
@@ -44,7 +44,52 @@ def start_helper_sidecar_command( return Command(cmd=cmd, env=env) -def create_dynamic_tls_config(cert_path: Path, key_path: Path, config_path: Path): +def create_dynamic_config( + base_domain: str, config_path: Path, sidecar_port=int, ipa_port=int +): + data = { + "tls": { + "options": { + "default": { + "minVersion": "VersionTLS12", + "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"], + } + } + }, + "http": { + "routers": { + "service1": { + "rule": f"Host({base_domain})", + "service": "service1", + "entryPoints": ["web-secure"], + "tls": {"options": "default"}, + }, + "service2": { + "rule": f"Host(ipa.{base_domain})", + "service": "service2", + "entryPoints": ["web-secure"], + "tls": {"options": "default"}, + }, + }, + "services": { + "service1": { + "loadBalancer": { + "servers": [{"url": f"http://localhost:{sidecar_port}"}] + } + }, + "service2": { + "loadBalancer": { + "servers": [{"url": f"http://localhost:{ipa_port}"}] + } + }, + }, + }, + } + with config_path.open(mode="w") as f: + yaml.dump(data, f) + + +def create_tls_config(cert_path: Path, key_path: Path, config_path: Path): data = { "tls": { "stores": { 
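Review bot: `sidecar_port=int, ipa_port=int` in the new `create_dynamic_config` signature assigns the `int` type as a default value instead of annotating the parameters; the intended line is `sidecar_port: int, ipa_port: int,` — as written, a caller that omits either argument bakes `http://localhost:<class 'int'>` into the generated `url`. The same signature line survives unchanged in the later "use adjacent subdomains" hunk, so fix it there too. The `rule` values also drop the backticks the YAML version carried (`Host({base_domain})` rather than `Host(`...`)`), which Traefik's rule syntax requires around the host literal. A short docstring stating that this function overwrites `config_path` with the routing for the two local ports, plus a check that `base_domain` is non-empty before it goes into a rule, would make the function self-describing.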
@@ -64,18 +109,33 @@ def create_dynamic_tls_config(cert_path: Path, key_path: Path, config_path: Path def start_traefik_command( config_path: Path, identity: int, + root_domain: str, root_path: Optional[Path] = None, ): role = Role(int(identity)) root_path = root_path or Path(f"tmp/sidecar/{role.value}") if role == Role.COORDINATOR: - base_domain = "coordinator.ipa-helper.dev" + base_domain = f"coordinator.{root_domain}" else: - base_domain = f"helper{role.value}.ipa-helper.dev" + base_domain = f"helper{role.value}.{root_domain}" + network_config = config_path / Path("network.toml") + helpers = load_helpers_from_network_config(network_config) + helper = helpers[role] cert_path = config_path / Path("cert.pem") key_path = config_path / Path("key.pem") - config_path = Path("sidecar/traefik/dynamic/tls_conf.yaml") - create_dynamic_tls_config(cert_path, key_path, config_path) + tls_config_path = Path("sidecar/traefik/dynamic/tls_conf.yaml") + create_tls_config( + cert_path=cert_path, + key_path=key_path, + config_path=tls_config_path, + ) + dynamic_config_path = Path("sidecar/traefik/dynamic/dyanmic_conf.yaml") + create_dynamic_config( + base_domain=base_domain, + config_path=dynamic_config_path, + sidecar_port=helper.helper_port, + ipa_port=helper.helper_port + 1, + ) env = { **os.environ, @@ -93,10 +153,12 @@ def start_traefik_command( show_default=True, ) @click.option("--root_path", type=click_pathlib.Path(), default=None) +@click.option("--root_domain", type=str, default="ipa-helper.dev") @click.option("--identity", required=True, type=int) def start_helper_sidecar( config_path: Path, root_path: Optional[Path], + root_domain: str, identity: int, ): sidecar_command = start_helper_sidecar_command( @@ -107,6 +169,7 @@ def start_helper_sidecar( traefik_command = start_traefik_command( config_path, identity, + root_domain, root_path, ) start_commands_parallel([sidecar_command, traefik_command]) 
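Review bot: `sidecar_port=helper.helper_port, ipa_port=helper.helper_port + 1` routes the sidecar hostname to the helper's own port and the helper hostname to an unrelated port; `Helper` carries a `sidecar_port` field (see `helpers.py`), so the call should read `sidecar_port=helper.sidecar_port, ipa_port=helper.helper_port,`. The generated file name `dyanmic_conf.yaml` is misspelled; harmless today, but it will be confusing next to the `dynamic` directory. `load_helpers_from_network_config` is now called here as well as in `start_helper_sidecar_command`, parsing and validating every certificate twice per launch; passing the already-loaded `Helper` in would avoid that.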
diff --git a/sidecar/traefik/dynamic/.nothing b/sidecar/traefik/dynamic/.nothing new file mode 100644 index 0000000..e69de29 diff --git a/sidecar/traefik/dynamic/dynamic_conf.yaml b/sidecar/traefik/dynamic/dynamic_conf.yaml deleted file mode 100644 index 673cd5d..0000000 --- a/sidecar/traefik/dynamic/dynamic_conf.yaml +++ /dev/null @@ -1,32 +0,0 @@ -tls: - options: - default: - minVersion: VersionTLS12 - cipherSuites: - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - -http: - routers: - service1: - rule: "Host(`{{ .Env.BASE_DOMAIN }}`)" - service: "service1" - entryPoints: - - "web-secure" - tls: - options: "default" - service2: - rule: "Host(`ipa.{{ .Env.BASE_DOMAIN }}`)" - service: "service2" - entryPoints: - - "web-secure" - tls: - options: "default" - services: - service1: - loadBalancer: - servers: - - url: "http://localhost:17340" - service2: - loadBalancer: - servers: - - url: "http://localhost:17341" From e0873664a12a89617a8d9fb2c590f1804ee0cc05 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 12:22:17 -0800 Subject: [PATCH 12/52] make sure to wrap single quotes around double quotes when needed --- sidecar/cli/cli.py | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index 98681e3..04b15d1 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py 
@@ -59,27 +59,27 @@ def create_dynamic_config( "http": { "routers": { "service1": { - "rule": f"Host({base_domain})", - "service": "service1", - "entryPoints": ["web-secure"], - "tls": {"options": "default"}, + "rule": f'"Host({base_domain})"', + "service": '"service1"', + "entryPoints": ['"web-secure"'], + "tls": {"options": '"default"'}, }, "service2": { - "rule": f"Host(ipa.{base_domain})", - "service": "service2", - "entryPoints": ["web-secure"], - "tls": {"options": "default"}, + "rule": f'"Host(ipa.{base_domain})"', + "service": '"service2"', + "entryPoints": ['"web-secure"'], + "tls": {"options": '"default"'}, }, }, "services": { "service1": { "loadBalancer": { - "servers": [{"url": f"http://localhost:{sidecar_port}"}] + "servers": [{"url": f'"http://localhost:{sidecar_port}"'}] } }, "service2": { "loadBalancer": { - "servers": [{"url": f"http://localhost:{ipa_port}"}] + "servers": [{"url": f'"http://localhost:{ipa_port}"'}] } }, }, From 64591508ab523e2384c219278aa7cf950d72827a Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 12:52:11 -0800 Subject: [PATCH 13/52] remove single/double quotes, add backticks --- sidecar/cli/cli.py | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index 04b15d1..90ab66d 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py 
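Review bot: Embedding literal double quotes in the values (`'"service1"'`, `['"web-secure"']`) makes `yaml.dump` serialise the quote characters as part of each string, so the router now references a service named `"service1"` with quotes and no longer matches the `services.service1` key, and the entrypoint name no longer matches `web-secure`. `yaml.dump` already quotes scalars where YAML requires it; the plain strings from the previous revision are the correct input.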
@@ -59,27 +59,27 @@ def create_dynamic_config( "http": { "routers": { "service1": { - "rule": f'"Host({base_domain})"', - "service": '"service1"', - "entryPoints": ['"web-secure"'], - "tls": {"options": '"default"'}, + "rule": f"Host(`{base_domain}`)", + "service": "service1", + "entryPoints": ["web-secure"], + "tls": {"options": "default"}, }, "service2": { - "rule": f'"Host(ipa.{base_domain})"', - "service": '"service2"', - "entryPoints": ['"web-secure"'], - "tls": {"options": '"default"'}, + "rule": f"Host(`ipa.{base_domain}`)", + "service": "service2", + "entryPoints": ["web-secure"], + "tls": {"options": "default"}, }, }, "services": { "service1": { "loadBalancer": { - "servers": [{"url": f'"http://localhost:{sidecar_port}"'}] + "servers": [{"url": f"http://localhost:{sidecar_port}"}] } }, "service2": { "loadBalancer": { - "servers": [{"url": f'"http://localhost:{ipa_port}"'}] + "servers": [{"url": f"http://localhost:{ipa_port}"}] } }, }, From 4cfac0784af4799809ec9f2b265be3bce9929b8f Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 12:54:49 -0800 Subject: [PATCH 14/52] fix ports --- sidecar/cli/cli.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index 90ab66d..deed29a 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py @@ -133,8 +133,8 @@ def start_traefik_command( create_dynamic_config( base_domain=base_domain, config_path=dynamic_config_path, - sidecar_port=helper.helper_port, - ipa_port=helper.helper_port + 1, + sidecar_port=helper.sidecar_port, + ipa_port=helper.helper_port, ) env = { From 6eb0be146f18047ceb98567cac2478eb00a84ce1 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 13:11:18 -0800 Subject: [PATCH 15/52] use adjacent subdomains, not nested --- sidecar/cli/cli.py | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index deed29a..10bacd9 100644 
--- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py @@ -45,7 +45,11 @@ def start_helper_sidecar_command( def create_dynamic_config( - base_domain: str, config_path: Path, sidecar_port=int, ipa_port=int + sidecar_domain: str, + helper_domain: str, + config_path: Path, + sidecar_port=int, + ipa_port=int, ): data = { "tls": { @@ -59,13 +63,13 @@ def create_dynamic_config( "http": { "routers": { "service1": { - "rule": f"Host(`{base_domain}`)", + "rule": f"Host(`{sidecar_domain}`)", "service": "service1", "entryPoints": ["web-secure"], "tls": {"options": "default"}, }, "service2": { - "rule": f"Host(`ipa.{base_domain}`)", + "rule": f"Host(`ipa.{helper_domain}`)", "service": "service2", "entryPoints": ["web-secure"], "tls": {"options": "default"}, @@ -110,14 +114,14 @@ def start_traefik_command( config_path: Path, identity: int, root_domain: str, - root_path: Optional[Path] = None, ): role = Role(int(identity)) - root_path = root_path or Path(f"tmp/sidecar/{role.value}") if role == Role.COORDINATOR: - base_domain = f"coordinator.{root_domain}" + sidecar_domain = f"sidecar-coordinator.{root_domain}" + helper_domain = f"helper-coordinator.{root_domain}" else: - base_domain = f"helper{role.value}.{root_domain}" + sidecar_domain = f"sidecar{role.value}.{root_domain}" + helper_domain = f"helper{role.value}.{root_domain}" network_config = config_path / Path("network.toml") helpers = load_helpers_from_network_config(network_config) helper = helpers[role] @@ -131,7 +135,8 @@ def start_traefik_command( ) dynamic_config_path = Path("sidecar/traefik/dynamic/dyanmic_conf.yaml") create_dynamic_config( - base_domain=base_domain, + sidecar_domain=sidecar_domain, + helper_domain=helper_domain, config_path=dynamic_config_path, sidecar_port=helper.sidecar_port, ipa_port=helper.helper_port, @@ -139,7 +144,6 @@ def start_traefik_command( env = { **os.environ, - "BASE_DOMAIN": base_domain, } cmd = "sudo ./traefik --configFile=sidecar/traefik/traefik.yaml" return Command(cmd=cmd, env=env) 
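Review bot: The `service2` rule still prefixes `ipa.` to `helper_domain` (`Host(`ipa.{helper_domain}`)`), so with `helper_domain = f"helper{role.value}.{root_domain}"` the host becomes `ipa.helper1.<root_domain>` — a nested subdomain, which the commit message says is being moved away from; if `helper1.<root_domain>` is the intent, the line should be `"rule": f"Host(`{helper_domain}`)",`. `sidecar_port=int, ipa_port=int` in the same signature still uses `=` where `:` annotations were meant. After `BASE_DOMAIN` is dropped, `env = {**os.environ}` only copies the caller's environment, so a comment explaining why the full environment is still forwarded to the `sudo` command would help.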
@@ -170,7 +174,6 @@ def start_helper_sidecar( config_path, identity, root_domain, - root_path, ) start_commands_parallel([sidecar_command, traefik_command]) From 05416d57a1b44164a3131463bcd56b4cd9b927cf Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 14:03:38 -0800 Subject: [PATCH 16/52] add draft-mpc.vercel.app to CORS domains --- sidecar/app/main.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/sidecar/app/main.py b/sidecar/app/main.py index 037f587..3751498 100644 --- a/sidecar/app/main.py +++ b/sidecar/app/main.py @@ -8,9 +8,7 @@ app.include_router(start.router) app.include_router(stop.router) -origins = [ - "http://localhost:3000", -] +origins = ["http://localhost:3000", "https://draft-mpc.vercel.app"] app.add_middleware( CORSMiddleware, From 1ac44f733f6c7d276350b849cdb76c13bd979786 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 14:19:08 -0800 Subject: [PATCH 17/52] make test data directory before generating it --- sidecar/app/query/ipa.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index d81246f..b8949bf 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py @@ -168,6 +168,9 @@ class IPACoordinatorGenerateTestDataStep(CommandStep): max_trigger_value: int status: ClassVar[Status] = Status.COMPILING + def pre_run(self): + self.output_file_path.parent.mkdir(parents=True, exist_ok=True) + @classmethod def build_from_query(cls, query: IPACoordinatorQuery): return cls( From 6aed89e9343ae70e29655b36c59367cb982af830 Mon Sep 17 00:00:00 2001 
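Review bot: The added origin `https://draft-mpc.vercel.app` is a deployment-specific value hard-coded next to `http://localhost:3000`, so every environment that fronts the sidecar allows both; reading the list from a `Settings` field would keep the production allowlist out of source and let local dev omit the public origin. The `add_middleware(CORSMiddleware, ...)` arguments continue outside the hunk; with a third-party origin in the list, confirm that `allow_credentials` and `allow_methods` there are no wider than the browser client needs.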
From: Erik Taubeneck Date: Fri, 16 Feb 2024 15:54:34 -0800 Subject: [PATCH 18/52] adjust ports, not inferred from network.toml --- local_dev/config/network.toml | 8 ++--- sidecar/app/helpers.py | 39 +++++++------------------ sidecar/app/query/ipa.py | 7 +++-- sidecar/app/routes/start.py | 2 +- sidecar/app/settings.py | 1 + sidecar/cli/cli.py | 55 ++++++++++++++++++++++------------- 6 files changed, 54 insertions(+), 58 deletions(-) diff --git a/local_dev/config/network.toml b/local_dev/config/network.toml index 1f7e730..5617fb2 100644 --- a/local_dev/config/network.toml +++ b/local_dev/config/network.toml @@ -12,7 +12,7 @@ N0Gz2XisE0JNL5f0tEyrJf/PwSlnazeMxw== -----END CERTIFICATE----- """ url = "localhost:7431" -sidecar_port = "17431" +sidecar_url = "localhost:17431" [peers.hpke] public_key = "fde0d0c958db9f49d3f1b49cb6830b867cc810bff9e7d0cbf17c777969f3c23e" @@ -31,7 +31,7 @@ RwAwRAIgaX95X9bgeZHgbTCl73N2j61AnljyS8DXQ7mWb6fsQXECIFgvumh8TASD -----END CERTIFICATE----- """ url = "localhost:7432" -sidecar_port = "17432" +sidecar_url = "localhost:17432" [peers.hpke] public_key = "4e8f1cd4114a8ee8adc58a33050782e2f8ded3336a9c65725f35998e765c4e2d" @@ -50,7 +50,7 @@ B6Bgc2gw5JC/G6ahPglwIkjO2ew02/ax6g== -----END CERTIFICATE----- """ url = "localhost:7433" -sidecar_port = "17433" +sidecar_url = "localhost:17433" [peers.hpke] public_key = "ebedcfa02354a1d17aed80b0ed55028d0616152d5f8971291e030231dc92063d" @@ -61,7 +61,7 @@ version = "http2" [coordinator] url = "localhost:7430" -sidecar_port = "17430" +sidecar_url = "localhost:17430" certificate = """ -----BEGIN CERTIFICATE----- MIIBHDCBwqADAgECAghMfLQt7MF1IDAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAls diff --git a/sidecar/app/helpers.py b/sidecar/app/helpers.py index 41cdf94..0686aef 100644 --- a/sidecar/app/helpers.py +++ b/sidecar/app/helpers.py 
@@ -18,19 +18,10 @@ class Role(IntEnum): @dataclass class Helper: role: Role - hostname: str - sidecar_port: int - helper_port: int + helper_url: ParseResult + sidecar_url: ParseResult public_key: EllipticCurvePublicKey - @property - def sidecar_url(self) -> ParseResult: - return urlparse(f"http://{self.hostname}:{self.sidecar_port}") - - @property - def helper_url(self) -> ParseResult: - return urlparse(f"http://{self.hostname}:{self.helper_port}") - def load_helpers_from_network_config(network_config_path: Path) -> dict[Role, Helper]: with network_config_path.open("rb") as f: 
@@ -39,30 +30,21 @@ def load_helpers_from_network_config(network_config_path: Path) -> dict[Role, He helper_roles = list(r for r in Role if r != Role.COORDINATOR) helpers = {} for helper_config, role in zip(helper_configs, helper_roles): - url = urlparse(f"http://{helper_config['url']}") - hostname = str(url.hostname) - helper_port = int(url.port or 0) - sidecar_port = int(helper_config.get("sidecar_port", 0)) - if not hostname or not helper_port or not sidecar_port: - raise Exception(f"{network_data=} missing data.") + helper_url = urlparse(f"http://{helper_config['url']}") + sidecar_url = urlparse(f"http://{helper_config['sidecar_url']}") public_key_pem_data = helper_config.get("certificate") cert = load_pem_x509_certificate(public_key_pem_data.encode("utf8")) public_key = cert.public_key() assert isinstance(public_key, EllipticCurvePublicKey) helpers[role] = Helper( role=role, - hostname=hostname, - helper_port=helper_port, - sidecar_port=sidecar_port, + helper_url=helper_url, + sidecar_url=sidecar_url, public_key=public_key, ) - url = urlparse(f"http://{network_data['coordinator']['url']}") - hostname = str(url.hostname) - helper_port = int(url.port or 0) - sidecar_port = int(network_data["coordinator"].get("sidecar_port", 0)) - if not hostname or not helper_port or not sidecar_port: - raise Exception(f"{network_data=} missing data.") + helper_url = urlparse(f"http://{network_data['coordinator']['url']}") + sidecar_url = urlparse(f"http://{network_data['coordinator']['sidecar_url']}") public_key_pem_data = network_data["coordinator"].get("certificate") cert = load_pem_x509_certificate(public_key_pem_data.encode("utf8")) public_key = cert.public_key() 
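Review bot: The rewrite drops the guard that raised on a missing hostname or port (`if not hostname or not helper_port or not sidecar_port: raise ...`), so a `network.toml` entry such as `sidecar_url = "localhost"` now yields a `ParseResult` whose `port` is `None` and the failure surfaces later at the first request; keep a check after each `urlparse`, e.g. `if not url.hostname or not url.port: raise ValueError(f"{network_data=} missing host or port")`. The scheme is also hard-coded as `http://` here and then rewritten in `ipa.py`, which is what patches 19 and 20 of this series flip back and forth; storing a full URL with scheme in `network.toml` (`sidecar_url = "http://localhost:17431"`) and parsing it as-is would make the transport an explicit per-deployment choice rather than a code constant, which matters once these hosts sit behind the TLS-only routers added earlier in the series. The same hard-coded scheme appears in the coordinator branch a few lines below.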
@@ -70,9 +52,8 @@ def load_helpers_from_network_config(network_config_path: Path) -> dict[Role, He helpers[Role.COORDINATOR] = Helper( role=Role.COORDINATOR, - hostname=hostname, - helper_port=helper_port, - sidecar_port=sidecar_port, + helper_url=helper_url, + sidecar_url=sidecar_url, public_key=public_key, ) return helpers diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index b8949bf..90a7e1f 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py @@ -202,18 +202,19 @@ def build_from_query(cls, query: IPAQuery): ) def run(self): - helper_urls = [ + sidecar_urls = [ helper.sidecar_url for helper in settings.helpers.values() if helper.role != Role.COORDINATOR ] - for helper_url in helper_urls: + for sidecar_url in sidecar_urls: url = urlunparse( - helper_url._replace( + sidecar_url._replace( scheme="ws", path=f"/start/ipa-helper/{self.query_id}/status" ), ) while True: + print(url) r = httpx.get(url).json() print(r) status = r.get("status") diff --git a/sidecar/app/routes/start.py b/sidecar/app/routes/start.py index b3ff611..2b42304 100644 --- a/sidecar/app/routes/start.py +++ b/sidecar/app/routes/start.py @@ -53,7 +53,7 @@ def start_ipa_helper( query = IPAHelperQuery( paths=paths, query_id=query_id, - port=settings.helper.helper_port, + port=settings.helper_port, ) background_tasks.add_task(query.start) diff --git a/sidecar/app/settings.py b/sidecar/app/settings.py index c5acf8f..349f512 100644 --- a/sidecar/app/settings.py +++ b/sidecar/app/settings.py @@ -20,6 +20,7 @@ class Settings(BaseSettings): network_config_path: Annotated[Path, BeforeValidator(gen_path)] private_key_pem_path: Annotated[Path, BeforeValidator(gen_path)] role: Role + helper_port: int _helpers: dict[Role, Helper] _private_key: EllipticCurvePrivateKey diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index 10bacd9..342da40 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py 
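Review bot: `print(url)` is a debugging line left inside the `while True` polling loop, so the same URL is printed on every iteration alongside the existing `print(r)`; log it once before the loop through a logger (`logger.debug("polling %s", url)`) or drop it. The loop body continues outside the hunk, so I cannot see the exit condition or any back-off between `httpx.get` calls; a comment on the `while True:` line stating what terminates the loop would help a reader of this hunk.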
@@ -7,7 +7,7 @@ import yaml from ..app.command import Command, start_commands_parallel -from ..app.helpers import Role, load_helpers_from_network_config +from ..app.helpers import Role @click.group() @@ -18,18 +18,18 @@ def cli(): def start_helper_sidecar_command( config_path: Path, identity: int, + helper_port: int, + sidecar_port: int, root_path: Optional[Path] = None, ): role = Role(int(identity)) network_config = config_path / Path("network.toml") root_path = root_path or Path(f"tmp/sidecar/{role.value}") root_path.mkdir(parents=True, exist_ok=True) - helpers = load_helpers_from_network_config(network_config) if role == Role.COORDINATOR: private_key_pem_path = config_path / Path("coordinator.key") else: private_key_pem_path = config_path / Path(f"h{role.value}.key") - helper = helpers[role] cmd = "uvicorn sidecar.app.main:app" env = { **os.environ, @@ -38,7 +38,8 @@ def start_helper_sidecar_command( "CONFIG_PATH": config_path, "NETWORK_CONFIG_PATH": network_config, "PRIVATE_KEY_PEM_PATH": private_key_pem_path, - "UVICORN_PORT": str(helper.sidecar_port), + "HELPER_PORT": str(helper_port), + "UVICORN_PORT": str(sidecar_port), "UVICORN_HOST": "0.0.0.0", } return Command(cmd=cmd, env=env) @@ -113,6 +114,8 @@ def create_tls_config(cert_path: Path, key_path: Path, config_path: Path): def start_traefik_command( config_path: Path, identity: int, + helper_port: int, + sidecar_port: int, root_domain: str, ): role = Role(int(identity)) @@ -122,9 +125,6 @@ def start_traefik_command( else: sidecar_domain = f"sidecar{role.value}.{root_domain}" helper_domain = f"helper{role.value}.{root_domain}" - network_config = config_path / Path("network.toml") - helpers = load_helpers_from_network_config(network_config) - helper = helpers[role] cert_path = config_path / Path("cert.pem") key_path = config_path / Path("key.pem") tls_config_path = Path("sidecar/traefik/dynamic/tls_conf.yaml") 
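Review bot: `start_helper_sidecar_command` now takes `helper_port` and `sidecar_port` from the caller while `network_config` is still computed and exported as `NETWORK_CONFIG_PATH`, so the sidecar is told its ports in two places (the CLI and the TOML it is pointed at) with nothing tying them together; a comment on the `env` block stating which source is authoritative would prevent silent drift. The unchanged context line `"UVICORN_HOST": "0.0.0.0"` binds uvicorn on all interfaces, so once Traefik fronts the sidecar on the same host the plaintext `UVICORN_PORT` is also reachable directly; unless another machine needs it, `127.0.0.1` keeps the TLS path the only one. `start_helper_sidecar_command` continues outside the second hunk.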
@@ -138,8 +138,8 @@ def start_traefik_command( sidecar_domain=sidecar_domain, helper_domain=helper_domain, config_path=dynamic_config_path, - sidecar_port=helper.sidecar_port, - ipa_port=helper.helper_port, + sidecar_port=sidecar_port, + ipa_port=helper_port, ) env = { @@ -149,6 +149,7 @@ def start_traefik_command( return Command(cmd=cmd, env=env) +# pylint: disable=too-many-arguments @cli.command @click.option( "--config_path", @@ -158,22 +159,30 @@ def start_traefik_command( ) @click.option("--root_path", type=click_pathlib.Path(), default=None) @click.option("--root_domain", type=str, default="ipa-helper.dev") +@click.option("--helper_port", type=int, default=7430) +@click.option("--sidecar_port", type=int, default=17430) @click.option("--identity", required=True, type=int) def start_helper_sidecar( config_path: Path, root_path: Optional[Path], root_domain: str, + helper_port: int, + sidecar_port: int, identity: int, ): sidecar_command = start_helper_sidecar_command( - config_path, - identity, - root_path, + config_path=config_path, + identity=identity, + helper_port=helper_port, + sidecar_port=sidecar_port, + root_path=root_path, ) traefik_command = start_traefik_command( - config_path, - identity, - root_domain, + config_path=config_path, + identity=identity, + helper_port=helper_port, + sidecar_port=sidecar_port, + root_domain=root_domain, ) start_commands_parallel([sidecar_command, traefik_command]) @@ -186,9 +195,13 @@ def start_helper_sidecar( show_default=True, ) @click.option("--root_path", type=click_pathlib.Path(), default=None) +@click.option("--helper_start_port", type=int, default=7430) +@click.option("--sidecar_start_port", type=int, default=17430) def start_local_dev( config_path: Path, root_path: Optional[Path], + helper_start_port: int, + sidecar_start_port: int, ): npm_install_command = Command( cmd="npm --prefix server install", 
@@ -198,15 +211,15 @@ def start_local_dev( cmd="npm --prefix server run dev", ) - network_config = Path(config_path) / Path("network.toml") - helpers = load_helpers_from_network_config(network_config) sidecar_commands = [ start_helper_sidecar_command( - config_path, - helper.role, - root_path, + config_path=config_path, + identity=role, + helper_port=helper_start_port + int(role), + sidecar_port=sidecar_start_port + int(role), + root_path=root_path, ) - for helper in helpers.values() + for role in Role ] commands = [npm_run_dev_command] + sidecar_commands start_commands_parallel(commands) From 89458c4ff95c5b9d4138e922a1ba8b43fac1a6c6 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 17:42:05 -0800 Subject: [PATCH 19/52] use https not ws for checking status --- sidecar/app/query/ipa.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index 90a7e1f..5268e33 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py @@ -210,7 +210,7 @@ def run(self): for sidecar_url in sidecar_urls: url = urlunparse( sidecar_url._replace( - scheme="ws", path=f"/start/ipa-helper/{self.query_id}/status" + scheme="https", path=f"/start/ipa-helper/{self.query_id}/status" ), ) while True: From bffedefaf9d011dbfdb16d65013287df059bc6df Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 17:43:21 -0800 Subject: [PATCH 20/52] use http not https for checking status --- sidecar/app/query/ipa.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index 5268e33..d945645 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py @@ -210,7 +210,7 @@ def run(self): for sidecar_url in sidecar_urls: url = urlunparse( sidecar_url._replace( - scheme="https", path=f"/start/ipa-helper/{self.query_id}/status" + scheme="http", path=f"/start/ipa-helper/{self.query_id}/status" ), ) while True: 
From 48684ff4af80e95ba1296cee09fe816e8772e813 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 22:18:00 -0800 Subject: [PATCH 21/52] turn off verify for status check temporarily --- sidecar/app/query/ipa.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index d945645..4eeb920 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py @@ -215,7 +215,7 @@ def run(self): ) while True: print(url) - r = httpx.get(url).json() + r = httpx.get(url, verify=False).json() print(r) status = r.get("status") match status: From d3e73242f04a17b277c51cf65c54c5e5d01c71a4 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 22:20:12 -0800 Subject: [PATCH 22/52] use https for status check --- sidecar/app/query/ipa.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index 4eeb920..8073aff 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py @@ -210,7 +210,7 @@ def run(self): for sidecar_url in sidecar_urls: url = urlunparse( sidecar_url._replace( - scheme="http", path=f"/start/ipa-helper/{self.query_id}/status" + scheme="https", path=f"/start/ipa-helper/{self.query_id}/status" ), ) while True: From a303c0cd0b13ce8ad021a1e18725d85632e11afe Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 22:29:59 -0800 Subject: [PATCH 23/52] turn off verification for terminate posts --- sidecar/app/query/ipa.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index 8073aff..010eab2 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py @@ -34,6 +34,7 @@ def send_kill_signals(self): ) r = httpx.post( finish_url, + verify=False, ) self.logger.info(f"sent post request: {r.text}") 
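Review bot: `httpx.get(url, verify=False)` switches off certificate validation for the coordinator's status poll of every helper sidecar, so the `https` scheme on that URL no longer authenticates the peer, and a "temporarily" in a commit subject is exactly the kind of note that survives into production. If the motivation is the locally-issued mkcert certificate, point the client at the trust root instead: httpx honors `SSL_CERT_FILE`, or pass `verify=<path to the CA bundle>` from configuration, and keep the default of `True` for real deployments. If it must stay for now, drive it from an explicit setting rather than a literal, e.g. `httpx.get(url, verify=settings.tls_verify)` defaulting to `True`, so the insecure mode is visible in configuration rather than buried in a loop.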
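Review bot: `send_kill_signals` posts to `/stop/kill/{self.query_id}` with no body at all, whereas `send_terminate_signals` in the same file sends `json={"identity": ..., "signature": signature}`, and this hunk additionally sets `verify=False` on that request. Unless the `/stop/kill` route authenticates the caller some other way (its handler is not in this diff), any client that can reach a sidecar can abort another party's query, and with verification off the sender cannot tell which host accepted the request either. Suggest signing the kill request the same way terminate is signed, and handling `verify` through a setting rather than a literal.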
@@ -318,6 +319,7 @@ def send_terminate_signals(self): r = httpx.post( finish_url, json={"identity": str(self.role.value), "signature": signature}, + verify=False, ) self.logger.info(f"sent post request: {finish_url}: {r.text}") From 2f7e64a1a175d050d785010fc0a409f4c5e40c59 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 22:32:36 -0800 Subject: [PATCH 24/52] use https for terminate posts --- sidecar/app/query/ipa.py | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index 010eab2..c472b5e 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py @@ -5,7 +5,7 @@ from dataclasses import dataclass, field from pathlib import Path from typing import ClassVar -from urllib.parse import urljoin, urlunparse +from urllib.parse import urlunparse import httpx import loguru @@ -29,9 +29,12 @@ def send_kill_signals(self): for helper in settings.helpers.values(): if helper.role == self.role: continue - finish_url = urljoin( - helper.sidecar_url.geturl(), f"/stop/kill/{self.query_id}" + finish_url = urlunparse( + helper.sidecar_url._replace( + scheme="https", path=f"/stop/kill/{self.query_id}" + ), ) + r = httpx.post( finish_url, verify=False, @@ -313,9 +316,12 @@ def send_terminate_signals(self): for helper in settings.helpers.values(): if helper.role == self.role: continue - finish_url = urljoin( - helper.sidecar_url.geturl(), f"/stop/finish/{self.query_id}" + finish_url = urlunparse( + helper.sidecar_url._replace( + scheme="https", path=f"/stop/finish/{self.query_id}" + ), ) + r = httpx.post( finish_url, json={"identity": str(self.role.value), "signature": signature}, From 7e8c5d8aa94c30a5393a5f658e487eb5d8b266a3 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 22:39:28 -0800 Subject: [PATCH 25/52] fix traefik bug --- sidecar/cli/cli.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
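Review bot: `helper.sidecar_url._replace(scheme="https", path=...)` keeps only the `netloc` of the parsed `sidecar_url`, and `local_dev/config/network.toml` in this series sets that field to a bare host such as `sidecar1.draft.test` with no scheme. If `load_helpers_from_network_config` parses that string with `urlparse` as-is, the host lands in `path`, `netloc` is empty, and this builds `https:///stop/kill/<id>`; the loader is outside this diff, so please confirm it normalizes the value to a full URL first. Storing `sidecar_url` with an explicit scheme in the config and not overriding it here avoids the guess, and the same applies to the `/stop/finish` URL built in the second hunk of this patch.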
diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index 342da40..142d2ae 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py @@ -70,7 +70,7 @@ def create_dynamic_config( "tls": {"options": "default"}, }, "service2": { - "rule": f"Host(`ipa.{helper_domain}`)", + "rule": f"Host(`{helper_domain}`)", "service": "service2", "entryPoints": ["web-secure"], "tls": {"options": "default"}, From ec40bcb1b1b8e54df2aac567a6c09af2f6c61cb1 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 22:44:03 -0800 Subject: [PATCH 26/52] remove tls from helper traefik config --- sidecar/cli/cli.py | 1 - 1 file changed, 1 deletion(-) diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index 142d2ae..7c35f43 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py @@ -73,7 +73,6 @@ def create_dynamic_config( "rule": f"Host(`{helper_domain}`)", "service": "service2", "entryPoints": ["web-secure"], - "tls": {"options": "default"}, }, }, "services": { From f40f95560278024b6dce7656cc566c63c17871f0 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 22:49:58 -0800 Subject: [PATCH 27/52] readd tls from helper traefik config --- sidecar/cli/cli.py | 1 + 1 file changed, 1 insertion(+) diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index 7c35f43..142d2ae 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py @@ -73,6 +73,7 @@ def create_dynamic_config( "rule": f"Host(`{helper_domain}`)", "service": "service2", "entryPoints": ["web-secure"], + "tls": {"options": "default"}, }, }, "services": { From 6ead5672a5cd473475cca4660d7ff9002f116068 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 16 Feb 2024 23:10:25 -0800 Subject: [PATCH 28/52] try a different approach to not using tls for helpers --- sidecar/cli/cli.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index 142d2ae..5ea7005 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py 
@@ -72,8 +72,7 @@ def create_dynamic_config( "service2": { "rule": f"Host(`{helper_domain}`)", "service": "service2", - "entryPoints": ["web-secure"], - "tls": {"options": "default"}, + "entryPoints": ["web"], }, }, "services": { From 9273e54bfa051e507d87b4a4dca5539a6f3df2ba Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Sun, 3 Mar 2024 16:44:36 -0800 Subject: [PATCH 29/52] local traefik working. helpers still not working with domains --- .gitignore | 4 + README.md | 38 ++++++ local_dev/config/network.toml | 8 +- server/app/auth/callback/route.ts | 9 +- server/app/login/GitHubOAuthComponent.tsx | 6 +- server/app/query/servers.tsx | 21 ++- server/supabase/config.toml | 10 +- sidecar/app/main.py | 2 +- sidecar/cli/cli.py | 148 ++++++++------------- sidecar/traefik/dynamic-local/dynamic.yaml | 89 +++++++++++++ sidecar/traefik/dynamic-local/tls.yaml | 4 + sidecar/traefik/dynamic/.nothing | 0 sidecar/traefik/dynamic/dynamic.yaml | 24 ++++ sidecar/traefik/dynamic/tls.yaml | 4 + sidecar/traefik/traefik-local.yaml | 9 ++ 15 files changed, 264 insertions(+), 112 deletions(-) create mode 100644 sidecar/traefik/dynamic-local/dynamic.yaml create mode 100644 sidecar/traefik/dynamic-local/tls.yaml delete mode 100644 sidecar/traefik/dynamic/.nothing create mode 100644 sidecar/traefik/dynamic/dynamic.yaml create mode 100644 sidecar/traefik/dynamic/tls.yaml create mode 100644 sidecar/traefik/traefik-local.yaml diff --git a/.gitignore b/.gitignore index 29c14c9..80a13a0 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,7 @@ IGNORE-ME* # local env files .env* + +# local certs +local_dev/config/cert.pem +local_dev/config/key.pem diff --git a/README.md b/README.md index 54ca41e..24724b4 100644 --- a/README.md +++ b/README.md 
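Review bot: Routing `helper_domain` through the `web` entry point on `:80` serves the IPA helper port as plain HTTP, with no `tls` section on that router at all. `network.toml` carries a per-peer `certificate`, which suggests the helper binary terminates its own TLS; if so, an HTTP router cannot forward that traffic and a Traefik TCP router with `tls.passthrough: true` (or no proxy in front of the helper port) is what is needed, and if the helper is in fact plaintext behind Traefik it should stay on `web-secure`. Either way, a router landing on `:80` deserves a one-line comment in `create_dynamic_config` saying why.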
@@ -99,6 +99,44 @@ SUPABASE_AUTH_GITHUB_CLIENT_ID="" SUPABASE_AUTH_GITHUB_SECRET="" ``` +**Traefik** + +install traefik + +``` +brew install traefik +``` + +update /etc/hosts with (requires sudo) + +``` +127.0.0.1 draft.test +127.0.0.1 helper0.draft.test +127.0.0.1 helper1.draft.test +127.0.0.1 helper2.draft.test +127.0.0.1 helper3.draft.test +127.0.0.1 sidecar0.draft.test +127.0.0.1 sidecar1.draft.test +127.0.0.1 sidecar2.draft.test +127.0.0.1 sidecar3.draft.test +``` + +make local certs + +install mkcert with + +``` +brew install mkcert +``` + +make the cert with + +``` +mkcert -cert-file "local_dev/config/cert.pem" -key-file "local_dev/config/key.pem" "draft.test" "*.draft.test" +``` + +**Run local dev** + You're now ready to install, run, and develop on `draft`! To start the local development environment: diff --git a/local_dev/config/network.toml b/local_dev/config/network.toml index 5617fb2..b16ba9f 100644 --- a/local_dev/config/network.toml +++ b/local_dev/config/network.toml @@ -12,7 +12,7 @@ N0Gz2XisE0JNL5f0tEyrJf/PwSlnazeMxw== -----END CERTIFICATE----- """ url = "localhost:7431" -sidecar_url = "localhost:17431" +sidecar_url = "sidecar1.draft.test" [peers.hpke] public_key = "fde0d0c958db9f49d3f1b49cb6830b867cc810bff9e7d0cbf17c777969f3c23e" @@ -31,7 +31,7 @@ RwAwRAIgaX95X9bgeZHgbTCl73N2j61AnljyS8DXQ7mWb6fsQXECIFgvumh8TASD -----END CERTIFICATE----- """ url = "localhost:7432" -sidecar_url = "localhost:17432" +sidecar_url = "sidecar2.draft.test" [peers.hpke] public_key = "4e8f1cd4114a8ee8adc58a33050782e2f8ded3336a9c65725f35998e765c4e2d" @@ -50,7 +50,7 @@ B6Bgc2gw5JC/G6ahPglwIkjO2ew02/ax6g== -----END CERTIFICATE----- """ url = "localhost:7433" -sidecar_url = "localhost:17433" +sidecar_url = "sidecar3.draft.test" [peers.hpke] public_key = "ebedcfa02354a1d17aed80b0ed55028d0616152d5f8971291e030231dc92063d" 
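Review bot: The `sidecar_url` values become bare hosts (`sidecar1.draft.test`) while the neighbouring `url` fields keep the `host:port` form (`localhost:7431`), so the two URL fields in the same table now follow different conventions and neither carries a scheme. The code that consumes `sidecar_url` is outside this diff, but `sidecar/app/query/ipa.py` in this series rewrites the parsed value with `_replace(scheme="https", path=...)`, which only works if the loader already produced a URL with a `netloc`. Writing full URLs, e.g. `sidecar_url = "https://sidecar1.draft.test"`, removes the ambiguity, and the implicit port 443 then matches the Traefik `web-secure` entry point added in this patch.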
@@ -61,7 +61,7 @@ version = "http2" [coordinator] url = "localhost:7430" -sidecar_url = "localhost:17430" +sidecar_url = "sidecar-coordinator.draft.test" certificate = """ -----BEGIN CERTIFICATE----- MIIBHDCBwqADAgECAghMfLQt7MF1IDAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAls diff --git a/server/app/auth/callback/route.ts b/server/app/auth/callback/route.ts index 641d2b2..9dd5daa 100644 --- a/server/app/auth/callback/route.ts +++ b/server/app/auth/callback/route.ts @@ -3,11 +3,18 @@ import { NextResponse } from "next/server"; import { createServerClient, type CookieOptions } from "@supabase/ssr"; export async function GET(request: Request) { - const { searchParams, origin } = new URL(request.url); + const { searchParams } = new URL(request.url); const code = searchParams.get("code"); // if "next" is in param, use it as the redirect URL const next = searchParams.get("next") ?? "/"; + let origin = + process?.env?.NEXT_PUBLIC_SITE_URL ?? // Set this to your site URL in production env. + process?.env?.NEXT_PUBLIC_VERCEL_URL ?? // Automatically set by Vercel. + "https://draft.test/"; + // Make sure to include `https://` + origin = origin.includes("https://") ? origin : `https://${origin}`; + if (code) { const cookieStore = cookies(); const supabase = createServerClient( diff --git a/server/app/login/GitHubOAuthComponent.tsx b/server/app/login/GitHubOAuthComponent.tsx index 3dde4c0..7edc30c 100644 --- a/server/app/login/GitHubOAuthComponent.tsx +++ b/server/app/login/GitHubOAuthComponent.tsx 
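Review bot: `origin.includes("https://") ? origin : \`https://${origin}\`` tests for the substring anywhere in the value, so the previous default `http://localhost:3000` becomes `https://http://localhost:3000`, and a value that merely contains `https://` somewhere later in the string passes through untouched; `origin.startsWith("https://")` is the check the comment above it describes. Taking the origin from `NEXT_PUBLIC_SITE_URL` rather than `request.url` is the right direction, since the request origin is derived from the client-controlled Host header and feeds a redirect. The fallback `https://draft.test/` carries a trailing slash, and how `origin` is joined with `next` happens further down in `GET`, outside this hunk, so check that the pair does not yield `//`.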
@@ -12,9 +12,9 @@ export default function GitHubOAuthComponent() { let url = process?.env?.NEXT_PUBLIC_SITE_URL ?? // Set this to your site URL in production env. process?.env?.NEXT_PUBLIC_VERCEL_URL ?? // Automatically set by Vercel. - "http://localhost:3000/"; - // Make sure to include `https://` when not localhost. - url = url.includes("http") ? url : `https://${url}`; + "https://draft.test/"; + // Make sure to include `https://` + url = url.includes("https://") ? url : `https://${url}`; // Make sure to include a trailing `/`. url = url.charAt(url.length - 1) === "/" ? url : `${url}/`; diff --git a/server/app/query/servers.tsx b/server/app/query/servers.tsx index ebf3847..a01ac19 100644 --- a/server/app/query/servers.tsx +++ b/server/app/query/servers.tsx @@ -87,19 +87,19 @@ export class RemoteServer { logsWebSocketURL(id: string): URL { const webSocketURL = new URL(`/ws/logs/${id}`, this.baseURL); - webSocketURL.protocol = "ws"; + webSocketURL.protocol = "wss"; return webSocketURL; } statusWebSocketURL(id: string): URL { const webSocketURL = new URL(`/ws/status/${id}`, this.baseURL); - webSocketURL.protocol = "ws"; + webSocketURL.protocol = "wss"; return webSocketURL; } statsWebSocketURL(id: string): URL { const webSocketURL = new URL(`/ws/stats/${id}`, this.baseURL); - webSocketURL.protocol = "ws"; + webSocketURL.protocol = "wss"; return webSocketURL; } 
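Review bot: `url.includes("https://") ? url : \`https://${url}\`` replaces a guard that accepted `http://localhost:3000` with one that rewrites it to `https://http://localhost:3000`, and `includes` matches the substring anywhere in the value rather than as a prefix. Use `url.startsWith("https://")`, and if plain-http local origins are no longer supported, reject them explicitly (throw or fall back to the default) instead of silently mangling them into an unreachable URL.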
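Review bot: Hard-coding `webSocketURL.protocol = "wss"` in `logsWebSocketURL`, `statusWebSocketURL` and `statsWebSocketURL` ties the socket scheme to the defaults chosen elsewhere, so a `NEXT_PUBLIC_*_URL` that is still `http://` produces a TLS handshake against a plaintext port. Deriving it from the base URL keeps both cases correct: `webSocketURL.protocol = this.baseURL.protocol === "https:" ? "wss" : "ws";` in each of the three methods, or once in a small private helper they all call. The `RemoteServer` class continues outside this hunk.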
@@ -271,19 +271,26 @@ export const IPARemoteServers: RemoteServersType = { [RemoteServerNames.Coordinator]: new IPACoordinatorRemoteServer( RemoteServerNames.Coordinator, new URL( - process?.env?.NEXT_PUBLIC_COORDINATOR_URL ?? "http://localhost:17430", + process?.env?.NEXT_PUBLIC_COORDINATOR_URL ?? + "https://sidecar-coordinator.draft.test", ), ), [RemoteServerNames.Helper1]: new IPAHelperRemoteServer( RemoteServerNames.Helper1, - new URL(process?.env?.NEXT_PUBLIC_HELPER1_URL ?? "http://localhost:17431"), + new URL( + process?.env?.NEXT_PUBLIC_HELPER1_URL ?? "https://sidecar1.draft.test", + ), ), [RemoteServerNames.Helper2]: new IPAHelperRemoteServer( RemoteServerNames.Helper2, - new URL(process?.env?.NEXT_PUBLIC_HELPER2_URL ?? "http://localhost:17432"), + new URL( + process?.env?.NEXT_PUBLIC_HELPER2_URL ?? "https://sidecar2.draft.test", + ), ), [RemoteServerNames.Helper3]: new IPAHelperRemoteServer( RemoteServerNames.Helper3, - new URL(process?.env?.NEXT_PUBLIC_HELPER3_URL ?? "http://localhost:17433"), + new URL( + process?.env?.NEXT_PUBLIC_HELPER3_URL ?? "https://sidecar3.draft.test", + ), ), }; diff --git a/server/supabase/config.toml b/server/supabase/config.toml index bb13569..9157ecd 100644 --- a/server/supabase/config.toml +++ b/server/supabase/config.toml @@ -40,9 +40,9 @@ file_size_limit = "50MiB" [auth] # The base URL of your website. Used as an allow-list for redirects and for constructing URLs used # in emails. -site_url = "http://localhost:3000" +site_url = "https://draft.test" # A list of *exact* URLs that auth providers are permitted to redirect to post authentication. -additional_redirect_urls = ["https://localhost:3000/auth/callback"] +additional_redirect_urls = ["https://draft.test/auth/callback"] # How long tokens are valid for, in seconds. Defaults to 3600 (1 hour), maximum 604,800 seconds (one # week). jwt_expiry = 3600 
@@ -59,11 +59,11 @@ secret = "env(SUPABASE_AUTH_GITHUB_SECRET)" redirect_uri = "http://localhost:54321/auth/v1/callback" [analytics] -enabled = true +enabled = false port = 54327 vector_port = 54328 # Setup BigQuery project to enable log viewer on local development stack. # See: https://supabase.com/docs/guides/getting-started/local-development#enabling-local-logging -gcp_project_id = "" -gcp_project_number = "" +gcp_project_id = "null" +gcp_project_number = "null" gcp_jwt_path = "supabase/gcloud.json" diff --git a/sidecar/app/main.py b/sidecar/app/main.py index 3751498..7c283ca 100644 --- a/sidecar/app/main.py +++ b/sidecar/app/main.py @@ -8,7 +8,7 @@ app.include_router(start.router) app.include_router(stop.router) -origins = ["http://localhost:3000", "https://draft-mpc.vercel.app"] +origins = ["https://draft.test", "https://draft-mpc.vercel.app"] app.add_middleware( CORSMiddleware, diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index 5ea7005..c00e6da 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py @@ -4,7 +4,6 @@ import click import click_pathlib -import yaml from ..app.command import Command, start_commands_parallel from ..app.helpers import Role 
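Review bot: `origins = ["https://draft.test", "https://draft-mpc.vercel.app"]` hard-codes the allowed browser origins, while the CLI in this series takes `--root_domain` and the README describes deploying under an arbitrary domain, so a sidecar started for any other domain will reject the web client's cross-origin requests and the only remedy is a code change. Read the list from the app's settings instead, e.g. `origins = settings.cors_origins` with these two values as the default, or at least derive the local entry from the same root-domain value the CLI already passes. The `add_middleware` call and its `allow_*` arguments continue outside this hunk.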
@@ -45,78 +44,10 @@ def start_helper_sidecar_command( return Command(cmd=cmd, env=env) -def create_dynamic_config( - sidecar_domain: str, - helper_domain: str, - config_path: Path, - sidecar_port=int, - ipa_port=int, -): - data = { - "tls": { - "options": { - "default": { - "minVersion": "VersionTLS12", - "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"], - } - } - }, - "http": { - "routers": { - "service1": { - "rule": f"Host(`{sidecar_domain}`)", - "service": "service1", - "entryPoints": ["web-secure"], - "tls": {"options": "default"}, - }, - "service2": { - "rule": f"Host(`{helper_domain}`)", - "service": "service2", - "entryPoints": ["web"], - }, - }, - "services": { - "service1": { - "loadBalancer": { - "servers": [{"url": f"http://localhost:{sidecar_port}"}] - } - }, - "service2": { - "loadBalancer": { - "servers": [{"url": f"http://localhost:{ipa_port}"}] - } - }, - }, - }, - } - with config_path.open(mode="w") as f: - yaml.dump(data, f) - - -def create_tls_config(cert_path: Path, key_path: Path, config_path: Path): - data = { - "tls": { - "stores": { - "default": { - "defaultCertificate": { - "certFile": str(cert_path.absolute()), - "keyFile": str(key_path.absolute()), - } - } - } - } - } - with config_path.open(mode="w") as f: - yaml.dump(data, f) - - -def start_traefik_command( - config_path: Path, +def build_domains( identity: int, - helper_port: int, - sidecar_port: int, root_domain: str, -): +) -> tuple[str, str]: role = Role(int(identity)) if role == Role.COORDINATOR: sidecar_domain = f"sidecar-coordinator.{root_domain}" 
@@ -124,30 +55,53 @@ def start_traefik_command( else: sidecar_domain = f"sidecar{role.value}.{root_domain}" helper_domain = f"helper{role.value}.{root_domain}" - cert_path = config_path / Path("cert.pem") - key_path = config_path / Path("key.pem") - tls_config_path = Path("sidecar/traefik/dynamic/tls_conf.yaml") - create_tls_config( - cert_path=cert_path, - key_path=key_path, - config_path=tls_config_path, - ) - dynamic_config_path = Path("sidecar/traefik/dynamic/dyanmic_conf.yaml") - create_dynamic_config( - sidecar_domain=sidecar_domain, - helper_domain=helper_domain, - config_path=dynamic_config_path, - sidecar_port=sidecar_port, - ipa_port=helper_port, - ) + return sidecar_domain, helper_domain + +def start_traefik_command( + config_path: Path, + identity: int, + helper_port: int, + sidecar_port: int, + root_domain: str, +): + sidecar_domain, helper_domain = build_domains(identity, root_domain) env = { **os.environ, + "SIDECAR_DOMAIN": sidecar_domain, + "SIDECAR_PORT": str(sidecar_port), + "HELPER_DOMAIN": helper_domain, + "HELPER_PORT": str(helper_port), + "CERT_DIR": config_path, } cmd = "sudo ./traefik --configFile=sidecar/traefik/traefik.yaml" return Command(cmd=cmd, env=env) +def start_traefik_local_command( + config_path: Path, + helper_ports: tuple[int, ...], + sidecar_ports: tuple[int, ...], + server_port: int, + root_domain: str, +): + env = { + **os.environ, + "CERT_DIR": config_path, + "SERVER_DOMAIN": root_domain, + "SERVER_PORT": str(server_port), + } + for identity, (h_port, s_port) in enumerate(zip(helper_ports, sidecar_ports)): + sidecar_domain, helper_domain = build_domains(identity, root_domain) + env[f"SIDECAR_{identity}_DOMAIN"] = sidecar_domain + env[f"SIDECAR_{identity}_PORT"] = str(s_port) + env[f"HELPER_{identity}_DOMAIN"] = helper_domain + env[f"HELPER_{identity}_PORT"] = str(h_port) + + cmd = "traefik --configFile=sidecar/traefik/traefik-local.yaml" + return Command(cmd=cmd, env=env) + + # pylint: disable=too-many-arguments 
@cli.command @click.option( @@ -202,25 +156,37 @@ def start_local_dev( helper_start_port: int, sidecar_start_port: int, ): + root_domain: str = "draft.test" + server_port: int = 7530 npm_install_command = Command( cmd="npm --prefix server install", ) npm_install_command.run_blocking_no_output_capture() npm_run_dev_command = Command( - cmd="npm --prefix server run dev", + cmd=f"npm --prefix server run dev -- --port {server_port}", ) + helper_ports = {role: helper_start_port + int(role) for role in Role} + sidecar_ports = {role: sidecar_start_port + int(role) for role in Role} + sidecar_commands = [ start_helper_sidecar_command( config_path=config_path, identity=role, - helper_port=helper_start_port + int(role), - sidecar_port=sidecar_start_port + int(role), + helper_port=helper_ports[role], + sidecar_port=sidecar_ports[role], root_path=root_path, ) for role in Role ] - commands = [npm_run_dev_command] + sidecar_commands + traefik_command = start_traefik_local_command( + config_path=config_path, + helper_ports=tuple(helper_ports.values()), + sidecar_ports=tuple(sidecar_ports.values()), + server_port=server_port, + root_domain=root_domain, + ) + commands = sidecar_commands + [npm_run_dev_command, traefik_command] start_commands_parallel(commands) diff --git a/sidecar/traefik/dynamic-local/dynamic.yaml b/sidecar/traefik/dynamic-local/dynamic.yaml new file mode 100644 index 0000000..80266e8 --- /dev/null +++ b/sidecar/traefik/dynamic-local/dynamic.yaml 
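Review bot: `cmd = "sudo ./traefik --configFile=sidecar/traefik/traefik.yaml"` runs the reverse proxy as root for its whole lifetime, presumably only so it can bind `:80` and `:443`; that process also reads the TLS private key under `CERT_DIR`, so any Traefik bug becomes a root bug. Granting the binary the bind capability once, `sudo setcap cap_net_bind_service=+ep ./traefik`, lets this command drop the `sudo` and run as the invoking user, or listen on unprivileged ports and forward at the firewall. Note too that plain `sudo` resets the environment on most systems, so the `SIDECAR_DOMAIN`/`HELPER_DOMAIN`/`*_PORT`/`CERT_DIR` values built in `env` may never reach Traefik unless `Command` injects them into the command line itself; the `start_traefik_local_command` variant runs without `sudo` and does not have this problem.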
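Review bot: `start_local_dev` builds `helper_ports` and `sidecar_ports` keyed by `Role` and then hands `tuple(helper_ports.values())` to `start_traefik_local_command`, which recovers the identity by position with `enumerate(zip(...))`; that agrees with the sidecars' `identity=role` only if `Role` iterates in value order from 0 and `int(role)` equals its position, neither of which is checked here. Passing the dicts through (`helper_ports: dict[Role, int]`) and iterating `for role, h_port in helper_ports.items()` with `build_domains(int(role), root_domain)` removes the implicit coupling. `root_domain = "draft.test"` and `server_port = 7530` are fixed locals while `start_helper_sidecar` exposes `--root_domain`; making them options keeps the two commands consistent.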
@@ -0,0 +1,89 @@ +http: + routers: + server-router: + entryPoints: + - "web-secure" + rule: "Host(`{{ env "SERVER_DOMAIN"}}`)" + service: "server-service" + tls: {} + sidecar-0-router: + entryPoints: + - "web-secure" + rule: "Host(`{{ env "SIDECAR_0_DOMAIN"}}`)" + service: "sidecar-0-service" + tls: {} + helper-0-router: + entryPoints: + - "web" + rule: "Host(`{{ env "HELPER_0_DOMAIN"}}`)" + service: "helper-0-service" + sidecar-1-router: + entryPoints: + - "web-secure" + rule: "Host(`{{ env "SIDECAR_1_DOMAIN"}}`)" + service: "sidecar-1-service" + tls: {} + helper-1-router: + entryPoints: + - "web" + rule: "Host(`{{ env "HELPER_1_DOMAIN"}}`)" + service: "helper-1-service" + sidecar-2-router: + entryPoints: + - "web-secure" + rule: "Host(`{{ env "SIDECAR_2_DOMAIN"}}`)" + service: "sidecar-2-service" + tls: {} + helper-2-router: + entryPoints: + - "web" + rule: "Host(`{{ env "HELPER_2_DOMAIN"}}`)" + service: "helper-2-service" + sidecar-3-router: + entryPoints: + - "web-secure" + rule: "Host(`{{ env "SIDECAR_3_DOMAIN"}}`)" + service: "sidecar-3-service" + tls: {} + helper-3-router: + entryPoints: + - "web" + rule: "Host(`{{ env "HELPER_3_DOMAIN"}}`)" + service: "helper-3-service" + services: + server-service: + loadBalancer: + servers: + - url: "http://localhost:{{ env "SERVER_PORT"}}" + sidecar-0-service: + loadBalancer: + servers: + - url: "http://localhost:{{ env "SIDECAR_0_PORT"}}" + helper-0-service: + loadBalancer: + servers: + - url: "http://localhost:{{ env "HELPER_0_PORT" }}" + sidecar-1-service: + loadBalancer: + servers: + - url: "http://localhost:{{ env "SIDECAR_1_PORT"}}" + helper-1-service: + loadBalancer: + servers: + - url: "http://localhost:{{ env "HELPER_1_PORT" }}" + sidecar-2-service: + loadBalancer: + servers: + - url: "http://localhost:{{ env "SIDECAR_2_PORT"}}" + helper-2-service: + loadBalancer: + servers: + - url: "http://localhost:{{ env "HELPER_2_PORT" }}" + sidecar-3-service: + loadBalancer: + servers: + - url: "http://localhost:{{ env 
"SIDECAR_3_PORT"}}" + helper-3-service: + loadBalancer: + servers: + - url: "http://localhost:{{ env "HELPER_3_PORT" }}" diff --git a/sidecar/traefik/dynamic-local/tls.yaml b/sidecar/traefik/dynamic-local/tls.yaml new file mode 100644 index 0000000..e59cc17 --- /dev/null +++ b/sidecar/traefik/dynamic-local/tls.yaml @@ -0,0 +1,4 @@ +tls: + certificates: + - certFile: {{ env "CERT_DIR" }}/cert.pem + keyFile: {{ env "CERT_DIR" }}/key.pem diff --git a/sidecar/traefik/dynamic/.nothing b/sidecar/traefik/dynamic/.nothing deleted file mode 100644 index e69de29..0000000 diff --git a/sidecar/traefik/dynamic/dynamic.yaml b/sidecar/traefik/dynamic/dynamic.yaml new file mode 100644 index 0000000..3901f5e --- /dev/null +++ b/sidecar/traefik/dynamic/dynamic.yaml @@ -0,0 +1,24 @@ +http: + routers: + sidecar-router: + entryPoints: + - "web" + - "web-secure" + rule: "Host(`{{ env "SIDECAR_DOMAIN"}}`)" + service: "sidecar-service" + tls: {} + helper-router: + entryPoints: + - "web-secure" + rule: "Host(`{{ env "HELPER_DOMAIN"}}`)" + service: "helper-service" + tls: {} + services: + sidecar-service: + loadBalancer: + servers: + - url: "http://localhost:{{ env "SIDECAR_PORT"}}" + helper-service: + loadBalancer: + servers: + - url: "http://localhost:{{ env "HELPER_PORT" }}" diff --git a/sidecar/traefik/dynamic/tls.yaml b/sidecar/traefik/dynamic/tls.yaml new file mode 100644 index 0000000..e59cc17 --- /dev/null +++ b/sidecar/traefik/dynamic/tls.yaml @@ -0,0 +1,4 @@ +tls: + certificates: + - certFile: {{ env "CERT_DIR" }}/cert.pem + keyFile: {{ env "CERT_DIR" }}/key.pem diff --git a/sidecar/traefik/traefik-local.yaml b/sidecar/traefik/traefik-local.yaml new file mode 100644 index 0000000..b980684 --- /dev/null +++ b/sidecar/traefik/traefik-local.yaml @@ -0,0 +1,9 @@ +entryPoints: + web: + address: ":80" + web-secure: + address: ":443" + +providers: + file: + directory: "sidecar/traefik/dynamic-local" From bc772fc9144d11e98a740f1e4e78a9a221ac59c6 Mon Sep 17 00:00:00 2001 
From: Erik Taubeneck Date: Mon, 4 Mar 2024 14:59:12 -0800 Subject: [PATCH 30/52] server updates, use localhost for ipa connections --- README.md | 67 +++++++++++++++++++++- sidecar/cli/cli.py | 20 +++++-- sidecar/traefik/dynamic-local/dynamic.yaml | 36 ------------ sidecar/traefik/dynamic/dynamic.yaml | 10 ---- 4 files changed, 79 insertions(+), 54 deletions(-) diff --git a/README.md b/README.md index 24724b4..54ef252 100644 --- a/README.md +++ b/README.md @@ -151,7 +151,7 @@ draft start-local-dev If needed, clone this repo: ``` -git clone https://github.com/eriktaubeneck/draft.git +git clone https://github.com/private-attribution/draft.git cd draft ``` 
@@ -163,5 +163,68 @@ pip install --editable . ``` -## Credit +## Deployment + +### Requirements + +*Instructions for AWS Linux 2023* + +1. **Python3.11**: Install with `sudo yum install python3.11` +2. **git**: Install with `sudo yum install git` +3. **draft** (this package): + 1. Clone with `git clone https://github.com/private-attribution/draft.git` + 2. Enter directory `cd draft`. + 3. Create virtualenv: `python3.11 -m venv .venv` + 4. Use virtualeenv: `source .venv/bin/activate` + 5. Upgrade pip: `pip install --upgrade pip` + 6. Install: `pip install --editable .` +4. **traefik**: + 1. Download version 2.11: `curl https://github.com/traefik/traefik/releases/download/v2.11.0/traefik_v2.11.0_linux_amd64.tar.gz` + 2. Validate checksum: `sha256sum traefik_v2.11.0_linux_amd64.tar.gz` should print `7f31f1cc566bd094f038579fc36e354fd545cf899523eb507c3cfcbbdb8b9552 traefik_v2.11.0_linux_amd64.tar.gz` + 3. Extract the binary: `tar -zxvf traefik_v2.11.0_linux_amd64.tar.gz` + + +### Generating TLS certs with Let's Encrypt + +You will need a domain name and TLS certificates for the sidecar to properly run over HTTPS. The following instructions assume your domain is `example.com`, please replace with the domain you'd like to use. You will need to create two sub-domains, `sidecar.example.com` and `helper.example.com`. (Note, you could also use a sub-domain as your base domain, e.g., `test.example.com` with two sub-domains of that: `sidecar.test.example.com` and `helper.test.example.com`.) + +1. Set up DNS records for `sidecar.example.com` and `helper.example.com` pointing to a server you control. +2. Make sure you've installed the requirements above, and are using the virtual environment. +3. Install `certbot`: `pip install certbot` +4. `sudo .venv/bin/certbot certonly --standalone -m cert-renewal@example.com -d "sidecar.example.com,helper.example.com"` + 1. Note that you must point directly to `.venv/bin/certbot` as `sudo` does not operate in the virtualenv. +5. 
Accept the [Let's Encrypt terms](https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf). + + +### Make Configuration + +For this stage, you'll need to know a few things about the other parties involved: +1. Their root domain +2. Their public keys +3. Everyone's *identity* (e.g., 0, 1, 2, 3) + + +One you know these: +1. Make a config directory `mkdir config` +2. Copy the default network config: `cp local_dev/config/network.toml config/.` +3. Update that file. + 1. Replace `helper1.draft.test` and `sidecar1.draft.test` with the respective domains for party with identity=1. + 2. Repeat for identity=2 and identity=3. + 3. Replace respective certificates with their public keys. + 4. Replace `helper-coordinator.draft.test` and `sidecar-coordinator.draft.test` with domain for party with identity=0. +4. Move your Let's Encrypt key and cert into place: `sudo ln -s /etc/letsencrypt/live/sidecar.example.com/fullchain.pem config/cert.pem` and `sudo ln -s /etc/letsencrypt/live/sidecar.example.com/privkey.pem key.pem` +5. Generate IPA specific keys: + 1. TODO + + +### Run draft + +``` +draft start-helper-sidecar --identity --root_domain example.com --config_path config +``` + + + + +# Credit [Beer tap icons created by wanicon - Flaticon]("https://www.flaticon.com/free-icons/beer-tap") diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index c00e6da..c764037 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py 
@@ -58,23 +58,26 @@ def build_domains( return sidecar_domain, helper_domain +# pylint: disable=too-many-arguments def start_traefik_command( config_path: Path, - identity: int, helper_port: int, sidecar_port: int, root_domain: str, + helper_domain: str, + sidecar_domain: str, ): - sidecar_domain, helper_domain = build_domains(identity, root_domain) + helper_domain = helper_domain or f"helper.{root_domain}" + sidecar_domain = sidecar_domain or f"sidecar.{root_domain}" env = { **os.environ, - "SIDECAR_DOMAIN": sidecar_domain, - "SIDECAR_PORT": str(sidecar_port), "HELPER_DOMAIN": helper_domain, + "SIDECAR_DOMAIN": sidecar_domain, "HELPER_PORT": str(helper_port), + "SIDECAR_PORT": str(sidecar_port), "CERT_DIR": config_path, } - cmd = "sudo ./traefik --configFile=sidecar/traefik/traefik.yaml" + cmd = "sudo -E ./traefik --configFile=sidecar/traefik/traefik.yaml" return Command(cmd=cmd, env=env) @@ -112,6 +115,8 @@ def start_traefik_local_command( ) @click.option("--root_path", type=click_pathlib.Path(), default=None) @click.option("--root_domain", type=str, default="ipa-helper.dev") +@click.option("--helper_domain", type=str, default="") +@click.option("--sidecar_domain", type=str, default="") @click.option("--helper_port", type=int, default=7430) @click.option("--sidecar_port", type=int, default=17430) @click.option("--identity", required=True, type=int) @@ -119,6 +124,8 @@ def start_helper_sidecar( config_path: Path, root_path: Optional[Path], root_domain: str, + helper_domain: str, + sidecar_domain: str, helper_port: int, sidecar_port: int, identity: int, @@ -132,10 +139,11 @@ def start_helper_sidecar( ) traefik_command = start_traefik_command( config_path=config_path, - identity=identity, helper_port=helper_port, sidecar_port=sidecar_port, root_domain=root_domain, + helper_domain=helper_domain, + sidecar_domain=sidecar_domain, ) start_commands_parallel([sidecar_command, traefik_command]) 
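Review bot: `cmd = "sudo -E ./traefik --configFile=sidecar/traefik/traefik.yaml"` in start_traefik_command hands the caller's whole environment to a root process, because `env` is built from `**os.environ` and only adds the five variables traefik actually reads; `-E` also needs the SETENV privilege in sudoers, which is an avoidable coupling. Build the mapping from just those keys (plus `PATH`) — e.g. `env = {"PATH": os.environ.get("PATH", ""), "HELPER_DOMAIN": helper_domain, "SIDECAR_DOMAIN": sidecar_domain, "HELPER_PORT": str(helper_port), "SIDECAR_PORT": str(sidecar_port), "CERT_DIR": str(config_path)}` — or pass them as `sudo VAR=value` assignments instead of `-E`. Note that `"CERT_DIR": config_path` is a `Path` while every other value is a `str`; `str(config_path)` keeps the mapping uniform. The remaining hunks in this file only thread the new `helper_domain`/`sidecar_domain` options through.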
diff --git a/sidecar/traefik/dynamic-local/dynamic.yaml b/sidecar/traefik/dynamic-local/dynamic.yaml index 80266e8..c2c84cf 100644 --- a/sidecar/traefik/dynamic-local/dynamic.yaml +++ b/sidecar/traefik/dynamic-local/dynamic.yaml @@ -12,44 +12,24 @@ http: rule: "Host(`{{ env "SIDECAR_0_DOMAIN"}}`)" service: "sidecar-0-service" tls: {} - helper-0-router: - entryPoints: - - "web" - rule: "Host(`{{ env "HELPER_0_DOMAIN"}}`)" - service: "helper-0-service" sidecar-1-router: entryPoints: - "web-secure" rule: "Host(`{{ env "SIDECAR_1_DOMAIN"}}`)" service: "sidecar-1-service" tls: {} - helper-1-router: - entryPoints: - - "web" - rule: "Host(`{{ env "HELPER_1_DOMAIN"}}`)" - service: "helper-1-service" sidecar-2-router: entryPoints: - "web-secure" rule: "Host(`{{ env "SIDECAR_2_DOMAIN"}}`)" service: "sidecar-2-service" tls: {} - helper-2-router: - entryPoints: - - "web" - rule: "Host(`{{ env "HELPER_2_DOMAIN"}}`)" - service: "helper-2-service" sidecar-3-router: entryPoints: - "web-secure" rule: "Host(`{{ env "SIDECAR_3_DOMAIN"}}`)" service: "sidecar-3-service" tls: {} - helper-3-router: - entryPoints: - - "web" - rule: "Host(`{{ env "HELPER_3_DOMAIN"}}`)" - service: "helper-3-service" services: server-service: loadBalancer: 
@@ -59,31 +39,15 @@ http: loadBalancer: servers: - url: "http://localhost:{{ env "SIDECAR_0_PORT"}}" - helper-0-service: - loadBalancer: - servers: - - url: "http://localhost:{{ env "HELPER_0_PORT" }}" sidecar-1-service: loadBalancer: servers: - url: "http://localhost:{{ env "SIDECAR_1_PORT"}}" - helper-1-service: - loadBalancer: - servers: - - url: "http://localhost:{{ env "HELPER_1_PORT" }}" sidecar-2-service: loadBalancer: servers: - url: "http://localhost:{{ env "SIDECAR_2_PORT"}}" - helper-2-service: - loadBalancer: - servers: - - url: "http://localhost:{{ env "HELPER_2_PORT" }}" sidecar-3-service: loadBalancer: servers: - url: "http://localhost:{{ env "SIDECAR_3_PORT"}}" - helper-3-service: - loadBalancer: - servers: - - url: "http://localhost:{{ env "HELPER_3_PORT" }}" diff --git a/sidecar/traefik/dynamic/dynamic.yaml b/sidecar/traefik/dynamic/dynamic.yaml index 3901f5e..8db0ebf 100644 --- a/sidecar/traefik/dynamic/dynamic.yaml +++ b/sidecar/traefik/dynamic/dynamic.yaml @@ -7,18 +7,8 @@ http: rule: "Host(`{{ env "SIDECAR_DOMAIN"}}`)" service: "sidecar-service" tls: {} - helper-router: - entryPoints: - - "web-secure" - rule: "Host(`{{ env "HELPER_DOMAIN"}}`)" - service: "helper-service" - tls: {} services: sidecar-service: loadBalancer: servers: - url: "http://localhost:{{ env "SIDECAR_PORT"}}" - helper-service: - loadBalancer: - servers: - - url: "http://localhost:{{ env "HELPER_PORT" }}" From 0a87b6dd76204784fb5aa0f19dc67d58aa687d45 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Tue, 5 Mar 2024 12:33:30 -0800 Subject: [PATCH 31/52] remove unneeded helper_domain from cli --- sidecar/cli/cli.py | 26 +++++--------------------- 1 file changed, 5 insertions(+), 21 deletions(-) diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index c764037..5b3cf69 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py 
@@ -44,36 +44,28 @@ def start_helper_sidecar_command( return Command(cmd=cmd, env=env) -def build_domains( +def build_sidecar_domain( identity: int, root_domain: str, -) -> tuple[str, str]: +) -> str: role = Role(int(identity)) if role == Role.COORDINATOR: sidecar_domain = f"sidecar-coordinator.{root_domain}" - helper_domain = f"helper-coordinator.{root_domain}" else: sidecar_domain = f"sidecar{role.value}.{root_domain}" - helper_domain = f"helper{role.value}.{root_domain}" - return sidecar_domain, helper_domain + return sidecar_domain -# pylint: disable=too-many-arguments def start_traefik_command( config_path: Path, - helper_port: int, sidecar_port: int, root_domain: str, - helper_domain: str, sidecar_domain: str, ): - helper_domain = helper_domain or f"helper.{root_domain}" sidecar_domain = sidecar_domain or f"sidecar.{root_domain}" env = { **os.environ, - "HELPER_DOMAIN": helper_domain, "SIDECAR_DOMAIN": sidecar_domain, - "HELPER_PORT": str(helper_port), "SIDECAR_PORT": str(sidecar_port), "CERT_DIR": config_path, } @@ -83,7 +75,6 @@ def start_traefik_command( def start_traefik_local_command( config_path: Path, - helper_ports: tuple[int, ...], sidecar_ports: tuple[int, ...], server_port: int, root_domain: str, @@ -94,12 +85,10 @@ def start_traefik_local_command( "SERVER_DOMAIN": root_domain, "SERVER_PORT": str(server_port), } - for identity, (h_port, s_port) in enumerate(zip(helper_ports, sidecar_ports)): - sidecar_domain, helper_domain = build_domains(identity, root_domain) + for identity, s_port in enumerate(sidecar_ports): + sidecar_domain = build_sidecar_domain(identity, root_domain) env[f"SIDECAR_{identity}_DOMAIN"] = sidecar_domain env[f"SIDECAR_{identity}_PORT"] = str(s_port) - env[f"HELPER_{identity}_DOMAIN"] = helper_domain - env[f"HELPER_{identity}_PORT"] = str(h_port) cmd = "traefik --configFile=sidecar/traefik/traefik-local.yaml" return Command(cmd=cmd, env=env) 
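Review bot: build_sidecar_domain in the first hunk has no docstring, and the coordinator special case (`sidecar-coordinator.` versus `sidecar{n}.`) is precisely the naming convention a reader needs spelled out, since it has to agree with network.toml and the Traefik Host rules. A one-liner such as `"""Return the sidecar hostname for this identity under root_domain (the coordinator role maps to sidecar-coordinator)."""` would do. In start_traefik_command, `root_domain` now survives only as the fallback for an empty `sidecar_domain`; a comment on `sidecar_domain = sidecar_domain or f"sidecar.{root_domain}"` saying so stops the next cleanup from dropping the parameter as unused.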
@@ -115,7 +104,6 @@ def start_traefik_local_command( ) @click.option("--root_path", type=click_pathlib.Path(), default=None) @click.option("--root_domain", type=str, default="ipa-helper.dev") -@click.option("--helper_domain", type=str, default="") @click.option("--sidecar_domain", type=str, default="") @click.option("--helper_port", type=int, default=7430) @click.option("--sidecar_port", type=int, default=17430) @@ -124,7 +112,6 @@ def start_helper_sidecar( config_path: Path, root_path: Optional[Path], root_domain: str, - helper_domain: str, sidecar_domain: str, helper_port: int, sidecar_port: int, @@ -139,10 +126,8 @@ def start_helper_sidecar( ) traefik_command = start_traefik_command( config_path=config_path, - helper_port=helper_port, sidecar_port=sidecar_port, root_domain=root_domain, - helper_domain=helper_domain, sidecar_domain=sidecar_domain, ) start_commands_parallel([sidecar_command, traefik_command]) @@ -189,7 +174,6 @@ def start_local_dev( ] traefik_command = start_traefik_local_command( config_path=config_path, - helper_ports=tuple(helper_ports.values()), sidecar_ports=tuple(sidecar_ports.values()), server_port=server_port, root_domain=root_domain, From 5956af09878830a4d2a81de7d0d49d3bee9fd288 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Tue, 5 Mar 2024 14:58:29 -0800 Subject: [PATCH 32/52] Update README.md formating --- README.md | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 54ef252..4dc4ebd 100644 --- a/README.md +++ b/README.md 
@@ -172,16 +172,16 @@ pip install --editable . 1. **Python3.11**: Install with `sudo yum install python3.11` 2. **git**: Install with `sudo yum install git` 3. **draft** (this package): - 1. Clone with `git clone https://github.com/private-attribution/draft.git` - 2. Enter directory `cd draft`. - 3. Create virtualenv: `python3.11 -m venv .venv` - 4. Use virtualeenv: `source .venv/bin/activate` - 5. Upgrade pip: `pip install --upgrade pip` - 6. Install: `pip install --editable .` + 1. Clone with `git clone https://github.com/private-attribution/draft.git` + 2. Enter directory `cd draft`. + 3. Create virtualenv: `python3.11 -m venv .venv` + 4. Use virtualeenv: `source .venv/bin/activate` + 5. Upgrade pip: `pip install --upgrade pip` + 6. Install: `pip install --editable .` 4. **traefik**: - 1. Download version 2.11: `curl https://github.com/traefik/traefik/releases/download/v2.11.0/traefik_v2.11.0_linux_amd64.tar.gz` - 2. Validate checksum: `sha256sum traefik_v2.11.0_linux_amd64.tar.gz` should print `7f31f1cc566bd094f038579fc36e354fd545cf899523eb507c3cfcbbdb8b9552 traefik_v2.11.0_linux_amd64.tar.gz` - 3. Extract the binary: `tar -zxvf traefik_v2.11.0_linux_amd64.tar.gz` + 1. Download version 2.11: `wget https://github.com/traefik/traefik/releases/download/v2.11.0/traefik_v2.11.0_linux_amd64.tar.gz` + 2. Validate checksum: `sha256sum traefik_v2.11.0_linux_amd64.tar.gz` should print `7f31f1cc566bd094f038579fc36e354fd545cf899523eb507c3cfcbbdb8b9552 traefik_v2.11.0_linux_amd64.tar.gz` + 3. Extract the binary: `tar -zxvf traefik_v2.11.0_linux_amd64.tar.gz` ### Generating TLS certs with Let's Encrypt 
@@ -192,7 +192,7 @@ You will need a domain name and TLS certificates for the sidecar to properly run 2. Make sure you've installed the requirements above, and are using the virtual environment. 3. Install `certbot`: `pip install certbot` 4. `sudo .venv/bin/certbot certonly --standalone -m cert-renewal@example.com -d "sidecar.example.com,helper.example.com"` - 1. Note that you must point directly to `.venv/bin/certbot` as `sudo` does not operate in the virtualenv. + 1. Note that you must point directly to `.venv/bin/certbot` as `sudo` does not operate in the virtualenv. 5. Accept the [Let's Encrypt terms](https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf). @@ -208,13 +208,13 @@ One you know these: 1. Make a config directory `mkdir config` 2. Copy the default network config: `cp local_dev/config/network.toml config/.` 3. Update that file. - 1. Replace `helper1.draft.test` and `sidecar1.draft.test` with the respective domains for party with identity=1. - 2. Repeat for identity=2 and identity=3. - 3. Replace respective certificates with their public keys. - 4. Replace `helper-coordinator.draft.test` and `sidecar-coordinator.draft.test` with domain for party with identity=0. + 1. Replace `helper1.draft.test` and `sidecar1.draft.test` with the respective domains for party with identity=1. + 2. Repeat for identity=2 and identity=3. + 3. Replace respective certificates with their public keys. + 4. Replace `helper-coordinator.draft.test` and `sidecar-coordinator.draft.test` with domain for party with identity=0. 4. Move your Let's Encrypt key and cert into place: `sudo ln -s /etc/letsencrypt/live/sidecar.example.com/fullchain.pem config/cert.pem` and `sudo ln -s /etc/letsencrypt/live/sidecar.example.com/privkey.pem key.pem` 5. Generate IPA specific keys: - 1. TODO + 1. TODO ### Run draft From 609a16ea36cfd67b01803a4b103ef504043bf19c Mon Sep 17 00:00:00 2001 
From: Erik Taubeneck Date: Tue, 5 Mar 2024 12:54:20 -0800 Subject: [PATCH 33/52] use sidecar0 instead of sidecar-coordinator --- README.md | 16 +++++++++------- local_dev/config/network.toml | 2 +- server/app/query/servers.tsx | 2 +- sidecar/cli/cli.py | 14 +------------- 4 files changed, 12 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 4dc4ebd..44f54be 100644 --- a/README.md +++ b/README.md @@ -111,10 +111,6 @@ update /etc/hosts with (requires sudo) ``` 127.0.0.1 draft.test -127.0.0.1 helper0.draft.test -127.0.0.1 helper1.draft.test -127.0.0.1 helper2.draft.test -127.0.0.1 helper3.draft.test 127.0.0.1 sidecar0.draft.test 127.0.0.1 sidecar1.draft.test 127.0.0.1 sidecar2.draft.test @@ -182,6 +178,7 @@ pip install --editable . 1. Download version 2.11: `wget https://github.com/traefik/traefik/releases/download/v2.11.0/traefik_v2.11.0_linux_amd64.tar.gz` 2. Validate checksum: `sha256sum traefik_v2.11.0_linux_amd64.tar.gz` should print `7f31f1cc566bd094f038579fc36e354fd545cf899523eb507c3cfcbbdb8b9552 traefik_v2.11.0_linux_amd64.tar.gz` 3. Extract the binary: `tar -zxvf traefik_v2.11.0_linux_amd64.tar.gz` +5. **tmux**: `sudo yum install tmux` ### Generating TLS certs with Let's Encrypt 
@@ -208,10 +205,9 @@ One you know these: 1. Make a config directory `mkdir config` 2. Copy the default network config: `cp local_dev/config/network.toml config/.` 3. Update that file. - 1. Replace `helper1.draft.test` and `sidecar1.draft.test` with the respective domains for party with identity=1. - 2. Repeat for identity=2 and identity=3. + 1. Replace `helper0.draft.test` and `sidecar0.draft.test` with the respective domains for party with identity=0. + 2. Repeat for identity= 1, 2, and 3. 3. Replace respective certificates with their public keys. - 4. Replace `helper-coordinator.draft.test` and `sidecar-coordinator.draft.test` with domain for party with identity=0. 4. Move your Let's Encrypt key and cert into place: `sudo ln -s /etc/letsencrypt/live/sidecar.example.com/fullchain.pem config/cert.pem` and `sudo ln -s /etc/letsencrypt/live/sidecar.example.com/privkey.pem key.pem` 5. Generate IPA specific keys: 1. TODO @@ -219,6 +215,12 @@ One you know these: ### Run draft +You'll want this to continue to run, even if you disconnect from the host, so it's a good idea to start a tmux session: + +``` +tmux new -s draft-session +``` + ``` draft start-helper-sidecar --identity --root_domain example.com --config_path config ``` diff --git a/local_dev/config/network.toml b/local_dev/config/network.toml index b16ba9f..6888cb6 100644 --- a/local_dev/config/network.toml +++ b/local_dev/config/network.toml @@ -61,7 +61,7 @@ version = "http2" [coordinator] url = "localhost:7430" -sidecar_url = "sidecar-coordinator.draft.test" +sidecar_url = "sidecar0.draft.test" certificate = """ -----BEGIN CERTIFICATE----- MIIBHDCBwqADAgECAghMfLQt7MF1IDAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAls diff --git a/server/app/query/servers.tsx b/server/app/query/servers.tsx index a01ac19..d23a043 100644 --- a/server/app/query/servers.tsx +++ b/server/app/query/servers.tsx 
@@ -272,7 +272,7 @@ export const IPARemoteServers: RemoteServersType = { RemoteServerNames.Coordinator, new URL( process?.env?.NEXT_PUBLIC_COORDINATOR_URL ?? - "https://sidecar-coordinator.draft.test", + "https://sidecar0.draft.test", ), ), [RemoteServerNames.Helper1]: new IPAHelperRemoteServer( diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index 5b3cf69..63f95a7 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py @@ -44,18 +44,6 @@ def start_helper_sidecar_command( return Command(cmd=cmd, env=env) -def build_sidecar_domain( - identity: int, - root_domain: str, -) -> str: - role = Role(int(identity)) - if role == Role.COORDINATOR: - sidecar_domain = f"sidecar-coordinator.{root_domain}" - else: - sidecar_domain = f"sidecar{role.value}.{root_domain}" - return sidecar_domain - - def start_traefik_command( config_path: Path, sidecar_port: int, @@ -86,7 +74,7 @@ def start_traefik_local_command( "SERVER_PORT": str(server_port), } for identity, s_port in enumerate(sidecar_ports): - sidecar_domain = build_sidecar_domain(identity, root_domain) + sidecar_domain = f"sidecar{identity}.{root_domain}" env[f"SIDECAR_{identity}_DOMAIN"] = sidecar_domain env[f"SIDECAR_{identity}_PORT"] = str(s_port) From 656a7e42f315421e8f5c4bbb4c67134bae8a9589 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Wed, 6 Mar 2024 14:59:44 -0800 Subject: [PATCH 34/52] removed signed call to /stop. needs to be handled differently --- sidecar/app/query/ipa.py | 12 ------------ sidecar/app/routes/stop.py | 38 -------------------------------------- sidecar/app/settings.py | 12 ------------ 3 files changed, 62 deletions(-) diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index c472b5e..54b70aa 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py @@ -1,6 +1,5 @@ from __future__ import annotations -import base64 import time from dataclasses import dataclass, field from pathlib import Path 
@@ -9,8 +8,6 @@ import httpx import loguru -from cryptography.hazmat.primitives import hashes -from cryptography.hazmat.primitives.asymmetric import ec from ..helpers import Role from ..local_paths import Paths @@ -303,15 +300,7 @@ class IPACoordinatorQuery(IPAQuery): IPACoordinatorStartStep, ] - def sign_query_id(self): - return base64.b64encode( - settings.private_key.sign( - self.query_id.encode("utf8"), ec.ECDSA(hashes.SHA256()) - ) - ).decode("utf8") - def send_terminate_signals(self): - signature = self.sign_query_id() self.logger.info("sending terminate signals") for helper in settings.helpers.values(): if helper.role == self.role: @@ -324,7 +313,6 @@ def send_terminate_signals(self): r = httpx.post( finish_url, - json={"identity": str(self.role.value), "signature": signature}, verify=False, ) self.logger.info(f"sent post request: {finish_url}: {r.text}") diff --git a/sidecar/app/routes/stop.py b/sidecar/app/routes/stop.py index 8bffb89..4dde4d8 100644 --- a/sidecar/app/routes/stop.py +++ b/sidecar/app/routes/stop.py @@ -1,16 +1,8 @@ -import base64 - -from cryptography.exceptions import InvalidSignature -from cryptography.hazmat.primitives import hashes -from cryptography.hazmat.primitives.asymmetric import ec from fastapi import APIRouter -from pydantic import BaseModel -from ..helpers import Role from ..logger import logger from ..query.base import Query from ..query.step import Status -from ..settings import settings router = APIRouter( prefix="/stop", 
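Review bot: The surviving `httpx.post(finish_url, verify=False)` in send_terminate_signals still disables TLS certificate verification on a call that, after this hunk, carries no signature either, so the terminate signal is neither authenticated nor sent over a verified channel. Dropping `verify=False` (PATCH 47 later in this series does so) and reinstating some form of caller authentication are both needed before this runs anywhere but local dev; until then a `# TODO: no caller authentication and no TLS verification; see /stop/finish` next to the call keeps the gap visible. The body of send_terminate_signals begins outside this hunk.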
@@ -20,40 +12,10 @@ ) -def validate_query_signature( - query_id: str, - identity: int, - signature: bytes, -) -> bool: - helpers = settings.helpers - role = Role(identity) - helper = helpers[role] - try: - helper.public_key.verify( - signature, query_id.encode("utf8"), ec.ECDSA(hashes.SHA256()) - ) - return True - except InvalidSignature: - return False - - -# pyre-ignore: https://pyre-check.org/docs/errors/#dataclass-like-classes -class SignedRequestModel(BaseModel): - identity: int - signature: bytes - - @router.post("/finish/{query_id}") def finish( query_id: str, - data: SignedRequestModel, ): - identity = data.identity - signature = base64.b64decode(data.signature) - logger.info(f"finish called for {query_id=}") - if not validate_query_signature(query_id, identity, signature): - logger.warning("signature invalid") - return {"message": "Invalid signature"} query = Query.get_from_query_id(query_id) if query is None: return {"message": "Query not found", "query_id": query_id} diff --git a/sidecar/app/settings.py b/sidecar/app/settings.py index 349f512..0035412 100644 --- a/sidecar/app/settings.py +++ b/sidecar/app/settings.py @@ -1,8 +1,6 @@ from pathlib import Path from typing import Annotated, Any -from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey -from cryptography.hazmat.primitives.serialization import load_pem_private_key from pydantic.functional_validators import BeforeValidator from pydantic_settings import BaseSettings 
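Review bot: `finish` now accepts a bare POST to `/stop/finish/{query_id}` with no check of who sent it, so any client that can reach the sidecar can mark a query finished by knowing or guessing its id; the commit message says this will be handled differently, but nothing in the route records that intent. The hunk also deletes `logger.info(f"finish called for {query_id=}")`, which was the only trace of a stop request — keep that line, and add `# TODO: restore caller authentication; this endpoint is currently unauthenticated` above the decorator so the gap lives in the code and not only in git history. Whether the route is reachable beyond the helper network depends on the Traefik rules, which this patch does not touch.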
@@ -18,18 +16,12 @@ class Settings(BaseSettings): root_path: Annotated[Path, BeforeValidator(gen_path)] config_path: Annotated[Path, BeforeValidator(gen_path)] network_config_path: Annotated[Path, BeforeValidator(gen_path)] - private_key_pem_path: Annotated[Path, BeforeValidator(gen_path)] role: Role helper_port: int _helpers: dict[Role, Helper] - _private_key: EllipticCurvePrivateKey def model_post_init(self, __context) -> None: self._helpers = load_helpers_from_network_config(self.network_config_path) - with self.private_key_pem_path.open("rb") as f: - _private_key = load_pem_private_key(f.read(), None) - assert isinstance(_private_key, EllipticCurvePrivateKey) - self._private_key = _private_key @property def helper(self): @@ -39,9 +31,5 @@ def helper(self): def helpers(self): return self._helpers - @property - def private_key(self): - return self._private_key - settings = Settings() From 136d5bee62d52a1d07cb6e72e1f87c175b375a2d Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Thu, 7 Mar 2024 13:36:14 -0800 Subject: [PATCH 35/52] add multi-threading to compile features for IPA --- sidecar/app/query/ipa.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index 54b70aa..47e127b 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py @@ -154,8 +154,9 @@ def build_from_query(cls, query: IPAQuery): def build_command(self) -> LoggerOutputCommand: return LoggerOutputCommand( cmd=f"cargo build --bin helper --manifest-path={self.manifest_path} " - f'--features="web-app real-world-infra compact-gate stall-detection" ' - f"--no-default-features --target-dir={self.target_path} --release", + f'--features="web-app real-world-infra compact-gate stall-detection ' + f'multi-threading" --no-default-features --target-dir={self.target_path} ' + f"--release", logger=self.logger, ) From 9660d9f85d19105eb35e31aeaddbe2ffb65ea5b7 Mon Sep 17 00:00:00 2001 
From: Erik Taubeneck Date: Thu, 7 Mar 2024 15:35:34 -0800 Subject: [PATCH 36/52] add a step to generate the MPC steps file --- sidecar/app/query/ipa.py | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index 47e127b..f5cbcb8 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py @@ -161,6 +161,32 @@ def build_command(self) -> LoggerOutputCommand: ) +@dataclass(kw_only=True) +class IPAHelperCollectStepsStep(CommandStep): + manifest_path: Path + output_file_path: Path + logger: loguru.Logger = field(repr=False) + status: ClassVar[Status] = Status.COMPILING + + @classmethod + def build_from_query(cls, query: IPAQuery): + manifest_path = query.paths.repo_path / Path("Cargo.toml") + output_file_path = ( + query.paths.repo_path / "ipa-core/src/protocol/step/steps.txt" + ) + return cls( + manifest_path=manifest_path, + logger=query.logger, + output_file_path=output_file_path, + ) + + def build_command(self) -> FileOutputCommand: + return FileOutputCommand( + cmd="python3 scripts/collect_scripts.py", + output_file_path=self.output_file_path, + ) + + @dataclass(kw_only=True) class IPACoordinatorGenerateTestDataStep(CommandStep): output_file_path: Path @@ -376,5 +402,6 @@ class IPAHelperQuery(IPAQuery): IPAFetchUpstreamStep, IPACheckoutCommitStep, IPAHelperCompileStep, + IPAHelperCollectStepsStep, IPAStartHelperStep, ] From a0938033975dde562a38a1d4752c2d5d298211df Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Thu, 7 Mar 2024 22:20:48 -0800 Subject: [PATCH 37/52] typo --- sidecar/app/query/ipa.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index f5cbcb8..17e5b03 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py 
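Review bot: IPAHelperCollectStepsStep stores `manifest_path` but build_command never uses it, and `cmd="python3 scripts/collect_scripts.py"` is resolved against whatever directory the sidecar process happens to run in rather than against `query.paths.repo_path`, so the step only works when the two coincide. Either drop `manifest_path` or pass it to the script, and carry the repo-relative script path in the step (later patches in this series add a `cwd` to Command and rename the script to `collect_steps.py` for this reason). The class also lacks a docstring; one line noting that it writes `ipa-core/src/protocol/step/steps.txt` under the repo, presumably from the checked-out commit, would also explain why its `status` is `Status.COMPILING`.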
@@ -182,7 +182,7 @@ def build_from_query(cls, query: IPAQuery): def build_command(self) -> FileOutputCommand: return FileOutputCommand( - cmd="python3 scripts/collect_scripts.py", + cmd="python3 scripts/collect_steps.py", output_file_path=self.output_file_path, ) From cfecf75980744306daccaedd92b3327a270b3ceb Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Thu, 7 Mar 2024 22:26:21 -0800 Subject: [PATCH 38/52] fix script path --- sidecar/app/query/ipa.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index 17e5b03..fd73e33 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py @@ -165,24 +165,27 @@ def build_command(self) -> LoggerOutputCommand: class IPAHelperCollectStepsStep(CommandStep): manifest_path: Path output_file_path: Path + script_path: Path logger: loguru.Logger = field(repr=False) status: ClassVar[Status] = Status.COMPILING @classmethod def build_from_query(cls, query: IPAQuery): manifest_path = query.paths.repo_path / Path("Cargo.toml") - output_file_path = ( - query.paths.repo_path / "ipa-core/src/protocol/step/steps.txt" + script_path = query.paths.repo_path / Path("scripts/collect_steps.py") + output_file_path = query.paths.repo_path / Path( + "ipa-core/src/protocol/step/steps.txt" ) return cls( manifest_path=manifest_path, logger=query.logger, output_file_path=output_file_path, + script_path=script_path, ) def build_command(self) -> FileOutputCommand: return FileOutputCommand( - cmd="python3 scripts/collect_steps.py", + cmd=f"python3 {self.script_path}", output_file_path=self.output_file_path, ) From f727f4724a36e3411d159c987d077c077ebd1090 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Thu, 7 Mar 2024 22:46:48 -0800 Subject: [PATCH 39/52] add env option to command --- sidecar/app/query/command.py | 2 ++ sidecar/app/query/ipa.py | 20 +++++++------------- sidecar/app/query/step.py | 1 + 3 files changed, 10 insertions(+), 13 deletions(-) 
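Review bot: `cmd=f"python3 {self.script_path}"` in the PATCH 38 hunk is later `shlex.split` before `Popen`, so a repo path containing a space or quote breaks the command; use `cmd=f"python3 {shlex.quote(str(self.script_path))}"` (shlex is stdlib). `manifest_path` is still stored and never used. The rest of the class is outside this hunk.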
diff --git a/sidecar/app/query/command.py b/sidecar/app/query/command.py index 51cca81..e9f696c 100644 --- a/sidecar/app/query/command.py +++ b/sidecar/app/query/command.py @@ -16,6 +16,7 @@ class Command: cmd: str env: Optional[dict] = field(default_factory=lambda: {**os.environ}, repr=False) + cwd: Optional[Path] = field(default=None, repr=True) process: Optional[subprocess.Popen] = field(init=False, default=None, repr=True) @property @@ -65,6 +66,7 @@ def build_process(self): return subprocess.Popen( shlex.split(self.cmd), env=self.env, + cwd=self.cwd, ) def start(self): diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index fd73e33..cbd8d63 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py @@ -163,30 +163,24 @@ def build_command(self) -> LoggerOutputCommand: @dataclass(kw_only=True) class IPAHelperCollectStepsStep(CommandStep): - manifest_path: Path - output_file_path: Path - script_path: Path + repo_path: Path logger: loguru.Logger = field(repr=False) status: ClassVar[Status] = Status.COMPILING @classmethod def build_from_query(cls, query: IPAQuery): - manifest_path = query.paths.repo_path / Path("Cargo.toml") - script_path = query.paths.repo_path / Path("scripts/collect_steps.py") - output_file_path = query.paths.repo_path / Path( - "ipa-core/src/protocol/step/steps.txt" - ) + repo_path = query.paths.repo_path return cls( - manifest_path=manifest_path, + repo_path=repo_path, logger=query.logger, - output_file_path=output_file_path, - script_path=script_path, ) def build_command(self) -> FileOutputCommand: + output_file_path = self.repo_path / Path("ipa-core/src/protocol/step/steps.txt") return FileOutputCommand( - cmd=f"python3 {self.script_path}", - output_file_path=self.output_file_path, + cmd=f"python3 scripts/collect_steps.py", + cwd=self.repo_path, + output_file_path=output_file_path, ) diff --git a/sidecar/app/query/step.py b/sidecar/app/query/step.py index 6a949ea..af61f64 100644 --- a/sidecar/app/query/step.py 
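Review bot: `cwd=self.repo_path` is passed to FileOutputCommand in the ipa.py hunk, but this patch threads `cwd` only into `Command.build_process`; FileOutputCommand and LoggerOutputCommand have their own `build_process` (their `Popen` calls are outside these hunks), so the working directory is silently ignored and `scripts/collect_steps.py` is again resolved against the sidecar's cwd. PATCH 41 in this series adds `cwd=self.cwd` to those subclasses; that change belongs in this commit. Two smaller items: `cmd=f"python3 scripts/collect_steps.py"` is an f-string with no placeholders, and the new `cwd: Optional[Path]` field needs `Path` in scope in command.py — the import block is outside the hunk, so please confirm.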
+++ b/sidecar/app/query/step.py @@ -80,6 +80,7 @@ def memory_rss_usage(self) -> int: @dataclass(kw_only=True) class CommandStep(Step, ABC): + # TODO : maybe delete env from here env: Optional[dict] = field(default_factory=lambda: {**os.environ}, repr=False) command: Command = field(init=False, repr=True) From d5873a8f108b565166b572d8e7a31b14feb8a7b1 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Thu, 7 Mar 2024 22:49:42 -0800 Subject: [PATCH 40/52] add -m flag to collect_steps --- sidecar/app/query/ipa.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index cbd8d63..56cbf46 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py @@ -178,7 +178,7 @@ def build_from_query(cls, query: IPAQuery): def build_command(self) -> FileOutputCommand: output_file_path = self.repo_path / Path("ipa-core/src/protocol/step/steps.txt") return FileOutputCommand( - cmd=f"python3 scripts/collect_steps.py", + cmd=f"python3 scripts/collect_steps.py -m", cwd=self.repo_path, output_file_path=output_file_path, ) From f815f57d1444d6c6c6aca4a4e37b7e8125280ac5 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Thu, 7 Mar 2024 22:58:06 -0800 Subject: [PATCH 41/52] add cwd to subclasses of Command --- sidecar/app/query/command.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sidecar/app/query/command.py b/sidecar/app/query/command.py index e9f696c..bd3519e 100644 --- a/sidecar/app/query/command.py +++ b/sidecar/app/query/command.py @@ -101,6 +101,7 @@ def build_process(self): shlex.split(self.cmd), stdout=self.output_file, env=self.env, + cwd=self.cwd, ) def start(self): @@ -116,6 +117,7 @@ def build_process(self): return subprocess.Popen( shlex.split(self.cmd), env=self.env, + cwd=self.cwd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, From 66ccf83828fb6beb71fd103417321d4013044737 Mon Sep 17 00:00:00 2001 
From: Erik Taubeneck Date: Tue, 12 Mar 2024 16:42:46 -0700 Subject: [PATCH 42/52] fix pylint errors --- sidecar/app/query/ipa.py | 2 +- sidecar/app/query/step.py | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index 56cbf46..ff8b185 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py @@ -178,7 +178,7 @@ def build_from_query(cls, query: IPAQuery): def build_command(self) -> FileOutputCommand: output_file_path = self.repo_path / Path("ipa-core/src/protocol/step/steps.txt") return FileOutputCommand( - cmd=f"python3 scripts/collect_steps.py -m", + cmd="python3 scripts/collect_steps.py -m", cwd=self.repo_path, output_file_path=output_file_path, ) diff --git a/sidecar/app/query/step.py b/sidecar/app/query/step.py index af61f64..3ff58b9 100644 --- a/sidecar/app/query/step.py +++ b/sidecar/app/query/step.py @@ -80,7 +80,8 @@ def memory_rss_usage(self) -> int: @dataclass(kw_only=True) class CommandStep(Step, ABC): - # TODO : maybe delete env from here + # pylint: disable=fixme + # TODO : maybe delete env from here # [fixme] env: Optional[dict] = field(default_factory=lambda: {**os.environ}, repr=False) command: Command = field(init=False, repr=True) From 0dc32d84ebde615efdce58abd64e06ae7d0f57c6 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 15 Mar 2024 10:32:52 -0700 Subject: [PATCH 43/52] use mkcert CA with httpx --- sidecar/cli/cli.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/sidecar/cli/cli.py b/sidecar/cli/cli.py index 63f95a7..7ef2c4a 100644 --- a/sidecar/cli/cli.py +++ b/sidecar/cli/cli.py @@ -1,4 +1,6 @@ import os +import shlex +import subprocess from pathlib import Path from typing import Optional @@ -20,6 +22,7 @@ def start_helper_sidecar_command( helper_port: int, sidecar_port: int, root_path: Optional[Path] = None, + _env: Optional[dict[str, str]] = None, ): role = Role(int(identity)) network_config = config_path / Path("network.toml") 
@@ -30,8 +33,11 @@ def start_helper_sidecar_command( else: private_key_pem_path = config_path / Path(f"h{role.value}.key") cmd = "uvicorn sidecar.app.main:app" + if _env is None: + _env = {} env = { **os.environ, + **_env, "ROLE": str(role.value), "ROOT_PATH": root_path, "CONFIG_PATH": config_path, @@ -150,6 +156,16 @@ def start_local_dev( helper_ports = {role: helper_start_port + int(role) for role in Role} sidecar_ports = {role: sidecar_start_port + int(role) for role in Role} + _env = {} + local_ca_process = subprocess.run( + shlex.split("mkcert -CAROOT"), + capture_output=True, + check=True, + ) + _env["SSL_CERT_FILE"] = ( + Path(local_ca_process.stdout.decode("utf8").strip()) / "rootCA.pem" + ) + sidecar_commands = [ start_helper_sidecar_command( config_path=config_path, @@ -157,6 +173,7 @@ def start_local_dev( helper_port=helper_ports[role], sidecar_port=sidecar_ports[role], root_path=root_path, + _env=_env, ) for role in Role ] From 1153d1d6a9b4d09a0fa032458889b84499f21ef6 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 15 Mar 2024 12:39:51 -0700 Subject: [PATCH 44/52] update github.tsx to warn if OCTOKIT_GITHUB_API_KEY isn't present --- server/app/query/github.tsx | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/server/app/query/github.tsx b/server/app/query/github.tsx index d48fbed..d55de63 100644 --- a/server/app/query/github.tsx +++ b/server/app/query/github.tsx @@ -9,6 +9,13 @@ export interface Branch { commitHash: string; } +// TODO: raise error if api key is expired +if (process.env.OCTOKIT_GITHUB_API_KEY === undefined) { + console.warn( + "WARNING: Octokit requires a personal access token to function properly. Please add OCTOKIT_GITHUB_API_KEY to .env. It does not require any permissions.", + ); +} + export async function Branches(owner: string, repo: string): Promise { const branchesIter = octokit.paginate.iterator( octokit.rest.repos.listBranches, 
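Review bot: The `mkcert -CAROOT` call in start_local_dev runs with `check=True` and no handling, so on a machine without mkcert the CLI dies with a raw FileNotFoundError or CalledProcessError instead of telling the developer to install mkcert; wrap it in `try/except (FileNotFoundError, subprocess.CalledProcessError)` and raise a `click.ClickException` with that message. `_env["SSL_CERT_FILE"]` receives a `Path` although the parameter is annotated `dict[str, str]`; assign `str(Path(...) / "rootCA.pem")`. `SSL_CERT_FILE` replaces the trust store rather than extending it, so any outbound HTTPS from the sidecar to hosts not signed by the mkcert CA will fail verification in local dev — presumably acceptable, but worth a comment on the assignment. The public keyword argument `_env` reads as private because of the leading underscore; `extra_env` would match how it is used.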
@@ -16,7 +23,7 @@ export async function Branches(owner: string, repo: string): Promise { owner: owner, repo: repo, per_page: 100, - auth: process.env.GITHUB_API_KEY, + auth: process.env.OCTOKIT_GITHUB_API_KEY, }, ); @@ -30,9 +37,11 @@ export async function Branches(owner: string, repo: string): Promise { } } - const mainBranch = branchesArray.find((branch) => branch.name === "main"); - if (mainBranch) { - branchesArray.unshift(mainBranch); + const mainBranchIndex = branchesArray.findIndex( + (branch) => branch.name === "main", + ); + if (mainBranchIndex != -1) { + branchesArray.unshift(branchesArray.splice(mainBranchIndex, 1)[0]); } branchesArray.unshift({ name: "N/A", commitHash: "" }); return branchesArray; @@ -45,7 +54,7 @@ export async function Commits(owner: string, repo: string): Promise { owner: owner, repo: repo, per_page: 100, - auth: process.env.GITHUB_API_KEY, + auth: process.env.OCTOKIT_GITHUB_API_KEY, }, ); From 2dfb7176e678488df69597ea1043b28372aefb43 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 15 Mar 2024 12:45:39 -0700 Subject: [PATCH 45/52] avoid race condition with getting a query that may be being created --- sidecar/app/query/base.py | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/sidecar/app/query/base.py b/sidecar/app/query/base.py index 3b3f12d..981e67a 100644 --- a/sidecar/app/query/base.py +++ b/sidecar/app/query/base.py @@ -18,6 +18,10 @@ queries: dict[str, "Query"] = {} +class QueryExistsError(Exception): + pass + + @dataclass class Query: # pylint: disable=too-many-instance-attributes @@ -45,7 +49,7 @@ def __post_init__(self): ) self.logger.debug(f"adding new Query {self}.") if queries.get(self.query_id) is not None: - raise Exception(f"{self.query_id} already exists") + raise QueryExistsError(f"{self.query_id} already exists") queries[self.query_id] = self @property 
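Review bot: `if (mainBranchIndex != -1)` uses loose inequality in a file whose other comparisons are strict (`=== undefined`, `=== "main"`); `if (mainBranchIndex !== -1)` keeps the style consistent and avoids coercion. The splice-then-unshift form also fixes the duplicate `main` entry that the previous `find`/`unshift` produced, which is worth a line above it, `// move "main" to the front without duplicating it`, so the index form is not "simplified" back later.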
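Review bot: `QueryExistsError` is declared with a bare `pass` body and no docstring although `get_from_query_id` now relies on it for control flow; a one-line docstring, `"""Raised by Query.__post_init__ when a Query with this query_id is already registered."""`, documents the contract and replaces the `pass`. If the project has its own base exception class, deriving from it would let handlers catch all query errors together; only `Exception` is visible from here.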
@@ -65,7 +69,14 @@ def get_from_query_id(cls, query_id) -> Optional["Query"]: query = queries.get(query_id) if query: return query - query = cls(query_id) + try: + query = cls(query_id) + except QueryExistsError as e: + # avoid race condition on queries + query = queries.get(query_id) + if query: + return query + raise e if query.status_file_path.exists(): with query.status_file_path.open("r") as f: status_str = f.readline() From 310359324f86c485e2265fe86555002522c3fb94 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 15 Mar 2024 12:46:25 -0700 Subject: [PATCH 46/52] add -f to git checkout command, as producing steps.txt causes an overwrite --- sidecar/app/query/ipa.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index ff8b185..2fd4547 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py @@ -102,7 +102,7 @@ def build_from_query(cls, query: IPAQuery): def build_command(self) -> LoggerOutputCommand: return LoggerOutputCommand( - cmd=f"git -C {self.repo_path} checkout {self.commit_hash}", + cmd=f"git -C {self.repo_path} checkout -f {self.commit_hash}", logger=self.logger, ) From 37984f07ae94031e6e4479c4dbf861be58e16a6b Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 15 Mar 2024 12:48:02 -0700 Subject: [PATCH 47/52] remove verify=False from httpx requests --- sidecar/app/query/ipa.py | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/sidecar/app/query/ipa.py b/sidecar/app/query/ipa.py index 2fd4547..8e3e43a 100644 --- a/sidecar/app/query/ipa.py +++ b/sidecar/app/query/ipa.py @@ -32,10 +32,7 @@ def send_kill_signals(self): ), ) - r = httpx.post( - finish_url, - verify=False, - ) + r = httpx.post(finish_url) self.logger.info(f"sent post request: {r.text}") def crash(self): 
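Review bot: `raise e` inside the `except QueryExistsError as e` handler in `get_from_query_id` should be a bare `raise`; re-raising by name records this line in the traceback, while bare `raise` preserves the original. The retry narrows the race but does not close it: `Query.__post_init__` checks `queries.get(...)` and then assigns `queries[self.query_id] = self` as two separate operations, so if this runs under more than one thread a second constructor can still overwrite the first entry without raising, and a module-level `threading.Lock` around check-and-insert would make it atomic. Whether the server is multi-threaded is not visible here. `get_from_query_id` begins before the hunk and its body continues after `status_str = f.readline()`.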
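Review bot: `checkout -f` discards any uncommitted changes in `self.repo_path`, so a comment above the command should say why that is acceptable, `# -f: the generated steps.txt is the only expected local change and must not block checkout`, per the commit message. `self.commit_hash` is interpolated into a shell-split command; if it can originate from the query request rather than from a value the sidecar resolved itself, validate it with something like `re.fullmatch(r"[0-9a-fA-F]{7,40}", self.commit_hash)` before building the command, so a value that is not a hash (for example one starting with `-`) is rejected rather than handed to git. Where `commit_hash` is assigned is outside this hunk.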
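Review bot: Dropping `verify=False` restores certificate verification, which is the right default, but `r = httpx.post(finish_url)` still treats every HTTP status as success and logs `r.text`; add `r.raise_for_status()` before the log line so a 4xx/5xx from the peer is surfaced, and the same applies to the `httpx.get(url).json()` poll in the `@@ -239,9 +236,7` hunk and the `httpx.post` in the `@@ -335,10 +330,7` hunk. Verification now requires the peers' certificates to chain to a trusted root; for the local-dev mkcert certificates that is what `SSL_CERT_FILE`, set in `start_local_dev` two commits earlier, supplies (httpx reads it when `trust_env` is left at its default), and a comment on the first call, `# TLS verification on; local dev relies on SSL_CERT_FILE pointing at the mkcert root`, records that dependency.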
@@ -239,9 +236,7 @@ def run(self): ), ) while True: - print(url) - r = httpx.get(url, verify=False).json() - print(r) + r = httpx.get(url).json() status = r.get("status") match status: case Status.IN_PROGRESS.name: @@ -335,10 +330,7 @@ def send_terminate_signals(self): ), ) - r = httpx.post( - finish_url, - verify=False, - ) + r = httpx.post(finish_url) self.logger.info(f"sent post request: {finish_url}: {r.text}") def finish(self): From 896820acca5f15aa03bcf04576545253c643f72a Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 15 Mar 2024 15:48:07 -0700 Subject: [PATCH 48/52] update readme for first use of mkcert --- README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 44f54be..458b81c 100644 --- a/README.md +++ b/README.md @@ -94,7 +94,7 @@ In the output, you'll find an `ANON_KEY`. Update the `server/.env` file one more ``` NEXT_PUBLIC_SUPABASE_URL="http://localhost:54321" NEXT_PUBLIC_SUPABASE_ANON_KEY="" -NEXT_PUBLIC_SITE_URL=http://localhost:3000 +NEXT_PUBLIC_SITE_URL="https://draft.test" SUPABASE_AUTH_GITHUB_CLIENT_ID="" SUPABASE_AUTH_GITHUB_SECRET="" ``` @@ -131,6 +131,11 @@ make the cert with mkcert -cert-file "local_dev/config/cert.pem" -key-file "local_dev/config/key.pem" "draft.test" "*.draft.test" ``` +If you get a warning about the cert not being installed (i.e., it's the first time you've used mkcert), also run: +``` +mkcert -install +``` + **Run local dev** You're now ready to install, run, and develop on `draft`! From 6db365a30478fd9b295ace0172e0a307b45f49ba Mon Sep 17 00:00:00 2001 
From: Erik Taubeneck Date: Fri, 15 Mar 2024 18:34:07 -0700 Subject: [PATCH 49/52] refresh IPA self signed local_dev keys --- local_dev/config/coordinator.key | 5 --- local_dev/config/h1.key | 6 ++-- local_dev/config/h1_mk.key | 2 +- local_dev/config/h2.key | 6 ++-- local_dev/config/h2_mk.key | 2 +- local_dev/config/h3.key | 6 ++-- local_dev/config/network.toml | 58 +++++++++++++++++--------------- local_dev/config/pub/h1.pem | 14 ++++---- local_dev/config/pub/h1_mk.pub | 2 +- local_dev/config/pub/h2.pem | 14 ++++---- local_dev/config/pub/h2_mk.pub | 2 +- local_dev/config/pub/h3.pem | 16 ++++----- local_dev/config/pub/h3_mk.pub | 2 +- 13 files changed, 66 insertions(+), 69 deletions(-) delete mode 100644 local_dev/config/coordinator.key diff --git a/local_dev/config/coordinator.key b/local_dev/config/coordinator.key deleted file mode 100644 index d1763a6..0000000 --- a/local_dev/config/coordinator.key +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgV3QSqe+FY9sGFVlW -gwgMlyvQfNhOBfAqkjlW0HBkA4+hRANCAASP4CHXZ0iCuuWu0Cl3cczy8kpztvc2 -thbitqVR4o7G1rbifsTu+Iva9FD7wTWodq3pzvMAsTI82QrGoB6cbELH ------END PRIVATE KEY----- diff --git a/local_dev/config/h1.key b/local_dev/config/h1.key index 0bacad4..f5f85a9 100644 --- a/local_dev/config/h1.key +++ b/local_dev/config/h1.key @@ -1,5 +1,5 @@ -----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgnHorOkrEJyf6LDPr -0ILtQgWgXL49FX7ceoAouLg3wRuhRANCAAT61P9K+vLXu+dWdjoqKGatzasipb0g -gLqOHg5OwazEaneNExmv0xLmg25xuwL7eD+EYfq9AXgixs6vODgSPihr +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgNXRbeh+/oz5xv2yY +uSR0EPFuRratsNNVf9BzoBthCZyhRANCAASa4rehLdFG8wIcRyHg04c8Sj7XGHx9 +hwa65bmXgEEsoNph/7uFVdZIgKswWXX/IQU7UTznqWD8WpXGGnbkj+Eo -----END PRIVATE KEY----- diff --git a/local_dev/config/h1_mk.key b/local_dev/config/h1_mk.key index f2f1b03..10d9928 100644 --- a/local_dev/config/h1_mk.key +++ b/local_dev/config/h1_mk.key 
@@ -1 +1 @@ -e07c9bb08f1a70c8a65c82fd70d8cc6421eb52a400690643a45c9d793803d288 \ No newline at end of file +9e98e12742ca6a1b6f7543b6fbe1e40f6ed946bcfaf94eabd8701b2c21c92773 \ No newline at end of file diff --git a/local_dev/config/h2.key b/local_dev/config/h2.key index 83eb5e6..b4f0d21 100644 --- a/local_dev/config/h2.key +++ b/local_dev/config/h2.key @@ -1,5 +1,5 @@ -----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgqzg9oloWvOdlsnLP -tNtCTbsiN3/9VC3BIjw5jNlXNn6hRANCAATiidzqYon1ecMzoy+gW1ZflyljEVfh -h0wANWdGQQXJQ8mJqo6RQGgZ95JGPO5cHRIimFZFqS51T5m55VRACVkt +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgpj/IkcF3+K5LvYO3 +rFBGXRLQcIDTITGMwrzH48IwdFqhRANCAARE1EvqrvduIUxdaPPxYgVi68qA8uWH +vZVNkjywpBcfQ4vevAov5KWzYkR0aCDI82IziNSv1T5PQipvGHmGBwu5 -----END PRIVATE KEY----- diff --git a/local_dev/config/h2_mk.key b/local_dev/config/h2_mk.key index 2001ddc..3ce735c 100644 --- a/local_dev/config/h2_mk.key +++ b/local_dev/config/h2_mk.key @@ -1 +1 @@ -17f3ee5d2f28aea3f6ad8c9a4ab448315c0447f85815d6d57599ed559315f353 \ No newline at end of file +baa3cc11f2cfe092eb86acabc028889438735fc667d0c88214185f8802b316a7 \ No newline at end of file diff --git a/local_dev/config/h3.key b/local_dev/config/h3.key index 8abbfcb..c765c43 100644 --- a/local_dev/config/h3.key +++ b/local_dev/config/h3.key @@ -1,5 +1,5 @@ -----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgjmstRdmbAtf3JqVq -0u37RmTGbMn9+wrh0gijKuOKN/uhRANCAATpFEd+whG8LYmTVDpGsFQ5dy8wjIdL -WyCrCjcKYiJIHih+boD4NeDJB96e51M3nUt9/akdgXvXr5S5qZhA3GwK +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPEB0qkkpZ1sp44NS +Ogbiz1MLgvyO/N3uvXgEhEGtKGahRANCAATLqehLL42VKHNmfZtY2BVehHsQNyGq +fmOrs6V+DXrQ0eKgGF4ad1lrqXxJFMpVg2i1vOm/kq6GlvM6AqqcjuVc -----END PRIVATE KEY----- diff --git a/local_dev/config/network.toml b/local_dev/config/network.toml index 6888cb6..d9e5a08 100644 --- a/local_dev/config/network.toml +++ b/local_dev/config/network.toml 
@@ -1,14 +1,14 @@ [[peers]] certificate = """ -----BEGIN CERTIFICATE----- -MIIBZTCCAQugAwIBAgIIHerS5sIdRy4wCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ -bG9jYWxob3N0MB4XDTIzMTIxNTE5NTE1MFoXDTI0MDMxNTE5NTE1MFowFDESMBAG -A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+tT/Svry -17vnVnY6Kihmrc2rIqW9IIC6jh4OTsGsxGp3jRMZr9MS5oNucbsC+3g/hGH6vQF4 -IsbOrzg4Ej4oa6NHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE +MIIBZTCCAQugAwIBAgIIRxb0DaIIjkkwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ +bG9jYWxob3N0MB4XDTI0MDMxNTAxMTI0M1oXDTI0MDYxNDAxMTI0M1owFDESMBAG +A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmuK3oS3R +RvMCHEch4NOHPEo+1xh8fYcGuuW5l4BBLKDaYf+7hVXWSICrMFl1/yEFO1E856lg +/FqVxhp25I/hKKNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID -SAAwRQIgZyp9ReXpjC+ZVx/rZ8lk5kGgWsvNQhvidpE6EPD8wP4CIQD0hZSIXPEC -N0Gz2XisE0JNL5f0tEyrJf/PwSlnazeMxw== +SAAwRQIgYgv5V5unp9q0WSnuPttA5fNASFLKrvslL+T0BKfLjRoCIQC4B+fmHpqX +GVYq2Y0sGz79X+evTPmyJo7X3ye5DlSDeg== -----END CERTIFICATE----- """ url = "localhost:7431" 
@@ -20,14 +20,14 @@ public_key = "fde0d0c958db9f49d3f1b49cb6830b867cc810bff9e7d0cbf17c777969f3c23e" [[peers]] certificate = """ -----BEGIN CERTIFICATE----- -MIIBZDCCAQugAwIBAgIIVcv1NVaCs0swCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ -bG9jYWxob3N0MB4XDTIzMTIxNTE5NTE1MFoXDTI0MDMxNTE5NTE1MFowFDESMBAG -A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4onc6mKJ -9XnDM6MvoFtWX5cpYxFX4YdMADVnRkEFyUPJiaqOkUBoGfeSRjzuXB0SIphWRaku -dU+ZueVUQAlZLaNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE +MIIBZDCCAQugAwIBAgIIIHqS6JxF2+AwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ +bG9jYWxob3N0MB4XDTI0MDMxNTAxMTMyMVoXDTI0MDYxNDAxMTMyMVowFDESMBAG +A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERNRL6q73 +biFMXWjz8WIFYuvKgPLlh72VTZI8sKQXH0OL3rwKL+Sls2JEdGggyPNiM4jUr9U+ +T0Iqbxh5hgcLuaNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID -RwAwRAIgaX95X9bgeZHgbTCl73N2j61AnljyS8DXQ7mWb6fsQXECIFgvumh8TASD -9ylYODUrZag+pK4GCiq2UdjUVMuq/8l1 +RwAwRAIgUBVQLsrbhfoLfg6a2ATU+ulhYmFNvweQ/Xj1M9QgXaECIEbsLs0h4TRG +loU+/Eo4LOm5CkEd8fPOuSdZTp1s8IGT -----END CERTIFICATE----- """ url = "localhost:7432" 
@@ -39,14 +39,14 @@ public_key = "4e8f1cd4114a8ee8adc58a33050782e2f8ded3336a9c65725f35998e765c4e2d" [[peers]] certificate = """ -----BEGIN CERTIFICATE----- -MIIBZTCCAQugAwIBAgIITHy0LezBdSAwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ -bG9jYWxob3N0MB4XDTIzMTIxNTE5NTE1MFoXDTI0MDMxNTE5NTE1MFowFDESMBAG -A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6RRHfsIR -vC2Jk1Q6RrBUOXcvMIyHS1sgqwo3CmIiSB4ofm6A+DXgyQfenudTN51Lff2pHYF7 -16+UuamYQNxsCqNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE -AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID -SAAwRQIgDKTyh8M5hbF1k0o5tAFMFd3NeSekm1P4fb6u+jH9LxcCIQDTIPObVtwc -B6Bgc2gw5JC/G6ahPglwIkjO2ew02/ax6g== +MIIBYzCCAQqgAwIBAgIHYwBqW8VtbjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAls +b2NhbGhvc3QwHhcNMjQwMzE1MDExMzUyWhcNMjQwNjE0MDExMzUyWjAUMRIwEAYD +VQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATLqehLL42V +KHNmfZtY2BVehHsQNyGqfmOrs6V+DXrQ0eKgGF4ad1lrqXxJFMpVg2i1vOm/kq6G +lvM6AqqcjuVco0cwRTAUBgNVHREEDTALgglsb2NhbGhvc3QwDgYDVR0PAQH/BAQD +AgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggqhkjOPQQDAgNH +ADBEAiAfszb6imTolbufxqBhMd5gmCRmdxLWVDYCCF3wpa0bLQIgVDzc0X3eqN5U +Ghgnqau5gaGAljARRWQNo8WVu6juWjs= -----END CERTIFICATE----- """ url = "localhost:7433" 
@@ -64,11 +64,13 @@ url = "localhost:7430" sidecar_url = "sidecar0.draft.test" certificate = """ -----BEGIN CERTIFICATE----- -MIIBHDCBwqADAgECAghMfLQt7MF1IDAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAls -b2NhbGhvc3QwHhcNMjMxMjE1MTk1MTUwWhcNMjQwMzE1MTk1MTUwWjAUMRIwEAYD -VQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASP4CHXZ0iC -uuWu0Cl3cczy8kpztvc2thbitqVR4o7G1rbifsTu+Iva9FD7wTWodq3pzvMAsTI8 -2QrGoB6cbELHMAoGCCqGSM49BAMCA0kAMEYCIQDavRFEtYwIR0lFZ0aZz0Pw4ZuJ -3AOJm90MaoL/Qwd0TAIhAM975+pAXYOZaXJNG3nhPKnXZRtcWLnNO3gXaMg9k6h0 +MIIBZDCCAQugAwIBAgIIechkxwTdoxUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ +bG9jYWxob3N0MB4XDTI0MDMxNTAxMTQzNloXDTI0MDYxNDAxMTQzNlowFDESMBAG +A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECDd9DJ5Y +9+8CGmIxSmFqhL3geQrGBoNwzgz9ohidaFVdh9tzG1X4PdqegHp4KsyIZPjPEewG +OnIeuQGl0FllcaNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE +AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID +RwAwRAIgcwd2+uARHJA6GCp5FbUAVJDweRx6cC8QSjjY+aqxr2oCIEhSf5o5lbvj +01Um1sTpQaLMd0qRgsYs5mINziRFZBap -----END CERTIFICATE----- """ diff --git a/local_dev/config/pub/h1.pem b/local_dev/config/pub/h1.pem index 4a315ee..34e7c18 100644 --- a/local_dev/config/pub/h1.pem +++ b/local_dev/config/pub/h1.pem 
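Review bot: The coordinator peer in `network.toml` (the `url = "localhost:7430"` entry) receives a new certificate, while `local_dev/config/coordinator.key`, whose public key matched the old coordinator certificate, is deleted in the same commit and no replacement coordinator key file is added, so the private key for the new certificate is not under `local_dev/config`. If the coordinator still presents this certificate anywhere, the matching key needs to be checked in alongside it (unless it is meant to reuse one of the helper keys, which is not stated); if it no longer does, a comment on the entry, `# coordinator certificate is informational; the sidecar uses the mkcert cert from cert.pem/key.pem`, would save the next reader the same check — that second clause is inferred from the earlier traefik config and should be confirmed. The README calls these keys insecure local-dev material, and that note should stay accurate whenever they are regenerated.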
@@ -1,10 +1,10 @@ -----BEGIN CERTIFICATE----- -MIIBZTCCAQugAwIBAgIIHerS5sIdRy4wCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ -bG9jYWxob3N0MB4XDTIzMTIxNTE5NTE1MFoXDTI0MDMxNTE5NTE1MFowFDESMBAG -A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+tT/Svry -17vnVnY6Kihmrc2rIqW9IIC6jh4OTsGsxGp3jRMZr9MS5oNucbsC+3g/hGH6vQF4 -IsbOrzg4Ej4oa6NHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE +MIIBZTCCAQugAwIBAgIIRxb0DaIIjkkwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ +bG9jYWxob3N0MB4XDTI0MDMxNTAxMTI0M1oXDTI0MDYxNDAxMTI0M1owFDESMBAG +A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmuK3oS3R +RvMCHEch4NOHPEo+1xh8fYcGuuW5l4BBLKDaYf+7hVXWSICrMFl1/yEFO1E856lg +/FqVxhp25I/hKKNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID -SAAwRQIgZyp9ReXpjC+ZVx/rZ8lk5kGgWsvNQhvidpE6EPD8wP4CIQD0hZSIXPEC -N0Gz2XisE0JNL5f0tEyrJf/PwSlnazeMxw== +SAAwRQIgYgv5V5unp9q0WSnuPttA5fNASFLKrvslL+T0BKfLjRoCIQC4B+fmHpqX +GVYq2Y0sGz79X+evTPmyJo7X3ye5DlSDeg== -----END CERTIFICATE----- diff --git a/local_dev/config/pub/h1_mk.pub b/local_dev/config/pub/h1_mk.pub index 9b00684..23ed86d 100644 --- a/local_dev/config/pub/h1_mk.pub +++ b/local_dev/config/pub/h1_mk.pub @@ -1 +1 @@ -fde0d0c958db9f49d3f1b49cb6830b867cc810bff9e7d0cbf17c777969f3c23e \ No newline at end of file +008eb82d82def11d250243bc06d96637e9fa73e362de92ae729b6a599cc15b5c \ No newline at end of file diff --git a/local_dev/config/pub/h2.pem b/local_dev/config/pub/h2.pem index ce6e3c2..0cdc58c 100644 --- a/local_dev/config/pub/h2.pem +++ b/local_dev/config/pub/h2.pem 
@@ -1,10 +1,10 @@ -----BEGIN CERTIFICATE----- -MIIBZDCCAQugAwIBAgIIVcv1NVaCs0swCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ -bG9jYWxob3N0MB4XDTIzMTIxNTE5NTE1MFoXDTI0MDMxNTE5NTE1MFowFDESMBAG -A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4onc6mKJ -9XnDM6MvoFtWX5cpYxFX4YdMADVnRkEFyUPJiaqOkUBoGfeSRjzuXB0SIphWRaku -dU+ZueVUQAlZLaNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE +MIIBZDCCAQugAwIBAgIIIHqS6JxF2+AwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ +bG9jYWxob3N0MB4XDTI0MDMxNTAxMTMyMVoXDTI0MDYxNDAxMTMyMVowFDESMBAG +A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERNRL6q73 +biFMXWjz8WIFYuvKgPLlh72VTZI8sKQXH0OL3rwKL+Sls2JEdGggyPNiM4jUr9U+ +T0Iqbxh5hgcLuaNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID -RwAwRAIgaX95X9bgeZHgbTCl73N2j61AnljyS8DXQ7mWb6fsQXECIFgvumh8TASD -9ylYODUrZag+pK4GCiq2UdjUVMuq/8l1 +RwAwRAIgUBVQLsrbhfoLfg6a2ATU+ulhYmFNvweQ/Xj1M9QgXaECIEbsLs0h4TRG +loU+/Eo4LOm5CkEd8fPOuSdZTp1s8IGT -----END CERTIFICATE----- diff --git a/local_dev/config/pub/h2_mk.pub b/local_dev/config/pub/h2_mk.pub index 48fe500..259093d 100644 --- a/local_dev/config/pub/h2_mk.pub +++ b/local_dev/config/pub/h2_mk.pub @@ -1 +1 @@ -4e8f1cd4114a8ee8adc58a33050782e2f8ded3336a9c65725f35998e765c4e2d \ No newline at end of file +d7cdae88176fd5ee2bef524b776a15fc52e4b9c3f986d34fe815c7463e7a425b \ No newline at end of file diff --git a/local_dev/config/pub/h3.pem b/local_dev/config/pub/h3.pem index 13fe584..d25c5d7 100644 --- a/local_dev/config/pub/h3.pem +++ b/local_dev/config/pub/h3.pem 
@@ -1,10 +1,10 @@ -----BEGIN CERTIFICATE----- -MIIBZTCCAQugAwIBAgIITHy0LezBdSAwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJ -bG9jYWxob3N0MB4XDTIzMTIxNTE5NTE1MFoXDTI0MDMxNTE5NTE1MFowFDESMBAG -A1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6RRHfsIR -vC2Jk1Q6RrBUOXcvMIyHS1sgqwo3CmIiSB4ofm6A+DXgyQfenudTN51Lff2pHYF7 -16+UuamYQNxsCqNHMEUwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA4GA1UdDwEB/wQE -AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwID -SAAwRQIgDKTyh8M5hbF1k0o5tAFMFd3NeSekm1P4fb6u+jH9LxcCIQDTIPObVtwc -B6Bgc2gw5JC/G6ahPglwIkjO2ew02/ax6g== +MIIBYzCCAQqgAwIBAgIHYwBqW8VtbjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAls +b2NhbGhvc3QwHhcNMjQwMzE1MDExMzUyWhcNMjQwNjE0MDExMzUyWjAUMRIwEAYD +VQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATLqehLL42V +KHNmfZtY2BVehHsQNyGqfmOrs6V+DXrQ0eKgGF4ad1lrqXxJFMpVg2i1vOm/kq6G +lvM6AqqcjuVco0cwRTAUBgNVHREEDTALgglsb2NhbGhvc3QwDgYDVR0PAQH/BAQD +AgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggqhkjOPQQDAgNH +ADBEAiAfszb6imTolbufxqBhMd5gmCRmdxLWVDYCCF3wpa0bLQIgVDzc0X3eqN5U +Ghgnqau5gaGAljARRWQNo8WVu6juWjs= -----END CERTIFICATE----- diff --git a/local_dev/config/pub/h3_mk.pub b/local_dev/config/pub/h3_mk.pub index 4f594b5..b5e90a0 100644 --- a/local_dev/config/pub/h3_mk.pub +++ b/local_dev/config/pub/h3_mk.pub @@ -1 +1 @@ -ebedcfa02354a1d17aed80b0ed55028d0616152d5f8971291e030231dc92063d \ No newline at end of file +db0edf0d4148340a36a286c5dfcc99fe42fcbfb3a4d491fd961730adc4ca5545 \ No newline at end of file From 180abe2791b347ca56656cc0bf8f3b657db98de8 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Fri, 15 Mar 2024 18:36:14 -0700 Subject: [PATCH 50/52] fix bug with test directory not existing, wrap query run in exception handling to call crash on exception --- sidecar/app/query/base.py | 20 +++++++++++++------- sidecar/app/query/command.py | 8 +++----- 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/sidecar/app/query/base.py b/sidecar/app/query/base.py index 981e67a..e0647e1 100644 --- a/sidecar/app/query/base.py 
+++ b/sidecar/app/query/base.py @@ -115,13 +115,19 @@ def steps(self) -> Iterable[Step]: def start(self): self.start_time = time.time() - for step in self.steps: - self.logger.info(f"Starting: {step}") - self.status = step.status - self.current_step = step - step.start() - if not step.success: - self.crash() + try: + for step in self.steps: + if self.finished: + break + self.logger.info(f"Starting: {step}") + self.status = step.status + self.current_step = step + step.start() + if not step.success: + self.crash() + except Exception as e: + self.logger.error(e) + self.crash() if not self.finished: self.finish() diff --git a/sidecar/app/query/command.py b/sidecar/app/query/command.py index bd3519e..137b23f 100644 --- a/sidecar/app/query/command.py +++ b/sidecar/app/query/command.py @@ -91,11 +91,6 @@ class FileOutputCommand(Command): output_file_path: Path output_file: Optional[TextIO] = field(repr=False, init=False) - def __post_init__(self): - # need to manually close in start method - # pylint: disable=consider-using-with - self.output_file = self.output_file_path.open("wb") - def build_process(self): return subprocess.Popen( shlex.split(self.cmd), @@ -105,6 +100,9 @@ def build_process(self): ) def start(self): + # build_process needs to return, so this needs to be manually closed + # pylint: disable=consider-using-with + self.output_file = self.output_file_path.open("wb") super().start() self.output_file.close() From 158d8100083152b053ff3714bd8e7cbc0f7b893a Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Sat, 16 Mar 2024 08:33:12 -0700 Subject: [PATCH 51/52] fix pylint and grammer error --- README.md | 15 ++++++++++++++- sidecar/app/query/base.py | 3 +++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 458b81c..1131dcf 100644 --- a/README.md +++ b/README.md 
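Review bot: `self.logger.error(e)` in the new `except Exception` block of `start` records only the exception's message, not where it was raised, so a failing step is hard to diagnose from the log; `self.logger.exception("query %s crashed", self.query_id)` (or `self.logger.error(e, exc_info=True)`) keeps the traceback. The same handler is edited again in the `@@ -125,7 +125,10` hunk of the following commit, where this applies equally. The loop now checks `if self.finished: break` before each step, which looks intended to stop after `self.crash()` marks the query finished; if `crash` does not set that state the loop keeps running steps after a failure, so that is worth confirming. The `try` body also wraps `self.crash()` itself, so an exception raised inside `crash` is logged and then `crash` is called a second time from the handler.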
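Review bot: In `FileOutputCommand.start` the file opened on the new `self.output_file = self.output_file_path.open("wb")` line is closed only if `super().start()` returns; if launching the process raises, the handle stays open until garbage collection. A `try`/`finally` around the call closes it on both paths. Whether `super().start()` can raise is not visible here (its body is outside the hunk), but it launches a subprocess, so a failed launch is plausible.
```python
    def start(self):
        # … unchanged: pylint consider-using-with comment …
        self.output_file = self.output_file_path.open("wb")
        try:
            super().start()
        finally:
            self.output_file.close()
```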
@@ -4,7 +4,7 @@ draft is a project designed to help test [IPA](https://github.com/private-attribution/ipa) at scale. It contains 2 components: 1. draft-server: a web front end and service that starts queries an displays logs from the MPC helper servers -2. draft-sidecar: a sidecar back end API that runs next to the IPA binary on helper servers. this include a CLI for setup and running. +2. draft-sidecar: a sidecar back end API that runs next to the IPA binary on helper servers. this includes a CLI for setup and running. # Get started @@ -163,6 +163,19 @@ source .venv/bin/activate pip install --editable . ``` +### IPA specific certs + +We check in self signed certs that are only for local development (and are not secure! They are in a public repo!) + +They will periodically expire. You can regenerate them with a compiled helper binary: + +``` +target/release/helper keygen --name localhost --tls-key local_dev/config/h1.key --tls-cert local_dev/config/pub/h1.pem --mk-public-key local_dev/config/pub/h1_mk.pub --mk-private-key local_dev/config/h1_mk.key +target/release/helper keygen --name localhost --tls-key local_dev/config/h2.key --tls-cert local_dev/config/pub/h2.pem --mk-public-key local_dev/config/pub/h2_mk.pub --mk-private-key local_dev/config/h2_mk.key +target/release/helper keygen --name localhost --tls-key local_dev/config/h3.key --tls-cert local_dev/config/pub/h3.pem --mk-public-key local_dev/config/pub/h3_mk.pub --mk-private-key local_dev/config/h3_mk.key +``` + +The public content will also need to be pasted into `local_dev/config/network.toml` for each helper. ## Deployment diff --git a/sidecar/app/query/base.py b/sidecar/app/query/base.py index e0647e1..41d5b5e 100644 --- a/sidecar/app/query/base.py +++ b/sidecar/app/query/base.py 
@@ -125,7 +125,10 @@ def start(self): step.start() if not step.success: self.crash() + # pylint: disable=broad-exception-caught except Exception as e: + # intentially crash on any python exception + # as well as command failure self.logger.error(e) self.crash() if not self.finished: From 591d4b0c7f22dd3963dbd97aa6816c24e2834a14 Mon Sep 17 00:00:00 2001 From: Erik Taubeneck Date: Sat, 16 Mar 2024 20:05:46 -0700 Subject: [PATCH 52/52] update TODO in readme --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1131dcf..6ef0c07 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ draft is a project designed to help test [IPA](https://github.com/private-attribution/ipa) at scale. It contains 2 components: 1. draft-server: a web front end and service that starts queries an displays logs from the MPC helper servers -2. draft-sidecar: a sidecar back end API that runs next to the IPA binary on helper servers. this includes a CLI for setup and running. +2. draft-sidecar: a sidecar back end API that runs next to the IPA binary on helper servers. This includes a CLI for setup and running. # Get started 
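Review bot: The added comment reads `# intentially crash on any python exception`; `intentionally` is the intended word. Since this is the block that catches every `Exception`, stating the reason in one line helps future readers: `# intentionally crash the query on any Python exception, as well as on a failed command`. The `# pylint: disable=broad-exception-caught` placed on its own line before `except` is fine, but pylint also accepts it as a trailing comment on the `except` line, which keeps the disable visually attached to the construct it covers.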
@@ -228,7 +228,11 @@ One you know these: 3. Replace respective certificates with their public keys. 4. Move your Let's Encrypt key and cert into place: `sudo ln -s /etc/letsencrypt/live/sidecar.example.com/fullchain.pem config/cert.pem` and `sudo ln -s /etc/letsencrypt/live/sidecar.example.com/privkey.pem key.pem` 5. Generate IPA specific keys: - 1. TODO + 1. Compile `ipa` with `cargo build --bin helper --features="web-app real-world-infra compact-gate stall-detection multi-threading" --no-default-features --release` + 2. Make the keys with `target/release/helper keygen --name localhost --tls-key h1.key --tls-cert h1.pem --mk-public-key h1_mk.pub --mk-private-key h1_mk.key` (replace h1 with for each helper) + 3. Add the public keys content into `network.toml` + 4. Add the public keys to `config/pub` (all helpers need all helper public keys). + 4. For each helper, put their private keys in `config`. ### Run draft