Say I start up an Omicron stack:
```
$ cargo run --bin=omicron-dev -- run-all
Updating git repository `https://github.com/oxidecomputer/dropshot?ref=dap/raw-tls`
Updating git repository `https://github.com/oxidecomputer/dropshot`
Finished dev [unoptimized + debuginfo] target(s) in 1.20s
Running `target/debug/omicron-dev run-all`
omicron-dev: setting up all services ...
log file: /dangerzone/omicron_tmp/omicron-dev-omicron-dev.24719.0.log
note: configured to log to "/dangerzone/omicron_tmp/omicron-dev-omicron-dev.24719.0.log"
omicron-dev: services are running.
omicron-dev: nexus external API: 127.0.0.1:12220
omicron-dev: nexus internal API: [::1]:12221
omicron-dev: cockroachdb pid: 24723
omicron-dev: cockroachdb URL: postgresql://root@127.0.0.1:33315/omicron?sslmode=disable
omicron-dev: cockroachdb directory: /dangerzone/omicron_tmp/.tmpQsIUsi
omicron-dev: external DNS name: oxide-dev.test
omicron-dev: external DNS HTTP: http://[::1]:58944
omicron-dev: external DNS: [::1]:51170
omicron-dev: e.g. `dig @::1 -p 51170 test-suite-silo.sys.oxide-dev.test`
omicron-dev: silo name: test-suite-silo
omicron-dev: privileged user name: test-privileged
```
omicron-dev does not support running with TLS yet, but say Nexus was listening for HTTPS on 127.0.0.1:12220 and the DNS name test-suite-silo.sys.oxide-dev.test. Nexus expects you to connect with something like https://test-suite-silo.sys.oxide-dev.test:12220/ . That involves (1) resolving that DNS name and (2) having a certificate for that domain. In development (or even CI or, like, dogfood) you probably have a self-signed certificate for that domain and you probably don't have an easy way to make the DNS part work.
curl does have some flags to make this work:
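```
# The URL must use the DNS name: --resolve only applies to the host:port it names,
# and the certificate is verified against the host in the URL.
curl --resolve test-suite-silo.sys.oxide-dev.test:12220:127.0.0.1 --cacert /path/to/your/certificate.pem https://test-suite-silo.sys.oxide-dev.test:12220/
```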
This causes curl to (1) resolve that DNS name to the address you gave it instead of using regular DNS, and (2) trust that certificate.
It'd be really neat if the Oxide CLI had this too so that we could use it against TLS servers in development.
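Added example, not part of the original issue and not Oxide CLI code: a Python sketch of what the two curl flags amount to at the TLS layer. The TCP connection goes to the pinned address, while SNI and hostname verification still use the DNS name and trust is limited to the supplied PEM file. The function names are hypothetical; Python is used only so the sketch runs with the standard library.

```python
import socket
import ssl


def parse_resolve(spec):
    """Split curl's HOST:PORT:ADDR form; ADDR may be a bracketed IPv6 literal."""
    host, port, addr = spec.split(":", 2)  # maxsplit keeps the colons of "::1"
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    if not host or not addr:
        raise ValueError(f"bad resolve spec: {spec!r}")
    return host, int(port), addr


def make_context(cafile):
    """Trust only the certificates in cafile; hostname checking stays on."""
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)  # no system trust store is loaded
    return ctx


def connect_pinned(spec, cafile, timeout=5.0):
    """Connect to ADDR:PORT, but run the TLS handshake as HOST."""
    host, port, addr = parse_resolve(spec)
    ctx = make_context(cafile)
    raw = socket.create_connection((addr, port), timeout=timeout)  # IP literal, no DNS
    try:
        # server_hostname sets SNI and is the name the certificate must match.
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise


if __name__ == "__main__":
    # Values from the issue; the certificate path is the issue's placeholder.
    spec = "test-suite-silo.sys.oxide-dev.test:12220:127.0.0.1"
    try:
        with connect_pinned(spec, "/path/to/your/certificate.pem") as tls:
            print("verified peer:", tls.getpeercert().get("subject"))
    except OSError as exc:  # covers a missing PEM, refused connection, failed verification
        print("connection or verification failed:", exc)
```

Unlike disabling verification, this keeps the certificate check meaningful: a server that presents a certificate for a different name, or one not chaining to the supplied PEM, fails the handshake.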