Skip to content

cli: enhance the cockroach connect command#60854

Merged
craig[bot] merged 14 commits intocockroachdb:masterfrom
knz:20210221-secure-init
Mar 1, 2021
Merged

cli: enhance the cockroach connect command#60854
craig[bot] merged 14 commits intocockroachdb:masterfrom
knz:20210221-secure-init

Conversation

@knz
Copy link
Copy Markdown
Contributor

@knz knz commented Feb 21, 2021
edited
Loading

Puts pieces together for #60632.

See individual commits for details.

Release justification: low risk, high benefit changes to existing functionality

@knz knz requested a review from itsbilal February 21, 2021 18:09
@knz knz requested a review from a team as a code owner February 21, 2021 18:09
@cockroach-teamcity
Copy link
Copy Markdown
Member

cockroach-teamcity commented Feb 21, 2021

This change is Reviewable

@knz knz requested a review from aaron-crl February 21, 2021 18:09
@knz
Copy link
Copy Markdown
Contributor Author

knz commented Feb 21, 2021

@itsbilal this PR is not necessarily meant for merging separately from yours. Feel free to absorb it into #60766 if it makes your life easier. But I need to start from there to connect the start command to the logic here.

@knz knz mentioned this pull request Feb 21, 2021
Merged
2 tasks
@knz knz force-pushed the 20210221-secure-init branch 2 times, most recently from 5e3dc4e to 652c6de Compare February 25, 2021 16:42
itsbilal
itsbilal approved these changes Feb 25, 2021
View reviewed changes
Copy link
Copy Markdown
Contributor

@itsbilal itsbilal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:lgtm: thanks!

Reviewed 5 of 5 files at r1, 5 of 5 files at r2.
Reviewable status: :shipit: complete! 1 of 0 LGTMs obtained (waiting on @aaron-crl)

aaron-crl
aaron-crl reviewed Feb 25, 2021
View reviewed changes
Copy link
Copy Markdown

@aaron-crl aaron-crl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: :shipit: complete! 1 of 0 LGTMs obtained (waiting on @knz)

pkg/base/config.go, line 172 at r2 (raw file):

	// InitToken is a shared initialization token for generating TLS certificates
	// across multiple nodes.
	InitToken string

Looks like this might clobber the InitToken in the Config struct. Is that ok?

@itsbilal
Copy link
Copy Markdown
Contributor

itsbilal commented Feb 26, 2021

pkg/base/config.go, line 172 at r2 (raw file):

Previously, aaron-crl wrote…

Looks like this might clobber the InitToken in the Config struct. Is that ok?

That got moved to startCtx as it is probably a more appropriate place for it anyway.

aaron-crl
aaron-crl approved these changes Feb 26, 2021
View reviewed changes
Copy link
Copy Markdown

@aaron-crl aaron-crl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:lgtm:

Reviewable status: :shipit: complete! 2 of 0 LGTMs obtained (waiting on @itsbilal)

pkg/base/config.go, line 172 at r2 (raw file):

Previously, itsbilal (Bilal Akhtar) wrote…

That got moved to startCtx as it is probably a more appropriate place for it anyway.

Thanks! I missed that.

@knz knz force-pushed the 20210221-secure-init branch 2 times, most recently from f451304 to ffce3a9 Compare February 28, 2021 15:05
@knz knz mentioned this pull request Feb 28, 2021
Open
@knz knz changed the title cli: rework the command-line flags for the 'connect' and 'start' commands cli: enhance the cockroach connect command Feb 28, 2021
aaron-crl
aaron-crl approved these changes Feb 28, 2021
View reviewed changes
Copy link
Copy Markdown

@aaron-crl aaron-crl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! :lgtm_strong:

Reviewable status: :shipit: complete! 1 of 0 LGTMs obtained (and 1 stale) (waiting on @itsbilal)

@knz knz force-pushed the 20210221-secure-init branch 4 times, most recently from 67e94ac to c6c8909 Compare March 1, 2021 09:30
@aaron-crl aaron-crl mentioned this pull request Mar 1, 2021
Closed
25 tasks
knz added 8 commits March 1, 2021 18:20
@knz
cli: rework the command-line flags for the 'connect' and 'start' comm…
245ae54 
…ands

This PR ensures that the `connect` command recognizes the same
networking configuration flags as `start`.

It also makes the `start` command recognize the `--init-token`
flag (although it currently does nothing yet).

Release justification: bug fixes and low-risk updates to new functionality

Release note: None
@knz
cli,server: update the InitHandshake interface
ca1484b 
Release justification: bug fixes and low-risk updates to new functionality

Release note: None
@knz
server,security: ensure the certs dir exists before creating files
d383ea4 
Release justification: bug fixes and low-risk updates to new functionality

Release note: None
@knz
cli,security,server: plug the advertised addresses properly into certs
cfb1428 
Prior to this commit, the cert generation code improperly passed the
value of the `--listen-addr` directly as SAN into the generated
certificates, and failed to populate the CN. This caused multiple
problems:

- the node certs were outright invalid: they require CN=node.
  Also the UI cert require CN to be set to the advertised hostname.
  Fixing this required extending the interfaces with a commonName
  argument.

- all the certs had broken SANs: the addresses in the command line are
  hostname + portnumber, but SANs must contain only hostnames. Fixing
  this required splitting host/port again inside the init function.

- the SAN fields were invalid if the `--listen-addr` was left to its
  default, which is an empty string.
  To fix this requires opting into the semi-complicated dance
  around configured / actual addresses, specifically the
  sequence of the following 3 calls:

  - `baseCfg.ValidateAddrs` - populates defaults, resolves numeric port
    numbers.
  - `server.ListenAndUpdateAddrs` - performs the `net.Listen` calls
    and then back-propagates the actual listen address into the
    Addr fields, then populates the `Advertise` addresses from
    that if no advertise address was initially populated.
  - use the resulting advertised addr to configure the SAN field for
    each service.

Release justification: bug fixes and low-risk updates to new functionality

Release note: None
@knz
cli: validate the cmdline flags for 'connect'
586def6 
Release justification: low risk, high benefit changes to existing functionality

Release note (cli change): The new `cockroach connect` command
now recognizes `--single-node` to prepare a TLS configuration
suitable for e.g. a subsequent `start-single-node` command.

Additionally, the command checks that either `--single-node` is
specified, or both `--init-token` and `--num-expected-peers`.
@knz
cli: add some logging to the connect command
3dc9337 
Release justification: low risk, high benefit changes to existing functionality

Release note: None
@knz
cli,security,server: avoid doing work if node certs already exists
cae5cfb 
Release justification: low risk, high benefit changes to existing functionality

Release note: None
@knz
security: properly populate the issuer field in auto-gen certs
ab79ee7 
Release justification: low risk, high benefit changes to existing functionality

Release note: None
knz added 6 commits March 1, 2021 18:20
@knz
server: rename the service labels during cert auto-gen
2c9b43b 
This makes them look nicer in logging.

Release justification: bug fixes and low-risk updates to new functionality

Release note: None
@knz
cli,server,security: add logging to the cert auto-generation
c9a423c 
This commit adds `context.Context` arguments in the right places
and invokes logging to describe progress.

Release justification: low risk, high benefit changes to existing functionality

Release note: None
@knz
security,server: ensure that node-node certs are also valid as client
e1b2f22 
Release justification: bug fixes and low-risk updates to new functionality

Release note: None
@knz
server: avoid long tests under the short flag
06667d6 
Release justification: non-production code changes

Release note: None
@knz
cli/connect: flush logs before exit
9d2641e 
Release justification: bug fixes and low-risk updates to new functionality

Release note: None
@knz
cli/interactive_tests: new preliminary testing for the new connect co…
ac625de 
…mmand

Release justification: non-production code changes

Release note: None
@knz knz force-pushed the 20210221-secure-init branch from c6c8909 to ac625de Compare March 1, 2021 18:11
@knz
Copy link
Copy Markdown
Contributor Author

knz commented Mar 1, 2021

TFYR!

I even added a (preliminary) unit test using TCL that exercises the new connect command.

bors r=aaron-crl,itsbilal

@craig
Copy link
Copy Markdown
Contributor

craig bot commented Mar 1, 2021

Build succeeded:

@craig craig bot merged commit 09514e9 into cockroachdb:master Mar 1, 2021
@knz knz deleted the 20210221-secure-init branch March 1, 2021 20:38
@jseldess jseldess mentioned this pull request Mar 23, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@itsbilal itsbilal itsbilal approved these changes

@aaron-crl aaron-crl aaron-crl approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@knz @cockroach-teamcity @itsbilal @aaron-crl