Convert client.key to RSA format

[ihrasko]

GNMI app cannot read PEM encoded client key. Our only option is to use RSA encoding.

GH issue: #2355

(cherry picked from commit 52076cd)

[gemini-code-assist]

Summary of Changes

Hello @ihrasko, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical compatibility issue with the GNMI application by modifying the certificate generation process. The change ensures that the client.key is correctly formatted in RSA, allowing the GNMI app to successfully read and utilize it.

Highlights

• Client Key Format Conversion: The generate_certs.sh script has been updated to convert the client.key from PEM to RSA format using openssl rsa. This change addresses a known issue where the GNMI application was unable to read PEM encoded client keys, ensuring proper compatibility.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request aims to convert the client.key to RSA format for compatibility with the GNMI application. The change in generate_certs.sh is functionally correct, but the implementation could be more robust. My feedback focuses on improving the shell command to handle temporary files more gracefully, preventing leftover files in case of an error during the key conversion process.

[gemini-code-assist]

The current command can leave a temporary file client_new.key behind if either the openssl or mv command fails. This can clutter the directory and potentially cause issues on subsequent runs.

A more robust approach is to use a subshell with a trap to ensure the temporary file is always cleaned up. Using set -e within the subshell further improves robustness by ensuring that the operation stops immediately if any command fails. This makes the key conversion process more atomic and resilient.

Suggested change

	openssl rsa -in client.key -out client_new.key -traditional && mv client_new.key client.key
	(
	set -e
	tmpfile="client_new.key"
	trap "rm -f '$tmpfile'" EXIT
	openssl rsa -in client.key -out "$tmpfile" -traditional
	mv "$tmpfile" client.key
	)