Compare commits
135 Commits
testing
...
07a9df2952
| Author | SHA1 | Date | |
|---|---|---|---|
| 07a9df2952 | |||
| c8ad4c20a0 | |||
| 6d26fd9fa6 | |||
| 1a4d908bef | |||
| 78aa9ba20d | |||
| b0e84f6aa8 | |||
| 7a6310c93e | |||
| e89b164581 | |||
| 1ad9785d07 | |||
| 06a87a6d07 | |||
| d37c4c2f13 | |||
| 629bb21f12 | |||
| 6d9499ebb1 | |||
| 4ab136be68 | |||
| 0dbab431a0 | |||
| 183099f7da | |||
| 47f695a8cd | |||
| f57aa581f3 | |||
| 63a206f1ac | |||
| f2b23df97b | |||
| 3085dac359 | |||
| 2af7ff85c1 | |||
| 512177cab0 | |||
| 26d3d0faeb | |||
| 834510760f | |||
| a2a970f93b | |||
| 350e753ae0 | |||
| 436be67bfd | |||
| 8ae52501c9 | |||
| 98eb601fd3 | |||
| 8e87d406e4 | |||
| f83b1eab23 | |||
| d03a7ab4ec | |||
| cd69d9234e | |||
| 5fa367949b | |||
| cef4441208 | |||
| d4087d3534 | |||
| ab6f0b6358 | |||
| af2758dead | |||
| 899a0a9dab | |||
| 08cbccc756 | |||
| 62882e78d8 | |||
| 47843f202f | |||
| 216236c1eb | |||
| 6651ff0364 | |||
| d77588274b | |||
| 20b6769cbb | |||
| 9ad7715a29 | |||
| 5c91736202 | |||
| 73c533116c | |||
| c8759e03d5 | |||
| f5abdfdf3f | |||
| 7a55735cc4 | |||
| 48201132bd | |||
| 37713f8c16 | |||
| 85b9a45856 | |||
| af41df6ab4 | |||
| 4b05458cec | |||
| 84a0e286e7 | |||
| 58cfaa7d0f | |||
| 1871eac7bb | |||
| b12ce7299f | |||
| 82f7cbcc92 | |||
| ce8b7f01ef | |||
| edbe1641fd | |||
| aac792c341 | |||
| eaeb38b8c2 | |||
| e0f755ec42 | |||
| bb7c3835bc | |||
| 7c9334233d | |||
| 699b8e71a6 | |||
| d4dbe709e0 | |||
| 22a3e0b6c2 | |||
| e08bf0e99d | |||
| 1e904b7361 | |||
| 8ed0f12fb4 | |||
| f59eca6724 | |||
| b5b7272603 | |||
| 4f48866daa | |||
| b616b710cb | |||
| c02f701c04 | |||
| 7f429a863d | |||
| 29ed01a19f | |||
| 07e9dccd06 | |||
| 40d08139db | |||
| efa6193954 | |||
| f7b708ce4b | |||
| 41897c00b4 | |||
| ee5629643c | |||
| 34afe03818 | |||
| 25c2d20c19 | |||
| c338522b33 | |||
| b6fa941fcc | |||
| 7619998d8f | |||
| b6e7c55704 | |||
| 4ed50e3b78 | |||
| dac6613646 | |||
| a8ccb6990b | |||
| b1cdb30622 | |||
| 50bb60823f | |||
| 482d3c83ba | |||
| 74abbf9eda | |||
| 76c1861017 | |||
| 0d0494b825 | |||
| c6320049ff | |||
| 9e56acfc9a | |||
| 6197369e04 | |||
| d950bc6996 | |||
| 18dc85d6fb | |||
| 26953cf703 | |||
| 1f03315897 | |||
| 5a6c0fa3d8 | |||
| 4acdf88785 | |||
| bde41c9859 | |||
| 1e3ac9a0fb | |||
| 1672b901d4 | |||
| 11f3c953e2 | |||
| 3bc20e95cc | |||
| 1aefc5d2b7 | |||
| 5c432e3b42 | |||
| b6c714fac7 | |||
| e44303eab9 | |||
| 2a9295e8e8 | |||
| 52ffbe9727 | |||
| 811a3bddfd | |||
| 227c341f6b | |||
| 153c37b591 | |||
| 4ff85eaeb3 | |||
| 76e02c6f31 | |||
| 93b32eb52a | |||
| 0fcd219268 | |||
| 18d3c42fc7 | |||
| 645c617956 | |||
| dacfc8c6ce | |||
| 16a0ff0823 |
@@ -0,0 +1,3 @@
|
||||
tmp
|
||||
dist
|
||||
test-run
|
||||
@@ -1,2 +1,8 @@
|
||||
*.sw[po]
|
||||
modd-local.conf
|
||||
/tmp
|
||||
/test-dir2config
|
||||
/config.yaml
|
||||
/dist
|
||||
/go.work
|
||||
/go.work.sum
|
||||
|
||||
+32
-18
@@ -1,23 +1,37 @@
|
||||
# ------------------------------------------------------------------------
|
||||
from mcluseau/golang-builder:1.17.3 as build
|
||||
from novit.tech/direktil/dkl:v1.2.0 as dkl
|
||||
|
||||
# ------------------------------------------------------------------------
|
||||
from debian:stretch
|
||||
from golang:1.26.1-trixie as build
|
||||
|
||||
run apt-get update && apt-get install -y git
|
||||
|
||||
workdir /src
|
||||
|
||||
copy go.mod go.sum ./
|
||||
run \
|
||||
--mount=type=cache,id=gomod,target=/go/pkg/mod \
|
||||
--mount=type=cache,id=gobuild,target=/root/.cache/go-build \
|
||||
go mod download
|
||||
|
||||
arg GIT_TAG
|
||||
|
||||
copy . ./
|
||||
run \
|
||||
--mount=type=cache,id=gomod,target=/go/pkg/mod \
|
||||
--mount=type=cache,id=gobuild,target=/root/.cache/go-build \
|
||||
go test ./... && \
|
||||
hack/build ./...
|
||||
|
||||
# ------------------------------------------------------------------------
|
||||
from debian:trixie
|
||||
entrypoint ["/bin/dkl-local-server"]
|
||||
|
||||
env _uncache 1
|
||||
run apt-get update \
|
||||
&& apt-get install -y genisoimage gdisk dosfstools util-linux udev \
|
||||
&& apt-get clean
|
||||
env _uncache=1
|
||||
run apt update \
|
||||
&& yes |apt install -y genisoimage gdisk dosfstools util-linux udev binutils systemd \
|
||||
grub2 grub-pc-bin grub-efi-amd64-bin ca-certificates curl openssh-client qemu-utils wireguard-tools \
|
||||
erofs-utils erofsfuse cryptsetup systemd-boot-efi \
|
||||
&& apt clean
|
||||
|
||||
run yes |apt-get install -y grub2 grub-pc-bin grub-efi-amd64-bin \
|
||||
&& apt-get clean
|
||||
|
||||
run apt-get install -y ca-certificates curl openssh-client \
|
||||
&& apt-get clean
|
||||
|
||||
run curl -L https://github.com/vmware/govmomi/releases/download/v0.21.0/govc_linux_amd64.gz | gunzip > /bin/govc && chmod +x /bin/govc
|
||||
|
||||
copy upload-vmware.sh govc.env /var/lib/direktil/
|
||||
|
||||
copy --from=build /go/bin/ /bin/
|
||||
copy --from=dkl /bin/dkl /bin/dls /bin/
|
||||
copy --from=build /src/dist/ /bin/
|
||||
|
||||
@@ -0,0 +1,155 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"io"
|
||||
"log"
|
||||
"os"
|
||||
"os/exec"
|
||||
"strings"
|
||||
|
||||
"gopkg.in/yaml.v2"
|
||||
)
|
||||
|
||||
func mergeIn(tgt, add map[any]any) {
|
||||
mergeLoop:
|
||||
for k, v := range add {
|
||||
switch v := v.(type) {
|
||||
case map[any]any:
|
||||
if tgtV, ok := tgt[k]; ok {
|
||||
switch tgtV := tgtV.(type) {
|
||||
case map[any]any:
|
||||
mergeIn(tgtV, v)
|
||||
continue mergeLoop
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
tgt[k] = v
|
||||
}
|
||||
}
|
||||
|
||||
func assemble(path string) (yamlBytes []byte, err error) {
|
||||
obj := map[any]any{}
|
||||
|
||||
if Debug {
|
||||
log.Printf("assemble %q", path)
|
||||
}
|
||||
|
||||
err = eachFragment(path, searchList, func(r io.Reader) (err error) {
|
||||
m := map[any]any{}
|
||||
err = yaml.NewDecoder(r).Decode(&m)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
mergeIn(obj, m)
|
||||
return
|
||||
})
|
||||
if err != nil {
|
||||
err = fmt.Errorf("failed to assemble %q: %w", path, err)
|
||||
return
|
||||
}
|
||||
|
||||
yamlBytes, err = yaml.Marshal(obj)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
if Debug {
|
||||
log.Printf("assemble %q result:\n%s", path, yamlBytes)
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func eachFragment(path string, searchList []FS, walk func(io.Reader) error) (err error) {
|
||||
var r io.ReadCloser
|
||||
|
||||
for len(searchList) != 0 {
|
||||
fs := searchList[0]
|
||||
|
||||
r, err = fs.Open(path + ".yaml")
|
||||
if os.IsNotExist(err) {
|
||||
searchList = searchList[1:]
|
||||
continue
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
// found and open
|
||||
break
|
||||
}
|
||||
|
||||
if r == nil {
|
||||
err = fmt.Errorf("%s: %w", path, os.ErrNotExist)
|
||||
return
|
||||
}
|
||||
|
||||
ba, err := io.ReadAll(r)
|
||||
r.Close()
|
||||
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
if Debug {
|
||||
log.Print("fragment:\n", string(ba))
|
||||
}
|
||||
|
||||
in := bytes.NewBuffer(ba)
|
||||
|
||||
for {
|
||||
var line string
|
||||
line, err = in.ReadString('\n')
|
||||
if err == io.EOF {
|
||||
break
|
||||
}
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
line = strings.TrimSpace(line)
|
||||
if len(line) == 0 {
|
||||
continue
|
||||
}
|
||||
|
||||
genCmd, found := strings.CutPrefix(line, "#!gen ")
|
||||
if found {
|
||||
cmdArgs := strings.Fields(genCmd)
|
||||
if Debug {
|
||||
log.Print("#!gen ", cmdArgs)
|
||||
}
|
||||
|
||||
cmd := *dir + "/gen/" + cmdArgs[0]
|
||||
args := cmdArgs[1:]
|
||||
genOutput, err := exec.Command(cmd, args...).Output()
|
||||
if err != nil {
|
||||
return fmt.Errorf("gen %v: %w", cmdArgs, err)
|
||||
}
|
||||
walk(bytes.NewBuffer(genOutput))
|
||||
continue
|
||||
}
|
||||
|
||||
includePath, found := strings.CutPrefix(line, "#!include ")
|
||||
if !found {
|
||||
continue
|
||||
}
|
||||
|
||||
includePath = strings.TrimSpace(includePath)
|
||||
if Debug {
|
||||
log.Print("#!include ", includePath)
|
||||
}
|
||||
err = eachFragment(includePath, searchList, walk)
|
||||
if err != nil {
|
||||
return fmt.Errorf("include %q: %w", includePath, err)
|
||||
}
|
||||
}
|
||||
|
||||
in = bytes.NewBuffer(ba)
|
||||
err = walk(in)
|
||||
return
|
||||
}
|
||||
@@ -0,0 +1,34 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"io"
|
||||
iofs "io/fs"
|
||||
)
|
||||
|
||||
type FS interface {
|
||||
Open(path string) (io.ReadCloser, error)
|
||||
List(path string) ([]string, error)
|
||||
}
|
||||
|
||||
type fsFS struct{ iofs.FS }
|
||||
|
||||
func (fs fsFS) Open(path string) (io.ReadCloser, error) {
|
||||
return fs.FS.Open(path)
|
||||
}
|
||||
|
||||
func (fs fsFS) List(path string) (entries []string, err error) {
|
||||
dirEnts, err := iofs.ReadDir(fs.FS, path)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
entries = make([]string, 0, len(dirEnts))
|
||||
for _, ent := range dirEnts {
|
||||
if ent.IsDir() {
|
||||
continue
|
||||
}
|
||||
entries = append(entries, ent.Name())
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
@@ -0,0 +1,38 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"io"
|
||||
"sort"
|
||||
|
||||
"github.com/go-git/go-git/v5/plumbing/object"
|
||||
)
|
||||
|
||||
type gitFS struct{ *object.Tree }
|
||||
|
||||
func (fs gitFS) Open(path string) (r io.ReadCloser, err error) {
|
||||
f, err := fs.Tree.File(path)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
return f.Reader()
|
||||
}
|
||||
|
||||
func (fs gitFS) List(path string) (entries []string, err error) {
|
||||
tree, err := fs.Tree.Tree(path)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
entries = make([]string, 0, len(tree.Entries))
|
||||
|
||||
for _, ent := range tree.Entries {
|
||||
if !ent.Mode.IsFile() {
|
||||
continue
|
||||
}
|
||||
|
||||
entries = append(entries, ent.Name)
|
||||
}
|
||||
|
||||
sort.Strings(entries)
|
||||
return
|
||||
}
|
||||
+125
-15
@@ -1,28 +1,44 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"flag"
|
||||
"io/fs"
|
||||
"log"
|
||||
"os"
|
||||
"path"
|
||||
"path/filepath"
|
||||
|
||||
"github.com/go-git/go-git/v5"
|
||||
"github.com/go-git/go-git/v5/plumbing"
|
||||
yaml "gopkg.in/yaml.v2"
|
||||
"novit.nc/direktil/pkg/localconfig"
|
||||
|
||||
"novit.nc/direktil/local-server/pkg/clustersconfig"
|
||||
"novit.tech/direktil/pkg/localconfig"
|
||||
|
||||
"novit.tech/direktil/local-server/pkg/clustersconfig"
|
||||
)
|
||||
|
||||
var Version = "dev"
|
||||
|
||||
var (
|
||||
Debug = false
|
||||
|
||||
dir = flag.String("in", ".", "Source directory")
|
||||
outPath = flag.String("out", "config.yaml", "Output file")
|
||||
defaultsPath = flag.String("defaults", "defaults", "Path to the defaults")
|
||||
|
||||
base fs.FS
|
||||
|
||||
src *clustersconfig.Config
|
||||
dst *localconfig.Config
|
||||
)
|
||||
|
||||
func init() {
|
||||
flag.BoolVar(&Debug, "debug", Debug, "debug")
|
||||
}
|
||||
|
||||
func loadSrc() {
|
||||
var err error
|
||||
src, err = clustersconfig.FromDir(*dir, *defaultsPath)
|
||||
src, err = clustersconfig.FromDir(read, assemble, listBase, listMerged)
|
||||
if err != nil {
|
||||
log.Fatal("failed to load config from dir: ", err)
|
||||
}
|
||||
@@ -33,6 +49,11 @@ func main() {
|
||||
|
||||
log.SetFlags(log.Ltime | log.Lmicroseconds | log.Lshortfile)
|
||||
|
||||
base = os.DirFS(*dir)
|
||||
searchList = append(searchList, fsFS{base})
|
||||
|
||||
openIncludes()
|
||||
|
||||
loadSrc()
|
||||
|
||||
dst = &localconfig.Config{
|
||||
@@ -44,14 +65,11 @@ func main() {
|
||||
dst.Clusters = append(dst.Clusters, &localconfig.Cluster{
|
||||
Name: cluster.Name,
|
||||
Addons: renderAddons(cluster),
|
||||
BootstrapPods: renderBootstrapPodsDS(cluster),
|
||||
})
|
||||
}
|
||||
|
||||
// ----------------------------------------------------------------------
|
||||
for _, host := range src.Hosts {
|
||||
loadSrc() // FIXME ugly fix of some template caching or something
|
||||
|
||||
log.Print("rendering host ", host.Name)
|
||||
ctx, err := newRenderContext(host, src)
|
||||
|
||||
@@ -70,12 +88,12 @@ func main() {
|
||||
}
|
||||
ips = append(ips, host.IPs...)
|
||||
|
||||
if ctx.Group.Versions["modules"] == "" {
|
||||
if ctx.Host.Versions["modules"] == "" {
|
||||
// default modules' version to kernel's version
|
||||
ctx.Group.Versions["modules"] = ctx.Group.Kernel
|
||||
ctx.Host.Versions["modules"] = ctx.Host.Kernel
|
||||
}
|
||||
|
||||
dst.Hosts = append(dst.Hosts, &localconfig.Host{
|
||||
renderedHost := &localconfig.Host{
|
||||
Name: host.Name,
|
||||
|
||||
ClusterName: ctx.Cluster.Name,
|
||||
@@ -86,14 +104,21 @@ func main() {
|
||||
MACs: macs,
|
||||
IPs: ips,
|
||||
|
||||
IPXE: ctx.Group.IPXE, // TODO render
|
||||
IPXE: ctx.Host.IPXE, // TODO render
|
||||
|
||||
Kernel: ctx.Group.Kernel,
|
||||
Initrd: ctx.Group.Initrd,
|
||||
Versions: ctx.Group.Versions,
|
||||
Kernel: ctx.Host.Kernel,
|
||||
Initrd: ctx.Host.Initrd,
|
||||
Versions: ctx.Host.Versions,
|
||||
|
||||
BootstrapConfig: ctx.BootstrapConfig(),
|
||||
Config: ctx.Config(),
|
||||
})
|
||||
}
|
||||
|
||||
if host.Template {
|
||||
dst.HostTemplates = append(dst.HostTemplates, renderedHost)
|
||||
} else {
|
||||
dst.Hosts = append(dst.Hosts, renderedHost)
|
||||
}
|
||||
}
|
||||
|
||||
// ----------------------------------------------------------------------
|
||||
@@ -104,8 +129,93 @@ func main() {
|
||||
|
||||
defer out.Close()
|
||||
|
||||
switch ext := path.Ext(*outPath); ext {
|
||||
case ".yaml":
|
||||
out.Write([]byte("# dkl-dir2config " + Version + "\n"))
|
||||
|
||||
if err = yaml.NewEncoder(out).Encode(dst); err != nil {
|
||||
log.Fatal("failed to render output: ", err)
|
||||
}
|
||||
|
||||
case ".json":
|
||||
if err = json.NewEncoder(out).Encode(dst); err != nil {
|
||||
log.Fatal("failed to render output: ", err)
|
||||
}
|
||||
|
||||
default:
|
||||
log.Fatal("unknown output file extension: ", ext)
|
||||
}
|
||||
}
|
||||
|
||||
func cfgPath(subPath string) string { return filepath.Join(*dir, subPath) }
|
||||
|
||||
func openIncludes() {
|
||||
includesFile, err := base.Open("includes.yaml")
|
||||
|
||||
if os.IsNotExist(err) {
|
||||
return
|
||||
}
|
||||
if err != nil {
|
||||
log.Fatal("failed to open includes: ", err)
|
||||
}
|
||||
|
||||
includes := make([]struct {
|
||||
Path string
|
||||
Branch string
|
||||
Tag string
|
||||
}, 0)
|
||||
|
||||
err = yaml.NewDecoder(includesFile).Decode(&includes)
|
||||
if err != nil {
|
||||
log.Fatal("failed to parse includes: ", err)
|
||||
}
|
||||
|
||||
for _, include := range includes {
|
||||
switch {
|
||||
case include.Branch != "" || include.Tag != "":
|
||||
p := cfgPath(include.Path) // FIXME parse git path to allow remote repos
|
||||
|
||||
var rev plumbing.Revision
|
||||
|
||||
switch {
|
||||
case include.Branch != "":
|
||||
log.Printf("opening include path %q as git, branch %q", p, include.Branch)
|
||||
rev = plumbing.Revision(plumbing.NewBranchReferenceName(include.Branch))
|
||||
|
||||
case include.Tag != "":
|
||||
log.Printf("opening include path %q as git, tag %q", p, include.Branch)
|
||||
rev = plumbing.Revision(plumbing.NewTagReferenceName(include.Branch))
|
||||
}
|
||||
|
||||
repo, err := git.PlainOpen(p)
|
||||
if err != nil {
|
||||
log.Fatal("failed to open: ", err)
|
||||
}
|
||||
|
||||
revH, err := repo.ResolveRevision(rev)
|
||||
if err != nil {
|
||||
log.Fatalf("failed to resolve revision %s: %v", rev, err)
|
||||
}
|
||||
|
||||
log.Print(" -> resolved to commit ", *revH)
|
||||
|
||||
commit, err := repo.CommitObject(*revH)
|
||||
if err != nil {
|
||||
log.Fatal("failed to get commit object: ", err)
|
||||
}
|
||||
|
||||
tree, err := commit.Tree()
|
||||
if err != nil {
|
||||
log.Fatal("failed to open git tree: ", err)
|
||||
}
|
||||
|
||||
searchList = append(searchList, gitFS{tree})
|
||||
|
||||
default:
|
||||
p := cfgPath(include.Path)
|
||||
log.Printf("opening include path %q as raw dir", p)
|
||||
|
||||
searchList = append(searchList, fsFS{os.DirFS(p)})
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -3,21 +3,18 @@ package main
|
||||
import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"io"
|
||||
"log"
|
||||
"path"
|
||||
|
||||
yaml "gopkg.in/yaml.v2"
|
||||
|
||||
"novit.nc/direktil/local-server/pkg/clustersconfig"
|
||||
"novit.tech/direktil/local-server/pkg/clustersconfig"
|
||||
)
|
||||
|
||||
func clusterFuncs(clusterSpec *clustersconfig.Cluster) map[string]interface{} {
|
||||
func clusterFuncs(clusterSpec *clustersconfig.Cluster) map[string]any {
|
||||
cluster := clusterSpec.Name
|
||||
|
||||
return map[string]interface{}{
|
||||
"password": func(name string) (s string) {
|
||||
return fmt.Sprintf("{{ password %q %q }}", cluster, name)
|
||||
return map[string]any{
|
||||
"password": func(name, hash string) (s string) {
|
||||
return fmt.Sprintf("{{ password %q %q %q | quote }}", cluster, name, hash)
|
||||
},
|
||||
|
||||
"token": func(name string) (s string) {
|
||||
@@ -39,7 +36,7 @@ func clusterFuncs(clusterSpec *clustersconfig.Cluster) map[string]interface{} {
|
||||
return fmt.Sprintf("{{ ca_dir %q %q }}", cluster, name), nil
|
||||
},
|
||||
|
||||
"hosts_by_cluster": func(cluster string) (hosts []interface{}) {
|
||||
"hosts_by_cluster": func(cluster string) (hosts []any) {
|
||||
for _, host := range src.Hosts {
|
||||
if host.Cluster == cluster {
|
||||
hosts = append(hosts, asMap(host))
|
||||
@@ -53,9 +50,9 @@ func clusterFuncs(clusterSpec *clustersconfig.Cluster) map[string]interface{} {
|
||||
return
|
||||
},
|
||||
|
||||
"hosts_by_group": func(group string) (hosts []interface{}) {
|
||||
"hosts_by_group": func(group string) (hosts []any) {
|
||||
for _, host := range src.Hosts {
|
||||
if host.Group == group {
|
||||
if host.Cluster == cluster && host.Group == group {
|
||||
hosts = append(hosts, asMap(host))
|
||||
}
|
||||
}
|
||||
@@ -66,6 +63,26 @@ func clusterFuncs(clusterSpec *clustersconfig.Cluster) map[string]interface{} {
|
||||
|
||||
return
|
||||
},
|
||||
|
||||
"host_ip_from": func(hostName, net string) string {
|
||||
host := src.Host(hostName)
|
||||
if host == nil {
|
||||
log.Printf("WARNING: no host named %q", hostName)
|
||||
return "<no value>"
|
||||
}
|
||||
|
||||
ipFrom := host.IPFrom
|
||||
if ipFrom == nil {
|
||||
ipFrom = map[string]string{}
|
||||
}
|
||||
|
||||
ip, ok := ipFrom[net]
|
||||
if !ok {
|
||||
ip = host.IP
|
||||
}
|
||||
|
||||
return ip
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
@@ -104,12 +121,18 @@ func renderAddons(cluster *clustersconfig.Cluster) string {
|
||||
return ""
|
||||
}
|
||||
|
||||
addons := src.Addons[cluster.Addons]
|
||||
buf := new(bytes.Buffer)
|
||||
|
||||
for _, addonSet := range cluster.Addons {
|
||||
addons := src.Addons[addonSet]
|
||||
if addons == nil {
|
||||
log.Fatalf("cluster %q: no addons with name %q", cluster.Name, cluster.Addons)
|
||||
log.Fatalf("cluster %q: no addons with name %q", cluster.Name, addonSet)
|
||||
}
|
||||
|
||||
return string(renderClusterTemplates(cluster, "addons", addons))
|
||||
buf.Write(renderClusterTemplates(cluster, "addons", addons))
|
||||
}
|
||||
|
||||
return buf.String()
|
||||
}
|
||||
|
||||
type namePod struct {
|
||||
@@ -117,106 +140,3 @@ type namePod struct {
|
||||
Name string
|
||||
Pod map[string]interface{}
|
||||
}
|
||||
|
||||
func renderBootstrapPods(cluster *clustersconfig.Cluster) (pods []namePod) {
|
||||
if cluster.BootstrapPods == "" {
|
||||
return nil
|
||||
}
|
||||
|
||||
bootstrapPods := src.BootstrapPods[cluster.BootstrapPods]
|
||||
if bootstrapPods == nil {
|
||||
log.Fatalf("no bootstrap pods template named %q", cluster.BootstrapPods)
|
||||
}
|
||||
|
||||
// render bootstrap pods
|
||||
parts := bytes.Split(renderClusterTemplates(cluster, "bootstrap-pods", bootstrapPods), []byte("\n---\n"))
|
||||
for _, part := range parts {
|
||||
buf := bytes.NewBuffer(part)
|
||||
dec := yaml.NewDecoder(buf)
|
||||
|
||||
for n := 0; ; n++ {
|
||||
str := buf.String()
|
||||
|
||||
podMap := map[string]interface{}{}
|
||||
err := dec.Decode(podMap)
|
||||
|
||||
if err == io.EOF {
|
||||
break
|
||||
} else if err != nil {
|
||||
log.Fatalf("bootstrap pod %d: failed to parse: %v\n%s", n, err, str)
|
||||
}
|
||||
|
||||
if len(podMap) == 0 {
|
||||
continue
|
||||
}
|
||||
|
||||
if podMap["metadata"] == nil {
|
||||
log.Fatalf("bootstrap pod %d: no metadata\n%s", n, buf.String())
|
||||
}
|
||||
|
||||
md := podMap["metadata"].(map[interface{}]interface{})
|
||||
|
||||
namespace := md["namespace"].(string)
|
||||
name := md["name"].(string)
|
||||
|
||||
pods = append(pods, namePod{namespace, name, podMap})
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func renderBootstrapPodsDS(cluster *clustersconfig.Cluster) string {
|
||||
buf := &bytes.Buffer{}
|
||||
enc := yaml.NewEncoder(buf)
|
||||
for _, namePod := range renderBootstrapPods(cluster) {
|
||||
pod := namePod.Pod
|
||||
|
||||
md := pod["metadata"].(map[interface{}]interface{})
|
||||
labels := md["labels"]
|
||||
|
||||
if labels == nil {
|
||||
labels = map[string]interface{}{
|
||||
"app": namePod.Name,
|
||||
}
|
||||
md["labels"] = labels
|
||||
}
|
||||
|
||||
ann := md["annotations"]
|
||||
annotations := map[interface{}]interface{}{}
|
||||
if ann != nil {
|
||||
annotations = ann.(map[interface{}]interface{})
|
||||
}
|
||||
annotations["node.kubernetes.io/bootstrap-checkpoint"] = "true"
|
||||
|
||||
md["annotations"] = annotations
|
||||
|
||||
delete(md, "name")
|
||||
delete(md, "namespace")
|
||||
|
||||
err := enc.Encode(map[string]interface{}{
|
||||
"apiVersion": "apps/v1",
|
||||
"kind": "DaemonSet",
|
||||
"metadata": map[string]interface{}{
|
||||
"namespace": namePod.Namespace,
|
||||
"name": namePod.Name,
|
||||
"labels": labels,
|
||||
},
|
||||
"spec": map[string]interface{}{
|
||||
"minReadySeconds": 60,
|
||||
"selector": map[string]interface{}{
|
||||
"matchLabels": labels,
|
||||
},
|
||||
"template": map[string]interface{}{
|
||||
"metadata": pod["metadata"],
|
||||
"spec": pod["spec"],
|
||||
},
|
||||
},
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}
|
||||
return buf.String()
|
||||
}
|
||||
|
||||
@@ -2,17 +2,21 @@ package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/sha1"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"io"
|
||||
"log"
|
||||
"math/rand"
|
||||
"path"
|
||||
"reflect"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/cespare/xxhash"
|
||||
yaml "gopkg.in/yaml.v2"
|
||||
|
||||
"novit.nc/direktil/local-server/pkg/clustersconfig"
|
||||
"novit.nc/direktil/pkg/config"
|
||||
"novit.tech/direktil/pkg/config"
|
||||
|
||||
"novit.tech/direktil/local-server/pkg/clustersconfig"
|
||||
)
|
||||
|
||||
type renderContext struct {
|
||||
@@ -20,9 +24,10 @@ type renderContext struct {
|
||||
Annotations map[string]string
|
||||
|
||||
Host *clustersconfig.Host
|
||||
Group *clustersconfig.Group
|
||||
Cluster *clustersconfig.Cluster
|
||||
Vars map[string]interface{}
|
||||
Vars map[string]any
|
||||
|
||||
BootstrapConfigTemplate *clustersconfig.Template
|
||||
ConfigTemplate *clustersconfig.Template
|
||||
StaticPodsTemplate *clustersconfig.Template
|
||||
|
||||
@@ -36,32 +41,25 @@ func newRenderContext(host *clustersconfig.Host, cfg *clustersconfig.Config) (ct
|
||||
return
|
||||
}
|
||||
|
||||
group := cfg.Group(host.Group)
|
||||
if group == nil {
|
||||
err = fmt.Errorf("no group named %q", host.Group)
|
||||
return
|
||||
}
|
||||
vars := make(map[string]any)
|
||||
|
||||
vars := make(map[string]interface{})
|
||||
|
||||
for _, oVars := range []map[string]interface{}{
|
||||
for _, oVars := range []map[string]any{
|
||||
cluster.Vars,
|
||||
group.Vars,
|
||||
host.Vars,
|
||||
} {
|
||||
mapMerge(vars, oVars)
|
||||
}
|
||||
|
||||
return &renderContext{
|
||||
Labels: mergeLabels(cluster.Labels, group.Labels, host.Labels),
|
||||
Annotations: mergeLabels(cluster.Annotations, group.Annotations, host.Annotations),
|
||||
Labels: mergeLabels(cluster.Labels, host.Labels),
|
||||
Annotations: mergeLabels(cluster.Annotations, host.Annotations),
|
||||
|
||||
Host: host,
|
||||
Group: group,
|
||||
Cluster: cluster,
|
||||
Vars: vars,
|
||||
ConfigTemplate: cfg.ConfigTemplate(group.Config),
|
||||
StaticPodsTemplate: cfg.StaticPodsTemplate(group.StaticPods),
|
||||
|
||||
BootstrapConfigTemplate: cfg.ConfigTemplate(host.BootstrapConfig),
|
||||
ConfigTemplate: cfg.ConfigTemplate(host.Config),
|
||||
|
||||
clusterConfig: cfg,
|
||||
}, nil
|
||||
@@ -125,8 +123,6 @@ func (ctx *renderContext) Name() string {
|
||||
switch {
|
||||
case ctx.Host != nil:
|
||||
return "host:" + ctx.Host.Name
|
||||
case ctx.Group != nil:
|
||||
return "group:" + ctx.Group.Name
|
||||
case ctx.Cluster != nil:
|
||||
return "cluster:" + ctx.Cluster.Name
|
||||
default:
|
||||
@@ -134,47 +130,35 @@ func (ctx *renderContext) Name() string {
|
||||
}
|
||||
}
|
||||
|
||||
func (ctx *renderContext) BootstrapConfig() string {
|
||||
if ctx.BootstrapConfigTemplate == nil {
|
||||
log.Fatalf("no such (bootstrap) config: %q", ctx.Host.BootstrapConfig)
|
||||
}
|
||||
return ctx.renderConfig(ctx.BootstrapConfigTemplate)
|
||||
}
|
||||
|
||||
func (ctx *renderContext) Config() string {
|
||||
if ctx.ConfigTemplate == nil {
|
||||
log.Fatalf("no such config: %q", ctx.Group.Config)
|
||||
log.Fatalf("no such config: %q", ctx.Host.Config)
|
||||
}
|
||||
return ctx.renderConfig(ctx.ConfigTemplate)
|
||||
}
|
||||
|
||||
func (ctx *renderContext) renderConfig(configTemplate *clustersconfig.Template) string {
|
||||
buf := new(strings.Builder)
|
||||
ctx.renderConfigTo(buf, configTemplate)
|
||||
return buf.String()
|
||||
}
|
||||
|
||||
func (ctx *renderContext) renderConfigTo(buf io.Writer, configTemplate *clustersconfig.Template) {
|
||||
ctxName := ctx.Name()
|
||||
|
||||
ctxMap := ctx.asMap()
|
||||
|
||||
templateFuncs := ctx.templateFuncs(ctxMap)
|
||||
|
||||
render := func(what string, t *clustersconfig.Template) (s string, err error) {
|
||||
buf := &bytes.Buffer{}
|
||||
err = t.Execute(ctxName, what, buf, ctxMap, templateFuncs)
|
||||
if err != nil {
|
||||
log.Printf("host %s: failed to render %s [%q]: %v", ctx.Host.Name, what, t.Name, err)
|
||||
return
|
||||
}
|
||||
|
||||
s = buf.String()
|
||||
return
|
||||
}
|
||||
|
||||
extraFuncs := ctx.templateFuncs(ctxMap)
|
||||
|
||||
extraFuncs["static_pods"] = func() (string, error) {
|
||||
name := ctx.Group.StaticPods
|
||||
if len(name) == 0 {
|
||||
return "", fmt.Errorf("group %q has no static pods defined", ctx.Group.Name)
|
||||
}
|
||||
|
||||
t := ctx.clusterConfig.StaticPodsTemplate(name)
|
||||
if t == nil {
|
||||
return "", fmt.Errorf("no static pods template named %q", name)
|
||||
}
|
||||
|
||||
return render("static-pods", t)
|
||||
}
|
||||
|
||||
extraFuncs["bootstrap_pods_files"] = func(dir string) (string, error) {
|
||||
namePods := renderBootstrapPods(ctx.Cluster)
|
||||
extraFuncs["static_pods_files"] = func(dir string) (string, error) {
|
||||
namePods := ctx.renderStaticPods()
|
||||
|
||||
defs := make([]config.FileDef, 0)
|
||||
|
||||
@@ -183,7 +167,7 @@ func (ctx *renderContext) Config() string {
|
||||
|
||||
ba, err := yaml.Marshal(namePod.Pod)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("bootstrap pod %s: failed to render: %v", name, err)
|
||||
return "", fmt.Errorf("static pod %s: failed to render: %v", name, err)
|
||||
}
|
||||
|
||||
defs = append(defs, config.FileDef{
|
||||
@@ -197,36 +181,30 @@ func (ctx *renderContext) Config() string {
|
||||
return string(ba), err
|
||||
}
|
||||
|
||||
extraFuncs["host_ip"] = func() string {
|
||||
if ctx.Host.Template {
|
||||
return "{{ host_ip }}"
|
||||
}
|
||||
return ctx.Host.IP
|
||||
}
|
||||
extraFuncs["host_name"] = func() string {
|
||||
if ctx.Host.Template {
|
||||
return "{{ host_name }}"
|
||||
}
|
||||
return ctx.Host.Name
|
||||
}
|
||||
extraFuncs["machine_id"] = func() string {
|
||||
ba := sha1.Sum([]byte(ctx.Cluster.Name + "/" + ctx.Host.Name)) // TODO: check semantics of machine-id
|
||||
return hex.EncodeToString(ba[:])
|
||||
return "{{ machine_id }}"
|
||||
}
|
||||
|
||||
buf := bytes.NewBuffer(make([]byte, 0, 4096))
|
||||
if err := ctx.ConfigTemplate.Execute(ctxName, "config", buf, ctxMap, extraFuncs); err != nil {
|
||||
log.Fatalf("failed to render config %q for host %q: %v", ctx.Group.Config, ctx.Host.Name, err)
|
||||
}
|
||||
extraFuncs["version"] = func() string { return Version }
|
||||
|
||||
return buf.String()
|
||||
if err := configTemplate.Execute(ctxName, "config", buf, ctxMap, extraFuncs); err != nil {
|
||||
log.Fatalf("failed to render config %q for host %q: %v", ctx.Host.Config, ctx.Host.Name, err)
|
||||
}
|
||||
}
|
||||
|
||||
func (ctx *renderContext) StaticPods() (ba []byte, err error) {
|
||||
if ctx.StaticPodsTemplate == nil {
|
||||
log.Fatalf("no such static-pods: %q", ctx.Group.StaticPods)
|
||||
}
|
||||
|
||||
ctxMap := ctx.asMap()
|
||||
|
||||
buf := bytes.NewBuffer(make([]byte, 0, 4096))
|
||||
if err = ctx.StaticPodsTemplate.Execute(ctx.Name(), "static-pods", buf, ctxMap, ctx.templateFuncs(ctxMap)); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
ba = buf.Bytes()
|
||||
return
|
||||
}
|
||||
|
||||
func (ctx *renderContext) templateFuncs(ctxMap map[string]interface{}) map[string]interface{} {
|
||||
func (ctx *renderContext) templateFuncs(ctxMap map[string]any) map[string]any {
|
||||
cluster := ctx.Cluster.Name
|
||||
|
||||
getKeyCert := func(name, funcName string) (s string, err error) {
|
||||
@@ -246,31 +224,54 @@ func (ctx *renderContext) templateFuncs(ctxMap map[string]interface{}) map[strin
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
reqJson := cleanJsonObject(buf.String())
|
||||
|
||||
key := name
|
||||
if req.PerHost {
|
||||
key += "/" + ctx.Host.Name
|
||||
}
|
||||
|
||||
if funcName == "tls_dir" {
|
||||
switch funcName {
|
||||
case "tls_dir":
|
||||
// needs the dir name
|
||||
dir := "/etc/tls/" + name
|
||||
|
||||
s = fmt.Sprintf("{{ %s %q %q %q %q %q %q %q }}", funcName,
|
||||
dir, cluster, req.CA, key, req.Profile, req.Label, buf.String())
|
||||
dir, cluster, req.CA, key, req.Profile, req.Label, reqJson)
|
||||
|
||||
} else {
|
||||
default:
|
||||
s = fmt.Sprintf("{{ %s %q %q %q %q %q %q }}", funcName,
|
||||
cluster, req.CA, key, req.Profile, req.Label, buf.String())
|
||||
cluster, req.CA, key, req.Profile, req.Label, reqJson)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
funcs := clusterFuncs(ctx.Cluster)
|
||||
for k, v := range map[string]interface{}{
|
||||
for k, v := range map[string]any{
|
||||
"default": func(value, defaultValue any) any {
|
||||
switch v := value.(type) {
|
||||
case string:
|
||||
if v != "" {
|
||||
return v
|
||||
}
|
||||
case int, int8, int16, int32, int64, uint, uint8, uint16, uint32, float32, float64:
|
||||
if v != 0 {
|
||||
return v
|
||||
}
|
||||
|
||||
default:
|
||||
if v != nil {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return defaultValue
|
||||
},
|
||||
"tls_key": func(name string) (string, error) {
|
||||
return getKeyCert(name, "tls_key")
|
||||
},
|
||||
"tls_pubkey": func(name string) string {
|
||||
return fmt.Sprintf("{{ tls_pubkey %q %q }}", ctx.Cluster.Name, name)
|
||||
},
|
||||
|
||||
"tls_crt": func(name string) (s string, err error) {
|
||||
return getKeyCert(name, "tls_crt")
|
||||
@@ -280,16 +281,31 @@ func (ctx *renderContext) templateFuncs(ctxMap map[string]interface{}) map[strin
|
||||
return getKeyCert(name, "tls_dir")
|
||||
},
|
||||
|
||||
"ssh_user_ca": func(path string) (s string) {
|
||||
return fmt.Sprintf("{{ ssh_user_ca %q %q }}",
|
||||
path, cluster)
|
||||
},
|
||||
"ssh_host_keys": func(dir string) (s string) {
|
||||
return fmt.Sprintf("{{ ssh_host_keys %q %q %q}}",
|
||||
dir, cluster, ctx.Host.Name)
|
||||
return fmt.Sprintf("{{ ssh_host_keys %q %q \"\" }}",
|
||||
dir, cluster)
|
||||
},
|
||||
"host_download_token": func() (s string) {
|
||||
return "{{ host_download_token }}"
|
||||
},
|
||||
"asset_download_token": func(args ...string) (s string) {
|
||||
argsStr := new(strings.Builder)
|
||||
for _, arg := range args {
|
||||
argsStr.WriteByte(' ')
|
||||
argsStr.WriteString(strconv.Quote(arg))
|
||||
}
|
||||
return "{{ asset_download_token" + argsStr.String() + " }}"
|
||||
},
|
||||
|
||||
"hosts_of_group": func() (hosts []interface{}) {
|
||||
hosts = make([]interface{}, 0)
|
||||
"hosts_of_group": func() (hosts []any) {
|
||||
hosts = make([]any, 0)
|
||||
|
||||
for _, host := range ctx.clusterConfig.Hosts {
|
||||
if host.Group != ctx.Host.Group {
|
||||
if host.Cluster == ctx.Cluster.Name && host.Group != ctx.Host.Group {
|
||||
continue
|
||||
}
|
||||
|
||||
@@ -301,12 +317,31 @@ func (ctx *renderContext) templateFuncs(ctxMap map[string]interface{}) map[strin
|
||||
|
||||
"hosts_of_group_count": func() (count int) {
|
||||
for _, host := range ctx.clusterConfig.Hosts {
|
||||
if host.Group == ctx.Host.Group {
|
||||
if host.Cluster == ctx.Cluster.Name && host.Group == ctx.Host.Group {
|
||||
count++
|
||||
}
|
||||
}
|
||||
return
|
||||
},
|
||||
|
||||
"shuffled_hosts_by_group": func(group string) (hosts []any) {
|
||||
for _, host := range src.Hosts {
|
||||
if host.Cluster == ctx.Cluster.Name && host.Group == group {
|
||||
hosts = append(hosts, asMap(host))
|
||||
}
|
||||
}
|
||||
|
||||
if len(hosts) == 0 {
|
||||
log.Printf("WARNING: no hosts in group %q", group)
|
||||
return
|
||||
}
|
||||
|
||||
seed := xxhash.Sum64String(ctx.Host.Name)
|
||||
rng := rand.New(rand.NewSource(int64(seed)))
|
||||
rng.Shuffle(len(hosts), func(i, j int) { hosts[i], hosts[j] = hosts[j], hosts[i] })
|
||||
|
||||
return
|
||||
},
|
||||
} {
|
||||
funcs[k] = v
|
||||
}
|
||||
|
||||
@@ -0,0 +1,77 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"io"
|
||||
"log"
|
||||
|
||||
yaml "gopkg.in/yaml.v2"
|
||||
"novit.tech/direktil/local-server/pkg/clustersconfig"
|
||||
)
|
||||
|
||||
func (ctx *renderContext) renderStaticPods() (pods []namePod) {
|
||||
if ctx.Host.StaticPods == "" {
|
||||
return
|
||||
}
|
||||
|
||||
staticPods, ok := src.StaticPods[ctx.Host.StaticPods]
|
||||
if !ok {
|
||||
log.Fatalf("no static pods template named %q", ctx.Host.StaticPods)
|
||||
}
|
||||
|
||||
// render static pods
|
||||
parts := bytes.Split(ctx.renderHostTemplates("static-pods", staticPods), []byte("\n---\n"))
|
||||
for _, part := range parts {
|
||||
buf := bytes.NewBuffer(part)
|
||||
dec := yaml.NewDecoder(buf)
|
||||
|
||||
for n := 0; ; n++ {
|
||||
str := buf.String()
|
||||
|
||||
podMap := map[string]any{}
|
||||
err := dec.Decode(podMap)
|
||||
|
||||
if err == io.EOF {
|
||||
break
|
||||
} else if err != nil {
|
||||
log.Fatalf("static pod %d: failed to parse: %v\n%s", n, err, str)
|
||||
}
|
||||
|
||||
if len(podMap) == 0 {
|
||||
continue
|
||||
}
|
||||
|
||||
if podMap["metadata"] == nil {
|
||||
log.Fatalf("static pod %d: no metadata\n%s", n, buf.String())
|
||||
}
|
||||
|
||||
md := podMap["metadata"].(map[any]any)
|
||||
|
||||
namespace := md["namespace"].(string)
|
||||
name := md["name"].(string)
|
||||
|
||||
pods = append(pods, namePod{namespace, name, podMap})
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (ctx *renderContext) renderHostTemplates(setName string,
|
||||
templates []*clustersconfig.Template) []byte {
|
||||
|
||||
log.Print("rendering host templates in ", setName)
|
||||
|
||||
buf := bytes.NewBuffer(make([]byte, 0, 16<<10))
|
||||
|
||||
for _, t := range templates {
|
||||
log.Print("- template: ", setName, ": ", t.Name)
|
||||
fmt.Fprintf(buf, "---\n# %s: %s\n", setName, t.Name)
|
||||
|
||||
ctx.renderConfigTo(buf, t)
|
||||
fmt.Fprintln(buf)
|
||||
}
|
||||
|
||||
return buf.Bytes()
|
||||
}
|
||||
@@ -0,0 +1,59 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
"sort"
|
||||
)
|
||||
|
||||
var searchList = make([]FS, 0)
|
||||
|
||||
// read the first file matching path in the search list
|
||||
func read(path string) (ba []byte, err error) {
|
||||
for _, fs := range searchList {
|
||||
var r io.ReadCloser
|
||||
r, err = fs.Open(path)
|
||||
if os.IsNotExist(err) {
|
||||
continue
|
||||
}
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
defer r.Close()
|
||||
return io.ReadAll(r)
|
||||
}
|
||||
|
||||
err = fmt.Errorf("%s: %w", path, os.ErrNotExist)
|
||||
return
|
||||
}
|
||||
|
||||
func listBase(path string) ([]string, error) {
|
||||
return fsFS{base}.List(path)
|
||||
}
|
||||
|
||||
func listMerged(path string) (entries []string, err error) {
|
||||
seen := map[string]bool{}
|
||||
for _, fs := range searchList {
|
||||
var fsEnts []string
|
||||
fsEnts, err = fs.List(path)
|
||||
if os.IsNotExist(err) {
|
||||
err = nil
|
||||
continue
|
||||
}
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
for _, ent := range fsEnts {
|
||||
if !seen[ent] {
|
||||
entries = append(entries, ent)
|
||||
seen[ent] = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sort.Strings(entries)
|
||||
return
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
)
|
||||
|
||||
func cleanJsonObject(raw string) string {
|
||||
v := map[string]any{}
|
||||
if err := json.Unmarshal([]byte(raw), &v); err != nil {
|
||||
panic(fmt.Errorf("invalid json: %w\n%s", err, raw))
|
||||
}
|
||||
clean, _ := json.Marshal(v)
|
||||
return string(clean)
|
||||
}
|
||||
@@ -1,36 +1,44 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"flag"
|
||||
"log"
|
||||
"net/http"
|
||||
)
|
||||
|
||||
var (
|
||||
hostsToken = flag.String("hosts-token", "", "Token to give to access /hosts (open is none)")
|
||||
adminToken = flag.String("admin-token", "", "Token to give to access to admin actions (open is none)")
|
||||
)
|
||||
|
||||
func authorizeHosts(r *http.Request) bool {
|
||||
return authorizeToken(r, *hostsToken)
|
||||
}
|
||||
var adminToken string
|
||||
|
||||
func authorizeAdmin(r *http.Request) bool {
|
||||
return authorizeToken(r, *adminToken)
|
||||
return authorizeToken(r, adminToken)
|
||||
}
|
||||
|
||||
func authorizeToken(r *http.Request, token string) bool {
|
||||
if token == "" {
|
||||
// access is open
|
||||
return true
|
||||
return false
|
||||
}
|
||||
|
||||
reqToken := r.Header.Get("Authorization")
|
||||
|
||||
if reqToken != "" {
|
||||
return reqToken == "Bearer "+token
|
||||
}
|
||||
|
||||
return r.URL.Query().Get("token") == token
|
||||
}
|
||||
|
||||
func forbidden(w http.ResponseWriter, r *http.Request) {
|
||||
log.Printf("denied access to %s from %s", r.RequestURI, r.RemoteAddr)
|
||||
log.Printf("denied access to %s from %s", r.URL.Path, r.RemoteAddr)
|
||||
http.Error(w, "Forbidden", http.StatusForbidden)
|
||||
}
|
||||
|
||||
func requireToken(token *string, handler http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
|
||||
if !authorizeToken(req, *token) {
|
||||
forbidden(w, req)
|
||||
return
|
||||
}
|
||||
handler.ServeHTTP(w, req)
|
||||
})
|
||||
}
|
||||
|
||||
func requireAdmin(handler http.Handler) http.Handler {
|
||||
return requireToken(&adminToken, handler)
|
||||
}
|
||||
|
||||
@@ -3,52 +3,39 @@ package main
|
||||
import (
|
||||
"archive/tar"
|
||||
"compress/gzip"
|
||||
"flag"
|
||||
"fmt"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
"os"
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"syscall"
|
||||
|
||||
"github.com/pierrec/lz4"
|
||||
)
|
||||
|
||||
func buildBootImg(out io.Writer, ctx *renderContext) (err error) {
|
||||
bootImg, err := ioutil.TempFile(os.TempDir(), "boot.img-")
|
||||
func buildBootImg(out io.Writer, ctx *renderContext, uki bool, cmdline string) (err error) {
|
||||
bootImg, err := os.CreateTemp(os.TempDir(), "boot.img-")
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
defer rmTempFile(bootImg)
|
||||
|
||||
err = setupBootImage(bootImg, ctx)
|
||||
err = setupBootImage(bootImg, ctx, uki, cmdline)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
// send the result
|
||||
bootImg.Seek(0, os.SEEK_SET)
|
||||
bootImg.Seek(0, io.SeekStart)
|
||||
io.Copy(out, bootImg)
|
||||
return
|
||||
}
|
||||
|
||||
func buildBootImgLZ4(out io.Writer, ctx *renderContext) (err error) {
|
||||
lz4Out := lz4.NewWriter(out)
|
||||
|
||||
if err = buildBootImg(lz4Out, ctx); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
lz4Out.Close()
|
||||
return
|
||||
}
|
||||
|
||||
func buildBootImgGZ(out io.Writer, ctx *renderContext) (err error) {
|
||||
func buildBootImgGZ(out io.Writer, ctx *renderContext, uki bool, cmdline string) (err error) {
|
||||
gzOut := gzip.NewWriter(out)
|
||||
|
||||
if err = buildBootImg(gzOut, ctx); err != nil {
|
||||
if err = buildBootImg(gzOut, ctx, uki, cmdline); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
@@ -56,8 +43,77 @@ func buildBootImgGZ(out io.Writer, ctx *renderContext) (err error) {
|
||||
return
|
||||
}
|
||||
|
||||
func setupBootImage(bootImg *os.File, ctx *renderContext) (err error) {
|
||||
path, err := ctx.distFetch("grub-support", "1.0.0")
|
||||
func buildBootImgQemuConvert(out io.Writer, ctx *renderContext, format string, uki bool, cmdline string) (err error) {
|
||||
imgPath, err := func() (imgPath string, err error) {
|
||||
bootImg, err := os.CreateTemp(os.TempDir(), "boot.img-")
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
defer rmTempFile(bootImg)
|
||||
|
||||
err = setupBootImage(bootImg, ctx, uki, cmdline)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
err = bootImg.Sync()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
imgPath = bootImg.Name() + "." + format
|
||||
|
||||
err = run("qemu-img", "convert", "-f", "raw", "-O", format, bootImg.Name(), imgPath)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
return
|
||||
}()
|
||||
|
||||
if imgPath != "" {
|
||||
defer os.Remove(imgPath)
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
// send the result
|
||||
img, err := os.Open(imgPath)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
io.Copy(out, img)
|
||||
return
|
||||
}
|
||||
func qemuImgBootImg(format string, uki bool, cmdline string) func(out io.Writer, ctx *renderContext) (err error) {
|
||||
return func(out io.Writer, ctx *renderContext) (err error) {
|
||||
return buildBootImgQemuConvert(out, ctx, format, uki, cmdline)
|
||||
}
|
||||
}
|
||||
|
||||
var grubSupportVersion = flag.String("grub-support", "1.1.0", "GRUB support version")
|
||||
|
||||
func setupBootImage(bootImg *os.File, ctx *renderContext, uki bool, cmdline string) (err error) {
|
||||
if uki {
|
||||
err = bootImg.Truncate(128 << 20)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
err = bootImg.Sync()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
err = run("sgdisk", bootImg.Name(), "--clear", "--largest-new=1", "--typecode=1:EF00", "--change-name=1:ESP")
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
} else {
|
||||
err = func() (err error) {
|
||||
path, err := distFetch("grub-support", *grubSupportVersion)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
@@ -76,9 +132,11 @@ func setupBootImage(bootImg *os.File, ctx *renderContext) (err error) {
|
||||
|
||||
defer baseImageGz.Close()
|
||||
_, err = io.Copy(bootImg, baseImageGz)
|
||||
|
||||
if err != nil {
|
||||
return
|
||||
}()
|
||||
}
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
log.Print("running losetup...")
|
||||
@@ -96,6 +154,7 @@ func setupBootImage(bootImg *os.File, ctx *renderContext) (err error) {
|
||||
}()
|
||||
|
||||
log.Print("device: ", dev)
|
||||
syncSysToDev()
|
||||
|
||||
tempDir := bootImg.Name() + ".p1.mount"
|
||||
|
||||
@@ -109,9 +168,18 @@ func setupBootImage(bootImg *os.File, ctx *renderContext) (err error) {
|
||||
os.RemoveAll(tempDir)
|
||||
}()
|
||||
|
||||
err = syscall.Mount(dev+"p1", tempDir, "vfat", 0, "")
|
||||
devp1 := dev + "p1"
|
||||
|
||||
if uki {
|
||||
err = run("mkfs.vfat", "-F", "32", devp1)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to mount %s to %s: %v", dev+"p1", tempDir, err)
|
||||
return fmt.Errorf("mkfs.vfat: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
err = syscall.Mount(devp1, tempDir, "vfat", 0, "")
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to mount %s to %s: %v", devp1, tempDir, err)
|
||||
}
|
||||
|
||||
defer func() {
|
||||
@@ -122,10 +190,10 @@ func setupBootImage(bootImg *os.File, ctx *renderContext) (err error) {
|
||||
// add system elements
|
||||
tarOut, tarIn := io.Pipe()
|
||||
go func() {
|
||||
err2 := buildBootTar(tarIn, ctx)
|
||||
e := buildBootTar(tarIn, ctx, uki, cmdline)
|
||||
tarIn.Close()
|
||||
if err2 != nil {
|
||||
err = err2
|
||||
if e != nil {
|
||||
err = e
|
||||
}
|
||||
}()
|
||||
|
||||
|
||||
@@ -3,33 +3,29 @@ package main
|
||||
import (
|
||||
"fmt"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
"os"
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
|
||||
"github.com/cespare/xxhash"
|
||||
)
|
||||
|
||||
func buildBootISO(out io.Writer, ctx *renderContext) error {
|
||||
tempDir, err := ioutil.TempDir("/tmp", "iso-")
|
||||
func buildBootISO(out io.Writer, ctx *renderContext) (err error) {
|
||||
tempDir, err := os.MkdirTemp("/tmp", "iso-v2-")
|
||||
if err != nil {
|
||||
return err
|
||||
return
|
||||
}
|
||||
|
||||
defer os.RemoveAll(tempDir)
|
||||
|
||||
cp := func(src, dst string) error {
|
||||
log.Printf("iso: adding %s as %s", src, dst)
|
||||
in, err := os.Open(src)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
defer in.Close()
|
||||
buildRes := func(build func(out io.Writer, ctx *renderContext) error, dst string) (err error) {
|
||||
log.Printf("iso-v2: building %s", dst)
|
||||
|
||||
outPath := filepath.Join(tempDir, dst)
|
||||
|
||||
if err := os.MkdirAll(filepath.Dir(outPath), 0755); err != nil {
|
||||
if err = os.MkdirAll(filepath.Dir(outPath), 0755); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -37,32 +33,55 @@ func buildBootISO(out io.Writer, ctx *renderContext) error {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
defer out.Close()
|
||||
|
||||
_, err = io.Copy(out, in)
|
||||
err = build(out, ctx)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
err = func() error {
|
||||
err = func() (err error) {
|
||||
// grub
|
||||
|
||||
if err := os.MkdirAll(filepath.Join(tempDir, "grub"), 0755); err != nil {
|
||||
return err
|
||||
if err = os.MkdirAll(filepath.Join(tempDir, "grub"), 0755); err != nil {
|
||||
return
|
||||
}
|
||||
err = ioutil.WriteFile(filepath.Join(tempDir, "grub", "grub.cfg"), []byte(`
|
||||
search --set=root --file /config.yaml
|
||||
|
||||
// create a tag file
|
||||
bootstrapBytes, err := ctx.BootstrapConfig()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
h := xxhash.New()
|
||||
fmt.Fprintln(h, ctx.Host.Kernel)
|
||||
h.Write(bootstrapBytes)
|
||||
|
||||
tag := "dkl-" + strconv.FormatUint(h.Sum64(), 32) + ".tag"
|
||||
|
||||
f, err := os.Create(filepath.Join(tempDir, tag))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
f.Write([]byte("direktil marker file\n"))
|
||||
f.Close()
|
||||
|
||||
err = os.WriteFile(filepath.Join(tempDir, "grub", "grub.cfg"), []byte(`
|
||||
search --set=root --file /`+tag+`
|
||||
|
||||
insmod all_video
|
||||
set timeout=3
|
||||
|
||||
menuentry "Direktil" {
|
||||
linux /vmlinuz direktil.boot=DEVNAME=sr0 direktil.boot.fs=iso9660 `+ctx.CmdLine+`
|
||||
linux /vmlinuz `+ctx.CmdLine+`
|
||||
initrd /initrd
|
||||
}
|
||||
`), 0644)
|
||||
if err != nil {
|
||||
return err
|
||||
return
|
||||
}
|
||||
|
||||
coreImgPath := filepath.Join(tempDir, "grub", "core.img")
|
||||
@@ -93,7 +112,7 @@ menuentry "Direktil" {
|
||||
|
||||
defer out.Close()
|
||||
|
||||
b, err := ioutil.ReadFile("/usr/lib/grub/i386-pc/cdboot.img")
|
||||
b, err := os.ReadFile("/usr/lib/grub/i386-pc/cdboot.img")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -102,7 +121,7 @@ menuentry "Direktil" {
|
||||
return err
|
||||
}
|
||||
|
||||
b, err = ioutil.ReadFile(coreImgPath)
|
||||
b, err = os.ReadFile(coreImgPath)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -117,50 +136,9 @@ menuentry "Direktil" {
|
||||
return err
|
||||
}
|
||||
|
||||
// config
|
||||
cfgBytes, cfg, err := ctx.Config()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
ioutil.WriteFile(filepath.Join(tempDir, "config.yaml"), cfgBytes, 0600)
|
||||
|
||||
// kernel and initrd
|
||||
type distCopy struct {
|
||||
Src []string
|
||||
Dst string
|
||||
}
|
||||
|
||||
copies := []distCopy{
|
||||
{Src: []string{"kernels", ctx.Host.Kernel}, Dst: "vmlinuz"},
|
||||
{Src: []string{"initrd", ctx.Host.Initrd}, Dst: "initrd"},
|
||||
}
|
||||
|
||||
// layers
|
||||
for _, layer := range cfg.Layers {
|
||||
layerVersion := ctx.Host.Versions[layer]
|
||||
if layerVersion == "" {
|
||||
return fmt.Errorf("layer %q not mapped to a version", layer)
|
||||
}
|
||||
|
||||
copies = append(copies,
|
||||
distCopy{
|
||||
Src: []string{"layers", layer, layerVersion},
|
||||
Dst: filepath.Join("current", "layers", layer+".fs"),
|
||||
})
|
||||
}
|
||||
|
||||
for _, copy := range copies {
|
||||
outPath, err := ctx.distFetch(copy.Src...)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
err = cp(outPath, copy.Dst)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
buildRes(fetchKernel, "vmlinuz")
|
||||
buildRes(buildInitrd, "initrd")
|
||||
|
||||
// build the ISO
|
||||
mkisofs, err := exec.LookPath("genisoimage")
|
||||
|
||||
@@ -2,11 +2,14 @@ package main
|
||||
|
||||
import (
|
||||
"archive/tar"
|
||||
"bytes"
|
||||
"debug/pe"
|
||||
"fmt"
|
||||
"io"
|
||||
"log"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"time"
|
||||
)
|
||||
|
||||
func rmTempFile(f *os.File) {
|
||||
@@ -16,12 +19,129 @@ func rmTempFile(f *os.File) {
|
||||
}
|
||||
}
|
||||
|
||||
func buildBootTar(out io.Writer, ctx *renderContext) (err error) {
|
||||
func buildUki(out io.Writer, ctx *renderContext, uki bool, cmdline string) error {
|
||||
if !uki {
|
||||
return fmt.Errorf("buildUki only builds UKI")
|
||||
}
|
||||
|
||||
const efiStubPath = "/usr/lib/systemd/boot/efi/linuxx64.efi.stub"
|
||||
|
||||
stub, err := pe.Open(efiStubPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("efi stub open: %w", err)
|
||||
}
|
||||
|
||||
hdr := stub.OptionalHeader.(*pe.OptionalHeader64)
|
||||
align := uint64(hdr.SectionAlignment)
|
||||
|
||||
var offset uint64
|
||||
for _, s := range stub.Sections {
|
||||
end := uint64(s.VirtualAddress) + uint64(s.VirtualSize)
|
||||
if end > offset {
|
||||
offset = end
|
||||
}
|
||||
}
|
||||
|
||||
offset += hdr.ImageBase
|
||||
|
||||
stub.Close()
|
||||
|
||||
// kernel
|
||||
kernelPath, err := distFetch("kernels", ctx.Host.Kernel)
|
||||
if err != nil {
|
||||
return fmt.Errorf("fetch kernel: %w", err)
|
||||
}
|
||||
|
||||
// temp dir
|
||||
tempDir, err := os.MkdirTemp(os.TempDir(), "uki-")
|
||||
if err != nil {
|
||||
return fmt.Errorf("mkdir temp: %w", err)
|
||||
}
|
||||
defer os.RemoveAll(tempDir)
|
||||
|
||||
// osrel
|
||||
osrelPath := filepath.Join(tempDir, "osrel")
|
||||
if err := os.WriteFile(osrelPath, fmt.Appendf(nil, "ID=direktil\nPRETTY_NAME='Direktil %s %s+0'\n", ctx.Host.Name,
|
||||
time.Now().UTC().Format(time.DateTime)), 0o600); err != nil {
|
||||
return fmt.Errorf("create osrel: %w", err)
|
||||
}
|
||||
|
||||
// cmdline
|
||||
cmdlinePath := filepath.Join(tempDir, "cmdline")
|
||||
if err := os.WriteFile(cmdlinePath, append([]byte(cmdline), 0), 0o600); err != nil {
|
||||
return fmt.Errorf("create cmdline: %w", err)
|
||||
}
|
||||
|
||||
// initrd
|
||||
initrdPath := filepath.Join(tempDir, "initrd")
|
||||
if err := func() (err error) {
|
||||
initrd, err := os.Create(initrdPath)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
defer initrd.Close()
|
||||
return buildInitrd(initrd, ctx)
|
||||
}(); err != nil {
|
||||
return fmt.Errorf("create initrd: %w", err)
|
||||
}
|
||||
|
||||
// assemble
|
||||
|
||||
args := make([]string, 0)
|
||||
for _, i := range []struct {
|
||||
section string
|
||||
path string
|
||||
}{
|
||||
{"osrel", osrelPath},
|
||||
{"cmdline", cmdlinePath},
|
||||
{"initrd", initrdPath},
|
||||
{"linux", kernelPath},
|
||||
} {
|
||||
offset += align - offset%align
|
||||
args = append(args,
|
||||
"--add-section", "."+i.section+"="+i.path, "--change-section-vma", fmt.Sprintf(".%s=0x%x", i.section, offset))
|
||||
|
||||
stat, err := os.Stat(i.path)
|
||||
if err != nil {
|
||||
return fmt.Errorf("stat %s: %w", i.section, err)
|
||||
}
|
||||
|
||||
offset += uint64(stat.Size())
|
||||
}
|
||||
|
||||
ukiPath := filepath.Join(tempDir, "uki")
|
||||
args = append(args, efiStubPath, ukiPath)
|
||||
|
||||
if err := run("objcopy", args...); err != nil {
|
||||
return fmt.Errorf("objcopy: %w", err)
|
||||
}
|
||||
|
||||
// read
|
||||
ukiBytes, err := os.ReadFile(ukiPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("read uki: %w", err)
|
||||
}
|
||||
|
||||
io.Copy(out, bytes.NewBuffer(ukiBytes))
|
||||
|
||||
// done
|
||||
return nil
|
||||
}
|
||||
|
||||
func buildBootTar(out io.Writer, ctx *renderContext, uki bool, cmdline string) (err error) {
|
||||
if uki {
|
||||
return buildUkiBootTar(out, ctx, cmdline)
|
||||
} else {
|
||||
return buildGrubBootTar(out, ctx)
|
||||
}
|
||||
}
|
||||
|
||||
func buildGrubBootTar(out io.Writer, ctx *renderContext) (err error) {
|
||||
arch := tar.NewWriter(out)
|
||||
defer arch.Close()
|
||||
|
||||
archAdd := func(path string, ba []byte) (err error) {
|
||||
err = arch.WriteHeader(&tar.Header{Name: path, Size: int64(len(ba))})
|
||||
err = arch.WriteHeader(&tar.Header{Name: path, Mode: 0640, Size: int64(len(ba))})
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
@@ -29,70 +149,63 @@ func buildBootTar(out io.Writer, ctx *renderContext) (err error) {
|
||||
return
|
||||
}
|
||||
|
||||
// config
|
||||
cfgBytes, cfg, err := ctx.Config()
|
||||
// kernel
|
||||
kernelPath, err := distFetch("kernels", ctx.Host.Kernel)
|
||||
if err != nil {
|
||||
return err
|
||||
return
|
||||
}
|
||||
|
||||
archAdd("config.yaml", cfgBytes)
|
||||
|
||||
// add "current" elements
|
||||
type distCopy struct {
|
||||
Src []string
|
||||
Dst string
|
||||
}
|
||||
|
||||
// kernel and initrd
|
||||
copies := []distCopy{
|
||||
{Src: []string{"kernels", ctx.Host.Kernel}, Dst: "current/vmlinuz"},
|
||||
{Src: []string{"initrd", ctx.Host.Initrd}, Dst: "current/initrd"},
|
||||
}
|
||||
|
||||
// layers
|
||||
for _, layer := range cfg.Layers {
|
||||
layerVersion := ctx.Host.Versions[layer]
|
||||
if layerVersion == "" {
|
||||
return fmt.Errorf("layer %q not mapped to a version", layer)
|
||||
}
|
||||
|
||||
copies = append(copies,
|
||||
distCopy{
|
||||
Src: []string{"layers", layer, layerVersion},
|
||||
Dst: filepath.Join("current", "layers", layer+".fs"),
|
||||
})
|
||||
}
|
||||
|
||||
for _, copy := range copies {
|
||||
outPath, err := ctx.distFetch(copy.Src...)
|
||||
kernelBytes, err := os.ReadFile(kernelPath)
|
||||
if err != nil {
|
||||
return err
|
||||
return
|
||||
}
|
||||
|
||||
f, err := os.Open(outPath)
|
||||
err = archAdd("current/vmlinuz", kernelBytes)
|
||||
if err != nil {
|
||||
return err
|
||||
return
|
||||
}
|
||||
|
||||
defer f.Close()
|
||||
|
||||
stat, err := f.Stat()
|
||||
// initrd
|
||||
initrd := new(bytes.Buffer)
|
||||
err = buildInitrd(initrd, ctx)
|
||||
if err != nil {
|
||||
return err
|
||||
return
|
||||
}
|
||||
|
||||
if err = arch.WriteHeader(&tar.Header{
|
||||
Name: copy.Dst,
|
||||
Size: stat.Size(),
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
_, err = io.Copy(arch, f)
|
||||
err = archAdd("current/initrd", initrd.Bytes())
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// done
|
||||
return nil
|
||||
}
|
||||
|
||||
func buildUkiBootTar(out io.Writer, ctx *renderContext, cmdline string) (err error) {
|
||||
arch := tar.NewWriter(out)
|
||||
defer arch.Close()
|
||||
|
||||
archAdd := func(path string, ba []byte) (err error) {
|
||||
err = arch.WriteHeader(&tar.Header{Name: path, Mode: 0640, Size: int64(len(ba))})
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
_, err = arch.Write(ba)
|
||||
return
|
||||
}
|
||||
|
||||
// UKI
|
||||
uki := new(bytes.Buffer)
|
||||
err = buildUki(uki, ctx, true, cmdline)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
err = archAdd("EFI/BOOT/BOOTX64.EFI", uki.Bytes())
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
// done
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -0,0 +1,492 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"archive/tar"
|
||||
"bytes"
|
||||
"crypto"
|
||||
"encoding/binary"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"io"
|
||||
"log"
|
||||
"net/http"
|
||||
"os"
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
"slices"
|
||||
"strings"
|
||||
|
||||
"github.com/cavaliergopher/cpio"
|
||||
"github.com/klauspost/compress/zstd"
|
||||
|
||||
"novit.tech/direktil/pkg/base64"
|
||||
"novit.tech/direktil/pkg/config"
|
||||
"novit.tech/direktil/pkg/cpiocat"
|
||||
"novit.tech/direktil/pkg/localconfig"
|
||||
)
|
||||
|
||||
func renderBootstrapConfig(w http.ResponseWriter, ctx *renderContext) (err error) {
|
||||
log.Printf("sending bootstrap config for %q", ctx.Host.Name)
|
||||
|
||||
ba, err := ctx.BootstrapConfig()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
_, err = w.Write(ba)
|
||||
return
|
||||
}
|
||||
|
||||
func buildInitrd(out io.Writer, ctx *renderContext) (err error) {
|
||||
_, cfg, err := ctx.Config()
|
||||
if err != nil {
|
||||
return fmt.Errorf("render config failed: %w", err)
|
||||
}
|
||||
|
||||
zout, err := zstd.NewWriter(out, zstd.WithEncoderLevel(zstd.EncoderLevelFromZstd(12)))
|
||||
if err != nil {
|
||||
return fmt.Errorf("zstd writer setup failed: %w", err)
|
||||
}
|
||||
|
||||
cat := cpiocat.New(zout)
|
||||
|
||||
// initrd
|
||||
initrdPath, err := distFetch("initrd", ctx.Host.Initrd)
|
||||
if err != nil {
|
||||
return fmt.Errorf("fetch initrd failed: %w", err)
|
||||
}
|
||||
cat.AppendArchFile(initrdPath)
|
||||
|
||||
// copy config's udev rules (FIXME: too much logic for dls)
|
||||
for _, file := range cfg.Files {
|
||||
if !strings.HasPrefix(file.Path, "/etc/udev/rules.d/") {
|
||||
continue
|
||||
}
|
||||
|
||||
content := []byte(file.Content)
|
||||
if c := file.Content64; c != "" {
|
||||
content, err = base64.Decode(c)
|
||||
if err != nil {
|
||||
return fmt.Errorf("decode %s failed: %w", file.Path, err)
|
||||
}
|
||||
}
|
||||
|
||||
mode := file.Mode
|
||||
if mode == 0 {
|
||||
mode = 0o644
|
||||
}
|
||||
|
||||
cat.AppendBytes(content, file.Path, cpio.FileMode(mode))
|
||||
}
|
||||
|
||||
// embedded layers (modules)
|
||||
for _, layer := range cfg.Layers {
|
||||
switch layer {
|
||||
case "modules":
|
||||
layerVersion := ctx.Host.Versions[layer]
|
||||
if layerVersion == "" {
|
||||
layerVersion = ctx.Host.Kernel
|
||||
}
|
||||
modulesPath, err := distFetch("layers", layer, layerVersion)
|
||||
if err != nil {
|
||||
return fmt.Errorf("fetch layer %s failed: %w", layer, err)
|
||||
}
|
||||
|
||||
cat.AppendFile(modulesPath, "modules.sqfs")
|
||||
}
|
||||
}
|
||||
|
||||
// config
|
||||
cfgBytes, err := ctx.BootstrapConfig()
|
||||
if err != nil {
|
||||
return fmt.Errorf("render bootstrap config failed: %w", err)
|
||||
}
|
||||
cat.AppendBytes(cfgBytes, "config.yaml", 0o600)
|
||||
|
||||
// ssh keys
|
||||
cat.AppendDir("/etc", 0o755)
|
||||
cat.AppendDir("/etc/ssh", 0o700)
|
||||
|
||||
// XXX do we want bootstrap-stage keys instead of the real host key?
|
||||
for _, format := range sshKeyTypes {
|
||||
keyPath := "/etc/ssh/ssh_host_" + format + "_key"
|
||||
cat.AppendBytes(cfg.FileContent(keyPath), keyPath, 0o600)
|
||||
}
|
||||
|
||||
// ssh user CA
|
||||
userCA, err := sshCAPubKey(ctx.Host.ClusterName)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to get SSH user CA: %w", err)
|
||||
}
|
||||
|
||||
cat.AppendBytes(userCA, "user_ca.pub", 0600)
|
||||
|
||||
if err = cat.Close(); err != nil {
|
||||
return fmt.Errorf("cpio close failed: %w", err)
|
||||
}
|
||||
|
||||
if err = zout.Close(); err != nil {
|
||||
return fmt.Errorf("zstd close failed: %w", err)
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func getSigner(clusterName string) (signer crypto.Signer, err error) {
|
||||
ca, err := getUsableClusterCA(clusterName, "boot-signer")
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
return ca.ParseKey()
|
||||
}
|
||||
|
||||
func buildBootstrap(out io.Writer, ctx *renderContext) (err error) {
|
||||
arch := tar.NewWriter(out)
|
||||
defer arch.Close()
|
||||
|
||||
signer, err := getSigner(ctx.Host.ClusterName)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
hash := crypto.SHA512
|
||||
|
||||
sign := func(name string, digest []byte) (err error) {
|
||||
sigBytes, err := signer.Sign(nil, digest, hash)
|
||||
if err != nil {
|
||||
err = fmt.Errorf("signing to %s failed: %w", name, err)
|
||||
return err
|
||||
}
|
||||
|
||||
if err = arch.WriteHeader(&tar.Header{
|
||||
Name: name,
|
||||
Size: int64(len(sigBytes)),
|
||||
Mode: 0o644,
|
||||
}); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
_, err = io.Copy(arch, bytes.NewReader(sigBytes))
|
||||
return
|
||||
}
|
||||
|
||||
// config
|
||||
cfgBytes, cfg, err := ctx.Config()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
err = arch.WriteHeader(&tar.Header{
|
||||
Name: "config.yaml",
|
||||
Size: int64(len(cfgBytes)),
|
||||
Mode: 0o600,
|
||||
})
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
_, err = arch.Write(cfgBytes)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
{
|
||||
h := hash.New()
|
||||
h.Write(cfgBytes)
|
||||
err = sign("config.yaml.sig", h.Sum(nil))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// layers
|
||||
appendSignedLayer := func(layer, layerPath string) (err error) {
|
||||
f, err := os.Open(layerPath)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
defer f.Close()
|
||||
|
||||
stat, err := f.Stat()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
h := hash.New()
|
||||
reader := io.TeeReader(f, h)
|
||||
|
||||
if err = arch.WriteHeader(&tar.Header{
|
||||
Name: layer,
|
||||
Size: stat.Size(),
|
||||
Mode: 0o600,
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
_, err = io.Copy(arch, reader)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
digest := h.Sum(nil)
|
||||
err = sign(layer+".sig", digest)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
allErofs := true
|
||||
|
||||
for _, layer := range cfg.Layers {
|
||||
if layer == "modules" {
|
||||
continue // modules are in the initrd with boot v2
|
||||
}
|
||||
|
||||
if !strings.HasSuffix(ctx.Host.Versions[layer], ".erofs") {
|
||||
allErofs = false
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if allErofs {
|
||||
layerPath, e := layersCombo(ctx.Host, cfg, signer)
|
||||
if e != nil {
|
||||
err = e
|
||||
return
|
||||
}
|
||||
|
||||
if err = appendSignedLayer("merged", layerPath); err != nil {
|
||||
return
|
||||
}
|
||||
} else {
|
||||
for _, layer := range cfg.Layers {
|
||||
if layer == "modules" {
|
||||
continue // modules are in the initrd with boot v2
|
||||
}
|
||||
|
||||
layerPath, e := fetchHostLayer(ctx.Host, layer)
|
||||
if e != nil {
|
||||
err = e
|
||||
return
|
||||
}
|
||||
|
||||
if err = appendSignedLayer(layer+".fs", layerPath); err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func layersCombo(host *localconfig.Host, cfg *config.Config, signer crypto.Signer) (path string, err error) {
|
||||
key := layersComboKey(host, cfg)
|
||||
return opMutex(key, func() (path string, err error) {
|
||||
return buildLayersCombo(host, cfg, signer)
|
||||
})
|
||||
}
|
||||
|
||||
func layersComboKey(host *localconfig.Host, cfg *config.Config) string {
|
||||
key := new(strings.Builder)
|
||||
key.WriteString("layers")
|
||||
for _, layer := range cfg.Layers {
|
||||
if layer == "modules" {
|
||||
continue
|
||||
}
|
||||
key.WriteByte(':')
|
||||
key.WriteString(layer)
|
||||
if v, ok := host.Versions[layer]; ok {
|
||||
key.WriteByte('@')
|
||||
key.WriteString(v)
|
||||
}
|
||||
}
|
||||
|
||||
return key.String()
|
||||
}
|
||||
|
||||
func buildLayersCombo(host *localconfig.Host, cfg *config.Config, signer crypto.Signer) (path string, err error) {
|
||||
path = filepath.Join(*dataDir, "cache")
|
||||
if err = os.MkdirAll(path, 0o700); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
key := layersComboKey(host, cfg)
|
||||
path = filepath.Join(path, key) + ".fs"
|
||||
|
||||
if _, statErr := os.Stat(path); statErr == nil {
|
||||
return // exists -> already done
|
||||
}
|
||||
|
||||
workdir, err := os.MkdirTemp("/tmp", "layers")
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
defer os.RemoveAll(workdir)
|
||||
|
||||
tmpTar := filepath.Join(workdir, "output.tar")
|
||||
|
||||
layers := slices.Clone(cfg.Layers)
|
||||
slices.Reverse(layers)
|
||||
|
||||
cmdOut := new(bytes.Buffer)
|
||||
|
||||
run := func(prog string, arg ...string) bool {
|
||||
cmdOut.Reset()
|
||||
|
||||
cmd := exec.Command(prog, arg...)
|
||||
cmd.Stdout = cmdOut // os.Stdout
|
||||
cmd.Stderr = os.Stderr
|
||||
if e := cmd.Run(); e != nil {
|
||||
err = fmt.Errorf("%s %q failed: %w", cmd.Path, cmd.Args, e)
|
||||
return false
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
for i, layer := range layers {
|
||||
if layer == "modules" {
|
||||
continue // modules are in the initrd with boot v2
|
||||
}
|
||||
|
||||
layerFile, e := fetchHostLayer(host, layer)
|
||||
if e != nil {
|
||||
err = e
|
||||
return
|
||||
}
|
||||
|
||||
mountPoint := filepath.Join(workdir, layer)
|
||||
os.MkdirAll(mountPoint, 0700)
|
||||
|
||||
if e := exec.Command("erofsfuse", layerFile, mountPoint).Run(); e != nil {
|
||||
err = fmt.Errorf("erofsfuse %s %s failed: %w", layerFile, mountPoint, e)
|
||||
return
|
||||
}
|
||||
|
||||
defer func() {
|
||||
if err := exec.Command("umount", mountPoint).Run(); err != nil {
|
||||
log.Printf("umount %s failed: %v", mountPoint, err)
|
||||
}
|
||||
}()
|
||||
|
||||
mode := "--append"
|
||||
if i == 0 {
|
||||
mode = "--create"
|
||||
}
|
||||
|
||||
if !run("tar", mode, "-p", "-f", tmpTar, "-C", mountPoint, ".") {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
fsOut := filepath.Join(workdir, "output.fs")
|
||||
if !run("mkfs.erofs", "-z", "lzma", "-C131072", "-Efragments,ztailpacking",
|
||||
"-T0", "--all-time", "--ignore-mtime", "--tar=f", fsOut, tmpTar) {
|
||||
return
|
||||
}
|
||||
|
||||
hashOut := filepath.Join(workdir, "output.hash")
|
||||
|
||||
if !run("veritysetup", "format", fsOut, hashOut) {
|
||||
return
|
||||
}
|
||||
|
||||
var rootHash []byte
|
||||
for line := range strings.SplitSeq(cmdOut.String(), "\n") {
|
||||
v, ok := strings.CutPrefix(line, "Root hash:")
|
||||
if !ok {
|
||||
continue
|
||||
}
|
||||
v = strings.TrimSpace(v)
|
||||
|
||||
b, e := hex.DecodeString(v)
|
||||
if e != nil {
|
||||
err = fmt.Errorf("invalid root hash: %w", e)
|
||||
return
|
||||
}
|
||||
|
||||
rootHash = b
|
||||
break
|
||||
}
|
||||
|
||||
if len(rootHash) == 0 {
|
||||
err = fmt.Errorf("root hash not found in output")
|
||||
return
|
||||
}
|
||||
|
||||
sigBytes, err := signer.Sign(nil, rootHash, crypto.SHA256)
|
||||
if err != nil {
|
||||
err = fmt.Errorf("root hash signature failed: %w", err)
|
||||
return
|
||||
}
|
||||
|
||||
outPath := path + ".tmp"
|
||||
err = func() (err error) {
|
||||
fsRd, e := os.Open(fsOut)
|
||||
if e != nil {
|
||||
return e
|
||||
}
|
||||
defer fsRd.Close()
|
||||
hashRd, e := os.Open(hashOut)
|
||||
if e != nil {
|
||||
return e
|
||||
}
|
||||
defer hashRd.Close()
|
||||
|
||||
fsStat, e := fsRd.Stat()
|
||||
if e != nil {
|
||||
return e
|
||||
}
|
||||
hashStat, e := hashRd.Stat()
|
||||
if e != nil {
|
||||
return e
|
||||
}
|
||||
|
||||
out, err := os.Create(outPath)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
defer out.Close()
|
||||
|
||||
append := func(sz uint64, rd io.Reader) {
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
szB := make([]byte, 8)
|
||||
binary.BigEndian.PutUint64(szB, sz)
|
||||
_, err = out.Write(szB)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
_, err = io.Copy(out, rd)
|
||||
}
|
||||
|
||||
append(uint64(len(sigBytes)), bytes.NewBuffer(sigBytes))
|
||||
append(uint64(len(rootHash)), bytes.NewBuffer(rootHash))
|
||||
append(uint64(fsStat.Size()), fsRd)
|
||||
append(uint64(hashStat.Size()), hashRd)
|
||||
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
err = out.Close()
|
||||
return
|
||||
}()
|
||||
if err != nil {
|
||||
err = fmt.Errorf("assembly failed: %w", err)
|
||||
return
|
||||
}
|
||||
|
||||
err = os.Rename(outPath, path)
|
||||
return
|
||||
}
|
||||
|
||||
func fetchHostLayer(host *localconfig.Host, layer string) (path string, err error) {
|
||||
layerVersion := host.Versions[layer]
|
||||
if layerVersion == "" {
|
||||
return "", fmt.Errorf("layer %q not mapped to a version", layer)
|
||||
}
|
||||
|
||||
return distFetch("layers", layer, layerVersion)
|
||||
}
|
||||
@@ -0,0 +1,113 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"io/fs"
|
||||
"log"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
)
|
||||
|
||||
func updateCache() {
|
||||
log.Print("updating cache")
|
||||
|
||||
cfg, err := readConfig()
|
||||
if err != nil {
|
||||
log.Printf("update cache failed: read config failed: %v", err)
|
||||
return
|
||||
}
|
||||
|
||||
errs := 0
|
||||
inUse := map[string]bool{}
|
||||
|
||||
fetch := func(path ...string) {
|
||||
assetPath, err := distFetch(path...)
|
||||
if err != nil {
|
||||
log.Printf("update cache: dist fetch failed: %v", err)
|
||||
errs += 1
|
||||
}
|
||||
inUse[assetPath] = true
|
||||
}
|
||||
|
||||
fetch("grub-support", *grubSupportVersion)
|
||||
|
||||
for _, host := range cfg.Hosts {
|
||||
ctx, err := newRenderContext(host, cfg)
|
||||
if err != nil {
|
||||
log.Printf("update cache: %s: build context failed: %v", host.Name, err)
|
||||
errs += 1
|
||||
continue
|
||||
}
|
||||
|
||||
_, cfg, err := ctx.Config()
|
||||
if err != nil {
|
||||
log.Printf("update cache: %s: render config failed: %v", host.Name, err)
|
||||
errs += 1
|
||||
continue
|
||||
}
|
||||
|
||||
signer, err := getSigner(host.ClusterName)
|
||||
if err != nil {
|
||||
log.Printf("update cache: %s: get signer failed: %v", host.Name, err)
|
||||
errs += 1
|
||||
continue
|
||||
}
|
||||
|
||||
fetch("kernels", host.Kernel)
|
||||
fetch("layers", "modules", host.Kernel)
|
||||
fetch("initrd", host.Initrd)
|
||||
|
||||
allErofs := true
|
||||
for layer, version := range host.Versions {
|
||||
fetch("layers", layer, version)
|
||||
|
||||
if layer != "modules" && !strings.HasSuffix(version, ".erofs") {
|
||||
allErofs = false
|
||||
}
|
||||
}
|
||||
|
||||
if allErofs {
|
||||
path, err := layersCombo(host, cfg, signer)
|
||||
if err != nil {
|
||||
log.Printf("update cache: layer combo failed: %v", err)
|
||||
continue
|
||||
}
|
||||
inUse[path] = true
|
||||
}
|
||||
}
|
||||
|
||||
if errs != 0 {
|
||||
log.Printf("update cache: %d errors, not cleaning", errs)
|
||||
return
|
||||
}
|
||||
|
||||
distDir := filepath.Join(*dataDir, "dist")
|
||||
cacheDir := filepath.Join(*dataDir, "cache")
|
||||
|
||||
existing := []string{}
|
||||
|
||||
for _, dir := range []string{distDir, cacheDir} {
|
||||
fs.WalkDir(os.DirFS(dir), ".", func(path string, d fs.DirEntry, err error) error {
|
||||
if err != nil {
|
||||
log.Printf("update cache: walking %s failed: %v", dir, err)
|
||||
return nil
|
||||
}
|
||||
if !d.IsDir() {
|
||||
existing = append(existing, filepath.Join(dir, path))
|
||||
}
|
||||
return nil
|
||||
})
|
||||
}
|
||||
|
||||
log.Printf("update cache: %d/%d assets in use", len(inUse), len(existing))
|
||||
|
||||
for _, path := range existing {
|
||||
if inUse[path] {
|
||||
continue
|
||||
}
|
||||
log.Print("update cache: removing ", path)
|
||||
if err := os.Remove(path); err != nil {
|
||||
log.Print("update cache: failed to remove: ", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,75 +0,0 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"flag"
|
||||
"log"
|
||||
"sort"
|
||||
"time"
|
||||
)
|
||||
|
||||
var (
|
||||
cacheCleanDelay = flag.Duration("cache-clean-delay", 10*time.Minute, "Time between cache cleanups")
|
||||
)
|
||||
|
||||
func casCleaner() {
|
||||
for {
|
||||
err := cleanCAS()
|
||||
if err != nil {
|
||||
log.Print("warn: couldn't clean cache: ", err)
|
||||
}
|
||||
|
||||
time.Sleep(*cacheCleanDelay)
|
||||
}
|
||||
}
|
||||
|
||||
func cleanCAS() error {
|
||||
cfg, err := readConfig()
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
activeTags := make([]string, len(cfg.Hosts))
|
||||
|
||||
for i, host := range cfg.Hosts {
|
||||
// FIXME ugly hack, same as in dir2config
|
||||
cfg, err := readConfig()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
ctx, err := newRenderContext(host, cfg)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
tag, err := ctx.Tag()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
activeTags[i] = tag
|
||||
}
|
||||
|
||||
tags, err := casStore.Tags()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
sort.Strings(activeTags)
|
||||
|
||||
for _, tag := range tags {
|
||||
idx := sort.SearchStrings(activeTags, tag)
|
||||
|
||||
if idx < len(activeTags) && activeTags[idx] == tag {
|
||||
continue
|
||||
}
|
||||
|
||||
// tag is not present in active tags
|
||||
log.Print("cache cleaner: removing tag ", tag)
|
||||
if err := casStore.Remove(tag); err != nil {
|
||||
log.Printf("cache cleaner: failed to remove tag %s: %v", tag, err)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
@@ -1,31 +1,108 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"crypto"
|
||||
"crypto/rand"
|
||||
"crypto/x509"
|
||||
"encoding/base32"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"log"
|
||||
"path"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
cfsslconfig "github.com/cloudflare/cfssl/config"
|
||||
"github.com/cloudflare/cfssl/csr"
|
||||
"github.com/cloudflare/cfssl/helpers"
|
||||
yaml "gopkg.in/yaml.v2"
|
||||
"novit.nc/direktil/pkg/config"
|
||||
|
||||
"novit.tech/direktil/pkg/bootstrapconfig"
|
||||
"novit.tech/direktil/pkg/config"
|
||||
)
|
||||
|
||||
var templateFuncs = map[string]interface{}{
|
||||
"password": func(cluster, name string) (password string, err error) {
|
||||
password = secretData.Password(cluster, name)
|
||||
if len(password) == 0 {
|
||||
err = fmt.Errorf("password %q not defined for cluster %q", name, cluster)
|
||||
}
|
||||
func templateFuncs(sslCfg *cfsslconfig.Config) map[string]any {
|
||||
getKey := func(cluster, caName string) (key crypto.Signer, err error) {
|
||||
ca, err := getUsableClusterCA(cluster, caName)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
key, err = helpers.ParsePrivateKeyPEM(ca.Key)
|
||||
return
|
||||
}
|
||||
getKeyCert := func(cluster, caName, name, profile, label, reqJson string) (kc KeyCert, err error) {
|
||||
certReq := &csr.CertificateRequest{
|
||||
KeyRequest: csr.NewKeyRequest(),
|
||||
}
|
||||
|
||||
err = json.Unmarshal([]byte(reqJson), certReq)
|
||||
if err != nil {
|
||||
log.Print("CSR unmarshal failed on: ", reqJson)
|
||||
return
|
||||
}
|
||||
|
||||
return getUsableKeyCert(cluster, caName, name, profile, label, certReq, sslCfg)
|
||||
}
|
||||
|
||||
hash := func(plain, seed []byte, hashAlg string) (hashed string, err error) {
|
||||
switch hashAlg {
|
||||
case "sha512crypt":
|
||||
return sha512crypt(plain, seed)
|
||||
|
||||
case "bootstrap":
|
||||
return bootstrapconfig.JoinSeedAndHash(seed, bootstrapconfig.PasswordHashFromSeed(seed, plain)), nil
|
||||
|
||||
default:
|
||||
return "", fmt.Errorf("unknown hash alg: %q", hashAlg)
|
||||
}
|
||||
}
|
||||
|
||||
return map[string]any{
|
||||
"quote": strconv.Quote,
|
||||
"yaml": asYaml,
|
||||
"indent": func(s, indent string) string {
|
||||
buf := new(strings.Builder)
|
||||
for _, line := range strings.Split(s, "\n") {
|
||||
buf.WriteString(indent + line + "\n")
|
||||
}
|
||||
return buf.String()
|
||||
},
|
||||
|
||||
"token": func(cluster, name string) (s string, err error) {
|
||||
return secretData.Token(cluster, name)
|
||||
"password": func(cluster, name, hashAlg string) (password string, err error) {
|
||||
key := cluster + "/" + name
|
||||
|
||||
seed, err := seeds.GetOrCreate(key, func() (seed []byte, err error) {
|
||||
seed = make([]byte, 16)
|
||||
_, err = rand.Read(seed)
|
||||
return
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to get seed: %w", err)
|
||||
}
|
||||
|
||||
password, err = clusterPasswords.GetOrCreate(key, func() (password string, err error) {
|
||||
raw := make([]byte, 10)
|
||||
_, err = rand.Read(raw)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to generate password: %w", err)
|
||||
}
|
||||
|
||||
password = strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw))
|
||||
return
|
||||
})
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
return hash([]byte(password), seed, hashAlg)
|
||||
},
|
||||
|
||||
"token": getOrCreateClusterToken,
|
||||
|
||||
"ca_key": func(cluster, name string) (s string, err error) {
|
||||
ca, err := secretData.CA(cluster, name)
|
||||
ca, err := getUsableClusterCA(cluster, name)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
@@ -35,17 +112,27 @@ var templateFuncs = map[string]interface{}{
|
||||
},
|
||||
|
||||
"ca_crt": func(cluster, name string) (s string, err error) {
|
||||
ca, err := secretData.CA(cluster, name)
|
||||
ca, err := getUsableClusterCA(cluster, name)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
s = string(ca.Cert)
|
||||
extra, err := caExtraCerts(cluster, name)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
s = string(ca.Cert) + extra
|
||||
return
|
||||
},
|
||||
|
||||
"ca_dir": func(cluster, name string) (s string, err error) {
|
||||
ca, err := secretData.CA(cluster, name)
|
||||
ca, err := getUsableClusterCA(cluster, name)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
extra, err := caExtraCerts(cluster, name)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
@@ -56,7 +143,7 @@ var templateFuncs = map[string]interface{}{
|
||||
{
|
||||
Path: path.Join(dir, "ca.crt"),
|
||||
Mode: 0644,
|
||||
Content: string(ca.Cert),
|
||||
Content: string(ca.Cert) + extra,
|
||||
},
|
||||
{
|
||||
Path: path.Join(dir, "ca.key"),
|
||||
@@ -76,6 +163,22 @@ var templateFuncs = map[string]interface{}{
|
||||
return
|
||||
},
|
||||
|
||||
"tls_pubkey": func(cluster, caName string) (s string, err error) {
|
||||
priv, err := getKey(cluster, caName)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
ba, err := x509.MarshalPKIXPublicKey(priv.Public())
|
||||
if err != nil {
|
||||
err = fmt.Errorf("marshal public key failed: %w", err)
|
||||
return
|
||||
}
|
||||
|
||||
s = base64.StdEncoding.EncodeToString(ba)
|
||||
return
|
||||
},
|
||||
|
||||
"tls_crt": func(cluster, caName, name, profile, label, reqJson string) (s string, err error) {
|
||||
kc, err := getKeyCert(cluster, caName, name, profile, label, reqJson)
|
||||
if err != nil {
|
||||
@@ -85,80 +188,10 @@ var templateFuncs = map[string]interface{}{
|
||||
s = string(kc.Cert)
|
||||
return
|
||||
},
|
||||
|
||||
"tls_dir": func(dir, cluster, caName, name, profile, label, reqJson string) (s string, err error) {
|
||||
ca, err := secretData.CA(cluster, caName)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
kc, err := getKeyCert(cluster, caName, name, profile, label, reqJson)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
return asYaml([]config.FileDef{
|
||||
{
|
||||
Path: path.Join(dir, "ca.crt"),
|
||||
Mode: 0644,
|
||||
Content: string(ca.Cert),
|
||||
},
|
||||
{
|
||||
Path: path.Join(dir, "tls.crt"),
|
||||
Mode: 0644,
|
||||
Content: string(kc.Cert),
|
||||
},
|
||||
{
|
||||
Path: path.Join(dir, "tls.key"),
|
||||
Mode: 0600,
|
||||
Content: string(kc.Key),
|
||||
},
|
||||
})
|
||||
},
|
||||
|
||||
"ssh_host_keys": func(dir, cluster, host string) (s string, err error) {
|
||||
pairs, err := secretData.SSHKeyPairs(cluster, host)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
files := make([]config.FileDef, 0, len(pairs)*2)
|
||||
|
||||
for _, pair := range pairs {
|
||||
basePath := path.Join(dir, "ssh_host_"+pair.Type+"_key")
|
||||
files = append(files, []config.FileDef{
|
||||
{
|
||||
Path: basePath,
|
||||
Mode: 0600,
|
||||
Content: pair.Private,
|
||||
},
|
||||
{
|
||||
Path: basePath + ".pub",
|
||||
Mode: 0644,
|
||||
Content: pair.Public,
|
||||
},
|
||||
}...)
|
||||
}
|
||||
|
||||
return asYaml(files)
|
||||
},
|
||||
}
|
||||
|
||||
func getKeyCert(cluster, caName, name, profile, label, reqJson string) (kc *KeyCert, err error) {
|
||||
certReq := &csr.CertificateRequest{
|
||||
KeyRequest: csr.NewBasicKeyRequest(),
|
||||
}
|
||||
|
||||
err = json.Unmarshal([]byte(reqJson), certReq)
|
||||
if err != nil {
|
||||
log.Print("CSR unmarshal failed on: ", reqJson)
|
||||
return
|
||||
}
|
||||
|
||||
return secretData.KeyCert(cluster, caName, name, profile, label, certReq)
|
||||
}
|
||||
|
||||
func asYaml(v interface{}) (string, error) {
|
||||
func asYaml(v any) (string, error) {
|
||||
ba, err := yaml.Marshal(v)
|
||||
if err != nil {
|
||||
return "", err
|
||||
|
||||
@@ -4,7 +4,7 @@ import (
|
||||
"flag"
|
||||
"path/filepath"
|
||||
|
||||
"novit.nc/direktil/pkg/localconfig"
|
||||
"novit.tech/direktil/pkg/localconfig"
|
||||
)
|
||||
|
||||
var (
|
||||
|
||||
@@ -6,7 +6,7 @@ import (
|
||||
"encoding/json"
|
||||
)
|
||||
|
||||
func hash(values ...interface{}) string {
|
||||
func hash(values ...any) string {
|
||||
ba, err := json.Marshal(values)
|
||||
if err != nil {
|
||||
panic(err) // should not happen
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
package main
|
||||
|
||||
var hostDownloadTokens = KVSecrets[string]{"hosts/download-tokens"}
|
||||
@@ -0,0 +1,15 @@
|
||||
package main
|
||||
|
||||
func htmlHeader(title string) string {
|
||||
return `<!doctype html>
|
||||
<html>
|
||||
<head>
|
||||
<title>` + title + `</title>
|
||||
<style>@import url('/ui/style.css');@import url('/ui/app.css');</style>
|
||||
</head>
|
||||
<body><h1>` + title + `</h1>
|
||||
`
|
||||
}
|
||||
|
||||
var htmlFooter = `</body>
|
||||
</html>`
|
||||
@@ -0,0 +1,16 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
"m.cluseau.fr/go/httperr"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrNotFound = httperr.NotFound
|
||||
ErrUnauthorized = httperr.StdStatus(http.StatusUnauthorized)
|
||||
ErrForbidden = httperr.StdStatus(http.StatusForbidden)
|
||||
ErrInternal = httperr.StdStatus(http.StatusInternalServerError)
|
||||
ErrInvalidToken = httperr.NewStd(1000, http.StatusForbidden, "invalid token")
|
||||
ErrStoreLocked = httperr.NewStd(1001, http.StatusServiceUnavailable, "store is locked")
|
||||
)
|
||||
@@ -2,20 +2,14 @@ package main
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"log"
|
||||
"net/http"
|
||||
"os"
|
||||
|
||||
cpio "github.com/cavaliercoder/go-cpio"
|
||||
yaml "gopkg.in/yaml.v2"
|
||||
)
|
||||
|
||||
func renderConfig(w http.ResponseWriter, r *http.Request, ctx *renderContext, asJson bool) (err error) {
|
||||
func renderConfig(w http.ResponseWriter, _ *http.Request, ctx *renderContext, asJson bool) (err error) {
|
||||
log.Printf("sending config for %q", ctx.Host.Name)
|
||||
|
||||
_, cfg, err := ctx.Config()
|
||||
cfgBytes, cfg, err := ctx.Config()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -23,89 +17,8 @@ func renderConfig(w http.ResponseWriter, r *http.Request, ctx *renderContext, as
|
||||
if asJson {
|
||||
err = json.NewEncoder(w).Encode(cfg)
|
||||
} else {
|
||||
err = yaml.NewEncoder(w).Encode(cfg)
|
||||
_, err = w.Write(cfgBytes)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func buildInitrd(out io.Writer, ctx *renderContext) error {
|
||||
_, cfg, err := ctx.Config()
|
||||
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// send initrd basis
|
||||
initrdPath, err := ctx.distFetch("initrd", ctx.Host.Initrd)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
err = writeFile(out, initrdPath)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// and our extra archive
|
||||
archive := cpio.NewWriter(out)
|
||||
|
||||
// - required dirs
|
||||
for _, dir := range []string{
|
||||
"boot",
|
||||
"boot/current",
|
||||
"boot/current/layers",
|
||||
} {
|
||||
archive.WriteHeader(&cpio.Header{
|
||||
Name: dir,
|
||||
Mode: 0600 | cpio.ModeDir,
|
||||
})
|
||||
}
|
||||
|
||||
// - the layers
|
||||
for _, layer := range cfg.Layers {
|
||||
layerVersion := ctx.Host.Versions[layer]
|
||||
if layerVersion == "" {
|
||||
return fmt.Errorf("layer %q not mapped to a version", layer)
|
||||
}
|
||||
|
||||
path, err := ctx.distFetch("layers", layer, layerVersion)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
stat, err := os.Stat(path)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
archive.WriteHeader(&cpio.Header{
|
||||
Name: "boot/current/layers/" + layer + ".fs",
|
||||
Mode: 0600,
|
||||
Size: stat.Size(),
|
||||
})
|
||||
|
||||
if err = writeFile(archive, path); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
// - the configuration
|
||||
ba, err := yaml.Marshal(cfg)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
archive.WriteHeader(&cpio.Header{
|
||||
Name: "boot/config.yaml",
|
||||
Mode: 0600,
|
||||
Size: int64(len(ba)),
|
||||
})
|
||||
|
||||
archive.Write(ba)
|
||||
|
||||
// finalize the archive
|
||||
archive.Flush()
|
||||
archive.Close()
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -1,12 +1,14 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"io"
|
||||
"log"
|
||||
"net/http"
|
||||
"os"
|
||||
)
|
||||
|
||||
func renderKernel(w http.ResponseWriter, r *http.Request, ctx *renderContext) error {
|
||||
path, err := ctx.distFetch("kernels", ctx.Host.Kernel)
|
||||
path, err := distFetch("kernels", ctx.Host.Kernel)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -15,3 +17,19 @@ func renderKernel(w http.ResponseWriter, r *http.Request, ctx *renderContext) er
|
||||
http.ServeFile(w, r, path)
|
||||
return nil
|
||||
}
|
||||
|
||||
func fetchKernel(out io.Writer, ctx *renderContext) (err error) {
|
||||
path, err := distFetch("kernels", ctx.Host.Kernel)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
in, err := os.Open(path)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
defer in.Close()
|
||||
|
||||
_, err = io.Copy(out, in)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -4,26 +4,32 @@ import (
|
||||
"flag"
|
||||
"log"
|
||||
"net/http"
|
||||
"path/filepath"
|
||||
"os"
|
||||
|
||||
restful "github.com/emicklei/go-restful"
|
||||
swaggerui "github.com/mcluseau/go-swagger-ui"
|
||||
"novit.nc/direktil/pkg/cas"
|
||||
"m.cluseau.fr/go/watchable/streamsse"
|
||||
|
||||
"novit.nc/direktil/local-server/pkg/apiutils"
|
||||
dlshtml "novit.tech/direktil/local-server/html"
|
||||
"novit.tech/direktil/local-server/pkg/apiutils"
|
||||
)
|
||||
|
||||
const (
|
||||
etcDir = "/etc/direktil"
|
||||
)
|
||||
|
||||
var (
|
||||
Version = "dev"
|
||||
Date = "now"
|
||||
)
|
||||
|
||||
var (
|
||||
address = flag.String("address", ":7606", "HTTP listen address")
|
||||
tlsAddress = flag.String("tls-address", "", "HTTPS listen address")
|
||||
certFile = flag.String("tls-cert", etcDir+"/server.crt", "Server TLS certificate")
|
||||
keyFile = flag.String("tls-key", etcDir+"/server.key", "Server TLS key")
|
||||
|
||||
casStore cas.Store
|
||||
autoUnlock = flag.String("auto-unlock", "", "Auto-unlock store (testing only!) env: DLS_AUTO_UNLOCK")
|
||||
)
|
||||
|
||||
func main() {
|
||||
@@ -35,8 +41,30 @@ func main() {
|
||||
log.Fatal("no listen address given")
|
||||
}
|
||||
|
||||
casStore = cas.NewDir(filepath.Join(*dataDir, "cache"))
|
||||
go casCleaner()
|
||||
log.Print("Direktil local-server version ", Version, " (", Date, ")")
|
||||
wPublicState.Change(func(s *PublicState) { s.ServerVersion = Version })
|
||||
|
||||
computeUIHash()
|
||||
|
||||
openSecretStore()
|
||||
|
||||
{
|
||||
autoUnlock := *autoUnlock
|
||||
if autoUnlock == "" {
|
||||
autoUnlock = os.Getenv("DLS_AUTO_UNLOCK")
|
||||
}
|
||||
if autoUnlock != "" {
|
||||
log.Printf("auto-unlocking the store")
|
||||
err := unlockSecretStore("test", []byte(autoUnlock))
|
||||
if err.Any() {
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
||||
log.Print("store auto-unlocked")
|
||||
}
|
||||
|
||||
os.Setenv("DLS_AUTO_UNLOCK", "")
|
||||
}
|
||||
|
||||
apiutils.Setup(func() {
|
||||
registerWS(restful.DefaultContainer)
|
||||
@@ -44,6 +72,14 @@ func main() {
|
||||
|
||||
swaggerui.HandleAt("/swagger-ui/")
|
||||
|
||||
staticHandler := http.FileServer(http.FS(dlshtml.FS))
|
||||
http.Handle("/favicon.ico", staticHandler)
|
||||
http.Handle("/ui/", staticHandler)
|
||||
http.Handle("/dist/", http.StripPrefix("/dist/", upstreamServer{}))
|
||||
|
||||
http.Handle("/public-state", streamsse.StreamHandler(wPublicState))
|
||||
http.Handle("/state", requireAdmin(streamsse.StreamHandler(wState)))
|
||||
|
||||
if *address != "" {
|
||||
log.Print("HTTP listening on ", *address)
|
||||
go log.Fatal(http.ListenAndServe(*address, nil))
|
||||
|
||||
@@ -0,0 +1,28 @@
|
||||
package main
|
||||
|
||||
import "sync"
|
||||
|
||||
var (
|
||||
opMutexes = map[string]*sync.Mutex{}
|
||||
opsLock sync.Mutex
|
||||
)
|
||||
|
||||
func opMutex[T any](key string, op func() (T, error)) (T, error) {
|
||||
lock := func() *sync.Mutex {
|
||||
opsLock.Lock()
|
||||
defer opsLock.Unlock()
|
||||
|
||||
lock, ok := opMutexes[key]
|
||||
if !ok {
|
||||
lock = new(sync.Mutex)
|
||||
opMutexes[key] = lock
|
||||
}
|
||||
|
||||
return lock
|
||||
}()
|
||||
|
||||
lock.Lock()
|
||||
defer lock.Unlock()
|
||||
|
||||
return op()
|
||||
}
|
||||
@@ -0,0 +1,23 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"time"
|
||||
)
|
||||
|
||||
func Example_parseCertDuration() {
|
||||
now := time.Date(2020, time.April, 28, 12, 30, 0, 0, time.UTC)
|
||||
|
||||
fmt.Println(parseCertDuration("", now))
|
||||
fmt.Println(parseCertDuration("hi!", now))
|
||||
fmt.Println(parseCertDuration("-2d3h", now))
|
||||
fmt.Println(parseCertDuration("2d3h", now))
|
||||
fmt.Println(parseCertDuration("+1y-1s", now))
|
||||
|
||||
// output:
|
||||
// 0001-01-01 00:00:00 +0000 UTC <nil>
|
||||
// 0001-01-01 00:00:00 +0000 UTC invalid duration: "hi!"
|
||||
// 2020-04-26 09:30:00 +0000 UTC <nil>
|
||||
// 2020-04-30 15:30:00 +0000 UTC <nil>
|
||||
// 2021-04-28 12:29:59 +0000 UTC <nil>
|
||||
}
|
||||
@@ -2,40 +2,44 @@ package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/sha1"
|
||||
"crypto/sha256"
|
||||
"encoding/base64"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"log"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"os"
|
||||
"path"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"text/template"
|
||||
"time"
|
||||
|
||||
cfsslconfig "github.com/cloudflare/cfssl/config"
|
||||
"github.com/cloudflare/cfssl/csr"
|
||||
restful "github.com/emicklei/go-restful"
|
||||
yaml "gopkg.in/yaml.v2"
|
||||
|
||||
"novit.nc/direktil/pkg/config"
|
||||
"novit.nc/direktil/pkg/localconfig"
|
||||
"novit.tech/direktil/pkg/config"
|
||||
"novit.tech/direktil/pkg/localconfig"
|
||||
)
|
||||
|
||||
var cmdlineParam = restful.QueryParameter("cmdline", "Linux kernel cmdline addition")
|
||||
|
||||
type renderContext struct {
|
||||
Host *localconfig.Host
|
||||
SSLConfig string
|
||||
SSLConfig *cfsslconfig.Config
|
||||
|
||||
// Linux kernel extra cmdline
|
||||
CmdLine string `yaml:"-"`
|
||||
}
|
||||
|
||||
func renderCtx(w http.ResponseWriter, r *http.Request, ctx *renderContext, what string,
|
||||
create func(out io.Writer, ctx *renderContext) error) error {
|
||||
|
||||
tag, err := ctx.Tag()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
create func(out io.Writer, ctx *renderContext) error) (err error) {
|
||||
|
||||
ctx.CmdLine = r.URL.Query().Get(cmdlineParam.Data().Name)
|
||||
|
||||
@@ -44,27 +48,29 @@ func renderCtx(w http.ResponseWriter, r *http.Request, ctx *renderContext, what
|
||||
}
|
||||
|
||||
// get it or create it
|
||||
content, meta, err := casStore.GetOrCreate(tag, what, func(out io.Writer) error {
|
||||
log.Printf("building %s for %q", what, ctx.Host.Name)
|
||||
return create(out, ctx)
|
||||
})
|
||||
|
||||
outfile, err := os.CreateTemp("/tmp", "dls."+what+".")
|
||||
if err != nil {
|
||||
return err
|
||||
return
|
||||
}
|
||||
|
||||
defer os.Remove(outfile.Name())
|
||||
|
||||
log.Printf("building %s for %q", what, ctx.Host.Name)
|
||||
err = create(outfile, ctx)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
// serve it
|
||||
log.Printf("sending %s for %q", what, ctx.Host.Name)
|
||||
http.ServeContent(w, r, what, meta.ModTime(), content)
|
||||
return nil
|
||||
|
||||
outfile.Seek(0, io.SeekStart)
|
||||
io.Copy(w, outfile)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
var prevSSLConfig = "-"
|
||||
|
||||
func newRenderContext(host *localconfig.Host, cfg *localconfig.Config) (ctx *renderContext, err error) {
|
||||
if prevSSLConfig != cfg.SSLConfig {
|
||||
var sslCfg *cfsslconfig.Config
|
||||
|
||||
func sslConfigFromLocalConfig(cfg *localconfig.Config) (sslCfg *cfsslconfig.Config, err error) {
|
||||
if len(cfg.SSLConfig) == 0 {
|
||||
sslCfg = &cfsslconfig.Config{}
|
||||
} else {
|
||||
@@ -73,25 +79,45 @@ func newRenderContext(host *localconfig.Host, cfg *localconfig.Config) (ctx *ren
|
||||
return
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
err = loadSecretData(sslCfg)
|
||||
func newRenderContext(host *localconfig.Host, cfg *localconfig.Config) (ctx *renderContext, err error) {
|
||||
sslCfg, err := sslConfigFromLocalConfig(cfg)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
prevSSLConfig = cfg.SSLConfig
|
||||
}
|
||||
|
||||
return &renderContext{
|
||||
SSLConfig: cfg.SSLConfig,
|
||||
Host: host,
|
||||
SSLConfig: sslCfg,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (ctx *renderContext) Config() (ba []byte, cfg *config.Config, err error) {
|
||||
ba, err = ctx.render(ctx.Host.Config)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
// log.Print("rendered config:\n", string(ba))
|
||||
|
||||
cfg = &config.Config{}
|
||||
if err = yaml.Unmarshal(ba, cfg); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (ctx *renderContext) BootstrapConfig() (ba []byte, err error) {
|
||||
return ctx.render(ctx.Host.BootstrapConfig)
|
||||
}
|
||||
|
||||
func (ctx *renderContext) render(templateText string) (ba []byte, err error) {
|
||||
tmpl, err := template.New(ctx.Host.Name + "/config").
|
||||
Funcs(templateFuncs).
|
||||
Parse(ctx.Host.Config)
|
||||
Funcs(ctx.TemplateFuncs()).
|
||||
Parse(templateText)
|
||||
|
||||
if err != nil {
|
||||
return
|
||||
@@ -102,25 +128,11 @@ func (ctx *renderContext) Config() (ba []byte, cfg *config.Config, err error) {
|
||||
return
|
||||
}
|
||||
|
||||
if secretData.Changed() {
|
||||
err = secretData.Save()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
ba = buf.Bytes()
|
||||
|
||||
cfg = &config.Config{}
|
||||
|
||||
if err = yaml.Unmarshal(buf.Bytes(), cfg); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (ctx *renderContext) distFilePath(path ...string) string {
|
||||
func distFilePath(path ...string) string {
|
||||
return filepath.Join(append([]string{*dataDir, "dist"}, path...)...)
|
||||
}
|
||||
|
||||
@@ -134,7 +146,7 @@ func (ctx *renderContext) Tag() (string, error) {
|
||||
|
||||
enc := yaml.NewEncoder(h)
|
||||
|
||||
for _, o := range []interface{}{cfg, ctx} {
|
||||
for _, o := range []any{cfg, ctx} {
|
||||
if err := enc.Encode(o); err != nil {
|
||||
return "", err
|
||||
}
|
||||
@@ -143,17 +155,213 @@ func (ctx *renderContext) Tag() (string, error) {
|
||||
return hex.EncodeToString(h.Sum(nil)), nil
|
||||
}
|
||||
|
||||
func asMap(v interface{}) map[string]interface{} {
|
||||
ba, err := yaml.Marshal(v)
|
||||
func (ctx *renderContext) TemplateFuncs() map[string]any {
|
||||
funcs := templateFuncs(ctx.SSLConfig)
|
||||
|
||||
// FIXME duplicate from cluster-render-context
|
||||
getKeyCert := func(cluster, caName, name, profile, label, reqJson string) (kc KeyCert, err error) {
|
||||
certReq := &csr.CertificateRequest{
|
||||
KeyRequest: csr.NewKeyRequest(),
|
||||
}
|
||||
|
||||
err = json.Unmarshal([]byte(reqJson), certReq)
|
||||
if err != nil {
|
||||
panic(err) // shouldn't happen
|
||||
log.Print("CSR unmarshal failed on: ", reqJson)
|
||||
return
|
||||
}
|
||||
|
||||
result := make(map[string]interface{})
|
||||
|
||||
if err := yaml.Unmarshal(ba, result); err != nil {
|
||||
panic(err) // shouldn't happen
|
||||
return getUsableKeyCert(cluster, caName, name, profile, label, certReq, ctx.SSLConfig)
|
||||
}
|
||||
|
||||
return result
|
||||
for name, method := range map[string]any{
|
||||
"base64": func(input string) string {
|
||||
return base64.StdEncoding.EncodeToString([]byte(input))
|
||||
},
|
||||
|
||||
"host_ip": func() (s string) {
|
||||
return ctx.Host.IPs[0]
|
||||
},
|
||||
"host_name": func() (s string) {
|
||||
return ctx.Host.Name
|
||||
},
|
||||
"machine_id": func() (s string) {
|
||||
ba := sha1.Sum([]byte(ctx.Host.ClusterName + "/" + ctx.Host.Name))
|
||||
return hex.EncodeToString(ba[:])
|
||||
},
|
||||
|
||||
"tls_dir": func(dir, cluster, caName, name, profile, label, reqJson string) (s string, err error) {
|
||||
ca, err := getUsableClusterCA(cluster, caName)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
reqJson = strings.ReplaceAll(reqJson, "${host_ip}", ctx.Host.IPs[0])
|
||||
reqJson = strings.ReplaceAll(reqJson, "${host_name}", ctx.Host.Name)
|
||||
|
||||
kc, err := getKeyCert(cluster, caName, name, profile, label, reqJson)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
return asYaml([]config.FileDef{
|
||||
{
|
||||
Path: path.Join(dir, "ca.crt"),
|
||||
Mode: 0644,
|
||||
Content: string(ca.Cert),
|
||||
},
|
||||
{
|
||||
Path: path.Join(dir, "tls.crt"),
|
||||
Mode: 0644,
|
||||
Content: string(kc.Cert),
|
||||
},
|
||||
{
|
||||
Path: path.Join(dir, "tls.key"),
|
||||
Mode: 0600,
|
||||
Content: string(kc.Key),
|
||||
},
|
||||
})
|
||||
},
|
||||
|
||||
"ssh_user_ca": func(path, cluster string) (s string, err error) {
|
||||
userCA, err := sshCAPubKey(cluster)
|
||||
return asYaml([]config.FileDef{{
|
||||
Path: path,
|
||||
Mode: 0644,
|
||||
Content: string(userCA),
|
||||
}})
|
||||
},
|
||||
"ssh_user_ca_pub": func(cluster string) (s string, err error) {
|
||||
userCA, err := sshCAPubKey(cluster)
|
||||
return string(userCA), err
|
||||
},
|
||||
"ssh_host_keys": func(dir, cluster, host string) (s string, err error) {
|
||||
if host == "" {
|
||||
host = ctx.Host.Name
|
||||
}
|
||||
if host != ctx.Host.Name {
|
||||
err = fmt.Errorf("wrong host name")
|
||||
return
|
||||
}
|
||||
|
||||
pairs, err := getSSHKeyPairs(host)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
files := make([]config.FileDef, 0, len(pairs)*2)
|
||||
|
||||
for _, pair := range pairs {
|
||||
basePath := path.Join(dir, "ssh_host_"+pair.Type+"_key")
|
||||
files = append(files, []config.FileDef{
|
||||
{
|
||||
Path: basePath,
|
||||
Mode: 0600,
|
||||
Content: pair.Private,
|
||||
},
|
||||
{
|
||||
Path: basePath + ".pub",
|
||||
Mode: 0644,
|
||||
Content: pair.Public,
|
||||
},
|
||||
}...)
|
||||
}
|
||||
|
||||
return asYaml(files)
|
||||
},
|
||||
"ssh_host_key": func(type_ string) (s string, err error) {
|
||||
pair, err := ctx.sshHostKeyPair(type_)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
return pair.Private, nil
|
||||
},
|
||||
"ssh_host_pubkey": func(type_ string) (s string, err error) {
|
||||
pair, err := ctx.sshHostKeyPair(type_)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
return pair.Public, nil
|
||||
},
|
||||
"host_download_token": func() (token string, err error) {
|
||||
key := ctx.Host.Name
|
||||
token, found, err := hostDownloadTokens.Get(key)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
if !found {
|
||||
token, err = newToken(32)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
err = hostDownloadTokens.Put(key, token)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
},
|
||||
"asset_download_token": func(asset string, params ...string) (token string, err error) {
|
||||
now := time.Now()
|
||||
exp := now.Add(24 * time.Hour) // expire in 24h by default
|
||||
if len(params) != 0 {
|
||||
exp, err = parseCertDuration(params[0], now)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
set := DownloadSet{
|
||||
Expiry: exp,
|
||||
Items: []DownloadSetItem{
|
||||
{
|
||||
Kind: "host",
|
||||
Name: ctx.Host.Name,
|
||||
Assets: []string{asset},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
privKey, _ := dlsSigningKeys()
|
||||
token = set.Signed(privKey)
|
||||
|
||||
return
|
||||
},
|
||||
"wg_key": func(name string) (key string, err error) {
|
||||
return wgKey(name + "/hosts/" + ctx.Host.Name)
|
||||
},
|
||||
"wg_psk": func(name, peerName string) (key string, err error) {
|
||||
a := ctx.Host.Name
|
||||
b := peerName
|
||||
if a > b {
|
||||
a, b = b, a
|
||||
}
|
||||
return wgKey(name + "/psks/" + a + " " + b)
|
||||
},
|
||||
"wg_pubkey": func(name, host string) (key string, err error) {
|
||||
return wgKey(name + "/hosts/" + host)
|
||||
},
|
||||
} {
|
||||
funcs[name] = method
|
||||
}
|
||||
|
||||
return funcs
|
||||
}
|
||||
|
||||
func (ctx *renderContext) sshHostKeyPair(type_ string) (kp SSHKeyPair, err error) {
|
||||
pairs, err := getSSHKeyPairs(ctx.Host.Name)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
for _, pair := range pairs {
|
||||
if pair.Type == type_ {
|
||||
return pair, nil
|
||||
}
|
||||
}
|
||||
|
||||
err = fmt.Errorf("no key pair with type %q", type_)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -0,0 +1,399 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"log"
|
||||
"net/http"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"sort"
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
restful "github.com/emicklei/go-restful"
|
||||
"m.cluseau.fr/go/httperr"
|
||||
|
||||
"novit.tech/direktil/local-server/secretstore"
|
||||
)
|
||||
|
||||
var secStore *secretstore.Store
|
||||
|
||||
func secStoreRoot() string { return filepath.Join(*dataDir, "secrets") }
|
||||
func secStorePath(name string) string { return filepath.Join(secStoreRoot(), name) }
|
||||
func secKeysStorePath() string { return secStorePath(".keys") }
|
||||
|
||||
func openSecretStore() {
|
||||
var err error
|
||||
|
||||
keysPath := secKeysStorePath()
|
||||
|
||||
if err := os.MkdirAll(filepath.Dir(filepath.Dir(keysPath)), 0755); err != nil {
|
||||
log.Fatal("failed to create dirs: ", err)
|
||||
}
|
||||
|
||||
if err := os.MkdirAll(filepath.Dir(keysPath), 0700); err != nil {
|
||||
log.Fatal("failed to secret store dir: ", err)
|
||||
}
|
||||
|
||||
secStore, err = secretstore.Open(keysPath)
|
||||
|
||||
switch {
|
||||
case err == nil:
|
||||
wPublicState.Change(func(v *PublicState) {
|
||||
v.Store.New = false
|
||||
v.Store.Open = false
|
||||
})
|
||||
|
||||
case os.IsNotExist(err):
|
||||
secStore = secretstore.New()
|
||||
wPublicState.Change(func(v *PublicState) {
|
||||
v.Store.New = true
|
||||
v.Store.Open = false
|
||||
})
|
||||
|
||||
default:
|
||||
log.Fatal("failed to open keys store: ", err)
|
||||
}
|
||||
}
|
||||
|
||||
var (
|
||||
unlockMutex = sync.Mutex{}
|
||||
|
||||
ErrStoreAlreadyUnlocked = httperr.NewStd(1, http.StatusConflict, "store already unlocked")
|
||||
ErrInvalidPassphrase = httperr.NewStd(2, http.StatusBadRequest, "invalid passphrase")
|
||||
)
|
||||
|
||||
func unlockSecretStore(name string, passphrase []byte) (err httperr.Error) {
|
||||
unlockMutex.Lock()
|
||||
defer unlockMutex.Unlock()
|
||||
|
||||
if secStore.Unlocked() {
|
||||
return ErrStoreAlreadyUnlocked
|
||||
}
|
||||
|
||||
if secStore.IsNew() {
|
||||
err := secStore.Init(name, passphrase)
|
||||
if err != nil {
|
||||
return httperr.Internal(err)
|
||||
}
|
||||
|
||||
err = secStore.SaveTo(secKeysStorePath())
|
||||
if err != nil {
|
||||
log.Print("secret store save error: ", err)
|
||||
secStore.Close()
|
||||
|
||||
return httperr.Internal(err)
|
||||
}
|
||||
|
||||
} else {
|
||||
if !secStore.Unlock([]byte(passphrase)) {
|
||||
return ErrInvalidPassphrase
|
||||
}
|
||||
}
|
||||
|
||||
token := ""
|
||||
if err := readSecret("admin-token", &token); err != nil {
|
||||
if !os.IsNotExist(err) {
|
||||
log.Print("failed to read admin token: ", err)
|
||||
secStore.Close()
|
||||
|
||||
return httperr.Internal(err)
|
||||
}
|
||||
|
||||
token, err = newToken(32)
|
||||
if err != nil {
|
||||
secStore.Close()
|
||||
return httperr.Internal(err)
|
||||
}
|
||||
|
||||
err = writeSecret("admin-token", token)
|
||||
if err != nil {
|
||||
log.Print("write error: ", err)
|
||||
secStore.Close()
|
||||
|
||||
return httperr.Internal(err)
|
||||
}
|
||||
|
||||
log.Print("wrote new admin token")
|
||||
}
|
||||
|
||||
adminToken = token
|
||||
|
||||
{
|
||||
token, err := newToken(16)
|
||||
if err != nil {
|
||||
secStore.Close()
|
||||
return httperr.Internal(err)
|
||||
}
|
||||
|
||||
wState.Change(func(v *State) {
|
||||
v.Store.DownloadToken = token
|
||||
})
|
||||
}
|
||||
|
||||
wPublicState.Change(func(v *PublicState) {
|
||||
v.Store.New = false
|
||||
v.Store.Open = true
|
||||
})
|
||||
|
||||
go updateState()
|
||||
|
||||
migrateSecrets() // we can probably remove it now
|
||||
go updateCache()
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func readSecret(name string, value any) (err error) {
|
||||
f, err := os.Open(secStorePath(name + ".data"))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
defer f.Close()
|
||||
|
||||
in, err := secStore.NewReader(f)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
return json.NewDecoder(in).Decode(value)
|
||||
}
|
||||
|
||||
func writeSecret(name string, value any) (err error) {
|
||||
path := secStorePath(name + ".data.new")
|
||||
|
||||
if err = os.MkdirAll(filepath.Dir(path), 0700); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
f, err := os.Create(path)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
err = func() (err error) {
|
||||
defer f.Close()
|
||||
|
||||
out, err := secStore.NewWriter(f)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
return json.NewEncoder(out).Encode(value)
|
||||
}()
|
||||
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
err = os.Rename(f.Name(), secStorePath(name+".data"))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
go updateState()
|
||||
return
|
||||
}
|
||||
|
||||
var secL sync.Mutex
|
||||
|
||||
func updateSecret[T any](name string, update func(*T)) (err error) {
|
||||
secL.Lock()
|
||||
defer secL.Unlock()
|
||||
|
||||
v := new(T)
|
||||
err = readSecret(name, v)
|
||||
if err != nil {
|
||||
if !os.IsNotExist(err) {
|
||||
return
|
||||
}
|
||||
err = nil
|
||||
}
|
||||
|
||||
update(v)
|
||||
|
||||
return writeSecret(name, *v)
|
||||
}
|
||||
|
||||
func updateSecretWithKey[T any](name, key string, update func(v *T)) (err error) {
|
||||
secL.Lock()
|
||||
defer secL.Unlock()
|
||||
|
||||
kvs := map[string]*T{}
|
||||
|
||||
err = readSecret(name, &kvs)
|
||||
if err != nil {
|
||||
if !os.IsNotExist(err) {
|
||||
return
|
||||
}
|
||||
err = nil
|
||||
}
|
||||
|
||||
update(kvs[key])
|
||||
|
||||
return writeSecret(name, kvs)
|
||||
}
|
||||
|
||||
type KVSecrets[T any] struct{ Name string }
|
||||
|
||||
func (s KVSecrets[T]) Data() (kvs map[string]T, err error) {
|
||||
kvs = make(map[string]T)
|
||||
err = readSecret(s.Name, &kvs)
|
||||
if err != nil {
|
||||
if !os.IsNotExist(err) {
|
||||
return
|
||||
}
|
||||
err = nil
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
type KV[T any] struct {
|
||||
K string
|
||||
V T
|
||||
}
|
||||
|
||||
func (s KVSecrets[T]) List(prefix string) (list []KV[T], err error) {
|
||||
data, err := s.Data()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
list = make([]KV[T], 0, len(data))
|
||||
|
||||
for k, v := range data {
|
||||
if !strings.HasPrefix(k, prefix) {
|
||||
continue
|
||||
}
|
||||
list = append(list, KV[T]{k, v})
|
||||
}
|
||||
|
||||
sort.Slice(list, func(i, j int) bool { return list[i].K < list[j].K })
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (s KVSecrets[T]) Keys(prefix string) (keys []string, err error) {
|
||||
kvs, err := s.Data()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
keys = make([]string, 0, len(kvs))
|
||||
|
||||
for k := range kvs {
|
||||
if !strings.HasPrefix(k, prefix) {
|
||||
continue
|
||||
}
|
||||
keys = append(keys, k[len(prefix):])
|
||||
}
|
||||
|
||||
sort.Strings(keys)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (s KVSecrets[T]) Get(key string) (v T, found bool, err error) {
|
||||
kvs, err := s.Data()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
v, found = kvs[key]
|
||||
return
|
||||
}
|
||||
|
||||
func (s KVSecrets[T]) Put(key string, v T) (err error) {
|
||||
secL.Lock()
|
||||
defer secL.Unlock()
|
||||
|
||||
kvs, err := s.Data()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
kvs[key] = v
|
||||
err = writeSecret(s.Name, kvs)
|
||||
return
|
||||
}
|
||||
|
||||
func (s KVSecrets[T]) Del(key string) (err error) {
|
||||
secL.Lock()
|
||||
defer secL.Unlock()
|
||||
|
||||
kvs, err := s.Data()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
delete(kvs, key)
|
||||
err = writeSecret(s.Name, kvs)
|
||||
return
|
||||
}
|
||||
|
||||
func (s KVSecrets[T]) GetOrCreate(key string, create func() (T, error)) (v T, err error) {
|
||||
v, found, err := s.Get(key)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
if !found {
|
||||
v, err = create()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
err = s.Put(key, v)
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (s KVSecrets[T]) WsList(resp *restful.Response, prefix string) {
|
||||
keys, err := s.Keys(prefix)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
resp.WriteEntity(keys)
|
||||
}
|
||||
|
||||
func (s KVSecrets[T]) WsGet(resp *restful.Response, key string) {
|
||||
keys, found, err := s.Get(key)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
if !found {
|
||||
wsNotFound(resp)
|
||||
return
|
||||
}
|
||||
|
||||
resp.WriteEntity(keys)
|
||||
}
|
||||
|
||||
func (s KVSecrets[T]) WsPut(req *restful.Request, resp *restful.Response, key string) {
|
||||
v := new(T)
|
||||
err := req.ReadEntity(v)
|
||||
if err != nil {
|
||||
wsBadRequest(resp, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
err = s.Put(key, *v)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
func (s KVSecrets[T]) WsDel(req *restful.Request, resp *restful.Response, key string) {
|
||||
err := s.Del(key)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,88 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"log"
|
||||
"os"
|
||||
|
||||
cfsslconfig "github.com/cloudflare/cfssl/config"
|
||||
)
|
||||
|
||||
func migrateSecrets() {
|
||||
if _, err := os.Stat(secretDataPath()); err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
return
|
||||
}
|
||||
|
||||
log.Print("not migrating old secrets: ", err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
log.Print("migrating old secrets")
|
||||
|
||||
log := log.New(log.Default().Writer(), "secrets migration: ", log.Flags()|log.Lmsgprefix)
|
||||
|
||||
// load secrets
|
||||
cfg, err := readConfig()
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
return
|
||||
}
|
||||
|
||||
var sslCfg *cfsslconfig.Config
|
||||
|
||||
if len(cfg.SSLConfig) == 0 {
|
||||
sslCfg = &cfsslconfig.Config{}
|
||||
} else {
|
||||
sslCfg, err = cfsslconfig.LoadConfig([]byte(cfg.SSLConfig))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
secretData, err := loadSecretData(sslCfg)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
return
|
||||
}
|
||||
|
||||
for clusterName, cluster := range secretData.clusters {
|
||||
for k, v := range cluster.Tokens {
|
||||
err = clusterTokens.Put(clusterName+"/"+k, v)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
for k, v := range cluster.Passwords {
|
||||
err = clusterPasswords.Put(clusterName+"/"+k, v)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
for caName, ca := range cluster.CAs {
|
||||
clusterCAs.Put(clusterName+"/"+caName, CA{Key: ca.Key, Cert: ca.Cert})
|
||||
|
||||
for signedName, signed := range ca.Signed {
|
||||
err = clusterCASignedKeys.Put(clusterName+"/"+caName+"/"+signedName, *signed)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
for hostName, pairs := range cluster.SSHKeyPairs {
|
||||
err = sshHostKeys.Put(hostName, pairs)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if err := os.Rename(secretDataPath(), secretDataPath()+".migrated"); err != nil {
|
||||
log.Fatal("failed to rename migrated secrets: ", err)
|
||||
}
|
||||
}
|
||||
+21
-330
@@ -1,46 +1,21 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"crypto"
|
||||
"crypto/rand"
|
||||
"crypto/x509"
|
||||
"encoding/base32"
|
||||
"crypto/ed25519"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"sort"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/cespare/xxhash"
|
||||
"github.com/cloudflare/cfssl/certinfo"
|
||||
"github.com/cloudflare/cfssl/config"
|
||||
"github.com/cloudflare/cfssl/csr"
|
||||
"github.com/cloudflare/cfssl/helpers"
|
||||
"github.com/cloudflare/cfssl/initca"
|
||||
"github.com/cloudflare/cfssl/helpers/derhelpers"
|
||||
"github.com/cloudflare/cfssl/log"
|
||||
"github.com/cloudflare/cfssl/signer"
|
||||
"github.com/cloudflare/cfssl/signer/local"
|
||||
"k8s.io/apimachinery/pkg/util/validation"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
)
|
||||
|
||||
var (
|
||||
secretData *SecretData
|
||||
DontSave = false
|
||||
)
|
||||
|
||||
type SecretData struct {
|
||||
l sync.Mutex
|
||||
|
||||
prevHash uint64
|
||||
|
||||
clusters map[string]*ClusterSecrets
|
||||
changed bool
|
||||
config *config.Config
|
||||
}
|
||||
|
||||
@@ -51,13 +26,6 @@ type ClusterSecrets struct {
|
||||
SSHKeyPairs map[string][]SSHKeyPair
|
||||
}
|
||||
|
||||
type CA struct {
|
||||
Key []byte
|
||||
Cert []byte
|
||||
|
||||
Signed map[string]*KeyCert
|
||||
}
|
||||
|
||||
type KeyCert struct {
|
||||
Key []byte
|
||||
Cert []byte
|
||||
@@ -68,21 +36,18 @@ func secretDataPath() string {
|
||||
return filepath.Join(*dataDir, "secret-data.json")
|
||||
}
|
||||
|
||||
func loadSecretData(config *config.Config) (err error) {
|
||||
func loadSecretData(config *config.Config) (sd *SecretData, err error) {
|
||||
log.Info("Loading secret data")
|
||||
|
||||
sd := &SecretData{
|
||||
sd = &SecretData{
|
||||
clusters: make(map[string]*ClusterSecrets),
|
||||
changed: false,
|
||||
config: config,
|
||||
}
|
||||
|
||||
ba, err := ioutil.ReadFile(secretDataPath())
|
||||
ba, err := os.ReadFile(secretDataPath())
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
sd.changed = true
|
||||
err = nil
|
||||
secretData = sd
|
||||
return
|
||||
}
|
||||
return
|
||||
@@ -92,209 +57,6 @@ func loadSecretData(config *config.Config) (err error) {
|
||||
return
|
||||
}
|
||||
|
||||
sd.prevHash = xxhash.Sum64(ba)
|
||||
|
||||
secretData = sd
|
||||
return
|
||||
}
|
||||
|
||||
func (sd *SecretData) Changed() bool {
|
||||
return sd.changed
|
||||
}
|
||||
|
||||
func (sd *SecretData) Save() (err error) {
|
||||
if DontSave {
|
||||
return
|
||||
}
|
||||
|
||||
sd.l.Lock()
|
||||
defer sd.l.Unlock()
|
||||
|
||||
ba, err := json.Marshal(sd.clusters)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
h := xxhash.Sum64(ba)
|
||||
if h == sd.prevHash {
|
||||
return
|
||||
}
|
||||
|
||||
log.Info("Saving secret data")
|
||||
err = ioutil.WriteFile(secretDataPath(), ba, 0600)
|
||||
|
||||
if err == nil {
|
||||
sd.prevHash = h
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func newClusterSecrets() *ClusterSecrets {
|
||||
return &ClusterSecrets{
|
||||
CAs: make(map[string]*CA),
|
||||
Tokens: make(map[string]string),
|
||||
Passwords: make(map[string]string),
|
||||
}
|
||||
}
|
||||
|
||||
func (sd *SecretData) cluster(name string) (cs *ClusterSecrets) {
|
||||
cs, ok := sd.clusters[name]
|
||||
if ok {
|
||||
return
|
||||
}
|
||||
|
||||
sd.l.Lock()
|
||||
defer sd.l.Unlock()
|
||||
|
||||
log.Info("secret-data: new cluster: ", name)
|
||||
|
||||
cs = newClusterSecrets()
|
||||
sd.clusters[name] = cs
|
||||
sd.changed = true
|
||||
return
|
||||
}
|
||||
|
||||
func (sd *SecretData) Passwords(cluster string) (passwords []string) {
|
||||
cs := sd.cluster(cluster)
|
||||
|
||||
passwords = make([]string, 0, len(cs.Passwords))
|
||||
for name := range cs.Passwords {
|
||||
passwords = append(passwords, name)
|
||||
}
|
||||
|
||||
sort.Strings(passwords)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (sd *SecretData) Password(cluster, name string) (password string) {
|
||||
cs := sd.cluster(cluster)
|
||||
|
||||
if cs.Passwords == nil {
|
||||
cs.Passwords = make(map[string]string)
|
||||
}
|
||||
|
||||
password = cs.Passwords[name]
|
||||
return
|
||||
}
|
||||
|
||||
func (sd *SecretData) SetPassword(cluster, name, password string) {
|
||||
cs := sd.cluster(cluster)
|
||||
|
||||
if cs.Passwords == nil {
|
||||
cs.Passwords = make(map[string]string)
|
||||
}
|
||||
|
||||
cs.Passwords[name] = password
|
||||
sd.changed = true
|
||||
}
|
||||
|
||||
func (sd *SecretData) Token(cluster, name string) (token string, err error) {
|
||||
cs := sd.cluster(cluster)
|
||||
|
||||
token = cs.Tokens[name]
|
||||
if token != "" {
|
||||
return
|
||||
}
|
||||
|
||||
sd.l.Lock()
|
||||
defer sd.l.Unlock()
|
||||
|
||||
log.Info("secret-data: new token in cluster ", cluster, ": ", name)
|
||||
|
||||
b := make([]byte, 16)
|
||||
_, err = rand.Read(b)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
token = base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b)
|
||||
|
||||
cs.Tokens[name] = token
|
||||
sd.changed = true
|
||||
return
|
||||
}
|
||||
|
||||
func (sd *SecretData) RenewCACert(cluster, name string) (err error) {
|
||||
cs := sd.cluster(cluster)
|
||||
|
||||
ca := cs.CAs[name]
|
||||
|
||||
var cert *x509.Certificate
|
||||
cert, err = helpers.ParseCertificatePEM(ca.Cert)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
var signer crypto.Signer
|
||||
signer, err = helpers.ParsePrivateKeyPEM(ca.Key)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
newCert, err := initca.RenewFromSigner(cert, signer)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
sd.l.Lock()
|
||||
defer sd.l.Unlock()
|
||||
|
||||
cs.CAs[name].Cert = newCert
|
||||
sd.changed = true
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (sd *SecretData) CA(cluster, name string) (ca *CA, err error) {
|
||||
cs := sd.cluster(cluster)
|
||||
|
||||
ca, ok := cs.CAs[name]
|
||||
if ok {
|
||||
checkErr := checkCertUsable(ca.Cert)
|
||||
if checkErr != nil {
|
||||
log.Infof("secret-data cluster %s: CA %s: regenerating certificate: %v", cluster, name, checkErr)
|
||||
|
||||
err = sd.RenewCACert(cluster, name)
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
sd.l.Lock()
|
||||
defer sd.l.Unlock()
|
||||
|
||||
log.Info("secret-data: new CA in cluster ", cluster, ": ", name)
|
||||
|
||||
req := &csr.CertificateRequest{
|
||||
CN: "Direktil Local Server",
|
||||
KeyRequest: &csr.BasicKeyRequest{
|
||||
A: "ecdsa",
|
||||
S: 521, // 256, 384, 521
|
||||
},
|
||||
Names: []csr.Name{
|
||||
{
|
||||
C: "NC",
|
||||
O: "novit.nc",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
cert, _, key, err := initca.New(req)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
ca = &CA{
|
||||
Key: key,
|
||||
Cert: cert,
|
||||
Signed: make(map[string]*KeyCert),
|
||||
}
|
||||
|
||||
cs.CAs[name] = ca
|
||||
sd.changed = true
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
@@ -314,103 +76,32 @@ func checkCertUsable(certPEM []byte) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (sd *SecretData) KeyCert(cluster, caName, name, profile, label string, req *csr.CertificateRequest) (kc *KeyCert, err error) {
|
||||
for idx, host := range req.Hosts {
|
||||
if ip := net.ParseIP(host); ip != nil {
|
||||
// valid IP (v4 or v6)
|
||||
continue
|
||||
}
|
||||
func dlsSigningKeys() (ed25519.PrivateKey, ed25519.PublicKey) {
|
||||
var signerDER []byte
|
||||
|
||||
if host == "*" {
|
||||
continue
|
||||
}
|
||||
|
||||
if errs := validation.IsDNS1123Subdomain(host); len(errs) == 0 {
|
||||
continue
|
||||
}
|
||||
if errs := validation.IsWildcardDNS1123Subdomain(host); len(errs) == 0 {
|
||||
continue
|
||||
}
|
||||
|
||||
path := field.NewPath(cluster, name, "hosts").Index(idx)
|
||||
return nil, fmt.Errorf("%v: %q is not an IP or FQDN", path, host)
|
||||
}
|
||||
|
||||
if req.CA != nil {
|
||||
err = errors.New("no CA section allowed here")
|
||||
return
|
||||
}
|
||||
|
||||
ca, err := sd.CA(cluster, caName)
|
||||
if err := readSecret("signer", &signerDER); os.IsNotExist(err) {
|
||||
_, key, err := ed25519.GenerateKey(nil)
|
||||
if err != nil {
|
||||
return
|
||||
panic(err)
|
||||
}
|
||||
|
||||
logPrefix := fmt.Sprintf("secret-data: cluster %s: CA %s:", cluster, caName)
|
||||
|
||||
rh := hash(req)
|
||||
kc, ok := ca.Signed[name]
|
||||
if ok && rh == kc.ReqHash {
|
||||
err = checkCertUsable(kc.Cert)
|
||||
if err == nil {
|
||||
return
|
||||
}
|
||||
log.Infof("%s regenerating certificate: ", err)
|
||||
|
||||
} else if ok {
|
||||
log.Infof("%s CSR changed for %s: hash=%q previous=%q", name, rh, kc.ReqHash)
|
||||
} else {
|
||||
log.Infof("%s new CSR for %s", logPrefix, name)
|
||||
}
|
||||
|
||||
sd.l.Lock()
|
||||
defer sd.l.Unlock()
|
||||
|
||||
sgr, err := ca.Signer(sd.config.Signing)
|
||||
signerDER, err = derhelpers.MarshalEd25519PrivateKey(key)
|
||||
if err != nil {
|
||||
return
|
||||
panic(err)
|
||||
}
|
||||
|
||||
generator := &csr.Generator{Validator: func(_ *csr.CertificateRequest) error { return nil }}
|
||||
writeSecret("signer", signerDER)
|
||||
} else if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
csr, key, err := generator.ProcessRequest(req)
|
||||
pkeyGeneric, err := derhelpers.ParseEd25519PrivateKey(signerDER)
|
||||
if err != nil {
|
||||
return
|
||||
panic(err)
|
||||
}
|
||||
|
||||
signReq := signer.SignRequest{
|
||||
Request: string(csr),
|
||||
Profile: profile,
|
||||
Label: label,
|
||||
}
|
||||
pkey := pkeyGeneric.(ed25519.PrivateKey)
|
||||
pubkey := pkey.Public().(ed25519.PublicKey)
|
||||
|
||||
cert, err := sgr.Sign(signReq)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
kc = &KeyCert{
|
||||
Key: key,
|
||||
Cert: cert,
|
||||
ReqHash: rh,
|
||||
}
|
||||
|
||||
ca.Signed[name] = kc
|
||||
sd.changed = true
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (ca *CA) Signer(policy *config.Signing) (result *local.Signer, err error) {
|
||||
caCert, err := helpers.ParseCertificatePEM(ca.Cert)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
caKey, err := helpers.ParsePrivateKeyPEM(ca.Key)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
return local.NewSigner(caKey, caCert, signer.DefaultSigAlgo(caKey), policy)
|
||||
return pkey, pubkey
|
||||
}
|
||||
|
||||
@@ -0,0 +1,39 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
|
||||
crypthash "github.com/sergeymakinen/go-crypt/hash"
|
||||
"github.com/sergeymakinen/go-crypt/sha512"
|
||||
)
|
||||
|
||||
// for some reason, no implementation of crypt's sha512 is clean enough :(
|
||||
|
||||
func sha512crypt(password, seed []byte) (string, error) {
|
||||
// loose salt entropy because of character restriction in the salt
|
||||
salt := []byte(base64.RawStdEncoding.EncodeToString(seed))[:sha512.MaxSaltLength]
|
||||
// - base64 allows '+' where the salt accepts '.'
|
||||
for i, c := range salt {
|
||||
if c == '+' {
|
||||
salt[i] = '.'
|
||||
}
|
||||
}
|
||||
|
||||
scheme := struct {
|
||||
HashPrefix string
|
||||
Rounds uint32 `hash:"param:rounds,omitempty"`
|
||||
Salt []byte
|
||||
Sum [86]byte
|
||||
}{
|
||||
HashPrefix: sha512.Prefix,
|
||||
Rounds: sha512.DefaultRounds,
|
||||
Salt: salt,
|
||||
}
|
||||
|
||||
key, err := sha512.Key([]byte(password), scheme.Salt, scheme.Rounds)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
crypthash.LittleEndianEncoding.Encode(scheme.Sum[:], key)
|
||||
return crypthash.Marshal(scheme)
|
||||
}
|
||||
@@ -1,34 +1,48 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"crypto/dsa"
|
||||
"crypto/ecdsa"
|
||||
"bytes"
|
||||
"crypto"
|
||||
"crypto/ed25519"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/x509"
|
||||
"encoding/asn1"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"io"
|
||||
"os"
|
||||
"os/exec"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"golang.org/x/crypto/ssh"
|
||||
)
|
||||
|
||||
var sshHostKeys = KVSecrets[[]SSHKeyPair]{"hosts/ssh-host-keys"}
|
||||
|
||||
type SSHKeyPair struct {
|
||||
Type string
|
||||
Public string
|
||||
Private string
|
||||
}
|
||||
|
||||
func (sd *SecretData) SSHKeyPairs(cluster, host string) (pairs []SSHKeyPair, err error) {
|
||||
cs := sd.cluster(cluster)
|
||||
func getSSHKeyPairs(host string) (pairs []SSHKeyPair, err error) {
|
||||
pairs, _, err = sshHostKeys.Get(host)
|
||||
|
||||
if cs.SSHKeyPairs == nil {
|
||||
cs.SSHKeyPairs = map[string][]SSHKeyPair{}
|
||||
didGenerate := false
|
||||
|
||||
genLoop:
|
||||
for _, keyType := range []string{
|
||||
"rsa",
|
||||
"ecdsa",
|
||||
"ed25519",
|
||||
} {
|
||||
for _, pair := range pairs {
|
||||
if pair.Type == keyType {
|
||||
continue genLoop
|
||||
}
|
||||
}
|
||||
|
||||
outFile, err := ioutil.TempFile("/tmp", "dls-key.")
|
||||
err = func() (err error) {
|
||||
outFile, err := os.CreateTemp("/tmp", "dls-key.")
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
@@ -40,128 +54,154 @@ func (sd *SecretData) SSHKeyPairs(cluster, host string) (pairs []SSHKeyPair, err
|
||||
os.Remove(outPath + ".pub")
|
||||
}
|
||||
|
||||
defer removeTemp()
|
||||
|
||||
pairs = cs.SSHKeyPairs[host]
|
||||
|
||||
didGenerate := false
|
||||
|
||||
genLoop:
|
||||
for _, keyType := range []string{
|
||||
"rsa",
|
||||
"dsa",
|
||||
"ecdsa",
|
||||
"ed25519",
|
||||
} {
|
||||
for _, pair := range pairs {
|
||||
if pair.Type == keyType {
|
||||
continue genLoop
|
||||
}
|
||||
}
|
||||
|
||||
didGenerate = true
|
||||
|
||||
removeTemp()
|
||||
defer removeTemp()
|
||||
|
||||
var out, privKey, pubKey []byte
|
||||
|
||||
out, err = exec.Command("ssh-keygen",
|
||||
cmd := exec.Command("ssh-keygen",
|
||||
"-N", "",
|
||||
"-C", "root@"+host,
|
||||
"-f", outPath,
|
||||
"-t", keyType).CombinedOutput()
|
||||
"-t", keyType)
|
||||
out, err = cmd.CombinedOutput()
|
||||
if err != nil {
|
||||
err = fmt.Errorf("ssh-keygen failed: %v: %s", err, string(out))
|
||||
return
|
||||
}
|
||||
|
||||
privKey, err = ioutil.ReadFile(outPath)
|
||||
privKey, err = os.ReadFile(outPath)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
os.Remove(outPath)
|
||||
|
||||
pubKey, err = ioutil.ReadFile(outPath + ".pub")
|
||||
pubKey, err = os.ReadFile(outPath + ".pub")
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
os.Remove(outPath + ".pub")
|
||||
|
||||
pairs = append(pairs, SSHKeyPair{
|
||||
Type: keyType,
|
||||
Public: string(pubKey),
|
||||
Private: string(privKey),
|
||||
})
|
||||
didGenerate = true
|
||||
|
||||
return
|
||||
}()
|
||||
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
if didGenerate {
|
||||
cs.SSHKeyPairs[host] = pairs
|
||||
err = sd.Save()
|
||||
err = sshHostKeys.Put(host, pairs)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func sshKeyGenDSA() (data []byte, pubKey interface{}, err error) {
|
||||
privKey := &dsa.PrivateKey{}
|
||||
var sshCAKeys = KVSecrets[string]{"ssh-ca-keys"}
|
||||
|
||||
err = dsa.GenerateParameters(&privKey.Parameters, rand.Reader, dsa.L1024N160)
|
||||
func sshCAKey(cluster string) (caKeyPem string, err error) {
|
||||
storeKey := "clusters/" + cluster
|
||||
caKeyPem, _, err = sshCAKeys.Get(storeKey)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
err = dsa.GenerateKey(privKey, rand.Reader)
|
||||
if caKeyPem == "" {
|
||||
_, pk, err := ed25519.GenerateKey(nil)
|
||||
if err != nil {
|
||||
return
|
||||
return "", err
|
||||
}
|
||||
|
||||
data, err = asn1.Marshal(*privKey)
|
||||
//data, err = x509.MarshalPKCS8PrivateKey(privKey)
|
||||
pemBlock, err := ssh.MarshalPrivateKey(crypto.PrivateKey(pk), "")
|
||||
if err != nil {
|
||||
return
|
||||
return "", err
|
||||
}
|
||||
|
||||
pubKey = privKey.PublicKey
|
||||
return
|
||||
}
|
||||
|
||||
func sshKeyGenRSA() (data []byte, pubKey interface{}, err error) {
|
||||
privKey, err := rsa.GenerateKey(rand.Reader, 2048)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
data = x509.MarshalPKCS1PrivateKey(privKey)
|
||||
pubKey = privKey.Public()
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func sshKeyGenECDSA() (data []byte, pubKey interface{}, err error) {
|
||||
privKey, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
data, err = x509.MarshalPKCS8PrivateKey(privKey)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
pubKey = privKey.Public()
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func sshKeyGenED25519() (data []byte, pubKey interface{}, err error) {
|
||||
pubKey, privKey, err := ed25519.GenerateKey(rand.Reader)
|
||||
|
||||
data, err = x509.MarshalPKCS8PrivateKey(privKey)
|
||||
if err != nil {
|
||||
return
|
||||
caKeyPem = string(pem.EncodeToMemory(pemBlock))
|
||||
sshCAKeys.Put(storeKey, caKeyPem)
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func sshCAPubKey(cluster string) (pubKey []byte, err error) {
|
||||
keyPem, err := sshCAKey(cluster)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
k, err := ssh.ParsePrivateKey([]byte(keyPem))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
pubKey = ssh.MarshalAuthorizedKey(k.PublicKey())
|
||||
return
|
||||
}
|
||||
|
||||
// principal: user (login) to allow (ie: "root")
|
||||
// validity: ssh-keygen validity string (ie: "+1h", "202506280811:202506281011", ""=forever)
|
||||
// options: ssh-keygen options (ie: "force-command=/bin/date +\"%F %T\"", "source-address=192.168.1.0/24,192.168.42.0/24"
|
||||
func sshCASign(cluster string, userPubKey []byte, principal, validity string, options ...string) (cert []byte, err error) {
|
||||
caKey, err := sshCAKey(cluster)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
pubkey, identity, _, _, err := ssh.ParseAuthorizedKey(bytes.TrimSpace(userPubKey))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
ak := ssh.MarshalAuthorizedKey(pubkey)
|
||||
|
||||
userPubKeyFile, err := os.CreateTemp("/tmp", "user.pub")
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
defer os.Remove(userPubKeyFile.Name())
|
||||
|
||||
_, err = io.Copy(userPubKeyFile, bytes.NewBuffer(ak))
|
||||
userPubKeyFile.Close()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
serial := strconv.FormatInt(time.Now().Unix(), 10)
|
||||
cmd := exec.Command("ssh-keygen", "-q", "-s", "/dev/stdin", "-I", identity, "-z", serial, "-n", principal)
|
||||
|
||||
if validity != "" {
|
||||
cmd.Args = append(cmd.Args, "-V", validity)
|
||||
}
|
||||
|
||||
for _, opt := range options {
|
||||
cmd.Args = append(cmd.Args, "-O", opt)
|
||||
}
|
||||
|
||||
cmd.Args = append(cmd.Args, userPubKeyFile.Name())
|
||||
|
||||
stderr := new(bytes.Buffer)
|
||||
cmd.Stdin = bytes.NewBuffer([]byte(caKey))
|
||||
cmd.Stderr = stderr
|
||||
|
||||
err = cmd.Run()
|
||||
if err != nil {
|
||||
err = fmt.Errorf("ssh-keygen sign failed: %s", strings.TrimSpace(stderr.String()))
|
||||
return
|
||||
}
|
||||
|
||||
certFile := userPubKeyFile.Name() + "-cert.pub"
|
||||
cert, err = os.ReadFile(certFile)
|
||||
|
||||
os.Remove(certFile)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
@@ -2,16 +2,9 @@ package main
|
||||
|
||||
import "testing"
|
||||
|
||||
func init() {
|
||||
DontSave = true
|
||||
}
|
||||
|
||||
func TestSSHKeyGet(t *testing.T) {
|
||||
sd := &SecretData{
|
||||
clusters: make(map[string]*ClusterSecrets),
|
||||
}
|
||||
|
||||
if _, err := sd.SSHKeyPairs("test", "host"); err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
// TODO needs fake secret store
|
||||
// if _, err := getSSHKeyPairs("host"); err != nil {
|
||||
// t.Error(err)
|
||||
// }
|
||||
}
|
||||
|
||||
@@ -0,0 +1,166 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"log"
|
||||
|
||||
"m.cluseau.fr/go/watchable"
|
||||
"novit.tech/direktil/pkg/localconfig"
|
||||
)
|
||||
|
||||
type PublicState struct {
|
||||
ServerVersion string
|
||||
UIHash string
|
||||
Store struct {
|
||||
New bool
|
||||
Open bool
|
||||
}
|
||||
}
|
||||
|
||||
var wPublicState = watchable.New[PublicState]()
|
||||
|
||||
type State struct {
|
||||
HasConfig bool
|
||||
|
||||
Store struct {
|
||||
DownloadToken string
|
||||
KeyNames []string
|
||||
Salt []byte
|
||||
}
|
||||
|
||||
Clusters []ClusterState
|
||||
Hosts []HostState
|
||||
Config *localconfig.Config
|
||||
|
||||
Downloads map[string]DownloadSpec
|
||||
|
||||
HostTemplates []string
|
||||
}
|
||||
|
||||
type ClusterState struct {
|
||||
Name string
|
||||
Addons bool
|
||||
Passwords []string
|
||||
Tokens []string
|
||||
CAs []CAState
|
||||
}
|
||||
|
||||
type HostState struct {
|
||||
Name string
|
||||
Cluster string
|
||||
IPs []string
|
||||
|
||||
Template string `json:",omitempty"`
|
||||
}
|
||||
|
||||
type CAState struct {
|
||||
Name string
|
||||
Signed []string
|
||||
}
|
||||
|
||||
var wState = watchable.New[State]()
|
||||
|
||||
func init() {
|
||||
wState.Set(State{Downloads: map[string]DownloadSpec{}})
|
||||
}
|
||||
|
||||
func updateState() {
|
||||
log.Print("updating state")
|
||||
|
||||
// store key names
|
||||
keyNames := make([]string, 0, len(secStore.Keys))
|
||||
for _, key := range secStore.Keys {
|
||||
keyNames = append(keyNames, key.Name)
|
||||
}
|
||||
|
||||
// config
|
||||
cfg, err := readConfig()
|
||||
if err != nil {
|
||||
wState.Change(func(v *State) { v.HasConfig = false; v.Config = nil; v.Store.KeyNames = keyNames })
|
||||
return
|
||||
}
|
||||
|
||||
if secStore.IsNew() || !secStore.Unlocked() {
|
||||
wState.Change(func(v *State) { v.HasConfig = false; v.Config = nil; v.Store.KeyNames = keyNames })
|
||||
return
|
||||
}
|
||||
|
||||
// remove heavy data
|
||||
clusters := make([]ClusterState, 0, len(cfg.Clusters))
|
||||
for _, cluster := range cfg.Clusters {
|
||||
c := ClusterState{
|
||||
Name: cluster.Name,
|
||||
Addons: len(cluster.Addons) != 0,
|
||||
}
|
||||
|
||||
c.Passwords, err = clusterPasswords.Keys(c.Name + "/")
|
||||
if err != nil {
|
||||
log.Print("failed to read cluster passwords: ", err)
|
||||
}
|
||||
c.Tokens, err = clusterTokens.Keys(c.Name + "/")
|
||||
if err != nil {
|
||||
log.Print("failed to read cluster tokens: ", err)
|
||||
}
|
||||
|
||||
caNames, err := clusterCAs.Keys(c.Name + "/")
|
||||
if err != nil {
|
||||
log.Print("failed to read cluster CAs: ", err)
|
||||
}
|
||||
for _, caName := range caNames {
|
||||
ca := CAState{Name: caName}
|
||||
|
||||
signedNames, err := clusterCASignedKeys.Keys(c.Name + "/" + caName + "/")
|
||||
if err != nil {
|
||||
log.Print("failed to read cluster CA signed keys: ", err)
|
||||
}
|
||||
for _, signedName := range signedNames {
|
||||
ca.Signed = append(ca.Signed, signedName)
|
||||
}
|
||||
|
||||
c.CAs = append(c.CAs, ca)
|
||||
}
|
||||
|
||||
clusters = append(clusters, c)
|
||||
}
|
||||
|
||||
hfts, err := hostsFromTemplate.List("")
|
||||
if err != nil {
|
||||
log.Print("failed to read hosts from template: ", err)
|
||||
}
|
||||
|
||||
hosts := make([]HostState, 0, len(cfg.Hosts)+len(hfts))
|
||||
for _, host := range cfg.Hosts {
|
||||
h := HostState{
|
||||
Name: host.Name,
|
||||
Cluster: host.ClusterName,
|
||||
IPs: host.IPs,
|
||||
}
|
||||
hosts = append(hosts, h)
|
||||
}
|
||||
|
||||
for _, kv := range hfts {
|
||||
name, hft := kv.K, kv.V
|
||||
h := HostState{
|
||||
Name: name,
|
||||
Cluster: hft.ClusterName(cfg),
|
||||
IPs: []string{hft.IP},
|
||||
|
||||
Template: hft.Template,
|
||||
}
|
||||
hosts = append(hosts, h)
|
||||
}
|
||||
|
||||
hostTemplates := make([]string, len(cfg.HostTemplates))
|
||||
for i, ht := range cfg.HostTemplates {
|
||||
hostTemplates[i] = ht.Name
|
||||
}
|
||||
|
||||
// done
|
||||
wState.Change(func(v *State) {
|
||||
v.HasConfig = true
|
||||
v.Store.KeyNames = keyNames
|
||||
v.Store.Salt = secStore.Salt[:]
|
||||
v.Clusters = clusters
|
||||
v.Hosts = hosts
|
||||
v.HostTemplates = hostTemplates
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,206 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"crypto"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
"log"
|
||||
"net"
|
||||
|
||||
"github.com/cloudflare/cfssl/config"
|
||||
"github.com/cloudflare/cfssl/csr"
|
||||
"github.com/cloudflare/cfssl/helpers"
|
||||
"github.com/cloudflare/cfssl/initca"
|
||||
"github.com/cloudflare/cfssl/signer"
|
||||
"github.com/cloudflare/cfssl/signer/local"
|
||||
"k8s.io/apimachinery/pkg/util/validation"
|
||||
)
|
||||
|
||||
type CA struct {
|
||||
Key []byte
|
||||
Cert []byte
|
||||
|
||||
Signed map[string]*KeyCert
|
||||
}
|
||||
|
||||
func (ca *CA) Init() (err error) {
|
||||
req := ca.newReq()
|
||||
|
||||
cert, _, key, err := initca.New(req)
|
||||
if err != nil {
|
||||
err = fmt.Errorf("initca: %w", err)
|
||||
return
|
||||
}
|
||||
|
||||
ca.Key = key
|
||||
ca.Cert = cert
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (ca *CA) RenewCert() (err error) {
|
||||
var signer crypto.Signer
|
||||
signer, err = helpers.ParsePrivateKeyPEM(ca.Key)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
newCert, _, err := initca.NewFromSigner(ca.newReq(), signer)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
ca.Cert = newCert
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (_ CA) newReq() *csr.CertificateRequest {
|
||||
return &csr.CertificateRequest{
|
||||
CN: "Direktil Local Server",
|
||||
KeyRequest: &csr.KeyRequest{
|
||||
A: "ecdsa",
|
||||
S: 521, // 256, 384, 521
|
||||
},
|
||||
Names: []csr.Name{
|
||||
{
|
||||
O: "novit.io",
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func (ca CA) ParseKey() (key crypto.Signer, err error) {
|
||||
return helpers.ParsePrivateKeyPEM(ca.Key)
|
||||
}
|
||||
func (ca CA) ParseCert() (cert *x509.Certificate, err error) {
|
||||
return helpers.ParseCertificatePEM(ca.Cert)
|
||||
}
|
||||
|
||||
func (ca CA) Signer(policy *config.Signing) (result *local.Signer, err error) {
|
||||
caCert, err := ca.ParseCert()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
caKey, err := ca.ParseKey()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
return local.NewSigner(caKey, caCert, signer.DefaultSigAlgo(caKey), policy)
|
||||
}
|
||||
|
||||
func getUsableKeyCert(cluster, caName, name, profile, label string, req *csr.CertificateRequest, cfg *config.Config) (kc KeyCert, err error) {
|
||||
log := log.New(log.Default().Writer(), cluster+": CA "+caName+": ", log.Flags()|log.Lmsgprefix)
|
||||
|
||||
ca, err := getUsableClusterCA(cluster, caName)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
for _, host := range req.Hosts {
|
||||
if ip := net.ParseIP(host); ip != nil {
|
||||
// valid IP (v4 or v6)
|
||||
continue
|
||||
}
|
||||
|
||||
if host == "*" {
|
||||
continue
|
||||
}
|
||||
|
||||
if errs := validation.IsDNS1123Subdomain(host); len(errs) == 0 {
|
||||
continue
|
||||
}
|
||||
if errs := validation.IsWildcardDNS1123Subdomain(host); len(errs) == 0 {
|
||||
continue
|
||||
}
|
||||
|
||||
err = fmt.Errorf("%q is not an IP or FQDN", host)
|
||||
return
|
||||
}
|
||||
|
||||
if req.CA != nil {
|
||||
err = errors.New("no CA section allowed here")
|
||||
return
|
||||
}
|
||||
|
||||
rh := hash(req)
|
||||
|
||||
key := cluster + "/" + caName + "/" + name
|
||||
|
||||
kc, found, err := clusterCASignedKeys.Get(key)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
if found {
|
||||
if rh == kc.ReqHash {
|
||||
err = func() (err error) {
|
||||
err = checkCertUsable(kc.Cert)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
pool := x509.NewCertPool()
|
||||
if !pool.AppendCertsFromPEM(ca.Cert) {
|
||||
panic("unexpected invalid CA certificate at this point")
|
||||
}
|
||||
|
||||
certBlock, _ := pem.Decode(kc.Cert)
|
||||
cert, err := x509.ParseCertificate(certBlock.Bytes)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
_, err = cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
|
||||
return
|
||||
}()
|
||||
if err == nil {
|
||||
return // all good, no need to create or renew
|
||||
}
|
||||
|
||||
log.Print("regenerating certificate: ", err)
|
||||
|
||||
} else {
|
||||
log.Printf("CSR changed for %s: hash=%q previous=%q", name, rh, kc.ReqHash)
|
||||
}
|
||||
} else {
|
||||
log.Print("new CSR for ", name)
|
||||
}
|
||||
|
||||
sgr, err := ca.Signer(cfg.Signing)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
generator := &csr.Generator{Validator: func(_ *csr.CertificateRequest) error { return nil }}
|
||||
|
||||
csr, tlsKey, err := generator.ProcessRequest(req)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
signReq := signer.SignRequest{
|
||||
Request: string(csr),
|
||||
Profile: profile,
|
||||
Label: label,
|
||||
}
|
||||
|
||||
cert, err := sgr.Sign(signReq)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
kc = KeyCert{
|
||||
Key: tlsKey,
|
||||
Cert: cert,
|
||||
ReqHash: rh,
|
||||
}
|
||||
|
||||
err = clusterCASignedKeys.Put(key, kc)
|
||||
|
||||
return
|
||||
}
|
||||
@@ -0,0 +1,24 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"encoding/base32"
|
||||
"log"
|
||||
"net/http"
|
||||
|
||||
"m.cluseau.fr/go/httperr"
|
||||
)
|
||||
|
||||
func newToken(sizeInBytes int) (token string, err error) {
|
||||
randBytes := make([]byte, sizeInBytes)
|
||||
|
||||
_, err = rand.Read(randBytes)
|
||||
if err != nil {
|
||||
log.Print("rand read error: ", err)
|
||||
err = httperr.New(http.StatusInternalServerError, err)
|
||||
return
|
||||
}
|
||||
|
||||
token = base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(randBytes)
|
||||
return
|
||||
}
|
||||
@@ -0,0 +1,63 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"log"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
"strings"
|
||||
"syscall"
|
||||
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
// Simulate a udev run for our needs
|
||||
func syncSysToDev() {
|
||||
// loop devices
|
||||
sysPaths, _ := filepath.Glob("/sys/devices/virtual/block/loop*/**/dev")
|
||||
for _, sysPath := range sysPaths {
|
||||
mknodBlk(sysPath)
|
||||
}
|
||||
}
|
||||
|
||||
func mknodBlk(sysPath string) {
|
||||
devPath := "/dev/" + filepath.Base(filepath.Dir(sysPath))
|
||||
if _, err := os.Stat(devPath); os.IsNotExist(err) {
|
||||
// ok
|
||||
} else if err != nil {
|
||||
log.Printf("stat %s failed: %v", devPath, err)
|
||||
return
|
||||
} else {
|
||||
return // exists
|
||||
}
|
||||
|
||||
devBytes, err := os.ReadFile(sysPath)
|
||||
if err != nil {
|
||||
log.Printf("read %s failed: %v", sysPath, err)
|
||||
return
|
||||
}
|
||||
devBytes = bytes.TrimSpace(devBytes)
|
||||
|
||||
// rust: let Some(dev) = devBytes.split_once(':').filter_map(|a,b| Some(mkdev(a.parse().ok()?, b.parse().ok()?)));
|
||||
majorStr, minorStr, ok := strings.Cut(string(devBytes), ":")
|
||||
if !ok {
|
||||
log.Printf("%s: invalid dev string: %s", sysPath, string(devBytes))
|
||||
return
|
||||
}
|
||||
major, err := strconv.ParseUint(majorStr, 10, 32)
|
||||
if err != nil {
|
||||
log.Printf("%s: invalid major: %q", sysPath, majorStr)
|
||||
return
|
||||
}
|
||||
minor, err := strconv.ParseUint(minorStr, 10, 32)
|
||||
if err != nil {
|
||||
log.Printf("%s: invalid minor: %q", sysPath, minorStr)
|
||||
return
|
||||
}
|
||||
|
||||
devMajMin := int(unix.Mkdev(uint32(major), uint32(minor)))
|
||||
|
||||
log.Printf("mknod %s b %d %d", devPath, major, minor)
|
||||
unix.Mknod(devPath, syscall.S_IFBLK|0o0600, devMajMin)
|
||||
}
|
||||
@@ -0,0 +1,45 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"encoding/base32"
|
||||
"io"
|
||||
"io/fs"
|
||||
"log"
|
||||
"strings"
|
||||
|
||||
"github.com/cespare/xxhash"
|
||||
dlshtml "novit.tech/direktil/local-server/html"
|
||||
)
|
||||
|
||||
func computeUIHash() {
|
||||
xxh := xxhash.New()
|
||||
|
||||
err := fs.WalkDir(dlshtml.FS, "ui", func(path string, entry fs.DirEntry, walkErr error) (err error) {
|
||||
if walkErr != nil {
|
||||
err = walkErr
|
||||
return
|
||||
}
|
||||
|
||||
if entry.IsDir() {
|
||||
return
|
||||
}
|
||||
|
||||
f, err := dlshtml.FS.Open(path)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
defer f.Close()
|
||||
|
||||
io.Copy(xxh, f)
|
||||
|
||||
return nil
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
log.Fatal("failed to hash UI: ", err)
|
||||
}
|
||||
|
||||
h := strings.ToLower(base32.HexEncoding.WithPadding(base32.NoPadding).EncodeToString(xxh.Sum(nil)))[:5]
|
||||
log.Printf("UI hash: %s", h)
|
||||
wPublicState.Change(func(v *PublicState) { v.UIHash = h })
|
||||
}
|
||||
@@ -9,9 +9,11 @@ import (
|
||||
"log"
|
||||
"net/http"
|
||||
"os"
|
||||
"path"
|
||||
gopath "path"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/dustin/go-humanize"
|
||||
@@ -19,11 +21,25 @@ import (
|
||||
)
|
||||
|
||||
var (
|
||||
upstreamURL = flag.String("upstream", "https://direktil.novit.nc/dist", "Upstream server for dist elements")
|
||||
upstreamURL = flag.String("upstream", "https://dkl.novit.io/dist", "Upstream server for dist elements")
|
||||
)
|
||||
|
||||
func (ctx *renderContext) distFetch(path ...string) (outPath string, err error) {
|
||||
outPath = ctx.distFilePath(path...)
|
||||
type upstreamServer struct{}
|
||||
|
||||
func (_ upstreamServer) ServeHTTP(w http.ResponseWriter, req *http.Request) {
|
||||
path := path.Clean(req.URL.Path)
|
||||
outPath, err := distFetch(strings.Split(path, "/")...)
|
||||
if err != nil {
|
||||
w.WriteHeader(http.StatusBadGateway)
|
||||
w.Write([]byte(err.Error() + "\n"))
|
||||
return
|
||||
}
|
||||
|
||||
http.ServeFile(w, req, outPath)
|
||||
}
|
||||
|
||||
func distFetch(path ...string) (outPath string, err error) {
|
||||
outPath = distFilePath(path...)
|
||||
|
||||
if _, err = os.Stat(outPath); err == nil {
|
||||
return
|
||||
|
||||
@@ -0,0 +1,44 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
|
||||
)
|
||||
|
||||
var wgKeys = KVSecrets[string]{"wireguard"}
|
||||
|
||||
func wgKey(path string) (key string, err error) {
|
||||
return wgKeys.GetOrCreate(path, func() (key string, err error) {
|
||||
k, err := wgtypes.GeneratePrivateKey()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
key = k.String()
|
||||
return
|
||||
})
|
||||
}
|
||||
|
||||
func wgPSKey(path string) (key string, err error) {
|
||||
return wgKeys.GetOrCreate(path, func() (key string, err error) {
|
||||
k, err := wgtypes.GenerateKey()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
key = k.String()
|
||||
return
|
||||
})
|
||||
}
|
||||
|
||||
func wgPubKey(path string) (pubkey string, err error) {
|
||||
key, err := wgKey(path)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
k, err := wgtypes.ParseKey(key)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
pubkey = k.PublicKey().String()
|
||||
return
|
||||
}
|
||||
@@ -7,24 +7,20 @@ import (
|
||||
)
|
||||
|
||||
func adminAuth(req *restful.Request, resp *restful.Response, chain *restful.FilterChain) {
|
||||
tokenAuth(req, resp, chain, *adminToken)
|
||||
}
|
||||
|
||||
func hostsAuth(req *restful.Request, resp *restful.Response, chain *restful.FilterChain) {
|
||||
tokenAuth(req, resp, chain, *hostsToken, *adminToken)
|
||||
tokenAuth(req, resp, chain, adminToken)
|
||||
}
|
||||
|
||||
func tokenAuth(req *restful.Request, resp *restful.Response, chain *restful.FilterChain, allowedTokens ...string) {
|
||||
token := getToken(req)
|
||||
|
||||
for _, allowedToken := range allowedTokens {
|
||||
if allowedToken == "" || token == allowedToken {
|
||||
if allowedToken != "" && token == allowedToken {
|
||||
chain.ProcessFilter(req, resp)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
resp.WriteErrorString(401, "401: Not Authorized")
|
||||
wsError(resp, ErrUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -33,8 +29,12 @@ func getToken(req *restful.Request) string {
|
||||
|
||||
token := req.HeaderParameter("Authorization")
|
||||
|
||||
if token == "" {
|
||||
return req.QueryParameter("token")
|
||||
}
|
||||
|
||||
if !strings.HasPrefix(token, bearerPrefix) {
|
||||
return ""
|
||||
return token
|
||||
}
|
||||
|
||||
return token[len(bearerPrefix):]
|
||||
|
||||
@@ -0,0 +1,107 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/cloudflare/cfssl/helpers"
|
||||
"github.com/cloudflare/cfssl/log"
|
||||
restful "github.com/emicklei/go-restful"
|
||||
)
|
||||
|
||||
var clusterCAs = newClusterSecretKV[CA]("CAs")
|
||||
|
||||
func wsClusterCAs(req *restful.Request, resp *restful.Response) {
|
||||
clusterName := req.PathParameter("cluster-name")
|
||||
clusterCAs.WsList(resp, clusterName+"/")
|
||||
}
|
||||
|
||||
func wsClusterCA(req *restful.Request, resp *restful.Response) {
|
||||
clusterName := req.PathParameter("cluster-name")
|
||||
name := req.PathParameter("ca-name")
|
||||
|
||||
clusterCAs.WsGet(resp, clusterName+"/"+name)
|
||||
}
|
||||
|
||||
func getUsableClusterCA(cluster, name string) (ca CA, err error) {
|
||||
defer func() {
|
||||
if err != nil {
|
||||
err = fmt.Errorf("cluster %s CA %s: %w", cluster, name, err)
|
||||
}
|
||||
}()
|
||||
|
||||
key := cluster + "/" + name
|
||||
|
||||
ca, found, err := clusterCAs.Get(key)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
if !found {
|
||||
log.Info("new CA in cluster ", cluster, ": ", name)
|
||||
|
||||
err = ca.Init()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
err = clusterCAs.Put(key, ca)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
checkErr := checkCertUsable(ca.Cert)
|
||||
if checkErr != nil {
|
||||
log.Infof("cluster %s: CA %s: regenerating certificate: %v", cluster, name, checkErr)
|
||||
|
||||
prevCerts, _ := helpers.ParseCertificatesPEM(ca.Cert)
|
||||
|
||||
err = ca.RenewCert()
|
||||
if err != nil {
|
||||
err = fmt.Errorf("renew: %w", err)
|
||||
}
|
||||
|
||||
now := time.Now()
|
||||
for _, cert := range prevCerts {
|
||||
if cert.NotAfter.After(now) {
|
||||
continue
|
||||
}
|
||||
certPEM := helpers.EncodeCertificatePEM(cert)
|
||||
ca.Cert = append(ca.Cert, certPEM...)
|
||||
}
|
||||
|
||||
err = clusterCAs.Put(key, ca)
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func caExtraCerts(cluster, name string) (extra string, err error) {
|
||||
cfg, err := readConfig()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
if cfg.ExtraCaCerts != nil {
|
||||
extra = cfg.ExtraCaCerts[cluster+"/"+name]
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
var clusterCASignedKeys = newClusterSecretKV[KeyCert]("CA-signed-keys")
|
||||
|
||||
func wsClusterCASignedKeys(req *restful.Request, resp *restful.Response) {
|
||||
clusterName := req.PathParameter("cluster-name")
|
||||
caName := req.PathParameter("ca-name")
|
||||
clusterCASignedKeys.WsList(resp, clusterName+"/"+caName+"/")
|
||||
}
|
||||
|
||||
func wsClusterCASignedKey(req *restful.Request, resp *restful.Response) {
|
||||
clusterName := req.PathParameter("cluster-name")
|
||||
caName := req.PathParameter("ca-name")
|
||||
name := req.PathParameter("signed-name")
|
||||
|
||||
clusterCASignedKeys.WsGet(resp, clusterName+"/"+caName+"/"+name)
|
||||
}
|
||||
@@ -0,0 +1,32 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
restful "github.com/emicklei/go-restful"
|
||||
)
|
||||
|
||||
var seeds = newClusterSecretKV[[]byte]("seeds")
|
||||
|
||||
var clusterPasswords = newClusterSecretKV[string]("passwords")
|
||||
|
||||
func wsClusterPasswords(req *restful.Request, resp *restful.Response) {
|
||||
clusterName := req.PathParameter("cluster-name")
|
||||
clusterPasswords.WsList(resp, clusterName+"/")
|
||||
}
|
||||
|
||||
func wsClusterPassword(req *restful.Request, resp *restful.Response) {
|
||||
clusterName := req.PathParameter("cluster-name")
|
||||
name := req.PathParameter("password-name")
|
||||
|
||||
clusterPasswords.WsGet(resp, clusterName+"/"+name)
|
||||
}
|
||||
|
||||
func wsClusterSetPassword(req *restful.Request, resp *restful.Response) {
|
||||
cluster := wsReadCluster(req, resp)
|
||||
if cluster == nil {
|
||||
return
|
||||
}
|
||||
|
||||
name := req.PathParameter("password-name")
|
||||
|
||||
clusterPasswords.WsPut(req, resp, cluster.Name+"/"+name)
|
||||
}
|
||||
@@ -0,0 +1,43 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"encoding/base32"
|
||||
|
||||
restful "github.com/emicklei/go-restful"
|
||||
)
|
||||
|
||||
var clusterTokens = newClusterSecretKV[string]("tokens")
|
||||
|
||||
func getOrCreateClusterToken(cluster, name string) (token string, err error) {
|
||||
key := cluster + "/" + name
|
||||
|
||||
token, found, err := clusterTokens.Get(key)
|
||||
|
||||
if err != nil || found {
|
||||
return
|
||||
}
|
||||
|
||||
b := make([]byte, 16)
|
||||
_, err = rand.Read(b)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
token = base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b)
|
||||
|
||||
err = clusterTokens.Put(key, token)
|
||||
return
|
||||
}
|
||||
|
||||
func wsClusterTokens(req *restful.Request, resp *restful.Response) {
|
||||
clusterName := req.PathParameter("cluster-name")
|
||||
clusterTokens.WsList(resp, clusterName+"/")
|
||||
}
|
||||
|
||||
func wsClusterToken(req *restful.Request, resp *restful.Response) {
|
||||
clusterName := req.PathParameter("cluster-name")
|
||||
name := req.PathParameter("token-name")
|
||||
|
||||
clusterTokens.WsGet(resp, clusterName+"/"+name)
|
||||
}
|
||||
+246
-123
@@ -1,14 +1,31 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"log"
|
||||
"sort"
|
||||
"net/url"
|
||||
"regexp"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/cloudflare/cfssl/config"
|
||||
"github.com/cloudflare/cfssl/csr"
|
||||
"github.com/cloudflare/cfssl/signer"
|
||||
restful "github.com/emicklei/go-restful"
|
||||
|
||||
"novit.nc/direktil/pkg/localconfig"
|
||||
"novit.tech/direktil/local-server/pkg/mime"
|
||||
"novit.tech/direktil/pkg/localconfig"
|
||||
)
|
||||
|
||||
var clusterSecretKVs = []string{}
|
||||
|
||||
func newClusterSecretKV[T any](name string) KVSecrets[T] {
|
||||
clusterSecretKVs = append(clusterSecretKVs, name)
|
||||
return KVSecrets[T]{"clusters/" + name}
|
||||
}
|
||||
|
||||
func wsListClusters(req *restful.Request, resp *restful.Response) {
|
||||
cfg := wsReadConfig(resp)
|
||||
if cfg == nil {
|
||||
@@ -33,7 +50,7 @@ func wsReadCluster(req *restful.Request, resp *restful.Response) (cluster *local
|
||||
|
||||
cluster = cfg.Cluster(clusterName)
|
||||
if cluster == nil {
|
||||
wsNotFound(req, resp)
|
||||
wsNotFound(resp)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -57,152 +74,258 @@ func wsClusterAddons(req *restful.Request, resp *restful.Response) {
|
||||
|
||||
if len(cluster.Addons) == 0 {
|
||||
log.Printf("cluster %q has no addons defined", cluster.Name)
|
||||
wsNotFound(req, resp)
|
||||
wsNotFound(resp)
|
||||
return
|
||||
}
|
||||
|
||||
wsRender(resp, cluster.Addons, cluster)
|
||||
}
|
||||
|
||||
func wsClusterPasswords(req *restful.Request, resp *restful.Response) {
|
||||
cluster := wsReadCluster(req, resp)
|
||||
if cluster == nil {
|
||||
cfg := wsReadConfig(resp)
|
||||
if cfg == nil {
|
||||
return
|
||||
}
|
||||
|
||||
resp.WriteEntity(secretData.Passwords(cluster.Name))
|
||||
}
|
||||
|
||||
func wsClusterPassword(req *restful.Request, resp *restful.Response) {
|
||||
cluster := wsReadCluster(req, resp)
|
||||
if cluster == nil {
|
||||
return
|
||||
}
|
||||
|
||||
name := req.PathParameter("password-name")
|
||||
|
||||
resp.WriteEntity(secretData.Password(cluster.Name, name))
|
||||
}
|
||||
|
||||
func wsClusterSetPassword(req *restful.Request, resp *restful.Response) {
|
||||
cluster := wsReadCluster(req, resp)
|
||||
if cluster == nil {
|
||||
return
|
||||
}
|
||||
|
||||
name := req.PathParameter("password-name")
|
||||
|
||||
var password string
|
||||
if err := req.ReadEntity(&password); err != nil {
|
||||
wsError(resp, err) // FIXME this is a BadRequest
|
||||
return
|
||||
}
|
||||
|
||||
secretData.SetPassword(cluster.Name, name, password)
|
||||
|
||||
if err := secretData.Save(); err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
func wsClusterToken(req *restful.Request, resp *restful.Response) {
|
||||
cluster := wsReadCluster(req, resp)
|
||||
if cluster == nil {
|
||||
return
|
||||
}
|
||||
|
||||
name := req.PathParameter("token-name")
|
||||
|
||||
token, err := secretData.Token(cluster.Name, name)
|
||||
sslCfg, err := sslConfigFromLocalConfig(cfg)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
resp.WriteEntity(token)
|
||||
}
|
||||
|
||||
func wsClusterBootstrapPods(req *restful.Request, resp *restful.Response) {
|
||||
cluster := wsReadCluster(req, resp)
|
||||
if cluster == nil {
|
||||
return
|
||||
}
|
||||
|
||||
if len(cluster.BootstrapPods) == 0 {
|
||||
log.Printf("cluster %q has no bootstrap pods defined", cluster.Name)
|
||||
wsNotFound(req, resp)
|
||||
return
|
||||
}
|
||||
|
||||
wsRender(resp, cluster.BootstrapPods, cluster)
|
||||
}
|
||||
|
||||
func wsClusterCAs(req *restful.Request, resp *restful.Response) {
|
||||
cs := secretData.clusters[req.PathParameter("cluster-name")]
|
||||
if cs == nil {
|
||||
wsNotFound(req, resp)
|
||||
return
|
||||
}
|
||||
|
||||
keys := make([]string, 0, len(cs.CAs))
|
||||
for k := range cs.CAs {
|
||||
keys = append(keys, k)
|
||||
}
|
||||
|
||||
sort.Strings(keys)
|
||||
|
||||
resp.WriteJson(keys, restful.MIME_JSON)
|
||||
wsRender(resp, sslCfg, cluster.Addons, cluster)
|
||||
}
|
||||
|
||||
func wsClusterCACert(req *restful.Request, resp *restful.Response) {
|
||||
cs := secretData.clusters[req.PathParameter("cluster-name")]
|
||||
if cs == nil {
|
||||
wsNotFound(req, resp)
|
||||
return
|
||||
}
|
||||
|
||||
ca := cs.CAs[req.PathParameter("ca-name")]
|
||||
if ca == nil {
|
||||
wsNotFound(req, resp)
|
||||
clusterName := req.PathParameter("cluster-name")
|
||||
caName := req.PathParameter("ca-name")
|
||||
|
||||
ca, found, err := clusterCAs.Get(clusterName + "/" + caName)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
if !found {
|
||||
wsNotFound(resp)
|
||||
return
|
||||
}
|
||||
|
||||
resp.Header().Set("Content-Type", mime.CERT)
|
||||
resp.Write(ca.Cert)
|
||||
}
|
||||
|
||||
func wsClusterSignedCert(req *restful.Request, resp *restful.Response) {
|
||||
cs := secretData.clusters[req.PathParameter("cluster-name")]
|
||||
if cs == nil {
|
||||
wsNotFound(req, resp)
|
||||
return
|
||||
}
|
||||
|
||||
ca := cs.CAs[req.PathParameter("ca-name")]
|
||||
if ca == nil {
|
||||
wsNotFound(req, resp)
|
||||
return
|
||||
}
|
||||
|
||||
clusterName := req.PathParameter("cluster-name")
|
||||
caName := req.PathParameter("ca-name")
|
||||
name := req.QueryParameter("name")
|
||||
|
||||
if name == "" {
|
||||
keys := make([]string, 0, len(ca.Signed))
|
||||
for k := range ca.Signed {
|
||||
keys = append(keys, k)
|
||||
kc, found, err := clusterCASignedKeys.Get(clusterName + "/" + caName + "/" + name)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
sort.Strings(keys)
|
||||
|
||||
resp.WriteJson(keys, restful.MIME_JSON)
|
||||
return
|
||||
}
|
||||
|
||||
kc := ca.Signed[name]
|
||||
if kc == nil {
|
||||
wsNotFound(req, resp)
|
||||
if !found {
|
||||
wsNotFound(resp)
|
||||
return
|
||||
}
|
||||
|
||||
resp.AddHeader("Content-Type", mime.CERT)
|
||||
resp.AddHeader("Content-Disposition", "attachment; filename="+strconv.Quote(clusterName+"_"+caName+"_"+url.PathEscape(name)+".crt"))
|
||||
resp.Write(kc.Cert)
|
||||
}
|
||||
|
||||
type SSHSignReq struct {
|
||||
PubKey string
|
||||
Principal string
|
||||
Validity string
|
||||
Options []string
|
||||
}
|
||||
|
||||
func wsClusterSSHUserCAPubKey(req *restful.Request, resp *restful.Response) {
|
||||
clusterName := req.PathParameter("cluster-name")
|
||||
|
||||
pubkey, err := sshCAPubKey(clusterName)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
resp.Write(pubkey)
|
||||
}
|
||||
|
||||
func wsClusterSSHUserCASign(req *restful.Request, resp *restful.Response) {
|
||||
clusterName := req.PathParameter("cluster-name")
|
||||
|
||||
signReq := SSHSignReq{}
|
||||
err := req.ReadEntity(&signReq)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
now := time.Now().Truncate(time.Second)
|
||||
notBefore, notAfter, err := parseCertDurationRange(signReq.Validity, now)
|
||||
if err != nil {
|
||||
wsError(resp, fmt.Errorf("invalid validity: %w", err))
|
||||
return
|
||||
}
|
||||
|
||||
const sshTimestamp = "20060102150405Z"
|
||||
|
||||
validity := notBefore.Format(sshTimestamp) + ":"
|
||||
if notAfter.IsZero() {
|
||||
validity += "forever"
|
||||
} else {
|
||||
validity += notAfter.Format(sshTimestamp)
|
||||
}
|
||||
|
||||
log.Printf("sign ssh public key, validity %s -> %s", signReq.Validity, validity)
|
||||
|
||||
cert, err := sshCASign(clusterName, []byte(signReq.PubKey), signReq.Principal, validity, signReq.Options...)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
resp.Write(cert)
|
||||
}
|
||||
|
||||
type KubeSignReq struct {
|
||||
CSR string
|
||||
User string
|
||||
Group string
|
||||
Validity string
|
||||
}
|
||||
|
||||
func wsClusterKubeCASign(req *restful.Request, resp *restful.Response) {
|
||||
clusterName := req.PathParameter("cluster-name")
|
||||
|
||||
signReq := KubeSignReq{}
|
||||
err := req.ReadEntity(&signReq)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
now := time.Now().Truncate(time.Second)
|
||||
notBefore, notAfter, err := parseCertDurationRange(signReq.Validity, now)
|
||||
if err != nil {
|
||||
wsError(resp, fmt.Errorf("invalid validity: %w", err))
|
||||
return
|
||||
}
|
||||
|
||||
var names []csr.Name
|
||||
if signReq.Group != "" {
|
||||
names = []csr.Name{{O: signReq.Group}}
|
||||
}
|
||||
|
||||
ca, err := getUsableClusterCA(clusterName, "cluster")
|
||||
if err != nil {
|
||||
wsError(resp, fmt.Errorf("get cluster CA failed: %w", err))
|
||||
return
|
||||
}
|
||||
|
||||
caSigner, err := ca.Signer(&config.Signing{
|
||||
Default: &config.SigningProfile{
|
||||
Usage: []string{"client auth"},
|
||||
Expiry: notAfter.Sub(now),
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
csr := signer.SignRequest{
|
||||
Request: signReq.CSR,
|
||||
Subject: &signer.Subject{
|
||||
CN: signReq.User,
|
||||
Names: names,
|
||||
},
|
||||
NotBefore: notBefore,
|
||||
NotAfter: notAfter,
|
||||
}
|
||||
|
||||
cert, err := caSigner.Sign(csr)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
resp.Write(cert)
|
||||
}
|
||||
|
||||
func parseCertDurationRange(d string, now time.Time) (notBefore, notAfter time.Time, err error) {
|
||||
if d == "" {
|
||||
return
|
||||
}
|
||||
|
||||
d1, d2, ok := strings.Cut(d, ":")
|
||||
|
||||
if ok {
|
||||
notBefore, err = parseCertDuration(d1, now)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
notAfter, err = parseCertDuration(d2, now)
|
||||
} else {
|
||||
notAfter, err = parseCertDuration(d, now)
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
if notBefore.IsZero() {
|
||||
notBefore = now.Add(-5 * time.Minute)
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
var durRegex = regexp.MustCompile("^([+-]?)([0-9]+)([yMdwhms])")
|
||||
|
||||
func parseCertDuration(d string, now time.Time) (t time.Time, err error) {
|
||||
if d == "" {
|
||||
return
|
||||
}
|
||||
|
||||
direction := 1
|
||||
t = now
|
||||
|
||||
for d != "" {
|
||||
match := durRegex.FindStringSubmatch(d)
|
||||
if match == nil {
|
||||
t = time.Time{}
|
||||
err = errors.New("invalid duration: " + strconv.Quote(d))
|
||||
return
|
||||
}
|
||||
|
||||
d = d[len(match[0]):]
|
||||
|
||||
switch match[1] {
|
||||
case "+":
|
||||
direction = 1
|
||||
case "-":
|
||||
direction = -1
|
||||
}
|
||||
|
||||
qty, _ := strconv.Atoi(match[2])
|
||||
unit := match[3]
|
||||
|
||||
switch unit {
|
||||
case "y":
|
||||
t = t.AddDate(qty*direction, 0, 0)
|
||||
case "M":
|
||||
t = t.AddDate(0, qty*direction, 0)
|
||||
case "d":
|
||||
t = t.AddDate(0, 0, qty*direction)
|
||||
case "w":
|
||||
t = t.AddDate(0, 0, 7*qty*direction)
|
||||
case "h":
|
||||
t = t.Add(time.Duration(qty*direction) * time.Hour)
|
||||
case "m":
|
||||
t = t.Add(time.Duration(qty*direction) * time.Minute)
|
||||
case "s":
|
||||
t = t.Add(time.Duration(qty*direction) * time.Second)
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
@@ -1,35 +1,49 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"compress/gzip"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"path/filepath"
|
||||
|
||||
restful "github.com/emicklei/go-restful"
|
||||
"gopkg.in/yaml.v2"
|
||||
"m.cluseau.fr/go/httperr"
|
||||
"novit.tech/direktil/pkg/localconfig"
|
||||
)
|
||||
|
||||
func wsUploadConfig(req *restful.Request, resp *restful.Response) {
|
||||
body := req.Request.Body
|
||||
|
||||
err := writeNewConfig(body)
|
||||
body.Close()
|
||||
cfg := &localconfig.Config{}
|
||||
if err := req.ReadEntity(cfg); err != nil {
|
||||
wsError(resp, httperr.BadRequest(err.Error()))
|
||||
return
|
||||
}
|
||||
|
||||
cfgBytes, err := yaml.Marshal(cfg)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
err = writeNewConfig(cfgBytes)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
resp.WriteEntity(true)
|
||||
}
|
||||
|
||||
func writeNewConfig(reader io.Reader) (err error) {
|
||||
out, err := ioutil.TempFile(*dataDir, ".config-upload")
|
||||
func writeNewConfig(cfgBytes []byte) (err error) {
|
||||
out, err := os.CreateTemp(*dataDir, ".config-upload")
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
defer os.Remove(out.Name())
|
||||
|
||||
_, err = io.Copy(out, reader)
|
||||
_, err = io.Copy(out, bytes.NewReader(cfgBytes))
|
||||
out.Close()
|
||||
if err != nil {
|
||||
return
|
||||
@@ -38,13 +52,24 @@ func writeNewConfig(reader io.Reader) (err error) {
|
||||
cfgPath := configFilePath()
|
||||
in, err := os.Open(cfgPath)
|
||||
|
||||
if err == nil {
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
// nothing to backup
|
||||
} else {
|
||||
return // real error
|
||||
}
|
||||
} else {
|
||||
err = backupCurrentConfig(in)
|
||||
} else if !os.IsNotExist(err) {
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
err = os.Rename(out.Name(), cfgPath)
|
||||
|
||||
updateState()
|
||||
go updateCache()
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,305 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/ed25519"
|
||||
"encoding/base32"
|
||||
"fmt"
|
||||
"io"
|
||||
"path/filepath"
|
||||
"slices"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
restful "github.com/emicklei/go-restful"
|
||||
"github.com/pierrec/lz4"
|
||||
"m.cluseau.fr/go/httperr"
|
||||
)
|
||||
|
||||
func globMatch(pattern, value string) bool {
|
||||
ok, _ := filepath.Match(pattern, value)
|
||||
return ok
|
||||
}
|
||||
|
||||
type DownloadSet struct {
|
||||
Expiry time.Time
|
||||
Items []DownloadSetItem
|
||||
}
|
||||
|
||||
func (s DownloadSet) Contains(kind, name, asset string) bool {
|
||||
for _, item := range s.Items {
|
||||
if item.Kind == kind && globMatch(item.Name, name) &&
|
||||
slices.Contains(item.Assets, asset) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func (s DownloadSet) Encode() string {
|
||||
buf := new(strings.Builder)
|
||||
s.EncodeTo(buf)
|
||||
return buf.String()
|
||||
}
|
||||
|
||||
func (s DownloadSet) EncodeTo(buf *strings.Builder) {
|
||||
buf.WriteString(strconv.FormatInt(s.Expiry.Unix(), 16))
|
||||
|
||||
for _, item := range s.Items {
|
||||
buf.WriteByte('|')
|
||||
item.EncodeTo(buf)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *DownloadSet) Decode(encoded string) (err error) {
|
||||
exp, rem, _ := strings.Cut(encoded, "|")
|
||||
|
||||
expUnix, err := strconv.ParseInt(exp, 16, 64)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
s.Expiry = time.Unix(expUnix, 0)
|
||||
|
||||
if rem == "" {
|
||||
s.Items = nil
|
||||
} else {
|
||||
itemStrs := strings.Split(rem, "|")
|
||||
s.Items = make([]DownloadSetItem, len(itemStrs))
|
||||
for i, itemStr := range itemStrs {
|
||||
s.Items[i].Decode(itemStr)
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (s DownloadSet) Signed(privKey ed25519.PrivateKey) string {
|
||||
buf := new(bytes.Buffer)
|
||||
{
|
||||
setBytes := []byte(s.Encode())
|
||||
|
||||
w := lz4.NewWriter(buf)
|
||||
w.Write(setBytes)
|
||||
w.Close()
|
||||
}
|
||||
|
||||
setBytes := buf.Bytes()
|
||||
sig := ed25519.Sign(privKey, setBytes)
|
||||
|
||||
buf = bytes.NewBuffer(make([]byte, 0, 1+len(sig)+len(setBytes)))
|
||||
buf.WriteByte(byte(len(sig)))
|
||||
buf.Write(sig)
|
||||
buf.Write(setBytes)
|
||||
|
||||
enc := base32.StdEncoding.WithPadding(base32.NoPadding)
|
||||
return enc.EncodeToString(buf.Bytes())
|
||||
}
|
||||
|
||||
type DownloadSetItem struct {
|
||||
Kind string
|
||||
Name string
|
||||
Assets []string
|
||||
}
|
||||
|
||||
func (i DownloadSetItem) EncodeTo(buf *strings.Builder) {
|
||||
kind := i.Kind
|
||||
switch kind {
|
||||
case "host":
|
||||
kind = "h"
|
||||
case "cluster":
|
||||
kind = "c"
|
||||
}
|
||||
|
||||
buf.WriteString(kind)
|
||||
buf.WriteByte(':')
|
||||
buf.WriteString(i.Name)
|
||||
|
||||
for _, asset := range i.Assets {
|
||||
buf.WriteByte(':')
|
||||
buf.WriteString(asset)
|
||||
}
|
||||
}
|
||||
|
||||
func (i *DownloadSetItem) Decode(encoded string) {
|
||||
rem := encoded
|
||||
i.Kind, rem, _ = strings.Cut(rem, ":")
|
||||
|
||||
switch i.Kind {
|
||||
case "h":
|
||||
i.Kind = "host"
|
||||
case "c":
|
||||
i.Kind = "cluster"
|
||||
}
|
||||
|
||||
i.Name, rem, _ = strings.Cut(rem, ":")
|
||||
|
||||
if rem == "" {
|
||||
i.Assets = nil
|
||||
} else {
|
||||
i.Assets = strings.Split(rem, ":")
|
||||
}
|
||||
}
|
||||
|
||||
type DownloadSetReq struct {
|
||||
Expiry string
|
||||
Items []DownloadSetItem
|
||||
}
|
||||
|
||||
func wsSignDownloadSet(req *restful.Request, resp *restful.Response) {
|
||||
setReq := DownloadSetReq{}
|
||||
if err := req.ReadEntity(&setReq); err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
exp, err := parseCertDuration(setReq.Expiry, time.Now())
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
set := DownloadSet{
|
||||
Expiry: exp,
|
||||
Items: setReq.Items,
|
||||
}
|
||||
|
||||
privKey, _ := dlsSigningKeys()
|
||||
resp.WriteEntity(set.Signed(privKey))
|
||||
}
|
||||
|
||||
func getDlSet(req *restful.Request) (*DownloadSet, *httperr.Error) {
|
||||
setStr := req.QueryParameter("set")
|
||||
|
||||
setBytes, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(setStr)
|
||||
if err != nil {
|
||||
err := httperr.BadRequest("invalid set")
|
||||
return nil, &err
|
||||
}
|
||||
|
||||
if len(setBytes) == 0 {
|
||||
err := httperr.BadRequest("invalid set")
|
||||
return nil, &err
|
||||
}
|
||||
|
||||
sigLen := int(setBytes[0])
|
||||
setBytes = setBytes[1:]
|
||||
|
||||
if len(setBytes) < sigLen {
|
||||
err := httperr.BadRequest("invalid set")
|
||||
return nil, &err
|
||||
}
|
||||
|
||||
sig := setBytes[:sigLen]
|
||||
setBytes = setBytes[sigLen:]
|
||||
|
||||
_, pubkey := dlsSigningKeys()
|
||||
if !ed25519.Verify(pubkey, setBytes, sig) {
|
||||
err := httperr.BadRequest("invalid signature")
|
||||
return nil, &err
|
||||
}
|
||||
|
||||
setBytes, err = io.ReadAll(lz4.NewReader(bytes.NewBuffer(setBytes)))
|
||||
if err != nil {
|
||||
err := httperr.BadRequest("invalid data")
|
||||
return nil, &err
|
||||
}
|
||||
|
||||
fmt.Println(string(setBytes))
|
||||
|
||||
set := DownloadSet{}
|
||||
if err := set.Decode(string(setBytes)); err != nil {
|
||||
err := httperr.BadRequest("invalid set: " + err.Error())
|
||||
return nil, &err
|
||||
}
|
||||
|
||||
if time.Now().After(set.Expiry) {
|
||||
err := httperr.BadRequest("set expired")
|
||||
return nil, &err
|
||||
}
|
||||
|
||||
return &set, nil
|
||||
}
|
||||
|
||||
func wsDownloadSetAsset(req *restful.Request, resp *restful.Response) {
|
||||
set, err := getDlSet(req)
|
||||
if err != nil {
|
||||
wsError(resp, *err)
|
||||
return
|
||||
}
|
||||
|
||||
kind := req.PathParameter("kind")
|
||||
name := req.PathParameter("name")
|
||||
asset := req.PathParameter("asset")
|
||||
|
||||
if !set.Contains(kind, name, asset) {
|
||||
wsNotFound(resp)
|
||||
return
|
||||
}
|
||||
|
||||
downloadAsset(req, resp, kind, name, asset)
|
||||
}
|
||||
|
||||
func wsDownloadSet(req *restful.Request, resp *restful.Response) {
|
||||
setStr := req.QueryParameter("set")
|
||||
set, err := getDlSet(req)
|
||||
if err != nil {
|
||||
resp.WriteHeader(err.Status)
|
||||
resp.Write([]byte(htmlHeader(err.Error())))
|
||||
resp.Write([]byte(htmlFooter))
|
||||
return
|
||||
}
|
||||
|
||||
buf := new(bytes.Buffer)
|
||||
buf.WriteString(htmlHeader("Download set"))
|
||||
|
||||
cfg, err2 := readConfig()
|
||||
if err2 != nil {
|
||||
wsError(resp, err2)
|
||||
return
|
||||
}
|
||||
|
||||
for _, item := range set.Items {
|
||||
names := make([]string, 0)
|
||||
section := ""
|
||||
switch item.Kind {
|
||||
case "cluster":
|
||||
section = "Cluster"
|
||||
for _, c := range cfg.Clusters {
|
||||
if globMatch(item.Name, c.Name) {
|
||||
names = append(names, c.Name)
|
||||
}
|
||||
}
|
||||
case "host":
|
||||
section = "Host"
|
||||
for _, h := range cfg.Hosts {
|
||||
if globMatch(item.Name, h.Name) {
|
||||
names = append(names, h.Name)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
for _, name := range names {
|
||||
buf.WriteString("<p>")
|
||||
fmt.Fprintf(buf, "<strong>%s %s:</strong>", section, name)
|
||||
buf.WriteString(" <span class=\"download-links\">")
|
||||
for _, asset := range item.Assets {
|
||||
for _, v := range hostAssetVariants(asset) {
|
||||
url := fmt.Sprintf("/public/download-set/%s/%s/%s", item.Kind, name, v.url)
|
||||
if strings.Contains(url, "?") {
|
||||
url += "&"
|
||||
} else {
|
||||
url += "?"
|
||||
}
|
||||
url += "set=" + setStr
|
||||
fmt.Fprintf(buf, " <a href=\"%s\" download>%s</a>\n", url, v.name)
|
||||
}
|
||||
}
|
||||
buf.WriteString("</span></p>\n")
|
||||
}
|
||||
}
|
||||
|
||||
buf.WriteString(htmlFooter)
|
||||
buf.WriteTo(resp)
|
||||
}
|
||||
@@ -0,0 +1,203 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/rand"
|
||||
"encoding/base32"
|
||||
"fmt"
|
||||
"log"
|
||||
"net/http"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
restful "github.com/emicklei/go-restful"
|
||||
"m.cluseau.fr/go/cow"
|
||||
)
|
||||
|
||||
type DownloadSpec struct {
|
||||
Kind string
|
||||
Name string
|
||||
Assets []string
|
||||
|
||||
createdAt time.Time
|
||||
}
|
||||
|
||||
func wsAuthorizeDownload(req *restful.Request, resp *restful.Response) {
|
||||
var spec DownloadSpec
|
||||
|
||||
if err := req.ReadEntity(&spec); err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
if spec.Kind == "" || spec.Name == "" || len(spec.Assets) == 0 {
|
||||
resp.WriteErrorString(http.StatusBadRequest, "missing data")
|
||||
return
|
||||
}
|
||||
|
||||
randBytes := make([]byte, 32)
|
||||
_, err := rand.Read(randBytes)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
token := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(randBytes)
|
||||
|
||||
spec.createdAt = time.Now()
|
||||
|
||||
wState.Change(func(v *State) {
|
||||
cow.MapSet(&v.Downloads, token, spec)
|
||||
})
|
||||
|
||||
log.Printf("download token created for %s %q, assets %q", spec.Kind, spec.Name, spec.Assets)
|
||||
|
||||
resp.WriteAsJson(token)
|
||||
}
|
||||
|
||||
func wsDownloadAsset(req *restful.Request, resp *restful.Response) {
|
||||
token := req.PathParameter("token")
|
||||
asset := req.PathParameter("asset")
|
||||
|
||||
if token == "" || asset == "" {
|
||||
wsNotFound(resp)
|
||||
return
|
||||
}
|
||||
|
||||
var spec DownloadSpec
|
||||
found := false
|
||||
wState.Change(func(v *State) {
|
||||
var ok bool
|
||||
spec, ok = v.Downloads[token]
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
|
||||
newAssets := make([]string, 0, len(spec.Assets))
|
||||
for _, a := range spec.Assets {
|
||||
if a == asset {
|
||||
found = true
|
||||
} else {
|
||||
newAssets = append(newAssets, a)
|
||||
}
|
||||
}
|
||||
|
||||
if !found {
|
||||
wsNotFound(resp)
|
||||
return
|
||||
}
|
||||
|
||||
cow.Map(&v.Downloads)
|
||||
|
||||
if len(newAssets) == 0 {
|
||||
delete(v.Downloads, token)
|
||||
} else {
|
||||
spec.Assets = newAssets
|
||||
v.Downloads[token] = spec
|
||||
}
|
||||
})
|
||||
|
||||
if !found {
|
||||
wsNotFound(resp)
|
||||
return
|
||||
}
|
||||
|
||||
log.Printf("download via token: %s %q asset %q", spec.Kind, spec.Name, asset)
|
||||
|
||||
downloadAsset(req, resp, spec.Kind, spec.Name, asset)
|
||||
}
|
||||
|
||||
func downloadAsset(req *restful.Request, resp *restful.Response, kind, name, asset string) {
|
||||
cfg, err := readConfig()
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
setHeader := func(ext string) {
|
||||
resp.AddHeader("Content-Disposition", "attachment; filename="+strconv.Quote(kind+"_"+name+"_"+asset+ext))
|
||||
}
|
||||
|
||||
switch kind {
|
||||
case "cluster":
|
||||
cluster := cfg.ClusterByName(name)
|
||||
if cluster == nil {
|
||||
wsNotFound(resp)
|
||||
return
|
||||
}
|
||||
|
||||
switch asset {
|
||||
case "addons":
|
||||
setHeader(".yaml")
|
||||
resp.Write([]byte(cluster.Addons))
|
||||
|
||||
default:
|
||||
wsNotFound(resp)
|
||||
}
|
||||
|
||||
case "host":
|
||||
host := hostOrTemplate(cfg, name)
|
||||
if host == nil {
|
||||
wsNotFound(resp)
|
||||
return
|
||||
}
|
||||
|
||||
switch asset {
|
||||
case "config", "bootstrap-config":
|
||||
setHeader(".yaml")
|
||||
default:
|
||||
setHeader("")
|
||||
}
|
||||
|
||||
renderHost(resp.ResponseWriter, req.Request, asset, host, cfg)
|
||||
|
||||
default:
|
||||
wsNotFound(resp)
|
||||
}
|
||||
}
|
||||
|
||||
func wsDownload(req *restful.Request, resp *restful.Response) {
|
||||
if strings.HasSuffix(req.Request.URL.Path, "/") {
|
||||
wsDownloadPage(req, resp)
|
||||
return
|
||||
}
|
||||
|
||||
token := req.PathParameter("token")
|
||||
|
||||
spec, ok := wState.Get().Downloads[token]
|
||||
if !ok {
|
||||
wsNotFound(resp)
|
||||
return
|
||||
}
|
||||
|
||||
resp.WriteEntity(spec)
|
||||
}
|
||||
|
||||
func wsDownloadPage(req *restful.Request, resp *restful.Response) {
|
||||
token := req.PathParameter("token")
|
||||
|
||||
spec, ok := wState.Get().Downloads[token]
|
||||
if !ok {
|
||||
resp.WriteHeader(http.StatusNotFound)
|
||||
resp.Write([]byte(htmlHeader("Token not found")))
|
||||
resp.Write([]byte(htmlFooter))
|
||||
return
|
||||
}
|
||||
|
||||
buf := new(bytes.Buffer)
|
||||
buf.WriteString(htmlHeader(fmt.Sprintf("Token assets: %s %s", spec.Kind, spec.Name)))
|
||||
|
||||
buf.WriteString("<table class=\"download-table\">")
|
||||
for _, asset := range spec.Assets {
|
||||
buf.WriteString("<tr>")
|
||||
for _, v := range hostAssetVariants(asset) {
|
||||
fmt.Fprintf(buf, "<td><a href=\"%s\" download>%s</a></td>", v.url, v.name)
|
||||
}
|
||||
buf.WriteString("</tr>\n")
|
||||
}
|
||||
buf.WriteString("</table>")
|
||||
|
||||
buf.WriteString(htmlFooter)
|
||||
buf.WriteTo(resp)
|
||||
}
|
||||
+195
-47
@@ -1,32 +1,66 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"flag"
|
||||
"bytes"
|
||||
"io"
|
||||
"log"
|
||||
"net/http"
|
||||
"path"
|
||||
"strings"
|
||||
|
||||
restful "github.com/emicklei/go-restful"
|
||||
|
||||
"novit.nc/direktil/local-server/pkg/mime"
|
||||
"novit.nc/direktil/pkg/localconfig"
|
||||
"novit.tech/direktil/pkg/localconfig"
|
||||
|
||||
"novit.tech/direktil/local-server/pkg/mime"
|
||||
)
|
||||
|
||||
var trustXFF = flag.Bool("trust-xff", true, "Trust the X-Forwarded-For header")
|
||||
var sshKeyTypes = []string{"rsa", "ecdsa", "ed25519"}
|
||||
|
||||
type wsHost struct {
|
||||
prefix string
|
||||
hostDoc string
|
||||
getHost func(req *restful.Request) string
|
||||
type AssetVariant struct {
|
||||
name string
|
||||
url string
|
||||
}
|
||||
|
||||
func (ws *wsHost) register(rws *restful.WebService, alterRB func(*restful.RouteBuilder)) {
|
||||
func hostAssetVariants(asset string) []AssetVariant {
|
||||
switch asset {
|
||||
case "uki":
|
||||
return []AssetVariant{
|
||||
{asset, asset},
|
||||
{asset + " (serial)", asset + "?serial=0"},
|
||||
}
|
||||
case "boot.img",
|
||||
"boot.img.gz",
|
||||
"boot.qcow2",
|
||||
"boot.qed",
|
||||
"boot.vdi",
|
||||
"boot.vmdk",
|
||||
"boot.vpc",
|
||||
"boot.iso",
|
||||
"boot.tar":
|
||||
return []AssetVariant{
|
||||
{asset, asset},
|
||||
{asset + " (UKI)", asset + "?uki"},
|
||||
{asset + " (UKI+serial)", asset + "?uki&serial=0"},
|
||||
}
|
||||
default:
|
||||
return []AssetVariant{{asset, asset}}
|
||||
}
|
||||
}
|
||||
|
||||
type wsHost struct {
|
||||
hostDoc string
|
||||
getHost func(req *restful.Request) (hostName string, err error)
|
||||
}
|
||||
|
||||
func (ws wsHost) register(rws *restful.WebService, alterRB func(*restful.RouteBuilder)) {
|
||||
b := func(what string) *restful.RouteBuilder {
|
||||
return rws.GET(ws.prefix + "/" + what).To(ws.render)
|
||||
return rws.GET("/" + what).To(ws.render)
|
||||
}
|
||||
|
||||
for _, rb := range []*restful.RouteBuilder{
|
||||
rws.GET(ws.prefix).To(ws.get).
|
||||
rws.GET("").To(ws.get).
|
||||
Produces(mime.JSON).
|
||||
Doc("Get the "+ws.hostDoc+"'s details").
|
||||
Returns(200, "OK", localconfig.Host{}),
|
||||
|
||||
@@ -43,18 +77,32 @@ func (ws *wsHost) register(rws *restful.WebService, alterRB func(*restful.RouteB
|
||||
Produces(mime.DISK).
|
||||
Doc("Get the " + ws.hostDoc + "'s boot disk image"),
|
||||
|
||||
// - raw + compressed
|
||||
b("boot.img.gz").
|
||||
Produces(mime.DISK + "+gzip").
|
||||
Doc("Get the " + ws.hostDoc + "'s boot disk image (gzip compressed)"),
|
||||
Doc("Get the " + ws.hostDoc + "'s boot disk image, gzip compressed"),
|
||||
|
||||
b("boot.img.lz4").
|
||||
Produces(mime.DISK + "+lz4").
|
||||
Doc("Get the " + ws.hostDoc + "'s boot disk image (lz4 compressed)"),
|
||||
// - other formats
|
||||
b("boot.qcow2").
|
||||
Produces(mime.DISK + "+qcow2").
|
||||
Doc("Get the " + ws.hostDoc + "'s boot disk image, QCOW2 (KVM, Xen)"),
|
||||
b("boot.qed").
|
||||
Produces(mime.DISK + "+qed").
|
||||
Doc("Get the " + ws.hostDoc + "'s boot disk image, QED (KVM)"),
|
||||
b("boot.vdi").
|
||||
Produces(mime.DISK + "+vdi").
|
||||
Doc("Get the " + ws.hostDoc + "'s boot disk image, VDI (VirtualBox)"),
|
||||
b("boot.vpc").
|
||||
Produces(mime.DISK + "+vpc").
|
||||
Doc("Get the " + ws.hostDoc + "'s boot disk image, VHD (Hyper-V)"),
|
||||
b("boot.vmdk").
|
||||
Produces(mime.DISK + "+vmdk").
|
||||
Doc("Get the " + ws.hostDoc + "'s boot disk image, VMDK (VMware)"),
|
||||
|
||||
// metal/local HDD upgrades
|
||||
b("boot.tar").
|
||||
Produces(mime.TAR).
|
||||
Doc("Get the " + ws.hostDoc + "'s /boot archive (ie: for metal upgrades)"),
|
||||
Doc("Get the " + ws.hostDoc + "'s /boot archive"),
|
||||
|
||||
// read-only ISO support
|
||||
b("boot.iso").
|
||||
@@ -67,42 +115,64 @@ func (ws *wsHost) register(rws *restful.WebService, alterRB func(*restful.RouteB
|
||||
Produces(mime.IPXE).
|
||||
Doc("Get the " + ws.hostDoc + "'s IPXE code (for netboot)"),
|
||||
|
||||
// boot support
|
||||
b("kernel").
|
||||
Produces(mime.OCTET).
|
||||
Doc("Get the " + ws.hostDoc + "'s kernel (ie: for netboot)"),
|
||||
|
||||
b("initrd").
|
||||
Produces(mime.OCTET).
|
||||
Doc("Get the " + ws.hostDoc + "'s initial RAM disk (ie: for netboot)"),
|
||||
b("uki").
|
||||
Produces(mime.OCTET).
|
||||
Doc("Get the " + ws.hostDoc + "'s Unified Kernel Image"),
|
||||
|
||||
// - bootstrap config
|
||||
b("bootstrap-config").
|
||||
Produces(mime.YAML).
|
||||
Doc("Get the " + ws.hostDoc + "'s bootstrap configuration"),
|
||||
b("bootstrap-config.json").
|
||||
Doc("Get the " + ws.hostDoc + "'s bootstrap configuration (as JSON)"),
|
||||
// - bootstrap
|
||||
b("bootstrap.tar").
|
||||
Produces(mime.TAR).
|
||||
Doc("Get the " + ws.hostDoc + "'s bootstrap seed archive"),
|
||||
|
||||
// ssh
|
||||
b("ssh.pub").Produces("text/plain").Doc("Get the " + ws.hostDoc + "'s ssh public keys"),
|
||||
b("known_hosts").Produces("text/plain").Doc("Get the " + ws.hostDoc + "'s ssh known_hosts fragment"),
|
||||
} {
|
||||
alterRB(rb)
|
||||
rws.Route(rb)
|
||||
}
|
||||
}
|
||||
|
||||
func (ws *wsHost) host(req *restful.Request, resp *restful.Response) (host *localconfig.Host, cfg *localconfig.Config) {
|
||||
hostname := ws.getHost(req)
|
||||
func (ws wsHost) host(req *restful.Request, resp *restful.Response) (host *localconfig.Host, cfg *localconfig.Config) {
|
||||
hostname, err := ws.getHost(req)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
if hostname == "" {
|
||||
wsNotFound(req, resp)
|
||||
wsNotFound(resp)
|
||||
return
|
||||
}
|
||||
|
||||
cfg, err := readConfig()
|
||||
cfg, err = readConfig()
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
host = cfg.Host(hostname)
|
||||
host = hostOrTemplate(cfg, hostname)
|
||||
if host == nil {
|
||||
log.Print("no host named ", hostname)
|
||||
wsNotFound(req, resp)
|
||||
wsNotFound(resp)
|
||||
return
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (ws *wsHost) get(req *restful.Request, resp *restful.Response) {
|
||||
func (ws wsHost) get(req *restful.Request, resp *restful.Response) {
|
||||
host, _ := ws.host(req, resp)
|
||||
if host == nil {
|
||||
return
|
||||
@@ -111,7 +181,7 @@ func (ws *wsHost) get(req *restful.Request, resp *restful.Response) {
|
||||
resp.WriteEntity(host)
|
||||
}
|
||||
|
||||
func (ws *wsHost) render(req *restful.Request, resp *restful.Response) {
|
||||
func (ws wsHost) render(req *restful.Request, resp *restful.Response) {
|
||||
host, cfg := ws.host(req, resp)
|
||||
if host == nil {
|
||||
return
|
||||
@@ -130,36 +200,71 @@ func renderHost(w http.ResponseWriter, r *http.Request, what string, host *local
|
||||
return
|
||||
}
|
||||
|
||||
cmdline := r.FormValue("cmdline")
|
||||
|
||||
if s := r.FormValue("serial"); s != "" {
|
||||
if cmdline != "" {
|
||||
cmdline += " "
|
||||
}
|
||||
cmdline += "console=tty0 console=ttyS" + s + ",115200"
|
||||
}
|
||||
|
||||
_, uki := r.Form["uki"]
|
||||
|
||||
withUki := func(callback func(out io.Writer, ctx *renderContext, uki bool, cmdline string) (err error)) func(io.Writer, *renderContext) error {
|
||||
return func(out io.Writer, ctx *renderContext) error {
|
||||
return callback(out, ctx, uki, cmdline)
|
||||
}
|
||||
}
|
||||
|
||||
switch what {
|
||||
case "kernel":
|
||||
err = renderKernel(w, r, ctx)
|
||||
case "initrd":
|
||||
err = renderCtx(w, r, ctx, what, buildInitrd)
|
||||
case "uki":
|
||||
uki = true
|
||||
err = renderCtx(w, r, ctx, what, withUki(buildUki))
|
||||
|
||||
case "bootstrap.tar":
|
||||
err = renderCtx(w, r, ctx, what, buildBootstrap)
|
||||
|
||||
case "boot.img":
|
||||
err = renderCtx(w, r, ctx, what, withUki(buildBootImg))
|
||||
case "boot.img.gz":
|
||||
err = renderCtx(w, r, ctx, what, withUki(buildBootImgGZ))
|
||||
case "boot.qcow2":
|
||||
err = renderCtx(w, r, ctx, what, qemuImgBootImg("qcow2", uki, cmdline))
|
||||
case "boot.qed":
|
||||
err = renderCtx(w, r, ctx, what, qemuImgBootImg("qed", uki, cmdline))
|
||||
case "boot.vdi":
|
||||
err = renderCtx(w, r, ctx, what, qemuImgBootImg("vdi", uki, cmdline))
|
||||
case "boot.vmdk":
|
||||
err = renderCtx(w, r, ctx, what, qemuImgBootImg("vmdk", uki, cmdline))
|
||||
case "boot.vpc":
|
||||
err = renderCtx(w, r, ctx, what, qemuImgBootImg("vpc", uki, cmdline))
|
||||
case "boot.iso":
|
||||
err = renderCtx(w, r, ctx, what, buildBootISO)
|
||||
|
||||
case "boot.tar":
|
||||
err = renderCtx(w, r, ctx, what, withUki(buildBootTar))
|
||||
|
||||
// boot v2
|
||||
case "bootstrap-config":
|
||||
err = renderBootstrapConfig(w, ctx)
|
||||
|
||||
case "config":
|
||||
err = renderConfig(w, r, ctx, false)
|
||||
|
||||
case "config.json":
|
||||
err = renderConfig(w, r, ctx, true)
|
||||
|
||||
case "ipxe":
|
||||
err = renderIPXE(w, ctx)
|
||||
|
||||
case "kernel":
|
||||
err = renderKernel(w, r, ctx)
|
||||
|
||||
case "initrd":
|
||||
err = renderCtx(w, r, ctx, what, buildInitrd)
|
||||
|
||||
case "boot.iso":
|
||||
err = renderCtx(w, r, ctx, what, buildBootISO)
|
||||
|
||||
case "boot.tar":
|
||||
err = renderCtx(w, r, ctx, what, buildBootTar)
|
||||
|
||||
case "boot.img":
|
||||
err = renderCtx(w, r, ctx, what, buildBootImg)
|
||||
|
||||
case "boot.img.gz":
|
||||
err = renderCtx(w, r, ctx, what, buildBootImgGZ)
|
||||
|
||||
case "boot.img.lz4":
|
||||
err = renderCtx(w, r, ctx, what, buildBootImgLZ4)
|
||||
case "ssh.pub":
|
||||
err = renderSshPub(w, ctx)
|
||||
case "known_hosts":
|
||||
err = renderKnownHosts(w, ctx)
|
||||
|
||||
default:
|
||||
http.NotFound(w, r)
|
||||
@@ -170,3 +275,46 @@ func renderHost(w http.ResponseWriter, r *http.Request, what string, host *local
|
||||
http.Error(w, "", http.StatusServiceUnavailable)
|
||||
}
|
||||
}
|
||||
|
||||
func renderSshPub(w http.ResponseWriter, ctx *renderContext) (err error) {
|
||||
buf := new(bytes.Buffer)
|
||||
|
||||
for _, t := range sshKeyTypes {
|
||||
k, err := ctx.sshHostKeyPair(t)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
buf.WriteString(k.Public)
|
||||
}
|
||||
|
||||
_, err = w.Write(buf.Bytes())
|
||||
return
|
||||
}
|
||||
|
||||
func renderKnownHosts(w http.ResponseWriter, ctx *renderContext) (err error) {
|
||||
buf := new(bytes.Buffer)
|
||||
|
||||
names := append([]string{ctx.Host.Name},
|
||||
ctx.Host.IPs...)
|
||||
|
||||
for _, name := range names {
|
||||
for _, t := range sshKeyTypes {
|
||||
k, err := ctx.sshHostKeyPair(t)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
fields := strings.Fields(k.Public)
|
||||
|
||||
buf.WriteString(name)
|
||||
buf.WriteByte(' ')
|
||||
buf.WriteString(fields[0])
|
||||
buf.WriteByte(' ')
|
||||
buf.WriteString(fields[1])
|
||||
buf.WriteByte('\n')
|
||||
}
|
||||
}
|
||||
|
||||
_, err = w.Write(buf.Bytes())
|
||||
return
|
||||
}
|
||||
|
||||
@@ -0,0 +1,116 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"log"
|
||||
"net/netip"
|
||||
|
||||
"github.com/emicklei/go-restful"
|
||||
|
||||
"novit.tech/direktil/pkg/localconfig"
|
||||
)
|
||||
|
||||
var hostsFromTemplate = KVSecrets[HostFromTemplate]{"hosts-from-template"}
|
||||
|
||||
type HostFromTemplate struct {
|
||||
Template string
|
||||
IP string
|
||||
}
|
||||
|
||||
func (hft HostFromTemplate) ClusterName(cfg *localconfig.Config) string {
|
||||
for _, ht := range cfg.HostTemplates {
|
||||
if ht.Name == hft.Template {
|
||||
return ht.ClusterName
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func hostOrTemplate(cfg *localconfig.Config, name string) (host *localconfig.Host) {
|
||||
host = cfg.Host(name)
|
||||
if host != nil {
|
||||
return
|
||||
}
|
||||
|
||||
hft, found, err := hostsFromTemplate.Get(name)
|
||||
if err != nil {
|
||||
log.Print("failed to read store: ", err)
|
||||
return
|
||||
}
|
||||
|
||||
if !found {
|
||||
log.Print("no host named ", name)
|
||||
return
|
||||
}
|
||||
|
||||
ht := cfg.HostTemplate(hft.Template)
|
||||
if ht == nil {
|
||||
log.Print("host ", name, " found but no template named ", hft.Template)
|
||||
return
|
||||
}
|
||||
|
||||
host = &localconfig.Host{}
|
||||
*host = *ht
|
||||
host.Name = name
|
||||
host.IPs = []string{hft.IP}
|
||||
return
|
||||
}
|
||||
|
||||
func wsHostsFromTemplateList(req *restful.Request, resp *restful.Response) {
|
||||
hostsFromTemplate.WsList(resp, "")
|
||||
}
|
||||
|
||||
func wsHostsFromTemplateSet(req *restful.Request, resp *restful.Response) {
|
||||
name := req.PathParameter("name")
|
||||
|
||||
cfg, err := readConfig()
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
v := HostFromTemplate{}
|
||||
if err := req.ReadEntity(&v); err != nil {
|
||||
wsBadRequest(resp, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
if v.Template == "" {
|
||||
wsBadRequest(resp, "template is required")
|
||||
return
|
||||
}
|
||||
if v.IP == "" {
|
||||
wsBadRequest(resp, "ip is required")
|
||||
return
|
||||
}
|
||||
if _, err := netip.ParseAddr(v.IP); err != nil {
|
||||
wsBadRequest(resp, "bad IP: "+err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
found := false
|
||||
for _, ht := range cfg.HostTemplates {
|
||||
if ht.Name != v.Template {
|
||||
continue
|
||||
}
|
||||
found = true
|
||||
break
|
||||
}
|
||||
|
||||
if !found {
|
||||
wsBadRequest(resp, "no host template with this name")
|
||||
return
|
||||
}
|
||||
|
||||
if err := hostsFromTemplate.Put(name, v); err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
updateState()
|
||||
}
|
||||
|
||||
func wsHostsFromTemplateDelete(req *restful.Request, resp *restful.Response) {
|
||||
name := req.PathParameter("name")
|
||||
hostsFromTemplate.WsDel(req, resp, name)
|
||||
updateState()
|
||||
}
|
||||
@@ -0,0 +1,195 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"archive/tar"
|
||||
"bytes"
|
||||
"io"
|
||||
"io/fs"
|
||||
"log"
|
||||
"net/http"
|
||||
"os"
|
||||
"path/filepath"
|
||||
|
||||
restful "github.com/emicklei/go-restful"
|
||||
"m.cluseau.fr/go/httperr"
|
||||
"novit.tech/direktil/local-server/secretstore"
|
||||
)
|
||||
|
||||
type NamedPassphrase struct {
|
||||
Name string
|
||||
Passphrase []byte
|
||||
}
|
||||
|
||||
func wsUnlockStore(req *restful.Request, resp *restful.Response) {
|
||||
np := NamedPassphrase{}
|
||||
err := req.ReadEntity(&np)
|
||||
if err != nil {
|
||||
resp.WriteError(http.StatusBadRequest, err)
|
||||
return
|
||||
}
|
||||
|
||||
defer secretstore.Memzero(np.Passphrase)
|
||||
|
||||
if secStore.IsNew() {
|
||||
if len(np.Name) == 0 {
|
||||
wsBadRequest(resp, "no name given")
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
if len(np.Passphrase) == 0 {
|
||||
wsBadRequest(resp, "no passphrase given")
|
||||
return
|
||||
}
|
||||
|
||||
if secStore.Unlocked() {
|
||||
if secStore.HasKey(np.Passphrase) {
|
||||
resp.WriteEntity(adminToken)
|
||||
} else {
|
||||
wsError(resp, ErrUnauthorized)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
if err := unlockSecretStore(np.Name, np.Passphrase); err.Any() {
|
||||
err.WriteJSON(resp.ResponseWriter)
|
||||
return
|
||||
}
|
||||
|
||||
resp.WriteEntity(adminToken)
|
||||
}
|
||||
|
||||
func wsStoreDownload(req *restful.Request, resp *restful.Response) {
|
||||
token := req.QueryParameter("token")
|
||||
if token != wState.Get().Store.DownloadToken {
|
||||
wsError(resp, ErrInvalidToken)
|
||||
return
|
||||
}
|
||||
|
||||
buf := new(bytes.Buffer)
|
||||
arch := tar.NewWriter(buf)
|
||||
|
||||
root := os.DirFS(secStoreRoot())
|
||||
|
||||
err := fs.WalkDir(root, ".", func(path string, d fs.DirEntry, readErr error) (err error) {
|
||||
if readErr != nil {
|
||||
err = readErr
|
||||
return
|
||||
}
|
||||
|
||||
if path == "." {
|
||||
return
|
||||
}
|
||||
|
||||
fi, err := d.Info()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
hdr, err := tar.FileInfoHeader(fi, "")
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
hdr.Name = path
|
||||
hdr.Uid = 0
|
||||
hdr.Gid = 0
|
||||
|
||||
err = arch.WriteHeader(hdr)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
if fi.IsDir() {
|
||||
return
|
||||
}
|
||||
|
||||
f, err := root.Open(path)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
defer f.Close()
|
||||
|
||||
io.Copy(arch, f)
|
||||
|
||||
return
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
err = arch.Close()
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
buf.WriteTo(resp)
|
||||
}
|
||||
|
||||
func wsStoreUpload(req *restful.Request, resp *restful.Response) {
|
||||
if !secStore.IsNew() {
|
||||
wsError(resp, httperr.BadRequest("store is not new"))
|
||||
return
|
||||
}
|
||||
|
||||
buf := new(bytes.Buffer)
|
||||
|
||||
_, err := io.Copy(buf, req.Request.Body)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
arch := tar.NewReader(buf)
|
||||
|
||||
root := secStoreRoot()
|
||||
|
||||
for {
|
||||
hdr, err := arch.Next()
|
||||
if err == io.EOF {
|
||||
err = nil
|
||||
break
|
||||
} else if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
log.Print(hdr.Name)
|
||||
|
||||
fullPath := filepath.Join(root, hdr.Name)
|
||||
|
||||
switch {
|
||||
case hdr.FileInfo().IsDir():
|
||||
err = os.MkdirAll(fullPath, 0700)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
default:
|
||||
content, err := io.ReadAll(io.LimitReader(arch, hdr.Size))
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
err = os.WriteFile(fullPath, content, 0600)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
|
||||
openSecretStore()
|
||||
|
||||
resp.WriteEntity(map[string]any{"ok": true})
|
||||
}
|
||||
@@ -1,44 +0,0 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"os"
|
||||
"path/filepath"
|
||||
|
||||
restful "github.com/emicklei/go-restful"
|
||||
yaml "gopkg.in/yaml.v2"
|
||||
)
|
||||
|
||||
type SSH_ACL struct {
|
||||
Keys []string
|
||||
Clusters []string
|
||||
Groups []string
|
||||
Hosts []string
|
||||
}
|
||||
|
||||
func loadSSH_ACLs() (acls []SSH_ACL, err error) {
|
||||
f, err := os.Open(filepath.Join(*dataDir, "ssh-acls.yaml"))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
defer f.Close()
|
||||
|
||||
err = yaml.NewDecoder(f).Decode(&acls)
|
||||
return
|
||||
}
|
||||
|
||||
func wsSSH_ACL_List(req *restful.Request, resp *restful.Response) {
|
||||
// TODO
|
||||
http.NotFound(resp.ResponseWriter, req.Request)
|
||||
}
|
||||
|
||||
func wsSSH_ACL_Get(req *restful.Request, resp *restful.Response) {
|
||||
// TODO
|
||||
http.NotFound(resp.ResponseWriter, req.Request)
|
||||
}
|
||||
|
||||
func wsSSH_ACL_Set(req *restful.Request, resp *restful.Response) {
|
||||
// TODO
|
||||
http.NotFound(resp.ResponseWriter, req.Request)
|
||||
}
|
||||
@@ -0,0 +1,97 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
restful "github.com/emicklei/go-restful"
|
||||
"novit.tech/direktil/local-server/secretstore"
|
||||
)
|
||||
|
||||
type AddKeyReq struct {
|
||||
NamedPassphrase `json:",inline"`
|
||||
Hash []byte `json:",omitempty"`
|
||||
}
|
||||
|
||||
func wsStoreAddKey(req *restful.Request, resp *restful.Response) {
|
||||
np := AddKeyReq{}
|
||||
|
||||
err := req.ReadEntity(&np)
|
||||
if err != nil {
|
||||
wsBadRequest(resp, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
np.Name = strings.TrimSpace(np.Name)
|
||||
|
||||
if len(np.Name) == 0 {
|
||||
wsBadRequest(resp, "no name given")
|
||||
return
|
||||
}
|
||||
|
||||
if len(np.Hash) == 0 && len(np.Passphrase) == 0 {
|
||||
wsBadRequest(resp, "no hash or passphrase given")
|
||||
return
|
||||
}
|
||||
|
||||
if len(np.Hash) != 0 && len(np.Hash) != 32 {
|
||||
wsBadRequest(resp, "hash of a wrong length")
|
||||
return
|
||||
}
|
||||
|
||||
for _, k := range secStore.Keys {
|
||||
if k.Name == np.Name {
|
||||
wsBadRequest(resp, "there's already a passphrase named "+strconv.Quote(np.Name))
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
if len(np.Hash) != 0 {
|
||||
hash := [32]byte{}
|
||||
copy(hash[:], np.Hash[:32])
|
||||
secStore.AddRawKey(np.Name, hash)
|
||||
} else {
|
||||
secStore.AddKey(np.Name, np.Passphrase)
|
||||
}
|
||||
|
||||
defer updateState()
|
||||
|
||||
err = secStore.SaveTo(secKeysStorePath())
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
func wsStoreDelKey(req *restful.Request, resp *restful.Response) {
|
||||
name := ""
|
||||
|
||||
err := req.ReadEntity(&name)
|
||||
if err != nil {
|
||||
wsBadRequest(resp, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
newKeys := make([]secretstore.KeyEntry, 0, len(secStore.Keys))
|
||||
for _, k := range secStore.Keys {
|
||||
if k.Name == name {
|
||||
continue
|
||||
}
|
||||
|
||||
newKeys = append(newKeys, k)
|
||||
}
|
||||
|
||||
if len(newKeys) == 0 {
|
||||
wsBadRequest(resp, "can't remove the last key from the store")
|
||||
return
|
||||
}
|
||||
|
||||
secStore.Keys = newKeys
|
||||
defer updateState()
|
||||
|
||||
err = secStore.SaveTo(secKeysStorePath())
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
}
|
||||
}
|
||||
+199
-85
@@ -1,131 +1,213 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"log"
|
||||
"net"
|
||||
"net/http"
|
||||
"strings"
|
||||
"text/template"
|
||||
|
||||
cfsslconfig "github.com/cloudflare/cfssl/config"
|
||||
"github.com/emicklei/go-restful"
|
||||
"gopkg.in/yaml.v2"
|
||||
"m.cluseau.fr/go/httperr"
|
||||
|
||||
"novit.nc/direktil/local-server/pkg/mime"
|
||||
"novit.nc/direktil/pkg/localconfig"
|
||||
"novit.tech/direktil/pkg/localconfig"
|
||||
|
||||
"novit.tech/direktil/local-server/pkg/mime"
|
||||
)
|
||||
|
||||
func registerWS(rest *restful.Container) {
|
||||
// Admin-level APIs
|
||||
// public-level APIs
|
||||
{
|
||||
ws := &restful.WebService{}
|
||||
ws.Filter(adminAuth).
|
||||
HeaderParameter("Authorization", "Admin bearer token")
|
||||
ws.
|
||||
Path("/public").
|
||||
Produces(mime.JSON).
|
||||
Consumes(mime.JSON).
|
||||
Route(ws.POST("/unlock-store").To(wsUnlockStore).
|
||||
Reads(NamedPassphrase{}).
|
||||
Writes("").
|
||||
Doc("Try to unlock the store")).
|
||||
Route(ws.GET("/store.tar").To(wsStoreDownload).
|
||||
Produces(mime.TAR).
|
||||
Param(ws.QueryParameter("token", "the download token")).
|
||||
Doc("Fetch the encrypted store")).
|
||||
Route(ws.POST("/store.tar").To(wsStoreUpload).
|
||||
Consumes(mime.TAR).
|
||||
Doc("Upload an existing store")).
|
||||
Route(ws.GET("/downloads/{token}").To(wsDownload)).
|
||||
Route(ws.GET("/downloads/{token}/{asset}").To(wsDownloadAsset).
|
||||
Param(ws.PathParameter("token", "the download token")).
|
||||
Param(ws.PathParameter("asset", "the requested asset")).
|
||||
Doc("Fetch an asset via a download token")).
|
||||
Route(ws.GET("/download-set").To(wsDownloadSet)).
|
||||
Route(ws.GET("/download-set/{kind}/{name}/{asset}").To(wsDownloadSetAsset))
|
||||
|
||||
rest.Add(ws)
|
||||
}
|
||||
|
||||
// Admin-level APIs
|
||||
ws := (&restful.WebService{}).
|
||||
Filter(requireSecStore).
|
||||
Filter(adminAuth).
|
||||
Param(restful.HeaderParameter("Authorization", "Admin bearer token").Required(true)).
|
||||
Produces(mime.JSON)
|
||||
|
||||
// - store management
|
||||
ws.Route(ws.POST("/store/add-key").To(wsStoreAddKey).
|
||||
Consumes(mime.JSON).Reads(NamedPassphrase{}).
|
||||
Doc("Add an unlock key to the store"))
|
||||
ws.Route(ws.POST("/store/delete-key").To(wsStoreDelKey).
|
||||
Consumes(mime.JSON).Reads("").
|
||||
Doc("Remove an unlock key to the store (by its name)"))
|
||||
|
||||
// - downloads
|
||||
ws.Route(ws.POST("/authorize-download").To(wsAuthorizeDownload).
|
||||
Consumes(mime.JSON).Reads(DownloadSpec{}).
|
||||
Produces(mime.JSON).
|
||||
Doc("Create a download token for the given download"))
|
||||
ws.Route(ws.POST("/sign-download-set").To(wsSignDownloadSet).
|
||||
Consumes(mime.JSON).Reads(DownloadSetReq{}).
|
||||
Produces(mime.JSON).
|
||||
Doc("Sign a download set"))
|
||||
|
||||
// - configs API
|
||||
ws.Route(ws.POST("/configs").To(wsUploadConfig).
|
||||
Consumes(mime.YAML, mime.JSON).Param(ws.BodyParameter("config", "The new full configuration")).
|
||||
Produces(mime.JSON).Writes(true).
|
||||
Doc("Upload a new current configuration, archiving the previous one"))
|
||||
|
||||
// - clusters API
|
||||
ws.Route(ws.GET("/clusters").To(wsListClusters).
|
||||
Doc("List clusters"))
|
||||
|
||||
ws.Route(ws.GET("/clusters/{cluster-name}").To(wsCluster).
|
||||
Doc("Get cluster details"))
|
||||
ws.Route(ws.GET("/hosts-from-template").To(wsHostsFromTemplateList).
|
||||
Doc("List host template instances"))
|
||||
ws.Route(ws.POST("/hosts-from-template/{name}").To(wsHostsFromTemplateSet).
|
||||
Reads(HostFromTemplate{}).
|
||||
Doc("Create or update a host template instance"))
|
||||
ws.Route(ws.DELETE("/hosts-from-template/{name}").To(wsHostsFromTemplateDelete).
|
||||
Reads(HostFromTemplate{}).
|
||||
Doc("Delete a host template instance"))
|
||||
|
||||
ws.Route(ws.GET("/clusters/{cluster-name}/addons").To(wsClusterAddons).
|
||||
const (
|
||||
GET = http.MethodGet
|
||||
PUT = http.MethodPut
|
||||
POST = http.MethodPost
|
||||
)
|
||||
|
||||
cluster := func(method, subPath string) *restful.RouteBuilder {
|
||||
return ws.Method(method).Path("/clusters/{cluster-name}" + subPath).
|
||||
Param(ws.PathParameter("cluster-name", "name of the cluster"))
|
||||
}
|
||||
|
||||
for _, builder := range []*restful.RouteBuilder{
|
||||
cluster(GET, "").To(wsCluster).
|
||||
Doc("Get cluster details"),
|
||||
|
||||
cluster(GET, "/addons").To(wsClusterAddons).
|
||||
Produces(mime.YAML).
|
||||
Doc("Get cluster addons").
|
||||
Returns(http.StatusOK, "OK", nil).
|
||||
Returns(http.StatusNotFound, "The cluster does not exists or does not have addons defined", nil))
|
||||
Returns(http.StatusNotFound, "The cluster does not exists or does not have addons defined", nil),
|
||||
|
||||
ws.Route(ws.GET("/clusters/{cluster-name}/bootstrap-pods").To(wsClusterBootstrapPods).
|
||||
Produces(mime.YAML).
|
||||
Doc("Get cluster bootstrap pods YAML definitions").
|
||||
Returns(http.StatusOK, "OK", nil).
|
||||
Returns(http.StatusNotFound, "The cluster does not exists or does not have bootstrap pods defined", nil))
|
||||
cluster(GET, "/tokens").To(wsClusterTokens).
|
||||
Doc("List cluster's tokens"),
|
||||
cluster(GET, "/tokens/{token-name}").To(wsClusterToken).
|
||||
Doc("Get cluster's token"),
|
||||
|
||||
ws.Route(ws.GET("/clusters/{cluster-name}/passwords").To(wsClusterPasswords).
|
||||
Doc("List cluster's passwords"))
|
||||
ws.Route(ws.GET("/clusters/{cluster-name}/passwords/{password-name}").To(wsClusterPassword).
|
||||
Doc("Get cluster's password"))
|
||||
ws.Route(ws.PUT("/clusters/{cluster-name}/passwords/{password-name}").To(wsClusterSetPassword).
|
||||
Doc("Set cluster's password"))
|
||||
cluster(GET, "/passwords").To(wsClusterPasswords).
|
||||
Doc("List cluster's passwords"),
|
||||
cluster(GET, "/passwords/{password-name}").To(wsClusterPassword).
|
||||
Doc("Get cluster's password"),
|
||||
cluster(PUT, "/passwords/{password-name}").To(wsClusterSetPassword).
|
||||
Doc("Set cluster's password"),
|
||||
|
||||
ws.Route(ws.GET("/clusters/{cluster-name}/ca").To(wsClusterCAs).
|
||||
Doc("Get cluster CAs"))
|
||||
ws.Route(ws.GET("/clusters/{cluster-name}/ca/{ca-name}/certificate").To(wsClusterCACert).
|
||||
cluster(GET, "/CAs").To(wsClusterCAs).
|
||||
Doc("Get cluster CAs"),
|
||||
cluster(GET, "/CAs/{ca-name}/certificate").To(wsClusterCACert).
|
||||
Produces(mime.CACERT).
|
||||
Doc("Get cluster CA's certificate"))
|
||||
ws.Route(ws.GET("/clusters/{cluster-name}/ca/{ca-name}/signed").To(wsClusterSignedCert).
|
||||
Doc("Get cluster CA's certificate"),
|
||||
cluster(GET, "/CAs/{ca-name}/signed").To(wsClusterSignedCert).
|
||||
Produces(mime.CERT).
|
||||
Param(ws.QueryParameter("name", "signed reference name").Required(true)).
|
||||
Doc("Get cluster's certificate signed by the CA"))
|
||||
Doc("Get cluster's certificate signed by the CA"),
|
||||
|
||||
ws.Route(ws.GET("/clusters/{cluster-name}/tokens/{token-name}").To(wsClusterToken).
|
||||
Doc("Get cluster's token"))
|
||||
cluster(GET, "/ssh/user-ca").To(wsClusterSSHUserCAPubKey).
|
||||
Produces(mime.OCTET).
|
||||
Doc("User CA public key for this cluster"),
|
||||
cluster(POST, "/ssh/user-ca/sign").To(wsClusterSSHUserCASign).
|
||||
Produces(mime.OCTET).
|
||||
Doc("Sign a user's SSH public key for this cluster"),
|
||||
cluster(POST, "/kube/sign").To(wsClusterKubeCASign).
|
||||
Produces(mime.OCTET).
|
||||
Doc("Sign a user's public key for this cluster's Kubernetes API server"),
|
||||
} {
|
||||
ws.Route(builder)
|
||||
}
|
||||
|
||||
ws.Route(ws.GET("/hosts").To(wsListHosts).
|
||||
Doc("List hosts"))
|
||||
|
||||
(&wsHost{
|
||||
prefix: "/hosts/{host-name}",
|
||||
hostDoc: "given host",
|
||||
getHost: func(req *restful.Request) string {
|
||||
return req.PathParameter("host-name")
|
||||
},
|
||||
}).register(ws, func(rb *restful.RouteBuilder) {
|
||||
})
|
||||
|
||||
ws.Route(ws.GET("/ssh-acls").To(wsSSH_ACL_List))
|
||||
ws.Route(ws.GET("/ssh-acls/{acl-name}").To(wsSSH_ACL_Get))
|
||||
ws.Route(ws.PUT("/ssh-acls/{acl-name}").To(wsSSH_ACL_Set))
|
||||
|
||||
rest.Add(ws)
|
||||
|
||||
// Hosts API
|
||||
ws = &restful.WebService{}
|
||||
ws.Path("/me")
|
||||
ws.Filter(hostsAuth).
|
||||
HeaderParameter("Authorization", "Host or admin bearer token")
|
||||
ws = (&restful.WebService{}).
|
||||
Filter(requireSecStore).
|
||||
Filter(adminAuth).
|
||||
Path("/hosts/{host-name}").
|
||||
Param(ws.HeaderParameter("Authorization", "Host or admin bearer token"))
|
||||
|
||||
(&wsHost{
|
||||
hostDoc: "detected host",
|
||||
getHost: detectHost,
|
||||
hostDoc: "given host",
|
||||
getHost: func(req *restful.Request) (string, error) {
|
||||
return req.PathParameter("host-name"), nil
|
||||
},
|
||||
}).register(ws, func(rb *restful.RouteBuilder) {
|
||||
rb.Notes("In this case, the host is detected from the remote IP")
|
||||
rb.Param(ws.PathParameter("host-name", "host's name"))
|
||||
})
|
||||
|
||||
rest.Add(ws)
|
||||
|
||||
// Hosts by token API
|
||||
ws = (&restful.WebService{}).
|
||||
Filter(requireSecStore).
|
||||
Path("/hosts-by-token/{host-token}").
|
||||
Param(ws.PathParameter("host-token", "host's download token"))
|
||||
|
||||
(&wsHost{
|
||||
hostDoc: "token's host",
|
||||
getHost: func(req *restful.Request) (host string, err error) {
|
||||
reqToken := req.PathParameter("host-token")
|
||||
|
||||
data, err := hostDownloadTokens.Data()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
for h, token := range data {
|
||||
if token == reqToken {
|
||||
host = h
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
},
|
||||
}).register(ws, func(rb *restful.RouteBuilder) {
|
||||
rb.Notes("In this case, the host is detected from the token")
|
||||
})
|
||||
|
||||
rest.Add(ws)
|
||||
}
|
||||
|
||||
func detectHost(req *restful.Request) string {
|
||||
r := req.Request
|
||||
remoteAddr := r.RemoteAddr
|
||||
|
||||
if *trustXFF {
|
||||
if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
|
||||
remoteAddr = strings.Split(xff, ",")[0]
|
||||
func requireSecStore(req *restful.Request, resp *restful.Response, chain *restful.FilterChain) {
|
||||
if !secStore.Unlocked() {
|
||||
wsError(resp, ErrStoreLocked)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
hostIP, _, err := net.SplitHostPort(remoteAddr)
|
||||
|
||||
if err != nil {
|
||||
hostIP = remoteAddr
|
||||
}
|
||||
|
||||
cfg, err := readConfig()
|
||||
if err != nil {
|
||||
return ""
|
||||
}
|
||||
|
||||
host := cfg.HostByIP(hostIP)
|
||||
|
||||
if host == nil {
|
||||
log.Print("no host found for IP ", hostIP)
|
||||
return ""
|
||||
}
|
||||
|
||||
return host.Name
|
||||
chain.ProcessFilter(req, resp)
|
||||
}
|
||||
|
||||
func wsReadConfig(resp *restful.Response) *localconfig.Config {
|
||||
@@ -139,19 +221,28 @@ func wsReadConfig(resp *restful.Response) *localconfig.Config {
|
||||
return cfg
|
||||
}
|
||||
|
||||
func wsNotFound(req *restful.Request, resp *restful.Response) {
|
||||
http.NotFound(resp.ResponseWriter, req.Request)
|
||||
func wsNotFound(resp *restful.Response) {
|
||||
wsError(resp, ErrNotFound)
|
||||
}
|
||||
|
||||
func wsBadRequest(resp *restful.Response, err string) {
|
||||
httperr.New(http.StatusBadRequest, errors.New(err)).WriteJSON(resp.ResponseWriter)
|
||||
}
|
||||
|
||||
func wsError(resp *restful.Response, err error) {
|
||||
log.Output(2, fmt.Sprint("request failed: ", err))
|
||||
resp.WriteErrorString(
|
||||
http.StatusInternalServerError,
|
||||
http.StatusText(http.StatusInternalServerError))
|
||||
|
||||
switch err := err.(type) {
|
||||
case httperr.Error:
|
||||
err.WriteJSON(resp.ResponseWriter)
|
||||
|
||||
default:
|
||||
httperr.Internal(err).WriteJSON(resp.ResponseWriter)
|
||||
}
|
||||
}
|
||||
|
||||
func wsRender(resp *restful.Response, tmplStr string, value interface{}) {
|
||||
tmpl, err := template.New("wsRender").Funcs(templateFuncs).Parse(tmplStr)
|
||||
func wsRender(resp *restful.Response, sslCfg *cfsslconfig.Config, tmplStr string, value any) {
|
||||
tmpl, err := template.New("wsRender").Funcs(templateFuncs(sslCfg)).Parse(tmplStr)
|
||||
if err != nil {
|
||||
wsError(resp, err)
|
||||
return
|
||||
@@ -163,3 +254,26 @@ func wsRender(resp *restful.Response, tmplStr string, value interface{}) {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
func init() {
|
||||
restful.RegisterEntityAccessor(mime.YAML, yamlEntityAccessor{})
|
||||
}
|
||||
|
||||
type yamlEntityAccessor struct{}
|
||||
|
||||
var _ restful.EntityReaderWriter = yamlEntityAccessor{}
|
||||
|
||||
func (_ yamlEntityAccessor) Read(req *restful.Request, v any) error {
|
||||
decoder := yaml.NewDecoder(req.Request.Body)
|
||||
return decoder.Decode(v)
|
||||
}
|
||||
func (_ yamlEntityAccessor) Write(resp *restful.Response, status int, v any) error {
|
||||
if v == nil {
|
||||
resp.WriteHeader(status)
|
||||
// do not write a nil representation
|
||||
return nil
|
||||
}
|
||||
resp.Header().Set("Content-Type", mime.YAML)
|
||||
resp.WriteHeader(status)
|
||||
return yaml.NewEncoder(resp.ResponseWriter).Encode(v)
|
||||
}
|
||||
|
||||
Executable
+1
@@ -0,0 +1 @@
|
||||
docker run --rm --net=host --user $(id -u) -v ${PWD}:/local swaggerapi/swagger-codegen-cli generate -i http://[::1]:7606/swagger.json -l javascript -o /local/js/api/
|
||||
@@ -1,55 +1,83 @@
|
||||
module novit.nc/direktil/local-server
|
||||
module novit.tech/direktil/local-server
|
||||
|
||||
go 1.17
|
||||
go 1.24.0
|
||||
|
||||
toolchain go1.24.4
|
||||
|
||||
require (
|
||||
github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e
|
||||
github.com/cespare/xxhash v1.1.0
|
||||
github.com/cloudflare/cfssl v0.0.0-20181213083726-b94e044bb51e
|
||||
github.com/dustin/go-humanize v1.0.0
|
||||
github.com/emicklei/go-restful v2.10.0+incompatible
|
||||
github.com/emicklei/go-restful-openapi v1.2.0
|
||||
github.com/cloudflare/cfssl v1.6.5
|
||||
github.com/dustin/go-humanize v1.0.1
|
||||
github.com/emicklei/go-restful v2.16.0+incompatible
|
||||
github.com/emicklei/go-restful-openapi v1.4.1
|
||||
github.com/go-git/go-git/v5 v5.16.2
|
||||
github.com/klauspost/compress v1.18.0
|
||||
github.com/mcluseau/go-swagger-ui v0.0.0-20191019002626-fd9128c24a34
|
||||
github.com/miolini/datacounter v1.0.1
|
||||
github.com/miolini/datacounter v1.0.3
|
||||
github.com/oklog/ulid v1.3.1
|
||||
github.com/pierrec/lz4 v2.3.0+incompatible
|
||||
github.com/pierrec/lz4 v2.6.1+incompatible
|
||||
github.com/sergeymakinen/go-crypt v1.0.1
|
||||
golang.org/x/crypto v0.39.0
|
||||
golang.org/x/sys v0.33.0
|
||||
golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
|
||||
gopkg.in/src-d/go-billy.v4 v4.3.2
|
||||
gopkg.in/src-d/go-git.v4 v4.13.1
|
||||
gopkg.in/yaml.v2 v2.2.4
|
||||
k8s.io/apimachinery v0.0.0-20191203211716-adc6f4cd9e7d
|
||||
novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2
|
||||
gopkg.in/yaml.v2 v2.4.0
|
||||
k8s.io/apimachinery v0.33.2
|
||||
m.cluseau.fr/go v0.0.0-20230809064045-12c5a121c766
|
||||
novit.tech/direktil/pkg v0.0.0-20260508111456-5a75785cfbbf
|
||||
)
|
||||
|
||||
replace github.com/zmap/zlint/v3 => github.com/zmap/zlint/v3 v3.3.1
|
||||
|
||||
require (
|
||||
github.com/PuerkitoBio/purell v1.1.1 // indirect
|
||||
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
|
||||
github.com/emirpasic/gods v1.12.0 // indirect
|
||||
dario.cat/mergo v1.0.2 // indirect
|
||||
github.com/Microsoft/go-winio v0.6.2 // indirect
|
||||
github.com/ProtonMail/go-crypto v1.3.0 // indirect
|
||||
github.com/cavaliergopher/cpio v1.0.1 // indirect
|
||||
github.com/cloudflare/circl v1.6.1 // indirect
|
||||
github.com/cyphar/filepath-securejoin v0.4.1 // indirect
|
||||
github.com/emirpasic/gods v1.18.1 // indirect
|
||||
github.com/frankban/quicktest v1.5.0 // indirect
|
||||
github.com/go-openapi/jsonpointer v0.19.3 // indirect
|
||||
github.com/go-openapi/jsonreference v0.19.3 // indirect
|
||||
github.com/go-openapi/spec v0.19.3 // indirect
|
||||
github.com/go-openapi/swag v0.19.5 // indirect
|
||||
github.com/gobuffalo/envy v1.7.1 // indirect
|
||||
github.com/gobuffalo/packd v0.3.0 // indirect
|
||||
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
|
||||
github.com/go-git/go-billy/v5 v5.6.2 // indirect
|
||||
github.com/go-logr/logr v1.4.3 // indirect
|
||||
github.com/go-openapi/jsonpointer v0.21.1 // indirect
|
||||
github.com/go-openapi/jsonreference v0.21.0 // indirect
|
||||
github.com/go-openapi/spec v0.21.0 // indirect
|
||||
github.com/go-openapi/swag v0.23.1 // indirect
|
||||
github.com/gobuffalo/envy v1.10.2 // indirect
|
||||
github.com/gobuffalo/packd v1.0.2 // indirect
|
||||
github.com/gobuffalo/packr v1.30.1 // indirect
|
||||
github.com/golang/protobuf v1.3.2 // indirect
|
||||
github.com/google/certificate-transparency-go v1.0.21 // indirect
|
||||
github.com/google/go-cmp v0.3.1 // indirect
|
||||
github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
|
||||
github.com/google/certificate-transparency-go v1.3.2 // indirect
|
||||
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
|
||||
github.com/joho/godotenv v1.3.0 // indirect
|
||||
github.com/json-iterator/go v1.1.8 // indirect
|
||||
github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd // indirect
|
||||
github.com/mailru/easyjson v0.7.0 // indirect
|
||||
github.com/jmoiron/sqlx v1.4.0 // indirect
|
||||
github.com/joho/godotenv v1.5.1 // indirect
|
||||
github.com/josharian/intern v1.0.0 // indirect
|
||||
github.com/json-iterator/go v1.1.12 // indirect
|
||||
github.com/kevinburke/ssh_config v1.2.0 // indirect
|
||||
github.com/kisielk/sqlstruct v0.0.0-20210630145711-dae28ed37023 // indirect
|
||||
github.com/mailru/easyjson v0.9.0 // indirect
|
||||
github.com/mitchellh/go-homedir v1.1.0 // indirect
|
||||
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
|
||||
github.com/modern-go/reflect2 v1.0.1 // indirect
|
||||
github.com/rogpeppe/go-internal v1.5.0 // indirect
|
||||
github.com/sergi/go-diff v1.0.0 // indirect
|
||||
github.com/modern-go/reflect2 v1.0.2 // indirect
|
||||
github.com/pjbgf/sha1cd v0.3.2 // indirect
|
||||
github.com/rogpeppe/go-internal v1.14.1 // indirect
|
||||
github.com/sergi/go-diff v1.4.0 // indirect
|
||||
github.com/skeema/knownhosts v1.3.1 // indirect
|
||||
github.com/src-d/gcfg v1.4.0 // indirect
|
||||
github.com/xanzy/ssh-agent v0.2.1 // indirect
|
||||
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 // indirect
|
||||
golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582 // indirect
|
||||
golang.org/x/sys v0.0.0-20191018095205-727590c5006e // indirect
|
||||
golang.org/x/text v0.3.2 // indirect
|
||||
github.com/weppos/publicsuffix-go v0.40.3-0.20250617082559-9b2e24a9e482 // indirect
|
||||
github.com/xanzy/ssh-agent v0.3.3 // indirect
|
||||
github.com/zmap/zcrypto v0.0.0-20250627161936-38850a079d72 // indirect
|
||||
github.com/zmap/zlint/v3 v3.5.0 // indirect
|
||||
golang.org/x/mod v0.25.0 // indirect
|
||||
golang.org/x/net v0.41.0 // indirect
|
||||
golang.org/x/text v0.26.0 // indirect
|
||||
gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
|
||||
google.golang.org/protobuf v1.36.6 // indirect
|
||||
gopkg.in/warnings.v0 v0.1.2 // indirect
|
||||
gopkg.in/yaml.v3 v3.0.1 // indirect
|
||||
k8s.io/klog/v2 v2.130.1 // indirect
|
||||
k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
|
||||
)
|
||||
|
||||
@@ -1,270 +1,354 @@
|
||||
dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
|
||||
dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
|
||||
filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
|
||||
filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
|
||||
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
|
||||
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
|
||||
github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
|
||||
github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
|
||||
github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
|
||||
github.com/OneOfOne/xxhash v1.2.2 h1:KMrpdQIwFcEqXDklaen+P1axHaj9BSKzvpUUfnHldSE=
|
||||
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
|
||||
github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
|
||||
github.com/ProtonMail/go-crypto v1.3.0 h1:ILq8+Sf5If5DCpHQp4PbZdS1J7HDFRXz/+xKBiRGFrw=
|
||||
github.com/ProtonMail/go-crypto v1.3.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
|
||||
github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
|
||||
github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI=
|
||||
github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
|
||||
github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
|
||||
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
|
||||
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
|
||||
github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 h1:uSoVVbwJiQipAclBbw+8quDsfcvFjOpI5iCf4p/cqCs=
|
||||
github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs=
|
||||
github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
|
||||
github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
|
||||
github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
|
||||
github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
|
||||
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
|
||||
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
|
||||
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
|
||||
github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e h1:hHg27A0RSSp2Om9lubZpiMgVbvn39bsUmW9U5h0twqc=
|
||||
github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oDpT4efm8tSYHXV5tHSdRvBet/b/QzxZ+XyyPehvm3A=
|
||||
github.com/cavaliergopher/cpio v1.0.1 h1:KQFSeKmZhv0cr+kawA3a0xTQCU4QxXF1vhU7P7av2KM=
|
||||
github.com/cavaliergopher/cpio v1.0.1/go.mod h1:pBdaqQjnvXxdS/6CvNDwIANIFSP0xRKI16PX4xejRQc=
|
||||
github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
|
||||
github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
|
||||
github.com/cloudflare/cfssl v0.0.0-20181213083726-b94e044bb51e h1:Qux+lbuMaRzkQyTdzgtz8MgzPtzmaPQy6DXmxpdxT3U=
|
||||
github.com/cloudflare/cfssl v0.0.0-20181213083726-b94e044bb51e/go.mod h1:yMWuSON2oQp+43nFtAV/uvKQIFpSPerB57DCt9t8sSA=
|
||||
github.com/cloudflare/cfssl v1.6.5 h1:46zpNkm6dlNkMZH/wMW22ejih6gIaJbzL2du6vD7ZeI=
|
||||
github.com/cloudflare/cfssl v1.6.5/go.mod h1:Bk1si7sq8h2+yVEDrFJiz3d7Aw+pfjjJSZVaD+Taky4=
|
||||
github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
|
||||
github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
|
||||
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
|
||||
github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
|
||||
github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
|
||||
github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
|
||||
github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
|
||||
github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
|
||||
github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
|
||||
github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
|
||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
|
||||
github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
|
||||
github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
|
||||
github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
|
||||
github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
|
||||
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
|
||||
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
|
||||
github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
|
||||
github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
|
||||
github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
|
||||
github.com/emicklei/go-restful v2.9.6+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
|
||||
github.com/emicklei/go-restful v2.10.0+incompatible h1:l6Soi8WCOOVAeCo4W98iBFC6Og7/X8bpRt51oNLZ2C8=
|
||||
github.com/emicklei/go-restful v2.10.0+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
|
||||
github.com/emicklei/go-restful-openapi v1.2.0 h1:ohRZ1yEZERGzqaozBgxa3A0lt6c6KF14xhs3IL9ECwg=
|
||||
github.com/emicklei/go-restful-openapi v1.2.0/go.mod h1:cy7o3Ge8ZWZ5E90mpEY81sJZZFs2pkuYcLvfngYy1l0=
|
||||
github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
|
||||
github.com/emicklei/go-restful v2.16.0+incompatible h1:rgqiKNjTnFQA6kkhFe16D8epTksy9HQ1MyrbDXSdYhM=
|
||||
github.com/emicklei/go-restful v2.16.0+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
|
||||
github.com/emicklei/go-restful-openapi v1.4.1 h1:SocVTIQWnXyit4dotTrwmncBAjtRaBmfcHjo3XGcCm4=
|
||||
github.com/emicklei/go-restful-openapi v1.4.1/go.mod h1:kWQ8rQMVQ6G6lePwjDveJ00KjAUr/jq6z1X8DrDP3Gc=
|
||||
github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
|
||||
github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
|
||||
github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
|
||||
github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
|
||||
github.com/evanphx/json-patch v0.5.2 h1:xVCHIVMUu1wtM/VkR9jVZ45N3FhZfYMMYGorLCR8P3k=
|
||||
github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
|
||||
github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
|
||||
github.com/frankban/quicktest v1.5.0 h1:Tb4jWdSpdjKzTUicPnY61PZxKbDoGa7ABbrReT3gQVY=
|
||||
github.com/frankban/quicktest v1.5.0/go.mod h1:jaStnuzAqU1AJdCO0l53JDCJrVDKcS03DbaAcR7Ks/o=
|
||||
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
|
||||
github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
|
||||
github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0=
|
||||
github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
|
||||
github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
|
||||
github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
|
||||
github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
|
||||
github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
|
||||
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
|
||||
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
|
||||
github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UNbRM=
|
||||
github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
|
||||
github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
|
||||
github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
|
||||
github.com/go-git/go-git/v5 v5.16.2 h1:fT6ZIOjE5iEnkzKyxTHK1W4HGAsPhqEqiSAssSO77hM=
|
||||
github.com/go-git/go-git/v5 v5.16.2/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
|
||||
github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
|
||||
github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
|
||||
github.com/go-openapi/jsonpointer v0.0.0-20180322222829-3a0015ad55fa/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
|
||||
github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
|
||||
github.com/go-openapi/jsonpointer v0.19.3 h1:gihV7YNZK1iK6Tgwwsxo2rJbD1GTbdm72325Bq8FI3w=
|
||||
github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
|
||||
github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
|
||||
github.com/go-openapi/jsonpointer v0.21.1 h1:whnzv/pNXtK2FbX/W9yJfRmE2gsmkfahjMKB0fZvcic=
|
||||
github.com/go-openapi/jsonpointer v0.21.1/go.mod h1:50I1STOfbY1ycR8jGz8DaMeLCdXiI6aDteEdRNNzpdk=
|
||||
github.com/go-openapi/jsonreference v0.0.0-20180322222742-3fb327e6747d/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
|
||||
github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc=
|
||||
github.com/go-openapi/jsonreference v0.19.3 h1:5cxNfTy0UVC3X8JL5ymxzyoUZmo8iZb+jeTWn7tUa8o=
|
||||
github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
|
||||
github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
|
||||
github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
|
||||
github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
|
||||
github.com/go-openapi/spec v0.0.0-20180415031709-bcff419492ee/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
|
||||
github.com/go-openapi/spec v0.19.3 h1:0XRyw8kguri6Yw4SxhsQA/atC88yqrk0+G4YhI2wabc=
|
||||
github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo=
|
||||
github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
|
||||
github.com/go-openapi/spec v0.21.0 h1:LTVzPc3p/RzRnkQqLRndbAzjY0d0BCL72A6j3CdL9ZY=
|
||||
github.com/go-openapi/spec v0.21.0/go.mod h1:78u6VdPw81XU44qEWGhtr982gJ5BWg2c0I5XwVMotYk=
|
||||
github.com/go-openapi/swag v0.0.0-20180405201759-811b1089cde9/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
|
||||
github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
|
||||
github.com/go-openapi/swag v0.19.5 h1:lTz6Ys4CmqqCQmZPBlbQENR1/GucA2bzYTE12Pw4tFY=
|
||||
github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
|
||||
github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU=
|
||||
github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0=
|
||||
github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
|
||||
github.com/go-sql-driver/mysql v1.9.2 h1:4cNKDYQ1I84SXslGddlsrMhc8k4LeDVj6Ad6WRjiHuU=
|
||||
github.com/go-sql-driver/mysql v1.9.2/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
|
||||
github.com/gobuffalo/envy v1.7.0/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI=
|
||||
github.com/gobuffalo/envy v1.7.1 h1:OQl5ys5MBea7OGCdvPbBJWRgnhC/fGona6QKfvFeau8=
|
||||
github.com/gobuffalo/envy v1.7.1/go.mod h1:FurDp9+EDPE4aIUS3ZLyD+7/9fpx7YRt/ukY6jIHf0w=
|
||||
github.com/gobuffalo/envy v1.10.2 h1:EIi03p9c3yeuRCFPOKcSfajzkLb3hrRjEpHGI8I2Wo4=
|
||||
github.com/gobuffalo/envy v1.10.2/go.mod h1:qGAGwdvDsaEtPhfBzb3o0SfDea8ByGn9j8bKmVft9z8=
|
||||
github.com/gobuffalo/logger v1.0.0/go.mod h1:2zbswyIUa45I+c+FLXuWl9zSWEiVuthsk8ze5s8JvPs=
|
||||
github.com/gobuffalo/packd v0.3.0 h1:eMwymTkA1uXsqxS0Tpoop3Lc0u3kTfiMBE6nKtQU4g4=
|
||||
github.com/gobuffalo/packd v0.3.0/go.mod h1:zC7QkmNkYVGKPw4tHpBQ+ml7W/3tIebgeo1b36chA3Q=
|
||||
github.com/gobuffalo/packd v1.0.2 h1:Yg523YqnOxGIWCp69W12yYBKsoChwI7mtu6ceM9Bwfw=
|
||||
github.com/gobuffalo/packd v1.0.2/go.mod h1:sUc61tDqGMXON80zpKGp92lDb86Km28jfvX7IAyxFT8=
|
||||
github.com/gobuffalo/packr v1.30.1 h1:hu1fuVR3fXEZR7rXNW3h8rqSML8EVAf6KNm0NKO/wKg=
|
||||
github.com/gobuffalo/packr v1.30.1/go.mod h1:ljMyFO2EcrnzsHsN99cvbq055Y9OhRrIaviy289eRuk=
|
||||
github.com/gobuffalo/packr/v2 v2.5.1/go.mod h1:8f9c96ITobJlPzI44jj+4tHnEKNt0xXWSVlXRN9X1Iw=
|
||||
github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
|
||||
github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
|
||||
github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
|
||||
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
github.com/google/certificate-transparency-go v1.0.21 h1:Yf1aXowfZ2nuboBsg7iYGLmwsOARdV86pfH3g95wXmE=
|
||||
github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
|
||||
github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
|
||||
github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
|
||||
github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
|
||||
github.com/google/certificate-transparency-go v1.3.2 h1:9ahSNZF2o7SYMaKaXhAumVEzXB2QaayzII9C8rv7v+A=
|
||||
github.com/google/certificate-transparency-go v1.3.2/go.mod h1:H5FpMUaGa5Ab2+KCYsxg6sELw3Flkl7pGZzWdBoYLXs=
|
||||
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
|
||||
github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
|
||||
github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
|
||||
github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
|
||||
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
|
||||
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
|
||||
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
|
||||
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
|
||||
github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
|
||||
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
|
||||
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
|
||||
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
|
||||
github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
|
||||
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
|
||||
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
|
||||
github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
|
||||
github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
|
||||
github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
|
||||
github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
|
||||
github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
|
||||
github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
|
||||
github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok=
|
||||
github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
|
||||
github.com/joho/godotenv v1.4.0/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
|
||||
github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
|
||||
github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
|
||||
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
|
||||
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
|
||||
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
|
||||
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
|
||||
github.com/karrick/godirwalk v1.10.12/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA=
|
||||
github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd h1:Coekwdh0v2wtGp9Gmz1Ze3eVRAWJMLokvN3QjdzCHLY=
|
||||
github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
|
||||
github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
|
||||
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
|
||||
github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
|
||||
github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
|
||||
github.com/kisielk/sqlstruct v0.0.0-20210630145711-dae28ed37023 h1:/pb3UJ+3ZtSEUKWnufwsoVF7f0AX5ytPULbTwHMgbq4=
|
||||
github.com/kisielk/sqlstruct v0.0.0-20210630145711-dae28ed37023/go.mod h1:yyMNCyc/Ib3bDTKd379tNMpB/7/H5TjM2Y9QJ5THLbE=
|
||||
github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
|
||||
github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
|
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
|
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
|
||||
github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
|
||||
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
|
||||
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
|
||||
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
|
||||
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
|
||||
github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
|
||||
github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
|
||||
github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
|
||||
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
|
||||
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
|
||||
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
|
||||
github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
|
||||
github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
|
||||
github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
|
||||
github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
|
||||
github.com/mailru/easyjson v0.0.0-20180323154445-8b799c424f57/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
|
||||
github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
|
||||
github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
|
||||
github.com/mailru/easyjson v0.7.0 h1:aizVhC/NAAcKWb+5QsU1iNOZb4Yws5UO2I+aIprQITM=
|
||||
github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
|
||||
github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
|
||||
github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
|
||||
github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
|
||||
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
|
||||
github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
|
||||
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
|
||||
github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
|
||||
github.com/mattn/go-sqlite3 v1.14.28 h1:ThEiQrnbtumT+QMknw63Befp/ce/nUPgBPMlRFEum7A=
|
||||
github.com/mattn/go-sqlite3 v1.14.28/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
|
||||
github.com/mcluseau/go-swagger-ui v0.0.0-20191019002626-fd9128c24a34 h1:F3u4DKQ4T30mlBNFmSGzTqdkmVqbfVORv34ZRvc7PuE=
|
||||
github.com/mcluseau/go-swagger-ui v0.0.0-20191019002626-fd9128c24a34/go.mod h1:lcyE8C83VRamH/oTpikU4+yVCCxLthWgDOqjHSsu+ZY=
|
||||
github.com/miolini/datacounter v1.0.1 h1:4hs8Sc03o2jADLol/aWgesWS565mV9h8314QGA+gss4=
|
||||
github.com/miolini/datacounter v1.0.1/go.mod h1:C45dc2hBumHjDpEU64IqPwR6TDyPVpzOqqRTN7zmBUA=
|
||||
github.com/miolini/datacounter v1.0.3 h1:tanOZPVblGXQl7/bSZWoEM8l4KK83q24qwQLMrO/HOA=
|
||||
github.com/miolini/datacounter v1.0.3/go.mod h1:C45dc2hBumHjDpEU64IqPwR6TDyPVpzOqqRTN7zmBUA=
|
||||
github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
|
||||
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
|
||||
github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
|
||||
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
|
||||
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
|
||||
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
|
||||
github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
|
||||
github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
|
||||
github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
|
||||
github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
|
||||
github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
|
||||
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
|
||||
github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
|
||||
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
|
||||
github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
|
||||
github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
|
||||
github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||
github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||
github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
|
||||
github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
|
||||
github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
|
||||
github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
|
||||
github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo=
|
||||
github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
|
||||
github.com/pierrec/lz4 v2.3.0+incompatible h1:CZzRn4Ut9GbUkHlQ7jqBXeZQV41ZSKWFc302ZU6lUTk=
|
||||
github.com/pierrec/lz4 v2.3.0+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
|
||||
github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
|
||||
github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=
|
||||
github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
|
||||
github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
|
||||
github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
|
||||
github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
|
||||
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
||||
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
|
||||
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
|
||||
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||
github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
|
||||
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
|
||||
github.com/rogpeppe/go-internal v1.3.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
|
||||
github.com/rogpeppe/go-internal v1.5.0 h1:Usqs0/lDK/NqTkvrmKSwA/3XkZAs7ZAW/eLeQ2MVBTw=
|
||||
github.com/rogpeppe/go-internal v1.5.0/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
|
||||
github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
|
||||
github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
|
||||
github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
|
||||
github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
|
||||
github.com/rs/zerolog v1.31.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
|
||||
github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
|
||||
github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
|
||||
github.com/sergeymakinen/go-crypt v1.0.1 h1:InrJqCaOzWHN7Pv27V1c/MeW6ydQqdrDjU99dXHaoNY=
|
||||
github.com/sergeymakinen/go-crypt v1.0.1/go.mod h1:sTVy1KCTr+ot85sw2h2fMalv5QRD1cgIWqlBFI/8axg=
|
||||
github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
|
||||
github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw=
|
||||
github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
|
||||
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
|
||||
github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
|
||||
github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
|
||||
github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
|
||||
github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72 h1:qLC7fQah7D6K1B0ujays3HV9gkFtllcxhzImRR7ArPQ=
|
||||
github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
|
||||
github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
|
||||
github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
|
||||
github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
|
||||
github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
|
||||
github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
|
||||
github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
|
||||
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
|
||||
github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
|
||||
github.com/src-d/gcfg v1.4.0 h1:xXbNR5AlLSA315x2UO+fTSSAXCDf+Ar38/6oyGbDKQ4=
|
||||
github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI=
|
||||
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||
github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
|
||||
github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
|
||||
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
|
||||
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
|
||||
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
|
||||
github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
|
||||
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
|
||||
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
|
||||
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
|
||||
github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
|
||||
github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
|
||||
github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
|
||||
github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
|
||||
github.com/xanzy/ssh-agent v0.2.1 h1:TCbipTQL2JiiCprBWx9frJ2eJlCYT00NmctrHxVAr70=
|
||||
github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
|
||||
github.com/weppos/publicsuffix-go v0.40.3-0.20250617082559-9b2e24a9e482 h1:0HudNf74HwwerH9HSlQYxfK+53VqFo6U04lQuTxfRf8=
|
||||
github.com/weppos/publicsuffix-go v0.40.3-0.20250617082559-9b2e24a9e482/go.mod h1:Efaen92I7hksG9EA+bsuHPWscS8ePs86CXxNFfG2cG4=
|
||||
github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4=
|
||||
github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
|
||||
github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
|
||||
github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
|
||||
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
|
||||
github.com/zmap/zcrypto v0.0.0-20250627161936-38850a079d72 h1:QcaEozNpjw8LcvzepkftwJ3kevF6qY7qRMikCvxWhpg=
|
||||
github.com/zmap/zcrypto v0.0.0-20250627161936-38850a079d72/go.mod h1:uvqhJWCdbMIHIXZSKcqnJYy0yR/9v/TON/JQFbM2g6Q=
|
||||
github.com/zmap/zlint/v3 v3.3.1 h1:IrIY2Qd2Wr9ZHhdQ3mszehSydz+x6OROClztMEK+2bU=
|
||||
github.com/zmap/zlint/v3 v3.3.1/go.mod h1:fPCW5acxhqw4HU1Vm0t9oFEPo1/uH9hI0sci/Z++hEI=
|
||||
golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
||||
golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||
golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||
golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||
golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
|
||||
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||
golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
|
||||
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
|
||||
golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
|
||||
golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
|
||||
golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
|
||||
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
|
||||
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
|
||||
golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
|
||||
golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
|
||||
golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582 h1:p9xBe/w/OzkeYVKm234g55gMdD1nSIooTir5kV11kfA=
|
||||
golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
|
||||
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
|
||||
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
|
||||
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
|
||||
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
|
||||
golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
|
||||
golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
|
||||
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190515120540-06a5c4944438/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20191018095205-727590c5006e h1:ZtoklVMHQy6BFRHkbG6JzK+S6rX82//Yeok1vMlizfQ=
|
||||
golang.org/x/sys v0.0.0-20191018095205-727590c5006e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
|
||||
golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
|
||||
golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
|
||||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
||||
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
|
||||
golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
|
||||
golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
|
||||
golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
|
||||
golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
|
||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
|
||||
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
|
||||
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
|
||||
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
|
||||
golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
|
||||
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
|
||||
golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
|
||||
golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
|
||||
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
||||
golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
||||
golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
||||
golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
|
||||
golang.org/x/tools v0.0.0-20190624180213-70d37148ca0c/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
|
||||
golang.org/x/tools v0.0.0-20190729092621-ff9f1409240a/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI=
|
||||
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
|
||||
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
|
||||
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
|
||||
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10 h1:3GDAcqdIg1ozBNLgPy4SLT84nfcBjr6rhGtXYtrkWLU=
|
||||
golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10/go.mod h1:T97yPqesLiNrOYxkwmhMI0ZIlJDm+p0PMR8eRVeR5tQ=
|
||||
gomodules.xyz/jsonpatch/v2 v2.5.0 h1:JELs8RLM12qJGXU4u/TO3V25KW8GreMKl9pdkk14RM0=
|
||||
gomodules.xyz/jsonpatch/v2 v2.5.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
|
||||
google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
|
||||
google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
|
||||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
|
||||
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
|
||||
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
|
||||
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
|
||||
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
|
||||
gopkg.in/src-d/go-billy.v4 v4.3.2 h1:0SQA1pRztfTFx2miS8sA97XvooFeNOmvUenF4o0EcVg=
|
||||
gopkg.in/src-d/go-billy.v4 v4.3.2/go.mod h1:nDjArDMp+XMs1aFAESLRjfGSgfvoYN0hDfzEk0GjC98=
|
||||
gopkg.in/src-d/go-git-fixtures.v3 v3.5.0 h1:ivZFOIltbce2Mo8IjzUHAFoq/IylO9WHhNOAJK+LsJg=
|
||||
gopkg.in/src-d/go-git-fixtures.v3 v3.5.0/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzWYqTe3rJR56Ac7g=
|
||||
gopkg.in/src-d/go-git.v4 v4.13.1 h1:SRtFyV8Kxc0UP7aCHcijOMQGPxHSmMOPrzulQWolkYE=
|
||||
gopkg.in/src-d/go-git.v4 v4.13.1/go.mod h1:nx5NYcxdKxq5fpltdHnPa2Exj4Sx0EclMWZQbYDu2z8=
|
||||
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
|
||||
gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
|
||||
gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
|
||||
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
|
||||
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
k8s.io/apimachinery v0.0.0-20191203211716-adc6f4cd9e7d h1:q+OZmYewHJeMCzwpHkXlNTtk5bvaUMPCikKvf77RBlo=
|
||||
k8s.io/apimachinery v0.0.0-20191203211716-adc6f4cd9e7d/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
|
||||
k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
|
||||
k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
|
||||
k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
|
||||
k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
|
||||
novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2 h1:LN3K19gAJ1GamJXkzXAQmjbl8xCV7utqdxTTrM89MMc=
|
||||
novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2/go.mod h1:zwTVO6U0tXFEaga73megQIBK7yVIKZJVePaIh/UtdfU=
|
||||
sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
|
||||
sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
|
||||
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
|
||||
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
|
||||
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY=
|
||||
k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
|
||||
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
|
||||
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
|
||||
k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
|
||||
k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
|
||||
m.cluseau.fr/go v0.0.0-20230809064045-12c5a121c766 h1:JRzMBDbUwrTTGDJaJSH0ap4vRL0Q9CN1bG8a6n49eaQ=
|
||||
m.cluseau.fr/go v0.0.0-20230809064045-12c5a121c766/go.mod h1:BMv3aOSYpupuiiG3Ch3ND88aB5CfAks3YZuRLE8j1ls=
|
||||
novit.tech/direktil/pkg v0.0.0-20260210141740-4d5661fa8ecd h1:proGf8Cid9tzJzoRbqQHGGpZZKTpUDFwOREbjYrCbkM=
|
||||
novit.tech/direktil/pkg v0.0.0-20260210141740-4d5661fa8ecd/go.mod h1:zjezU6tELE880oYHs/WAauGBupKIEQQ7KqWTB69RW10=
|
||||
novit.tech/direktil/pkg v0.0.0-20260221072850-b72bed72bb51 h1:NBcpvWcTBMzFos0pkuLsbVCQ+mHf8KqNOdVywMX6FFk=
|
||||
novit.tech/direktil/pkg v0.0.0-20260221072850-b72bed72bb51/go.mod h1:zjezU6tELE880oYHs/WAauGBupKIEQQ7KqWTB69RW10=
|
||||
novit.tech/direktil/pkg v0.0.0-20260508111456-5a75785cfbbf h1:Qt4aaB1R/BjQGEAhhNoIhzQwzaycxPgxHiA9M7aEujk=
|
||||
novit.tech/direktil/pkg v0.0.0-20260508111456-5a75785cfbbf/go.mod h1:zjezU6tELE880oYHs/WAauGBupKIEQQ7KqWTB69RW10=
|
||||
|
||||
@@ -1,8 +0,0 @@
|
||||
export GOVC_DATACENTER=
|
||||
export GOVC_PASSWORD=
|
||||
export GOVC_URL=
|
||||
export GOVC_USERNAME=
|
||||
export GOVC_INSECURE=1
|
||||
export GOVC_DATASTORE=
|
||||
export NOVIT_VM_FOLDER=
|
||||
export NOVIT_ISO_FOLDER=
|
||||
Executable
+3
@@ -0,0 +1,3 @@
|
||||
#! /bin/sh
|
||||
set -ex
|
||||
go build -o dist/ -trimpath -ldflags "-X main.Version=${GIT_TAG:-$(git describe --always --dirty)} -X main.Date=$(date --utc +%Y%m%d_%H%M%S)" $*
|
||||
Executable
+11
@@ -0,0 +1,11 @@
|
||||
#! /bin/bash
|
||||
set -ex
|
||||
|
||||
GIT_TAG=$(git describe --always --dirty)
|
||||
|
||||
case "$1" in
|
||||
commit) tag=$GIT_TAG ;;
|
||||
"") tag=latest ;;
|
||||
*) tag=$1 ;;
|
||||
esac
|
||||
docker build --network=host -t novit.tech/direktil/local-server:$tag . --build-arg GIT_TAG=$GIT_TAG
|
||||
Executable
+4
@@ -0,0 +1,4 @@
|
||||
#! /bin/sh
|
||||
set -ex
|
||||
go install -trimpath -ldflags "-X main.Version=$(git describe --always --dirty)" \
|
||||
./cmd/dkl-dir2config
|
||||
@@ -0,0 +1,6 @@
|
||||
package dlshtml
|
||||
|
||||
import "embed"
|
||||
|
||||
//go:embed ui
|
||||
var FS embed.FS
|
||||
@@ -0,0 +1,131 @@
|
||||
const Cluster = {
|
||||
components: { Downloads, GetCopy },
|
||||
props: [ 'cluster', 'token', 'state' ],
|
||||
data() {
|
||||
return {
|
||||
signReqValidity: "1d",
|
||||
sshSignReq: {
|
||||
PubKey: "",
|
||||
Principal: "root",
|
||||
},
|
||||
sshUserCert: null,
|
||||
kubeSignReq: {
|
||||
CSR: "",
|
||||
User: "",
|
||||
Group: "system:masters",
|
||||
},
|
||||
kubeUserCert: null,
|
||||
};
|
||||
},
|
||||
methods: {
|
||||
sshCASign() {
|
||||
event.preventDefault();
|
||||
fetch(`/clusters/${this.cluster.Name}/ssh/user-ca/sign`, {
|
||||
method: 'POST',
|
||||
body: JSON.stringify({ ...this.sshSignReq, Validity: this.signReqValidity }),
|
||||
headers: { 'Authorization': 'Bearer ' + this.token, 'Content-Type': 'application/json' },
|
||||
}).then((resp) => {
|
||||
if (resp.ok) {
|
||||
resp.blob().then((cert) => { this.sshUserCert = URL.createObjectURL(cert) })
|
||||
} else {
|
||||
resp.json().then((resp) => alert('failed to sign: '+resp.message))
|
||||
}
|
||||
})
|
||||
.catch((e) => { alert('failed to sign: '+e); })
|
||||
},
|
||||
kubeCASign() {
|
||||
event.preventDefault();
|
||||
fetch(`/clusters/${this.cluster.Name}/kube/sign`, {
|
||||
method: 'POST',
|
||||
body: JSON.stringify({ ...this.kubeSignReq, Validity: this.signReqValidity }),
|
||||
headers: { 'Authorization': 'Bearer ' + this.token, 'Content-Type': 'application/json' },
|
||||
}).then((resp) => {
|
||||
if (resp.ok) {
|
||||
resp.blob().then((cert) => { this.kubeUserCert = URL.createObjectURL(cert) })
|
||||
} else {
|
||||
resp.json().then((resp) => alert('failed to sign: '+resp.message))
|
||||
}
|
||||
})
|
||||
.catch((e) => { alert('failed to sign: '+e); })
|
||||
},
|
||||
readFile(e, onload) {
|
||||
const file = e.target.files[0];
|
||||
if (!file) { return; }
|
||||
const reader = new FileReader();
|
||||
reader.onload = () => { onload(reader.result) };
|
||||
reader.onerror = () => { alert("error reading file"); };
|
||||
reader.readAsText(file);
|
||||
},
|
||||
loadPubKey(e) {
|
||||
this.readFile(e, (v) => {
|
||||
this.sshSignReq.PubKey = v;
|
||||
});
|
||||
},
|
||||
loadCSR(e) {
|
||||
this.readFile(e, (v) => {
|
||||
this.kubeSignReq.CSR = v;
|
||||
});
|
||||
},
|
||||
},
|
||||
template: `
|
||||
<h3>Access</h3>
|
||||
|
||||
<p>Allow cluster access from a public key</p>
|
||||
|
||||
<h4>Grant SSH access</h4>
|
||||
|
||||
<p>Validity: <input type="text" v-model="signReqValidity"/> <small>time range, ie: -5m:1w, 5m, 1M, 1y, 1d-1s, etc.</small></p>
|
||||
<p>User: <input type="text" v-model="sshSignReq.Principal"/></p>
|
||||
<p>Public key (OpenSSH format):<br/>
|
||||
<span class="text-and-file"><textarea v-model="sshSignReq.PubKey" style="height:3lh"></textarea>
|
||||
<input type="file" accept=".pub" @change="loadPubKey" /></span>
|
||||
</p>
|
||||
|
||||
<p><button @click="sshCASign">Sign SSH access</button>
|
||||
<template v-if="sshUserCert">
|
||||
=> <a :href="sshUserCert" download="ssh-cert.pub">Get certificate</a>
|
||||
</template>
|
||||
</p>
|
||||
|
||||
<h4>Grant Kubernetes API access</h4>
|
||||
|
||||
<p>Validity: <input type="text" v-model="signReqValidity"/> <small>time range, ie: -5m:1w, 5m, 1M, 1y, 1d-1s, etc.</small></p>
|
||||
<p>User: <input type="text" v-model="kubeSignReq.User"/> (by default, from the CSR)</p>
|
||||
<p>Group: <input type="text" v-model="kubeSignReq.Group"/></p>
|
||||
<p>Certificate signing request (PEM format):<br/>
|
||||
<span class="text-and-file"><textarea v-model="kubeSignReq.CSR" style="height:7lh;"></textarea>
|
||||
<input type="file" accept=".csr" @change="loadCSR" /></span>
|
||||
</p>
|
||||
|
||||
<p><button @click="kubeCASign">Sign Kubernetes API access</button>
|
||||
<template v-if="kubeUserCert">
|
||||
=> <a :href="kubeUserCert" download="kube-cert.pub">Get certificate</a>
|
||||
</template>
|
||||
</p>
|
||||
|
||||
<h3>Tokens</h3>
|
||||
<section class="links">
|
||||
<GetCopy v-for="n in cluster.Tokens" :token="token" :name="n" :href="'/clusters/'+cluster.Name+'/tokens/'+n" />
|
||||
</section>
|
||||
|
||||
<h3>Passwords</h3>
|
||||
<section class="links">
|
||||
<GetCopy v-for="n in cluster.Passwords" :token="token" :name="n" :href="'/clusters/'+cluster.Name+'/passwords/'+n" />
|
||||
</section>
|
||||
|
||||
<h3>Downloads</h3>
|
||||
<Downloads :token="token" :state="state" kind="cluster" :name="cluster.Name" />
|
||||
|
||||
<h3>CAs</h3>
|
||||
<table><tr><th>Name</th><th>Certificate</th><th>Signed certificates</th></tr>
|
||||
<tr v-for="ca in cluster.CAs">
|
||||
<td>{{ ca.Name }}</td>
|
||||
<td><GetCopy :token="token" name="cert" :href="'/clusters/'+cluster.Name+'/CAs/'+ca.Name+'/certificate'" /></td>
|
||||
<td><template v-for="signed in ca.Signed">
|
||||
{{" "}}
|
||||
<GetCopy :token="token" :name="signed" :href="'/clusters/'+cluster.Name+'/CAs/'+ca.Name+'/signed?name='+signed" />
|
||||
</template></td>
|
||||
</tr></table>
|
||||
|
||||
`
|
||||
}
|
||||
@@ -0,0 +1,70 @@
|
||||
const Downloads = {
|
||||
props: [ 'kind', 'name', 'token', 'state' ],
|
||||
data() {
|
||||
return { createDisabled: false, selectedAssets: {} }
|
||||
},
|
||||
computed: {
|
||||
availableAssets() {
|
||||
return {
|
||||
cluster: ['addons'],
|
||||
host: [
|
||||
"kernel",
|
||||
"initrd",
|
||||
"uki",
|
||||
"bootstrap.tar",
|
||||
"boot.img.gz",
|
||||
"boot.img",
|
||||
"boot.qcow2",
|
||||
"boot.vmdk",
|
||||
"boot.iso",
|
||||
"boot.tar",
|
||||
"bootstrap-config",
|
||||
"config",
|
||||
"config.json",
|
||||
"ipxe",
|
||||
],
|
||||
}[this.kind]
|
||||
},
|
||||
downloads() {
|
||||
return Object.entries(this.state.Downloads)
|
||||
.filter(e => { let d=e[1]; return d.Kind == this.kind && d.Name == this.name })
|
||||
.map(e => {
|
||||
const token= e[0];
|
||||
return {
|
||||
text: token.substring(0, 5) + '...',
|
||||
url: '/public/downloads/'+token+"/",
|
||||
}
|
||||
})
|
||||
},
|
||||
assets() {
|
||||
return this.availableAssets.filter(a => this.selectedAssets[a])
|
||||
},
|
||||
},
|
||||
methods: {
|
||||
createToken() {
|
||||
event.preventDefault()
|
||||
this.createDisabled = true
|
||||
|
||||
fetch('/authorize-download', {
|
||||
method: 'POST',
|
||||
body: JSON.stringify({Kind: this.kind, Name: this.name, Assets: this.assets}),
|
||||
headers: { 'Authorization': 'Bearer ' + this.token, 'Content-Type': 'application/json' },
|
||||
}).then((resp) => resp.json())
|
||||
.then((token) => { this.selectedAssets = {}; this.createDisabled = false })
|
||||
.catch((e) => { alert('failed to create link'); this.createDisabled = false })
|
||||
},
|
||||
},
|
||||
template: `
|
||||
<h4>Available assets</h4>
|
||||
<p class="downloads">
|
||||
<template v-for="asset in availableAssets">
|
||||
<label :class="{selected: selectedAssets[asset]}"><input type="checkbox" v-model="selectedAssets[asset]" /> {{ asset }}</label>
|
||||
{{" "}}
|
||||
</template>
|
||||
</p>
|
||||
<p><button :disabled="createDisabled || assets.length==0" @click="createToken">Create link</button></p>
|
||||
<template v-if="downloads.length">
|
||||
<h4>Active links</h4>
|
||||
<p class="download-links"><template v-for="d in downloads"><a :href="d.url" target="_blank">{{ d.text }}</a>{{" "}}</template></p>
|
||||
</template>`
|
||||
}
|
||||
@@ -0,0 +1,32 @@
|
||||
const GetCopy = {
|
||||
props: [ 'name', 'href', 'token' ],
|
||||
data() { return {showCopied: false} },
|
||||
template: `<span class="notif"><div v-if="showCopied">copied!</div><a :href="href" @click="fetchAndSave()">{{name}}</a> <a href="#" class="copy" @click="fetchAndCopy()">🗐</a></span>`,
|
||||
methods: {
|
||||
fetch() {
|
||||
event.preventDefault()
|
||||
return fetch(this.href, {
|
||||
method: 'GET',
|
||||
headers: { 'Authorization': 'Bearer ' + this.token },
|
||||
})
|
||||
},
|
||||
handleFetchError(e) {
|
||||
console.log("failed to get value:", e)
|
||||
alert('failed to get value')
|
||||
},
|
||||
fetchAndSave() {
|
||||
this.fetch().then(resp => resp.blob()).then((value) => {
|
||||
window.open(URL.createObjectURL(value), "_blank")
|
||||
}).catch(this.handleFetchError)
|
||||
},
|
||||
fetchAndCopy() {
|
||||
this.fetch()
|
||||
.then((resp) => resp.headers.get("content-type") == "application/json" ? resp.json() : resp.text())
|
||||
.then((value) => {
|
||||
window.navigator.clipboard.writeText(value)
|
||||
this.showCopied = true
|
||||
setTimeout(() => { this.showCopied = false }, 1000)
|
||||
}).catch(this.handleFetchError)
|
||||
},
|
||||
},
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
const Host = {
|
||||
components: { Downloads },
|
||||
props: [ 'host', 'token', 'state' ],
|
||||
template: `
|
||||
<p>Cluster: {{ host.Cluster }}<template v-if="host.Template"> ({{ host.Template }})</template></p>
|
||||
<p>IPs:
|
||||
<code v-for="ip in host.IPs">
|
||||
{{ ip }}{{" "}}
|
||||
</code>
|
||||
</p>
|
||||
<h3>Downloads</h3>
|
||||
<Downloads :token="token" :state="state" kind="host" :name="host.Name" />
|
||||
`
|
||||
}
|
||||
@@ -0,0 +1,272 @@
|
||||
|
||||
import { createApp } from './vue.esm-browser.js';
|
||||
|
||||
createApp({
|
||||
components: { Cluster, Host },
|
||||
data() {
|
||||
return {
|
||||
forms: {
|
||||
store: {},
|
||||
storeUpload: {},
|
||||
delKey: {},
|
||||
hostFromTemplate: {},
|
||||
hostFromTemplateDel: "",
|
||||
},
|
||||
view: "",
|
||||
viewFilter: "",
|
||||
session: {},
|
||||
error: null,
|
||||
publicState: null,
|
||||
serverVersion: null,
|
||||
uiHash: null,
|
||||
watchingState: false,
|
||||
state: null,
|
||||
}
|
||||
},
|
||||
mounted() {
|
||||
this.session = JSON.parse(sessionStorage.state || "{}")
|
||||
this.watchPublicState()
|
||||
},
|
||||
watch: {
|
||||
session: {
|
||||
deep: true,
|
||||
handler(v) {
|
||||
sessionStorage.state = JSON.stringify(v)
|
||||
|
||||
if (v.token && !this.watchingState) {
|
||||
this.watchState()
|
||||
this.watchingState = true
|
||||
}
|
||||
}
|
||||
},
|
||||
publicState: {
|
||||
deep: true,
|
||||
handler(v) {
|
||||
if (v) {
|
||||
this.serverVersion = v.ServerVersion
|
||||
if (this.uiHash && v.UIHash != this.uiHash) {
|
||||
console.log("reloading")
|
||||
location.reload()
|
||||
} else {
|
||||
this.uiHash = v.UIHash
|
||||
}
|
||||
}
|
||||
},
|
||||
}
|
||||
},
|
||||
|
||||
computed: {
|
||||
views() {
|
||||
var views = [{type: "actions", name: "admin", title: "Admin actions"}];
|
||||
|
||||
(this.state.Clusters||[]).forEach((c) => views.push({type: "cluster", name: c.Name, title: `Cluster ${c.Name}`}));
|
||||
(this.state.Hosts ||[]).forEach((c) => views.push({type: "host", name: c.Name, title: `Host ${c.Name}`}));
|
||||
|
||||
return views.filter((v) => v.type != "host" || v.name.includes(this.viewFilter));
|
||||
},
|
||||
viewObj() {
|
||||
if (this.view) {
|
||||
if (this.view.type == "cluster") {
|
||||
return this.state.Clusters.find((c) => c.Name == this.view.name);
|
||||
}
|
||||
if (this.view.type == "host") {
|
||||
return this.state.Hosts.find((h) => h.Name == this.view.name);
|
||||
}
|
||||
}
|
||||
return undefined;
|
||||
},
|
||||
hostsFromTemplate() {
|
||||
return (this.state.Hosts||[]).filter((h) => h.Template);
|
||||
},
|
||||
},
|
||||
|
||||
methods: {
|
||||
any(array) {
|
||||
return array && array.length != 0;
|
||||
},
|
||||
copyText(text) {
|
||||
event.preventDefault()
|
||||
window.navigator.clipboard.writeText(text)
|
||||
},
|
||||
setToken() {
|
||||
event.preventDefault()
|
||||
this.session.token = this.forms.setToken
|
||||
this.forms.setToken = null
|
||||
},
|
||||
uploadStore() {
|
||||
event.preventDefault()
|
||||
this.apiPost('/public/store.tar', this.$refs.storeUpload.files[0], (v) => {
|
||||
this.forms.store = {}
|
||||
}, "application/tar")
|
||||
},
|
||||
namedPassphrase(name, passphrase) {
|
||||
return {Name: this.forms.store.name, Passphrase: btoa(this.forms.store.pass1)}
|
||||
},
|
||||
storeAddKey() {
|
||||
const params = this.namedPassphrase();
|
||||
if (this.forms.store.byHash) {
|
||||
params.Hash = this.forms.store.hash;
|
||||
}
|
||||
|
||||
this.apiPost('/store/add-key', params, (v) => {
|
||||
this.forms.store = {}
|
||||
})
|
||||
},
|
||||
storeDelKey() {
|
||||
event.preventDefault()
|
||||
|
||||
let name = this.forms.delKey.name
|
||||
|
||||
if (!confirm("Remove key named "+JSON.stringify(name)+"?")) {
|
||||
return
|
||||
}
|
||||
this.apiPost('/store/delete-key', name , (v) => {
|
||||
this.forms.delKey = {}
|
||||
})
|
||||
},
|
||||
unlockStore() {
|
||||
this.apiPost('/public/unlock-store', this.namedPassphrase(), (v) => {
|
||||
this.forms.store = {}
|
||||
|
||||
if (v) {
|
||||
this.session.token = v
|
||||
if (!this.watchingState) {
|
||||
this.watchState()
|
||||
this.watchingState = true
|
||||
}
|
||||
}
|
||||
})
|
||||
},
|
||||
uploadConfig() {
|
||||
const file = this.$refs.configUpload.files[0];
|
||||
let contentType = "text/vnd.yaml";
|
||||
if (file.name.endsWith(".json")) {
|
||||
contentType = "application/json";
|
||||
}
|
||||
this.apiPost('/configs', file, (v) => {}, contentType, true)
|
||||
},
|
||||
hostFromTemplateAdd() {
|
||||
let v = this.forms.hostFromTemplate;
|
||||
this.apiPost('/hosts-from-template/'+v.name, v, (v) => { this.forms.hostFromTemplate = {} });
|
||||
},
|
||||
hostFromTemplateDel() {
|
||||
event.preventDefault()
|
||||
|
||||
let v = this.forms.hostFromTemplateDel;
|
||||
if (!confirm("delete host template instance "+v+"?")) {
|
||||
return
|
||||
}
|
||||
this.apiDelete('/hosts-from-template/'+v, (v) => { this.forms.hostFromTemplateDel = "" });
|
||||
},
|
||||
apiPost(action, data, onload, contentType = 'application/json', raw = false) {
|
||||
event.preventDefault()
|
||||
|
||||
if (data === undefined) {
|
||||
throw("action " + action + ": no data")
|
||||
}
|
||||
|
||||
/* TODO
|
||||
fetch(action, {
|
||||
method: 'POST',
|
||||
body: JSON.stringify(data),
|
||||
})
|
||||
.then((response) => response.json())
|
||||
.then((result) => onload)
|
||||
// */
|
||||
|
||||
var xhr = new XMLHttpRequest()
|
||||
|
||||
xhr.responseType = 'json'
|
||||
// TODO spinner, pending action notification, or something
|
||||
xhr.onerror = () => {
|
||||
// this.actionResults.splice(idx, 1, {...item, done: true, failed: true })
|
||||
}
|
||||
xhr.onload = (r) => {
|
||||
if (xhr.status != 200) {
|
||||
this.error = xhr.response
|
||||
return
|
||||
}
|
||||
// this.actionResults.splice(idx, 1, {...item, done: true, resp: xhr.responseText})
|
||||
this.error = null
|
||||
if (onload) {
|
||||
onload(xhr.response)
|
||||
}
|
||||
}
|
||||
|
||||
xhr.open("POST", action)
|
||||
xhr.setRequestHeader('Accept', 'application/json')
|
||||
xhr.setRequestHeader('Content-Type', contentType)
|
||||
if (this.session.token) {
|
||||
xhr.setRequestHeader('Authorization', 'Bearer '+this.session.token)
|
||||
}
|
||||
|
||||
if (!raw && contentType == "application/json") {
|
||||
xhr.send(JSON.stringify(data))
|
||||
} else {
|
||||
xhr.send(data)
|
||||
}
|
||||
},
|
||||
apiDelete(action, data, onload) {
|
||||
event.preventDefault()
|
||||
|
||||
var xhr = new XMLHttpRequest()
|
||||
xhr.onload = (r) => {
|
||||
if (xhr.status != 200) {
|
||||
this.error = xhr.response
|
||||
return
|
||||
}
|
||||
this.error = null
|
||||
if (onload) {
|
||||
onload(xhr.response)
|
||||
}
|
||||
}
|
||||
xhr.open("DELETE", action)
|
||||
xhr.setRequestHeader('Accept', 'application/json')
|
||||
if (this.session.token) {
|
||||
xhr.setRequestHeader('Authorization', 'Bearer '+this.session.token)
|
||||
}
|
||||
xhr.send()
|
||||
},
|
||||
download(url) {
|
||||
event.target.target = '_blank'
|
||||
event.target.href = this.downloadLink(url)
|
||||
},
|
||||
downloadLink(url) {
|
||||
// TODO once-shot download link
|
||||
return url + '?token=' + this.session.token
|
||||
},
|
||||
watchPublicState() {
|
||||
this.watchStream('publicState', '/public-state')
|
||||
},
|
||||
watchState() {
|
||||
this.watchStream('state', '/state', true)
|
||||
},
|
||||
watchStream(field, path, withToken) {
|
||||
let evtSrc = new EventSource(path + (withToken ? '?token='+this.session.token : ''));
|
||||
evtSrc.onmessage = (e) => {
|
||||
let update = JSON.parse(e.data)
|
||||
|
||||
console.log("watch "+path+":", update)
|
||||
|
||||
if (update.err) {
|
||||
console.log("watch error from server:", err)
|
||||
}
|
||||
if (update.set) {
|
||||
this[field] = update.set
|
||||
}
|
||||
if (update.p) { // patch
|
||||
new jsonpatch.JSONPatch(update.p, true).apply(this[field])
|
||||
}
|
||||
}
|
||||
evtSrc.onerror = (e) => {
|
||||
// console.log("event source " + path + " error:", e)
|
||||
if (evtSrc) evtSrc.close()
|
||||
|
||||
this[field] = null
|
||||
|
||||
window.setTimeout(() => { this.watchStream(field, path, withToken) }, 1000)
|
||||
}
|
||||
},
|
||||
}
|
||||
|
||||
}).mount('#app');
|
||||
@@ -0,0 +1,47 @@
|
||||
|
||||
.view-links > span {
|
||||
display: inline-block;
|
||||
white-space: nowrap;
|
||||
margin-right: 1ex;
|
||||
margin-bottom: 1ex;
|
||||
padding: 0.5ex;
|
||||
border: 1pt solid;
|
||||
border-radius: 1ex;
|
||||
cursor: pointer;
|
||||
}
|
||||
|
||||
.downloads, .download-links, .download-table td {
|
||||
& > * {
|
||||
display: inline-block;
|
||||
margin-right: 1ex;
|
||||
margin-bottom: 1ex;
|
||||
padding: 0.5ex;
|
||||
border: 1px solid !important;
|
||||
border-radius: 1ex;
|
||||
cursor: pointer;
|
||||
}
|
||||
}
|
||||
|
||||
.download-table th,
|
||||
.download-table td {
|
||||
border: none !important;
|
||||
}
|
||||
|
||||
.downloads, .view-links {
|
||||
& > .selected {
|
||||
color: var(--link);
|
||||
}
|
||||
}
|
||||
|
||||
.text-and-file {
|
||||
position:relative;
|
||||
|
||||
textarea {
|
||||
width: 64em;
|
||||
}
|
||||
|
||||
input[type="file"] {
|
||||
position:absolute;
|
||||
bottom:0;right:0;
|
||||
}
|
||||
}
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 8.7 KiB |
@@ -0,0 +1,151 @@
|
||||
<!doctype html>
|
||||
<html>
|
||||
<head>
|
||||
<title>Direktil Local Server</title>
|
||||
<base href="/ui/" />
|
||||
|
||||
<link rel="icon" href="favicon.ico" />
|
||||
|
||||
|
||||
|
||||
<style>@import url('/ui/style.css');@import url('/ui/app.css');</style>
|
||||
<script src="/ui/jsonpatch.min-942279a1c4209cc2.js" integrity="sha384-GcPrkRS12jtrElEkbJcrZ8asvvb9s3mc+CUq9UW/8bL4L0bpkmh9M+oFnWN6qLq2"></script>
|
||||
<script src="/ui/app-e7fb26679b9aa0f2.js" defer integrity="sha384-4oRQalb7IIBcqQzfDkeCj53qYOP6dLsTwqcjnm3EiBa92oNDD3chUw38W2gEC+3p" type="module"></script>
|
||||
<script src="/ui/Downloads-29497c61f1fe9bf0.js" integrity="sha384-xwn49JflUBaZlQCHCn55Q9qSGqsw01Job+TXk53HLhvNhKAALN18+gNCdF0bUJW0"></script>
|
||||
<script src="/ui/GetCopy-7e3c9678f9647d40.js" integrity="sha384-LzxUXylxE/t25HyTch8y2qvKcehvP2nqCo37swIBGEKZZUzHVJVQrS5UJDWNskTA"></script>
|
||||
<script src="/ui/Cluster-703dcdca97841304.js" integrity="sha384-ifGpq/GB1nDfqczm5clTRtcfnc9UMkT+SptMyS3UG9Di3xoKORtOGGjmK5RnJx+v"></script>
|
||||
<script src="/ui/Host-61916516a854adff.js" integrity="sha384-/wh3KrC0sb4MT7ekO2U84rswxI42WSH/0jB4dbDaaGaGhX60xTEZHFsdQAf7UgTG"></script>
|
||||
<body>
|
||||
|
||||
<div id="app">
|
||||
<header>
|
||||
<div id="logo">
|
||||
<img src="favicon.ico" />
|
||||
<span>Direktil Local Server</span>
|
||||
</div>
|
||||
<div class="utils">
|
||||
<span id="login-hdr" v-if="session.token">
|
||||
Logged in
|
||||
<button class="link" @click="copyText(session.token)">🗐</button>
|
||||
</span>
|
||||
|
||||
<span>server <code>{{ serverVersion || '-----' }}</code></span>
|
||||
<span>ui <code>{{ uiHash || '-----' }}</code></span>
|
||||
|
||||
<span :class="publicState ? 'green' : 'red'">🗲</span>
|
||||
</div>
|
||||
</header>
|
||||
|
||||
<div class="error" v-if="error">
|
||||
<button class="btn-close" @click="error=null">×</button>
|
||||
<div class="code" v-if="error.code">{{ error.code }}</div>
|
||||
<div class="message">{{ error.message }}</div>
|
||||
</div>
|
||||
|
||||
<template v-if="!publicState">
|
||||
<p>Not connected.</p>
|
||||
</template>
|
||||
|
||||
<template v-else-if="publicState.Store.New">
|
||||
<p>Store is new.</p>
|
||||
<p>Option 1: initialize a new store</p>
|
||||
<form @submit="unlockStore">
|
||||
<input type="text" v-model="forms.store.name" name="name" placeholder="Name" /><br/>
|
||||
<input type="password" v-model="forms.store.pass1" name="passphrase" required placeholder="Passphrase" />
|
||||
<input type="password" v-model="forms.store.pass2" required placeholder="Passphrase confirmation" />
|
||||
<input type="submit" value="initialize" :disabled="!forms.store.pass1 || forms.store.pass1 != forms.store.pass2" />
|
||||
</form>
|
||||
<p>Option 2: upload a previously downloaded store</p>
|
||||
<form @submit="uploadStore">
|
||||
<input type="file" ref="storeUpload" />
|
||||
<input type="submit" value="upload" />
|
||||
</form>
|
||||
</template>
|
||||
|
||||
<template v-else-if="!publicState.Store.Open">
|
||||
<p>Store is not open.</p>
|
||||
<form @submit="unlockStore">
|
||||
<input type="password" name="passphrase" v-model="forms.store.pass1" required placeholder="Passphrase" />
|
||||
<input type="submit" value="unlock" :disabled="!forms.store.pass1" />
|
||||
</form>
|
||||
</template>
|
||||
|
||||
<template v-else-if="!state">
|
||||
<p v-if="!session.token">Not logged in.</p>
|
||||
<p v-else>Invalid token</p>
|
||||
|
||||
<form @submit="unlockStore">
|
||||
<input type="password" v-model="forms.store.pass1" required placeholder="Passphrase" />
|
||||
<input type="submit" value="log in"/>
|
||||
</form>
|
||||
</template>
|
||||
|
||||
<template v-else>
|
||||
<div style="float:right;"><input type="search" placeholder="Filter" v-model="viewFilter"/></div>
|
||||
<p class="view-links"><span v-for="v in views" @click="view = v" :class="{selected: view.type==v.type && view.name==v.name}">{{v.title}}</span></p>
|
||||
|
||||
<h2 v-if="view">{{view.title}}</h2>
|
||||
|
||||
<div v-if="view.type == 'cluster'" id="clusters">
|
||||
<Cluster :cluster="viewObj" :token="session.token" :state="state" />
|
||||
</div>
|
||||
|
||||
<div v-if="view.type == 'host'" id="hosts">
|
||||
<Host :host="viewObj" :token="session.token" :state="state" />
|
||||
</div>
|
||||
|
||||
<div v-if="view.type == 'actions' && view.name == 'admin'">
|
||||
<h3>Config</h3>
|
||||
<form @submit="uploadConfig">
|
||||
<input type="file" ref="configUpload" required />
|
||||
<input type="submit" value="upload config" />
|
||||
</form>
|
||||
|
||||
<h3>Store</h3>
|
||||
<p><a :href="'/public/store.tar?token='+state.Store.DownloadToken" target="_blank">Download</a></p>
|
||||
<form @submit="storeAddKey" action="/store/add-key">
|
||||
<p>Add an unlock phrase:</p>
|
||||
<input type="text" v-model="forms.store.name" name="name" required placeholder="Name" /><br/>
|
||||
<label><input type="checkbox" v-model="forms.store.byHash"> {{ forms.store.byHash ? "hash (base64)" : "passphrase"}}</label>
|
||||
<div v-if="forms.store.byHash">
|
||||
<input type="hash" v-model="forms.store.hash" name="passphrase" required placeholder="Hash" />
|
||||
{{" "}}generate with <code>dls hash '{{state.Store.Salt}}'</code>
|
||||
</div><div v-else>
|
||||
<input type="password" v-model="forms.store.pass1" name="passphrase" autocomplete="new-password" required placeholder="Phrase" />
|
||||
<input type="password" v-model="forms.store.pass2" autocomplete="new-password" required placeholder="Phrase confirmation" />
|
||||
</div>
|
||||
<input type="submit" value="add unlock phrase" :disabled="!((forms.store.pass1 && forms.store.pass1 == forms.store.pass2) || forms.store.hash)" />
|
||||
</form>
|
||||
<form @submit="storeDelKey" action="/store/delete-key">
|
||||
<p>Remove an unlock phrase:</p>
|
||||
<input type="text" v-model="forms.delKey.name" name="name" required placeholder="Name" />
|
||||
<input type="submit" value="remove unlock phrase" />
|
||||
|
||||
<p v-if="state.Store.KeyNames">Available names:
|
||||
<template v-for="k,i in state.Store.KeyNames">{{i?", ":""}}<code @click="forms.delKey.name=k">{{k}}</code></template>.</p>
|
||||
</form>
|
||||
|
||||
<template v-if="any(state.HostTemplates) || any(hostsFromTemplate)">
|
||||
<h3>Hosts from template</h3>
|
||||
<form @submit="hostFromTemplateAdd" action="" v-if="any(state.HostTemplates)">
|
||||
<p>Add a host from template instance:</p>
|
||||
<input type="text" v-model="forms.hostFromTemplate.name" required placeholder="Name" />
|
||||
<select v-model="forms.hostFromTemplate.Template" required>
|
||||
<option v-for="name in state.HostTemplates" :value="name">{{name}}</option>
|
||||
</select>
|
||||
<input type="text" v-model="forms.hostFromTemplate.IP" required placeholder="IP" />
|
||||
<input type="submit" value="add instance" />
|
||||
</form>
|
||||
<form @submit="hostFromTemplateDel" action="" v-if="any(hostsFromTemplate)">
|
||||
<p>Remove a host from template instance:</p>
|
||||
<select v-model="forms.hostFromTemplateDel" required>
|
||||
<option v-for="h in hostsFromTemplate" :value="h.Name">{{h.Name}}</option>
|
||||
</select>
|
||||
<input type="submit" value="delete instance" :disabled="!forms.hostFromTemplateDel" />
|
||||
</form>
|
||||
</template>
|
||||
</div>
|
||||
</template>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
File diff suppressed because one or more lines are too long
@@ -0,0 +1,197 @@
|
||||
:root {
|
||||
--bg: #eee;
|
||||
--color: black;
|
||||
--bevel-dark: darkgray;
|
||||
--bevel-light: lightgray;
|
||||
--link: blue;
|
||||
--input-bg: #ddd;
|
||||
--input-text: white;
|
||||
--btn-bg: #eee;
|
||||
}
|
||||
|
||||
@media (prefers-color-scheme: dark) {
|
||||
:root {
|
||||
--bg: black;
|
||||
--color: orange;
|
||||
--bevel-dark: #402900;
|
||||
--bevel-light: #805300;
|
||||
--link: #31b0fa;
|
||||
--input-bg: #111;
|
||||
--input-text: #ddd;
|
||||
--btn-bg: #222;
|
||||
}
|
||||
}
|
||||
|
||||
body {
|
||||
background: var(--bg);
|
||||
color: var(--color);
|
||||
}
|
||||
|
||||
button[disabled] {
|
||||
opacity: 0.5;
|
||||
}
|
||||
|
||||
a[href], a[href]:visited, button.link {
|
||||
border: none;
|
||||
color: var(--link);
|
||||
background: none;
|
||||
cursor: pointer;
|
||||
text-decoration: none;
|
||||
}
|
||||
|
||||
table {
|
||||
border-collapse: collapse;
|
||||
}
|
||||
th, td {
|
||||
border-left: dotted 1pt;
|
||||
border-right: dotted 1pt;
|
||||
border-bottom: dotted 1pt;
|
||||
padding: 2pt 4pt;
|
||||
}
|
||||
tr:first-child {
|
||||
th, td {
|
||||
border-top: dotted 1pt;
|
||||
}
|
||||
}
|
||||
th, tr:last-child > td {
|
||||
border-bottom: solid 1pt;
|
||||
}
|
||||
|
||||
.flat > * { margin-left: 1ex; }
|
||||
.flat > *:first-child { margin-left: 0; }
|
||||
|
||||
.green { color: green; }
|
||||
.red { color: red; }
|
||||
|
||||
@media (prefers-color-scheme: dark) {
|
||||
.red { color: #c00; }
|
||||
}
|
||||
|
||||
textarea, select, input {
|
||||
background: var(--input-bg);
|
||||
color: var(--input-text);
|
||||
border: solid 1pt;
|
||||
border-color: var(--bevel-light);
|
||||
border-top-color: var(--bevel-dark);
|
||||
border-left-color: var(--bevel-dark);
|
||||
margin: 1pt;
|
||||
|
||||
&:focus {
|
||||
outline: solid 1pt var(--color);
|
||||
}
|
||||
}
|
||||
|
||||
button, input[type=button], input[type=submit], ::file-selector-button {
|
||||
background: var(--btn-bg);
|
||||
color: var(--color);
|
||||
border: solid 2pt;
|
||||
border-color: var(--bevel-dark);
|
||||
border-top-color: var(--bevel-light);
|
||||
border-left-color: var(--bevel-light);
|
||||
|
||||
&:hover {
|
||||
background: var(--bevel-dark);
|
||||
}
|
||||
&:active {
|
||||
background: var(--bevel-dark);
|
||||
border-color: var(--bevel-light);
|
||||
}
|
||||
}
|
||||
|
||||
header {
|
||||
display: flex;
|
||||
align-items: center;
|
||||
border-bottom: 2pt solid;
|
||||
margin: 0 0 1em 0;
|
||||
padding: 1ex;
|
||||
justify-content: space-between;
|
||||
}
|
||||
#logo > img {
|
||||
vertical-align: middle;
|
||||
}
|
||||
header .utils > * {
|
||||
margin-left: 1ex;
|
||||
}
|
||||
|
||||
.error {
|
||||
display: flex;
|
||||
position: relative;
|
||||
background: rgba(255,0,0,0.2);
|
||||
border: 1pt solid red;
|
||||
justify-content: space-between;
|
||||
align-items: center;
|
||||
}
|
||||
.error .btn-close,
|
||||
.error .code {
|
||||
background: #600;
|
||||
color: white;
|
||||
font-weight: bold;
|
||||
border: none;
|
||||
align-self: stretch;
|
||||
padding: 1ex 1em;
|
||||
}
|
||||
.error .code {
|
||||
order: 1;
|
||||
|
||||
display: flex;
|
||||
align-items: center;
|
||||
text-align: center;
|
||||
}
|
||||
.error .message {
|
||||
order: 2;
|
||||
padding: 1ex 2em;
|
||||
}
|
||||
.error .btn-close {
|
||||
order: 3;
|
||||
}
|
||||
|
||||
.sheets {
|
||||
display: flex;
|
||||
align-items: stretch;
|
||||
}
|
||||
.sheets > div {
|
||||
margin: 0 1ex;
|
||||
border: 1pt solid;
|
||||
border-radius: 6pt;
|
||||
}
|
||||
.sheets .title {
|
||||
text-align: center;
|
||||
font-weight: bold;
|
||||
font-size: large;
|
||||
padding: 2pt 6pt;
|
||||
background: rgba(127,127,127,0.5);
|
||||
}
|
||||
.sheets .section {
|
||||
padding: 2pt 6pt 2pt 6pt;
|
||||
font-weight: bold;
|
||||
border-top: 1px dotted;
|
||||
}
|
||||
.sheets section {
|
||||
margin: 2pt 6pt 6pt 6pt;
|
||||
}
|
||||
.sheets > *:last-child > table:last-child > tr:last-child > td {
|
||||
border-bottom: none;
|
||||
}
|
||||
|
||||
.notif {
|
||||
display: inline-block;
|
||||
position: relative;
|
||||
}
|
||||
.notif > div:first-child {
|
||||
position: absolute;
|
||||
min-width: 100%; height: 100%;
|
||||
background: white;
|
||||
opacity: 75%;
|
||||
text-align: center;
|
||||
}
|
||||
|
||||
.links > * { margin-left: 1ex; }
|
||||
.links > *:first-child { margin-left: 0; }
|
||||
|
||||
@media (prefers-color-scheme: dark) {
|
||||
.notif > div:first-child {
|
||||
background: black;
|
||||
}
|
||||
}
|
||||
|
||||
.copy { font-size: small; }
|
||||
File diff suppressed because it is too large
Load Diff
+7
-21
@@ -1,37 +1,23 @@
|
||||
#! /bin/sh
|
||||
|
||||
if [ $# -ne 2 ]; then
|
||||
echo "USAGE: $0 <device> <base url>"
|
||||
echo "USAGE: $0 <device>"
|
||||
fi
|
||||
|
||||
dev=$1
|
||||
base_url=$2
|
||||
|
||||
: ${MP:=/mnt}
|
||||
|
||||
set -ex
|
||||
|
||||
mkdir -p $MP
|
||||
zcat boot.img.gz | dd of=$dev
|
||||
|
||||
apk add sgdisk
|
||||
|
||||
[[ $dev =~ nvme ]] &&
|
||||
devp=${dev}p ||
|
||||
devp=${dev}
|
||||
|
||||
if vgdisplay storage; then
|
||||
# the system is already installed, just upgrade
|
||||
mount -t vfat ${devp}1 $MP
|
||||
curl ${base_url}/boot.tar |tar xv -C $MP
|
||||
umount $MP
|
||||
sgdisk --move-second-header --new=3:0:0 $dev
|
||||
|
||||
else
|
||||
sgdisk --clear $dev
|
||||
pvcreate ${devp}3
|
||||
vgcreate storage ${devp}3
|
||||
|
||||
curl ${base_url}/boot.img.lz4 |lz4cat >$dev
|
||||
|
||||
sgdisk --move-second-header --new=3:0:0 $dev
|
||||
|
||||
pvcreate ${devp}3
|
||||
vgcreate storage ${devp}3
|
||||
fi
|
||||
|
||||
while umount $MP; do true; done
|
||||
|
||||
@@ -1,10 +1,12 @@
|
||||
**/*.go go.mod go.sum Dockerfile {
|
||||
modd.conf {}
|
||||
|
||||
**/*.go go.mod go.sum {
|
||||
prep: go test ./...
|
||||
prep: go install -trimpath ./cmd/...
|
||||
prep: docker build --build-arg GOPROXY=$GOPROXY -t dls .
|
||||
#daemon +sigterm: /var/lib/direktil/test-run
|
||||
prep: mkdir -p dist
|
||||
prep: hack/build ./...
|
||||
#daemon +sigterm: bash test-run
|
||||
}
|
||||
|
||||
**/*.proto !dist/**/* {
|
||||
prep: for mod in @mods; do protoc -I ./ --go_out=plugins=grpc,paths=source_relative:. $mod; done
|
||||
html/**/* {
|
||||
prep: hack/build ./cmd/dkl-local-server
|
||||
}
|
||||
|
||||
@@ -4,7 +4,6 @@ import (
|
||||
"flag"
|
||||
"fmt"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
"net"
|
||||
"os"
|
||||
@@ -25,11 +24,9 @@ var (
|
||||
|
||||
type Config struct {
|
||||
Hosts []*Host
|
||||
Groups []*Group
|
||||
Clusters []*Cluster
|
||||
Configs []*Template
|
||||
StaticPods []*Template `yaml:"static_pods"`
|
||||
BootstrapPods map[string][]*Template `yaml:"bootstrap_pods"`
|
||||
StaticPods map[string][]*Template `yaml:"static_pods"`
|
||||
Addons map[string][]*Template
|
||||
SSLConfig string `yaml:"ssl_config"`
|
||||
CertRequests []*CertRequest `yaml:"cert_requests"`
|
||||
@@ -44,7 +41,7 @@ func FromBytes(data []byte) (*Config, error) {
|
||||
}
|
||||
|
||||
func FromFile(path string) (*Config, error) {
|
||||
ba, err := ioutil.ReadFile(path)
|
||||
ba, err := os.ReadFile(path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -89,15 +86,6 @@ func (c *Config) HostByMAC(mac string) *Host {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *Config) Group(name string) *Group {
|
||||
for _, group := range c.Groups {
|
||||
if group.Name == name {
|
||||
return group
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *Config) Cluster(name string) *Cluster {
|
||||
for _, cluster := range c.Clusters {
|
||||
if cluster.Name == name {
|
||||
@@ -116,15 +104,6 @@ func (c *Config) ConfigTemplate(name string) *Template {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *Config) StaticPodsTemplate(name string) *Template {
|
||||
for _, s := range c.StaticPods {
|
||||
if s.Name == name {
|
||||
return s
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *Config) CSR(name string) *CertRequest {
|
||||
for _, s := range c.CertRequests {
|
||||
if s.Name == name {
|
||||
@@ -140,23 +119,25 @@ func (c *Config) SaveTo(path string) error {
|
||||
return err
|
||||
}
|
||||
|
||||
return ioutil.WriteFile(path, ba, 0600)
|
||||
return os.WriteFile(path, ba, 0600)
|
||||
}
|
||||
|
||||
type Template struct {
|
||||
Name string
|
||||
Template string
|
||||
|
||||
parsedTemplate *template.Template
|
||||
}
|
||||
|
||||
func (t *Template) Execute(contextName, elementName string, wr io.Writer, data interface{}, extraFuncs map[string]interface{}) error {
|
||||
if t.parsedTemplate == nil {
|
||||
var templateFuncs = map[string]interface{}{
|
||||
"indent": func(indent, s string) (indented string) {
|
||||
indented = indent + strings.Replace(s, "\n", "\n"+indent, -1)
|
||||
return
|
||||
},
|
||||
"yaml": func(v any) (s string, err error) {
|
||||
ba, err := yaml.Marshal(v)
|
||||
s = string(ba)
|
||||
return
|
||||
},
|
||||
}
|
||||
|
||||
for name, f := range extraFuncs {
|
||||
@@ -169,8 +150,6 @@ func (t *Template) Execute(contextName, elementName string, wr io.Writer, data i
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
t.parsedTemplate = tmpl
|
||||
}
|
||||
|
||||
if *templateDetailsDir != "" {
|
||||
templateID++
|
||||
@@ -181,7 +160,7 @@ func (t *Template) Execute(contextName, elementName string, wr io.Writer, data i
|
||||
base += string(filepath.Separator)
|
||||
log.Print("writing template details: ", base, "{in,data,out}")
|
||||
|
||||
if err := ioutil.WriteFile(base+"in", []byte(t.Template), 0600); err != nil {
|
||||
if err := os.WriteFile(base+"in", []byte(t.Template), 0600); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -190,7 +169,7 @@ func (t *Template) Execute(contextName, elementName string, wr io.Writer, data i
|
||||
return err
|
||||
}
|
||||
|
||||
if err := ioutil.WriteFile(base+"data", yamlBytes, 0600); err != nil {
|
||||
if err := os.WriteFile(base+"data", yamlBytes, 0600); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -204,40 +183,37 @@ func (t *Template) Execute(contextName, elementName string, wr io.Writer, data i
|
||||
wr = io.MultiWriter(wr, out)
|
||||
}
|
||||
|
||||
return t.parsedTemplate.Execute(wr, data)
|
||||
return tmpl.Execute(wr, data)
|
||||
}
|
||||
|
||||
// Host represents a host served by this server.
|
||||
type Host struct {
|
||||
WithRev
|
||||
|
||||
Name string
|
||||
Labels map[string]string
|
||||
Annotations map[string]string
|
||||
Template bool `json:",omitempty"`
|
||||
|
||||
MAC string
|
||||
Name string
|
||||
Labels map[string]string `json:",omitempty"`
|
||||
Annotations map[string]string `json:",omitempty"`
|
||||
|
||||
MAC string `json:",omitempty"`
|
||||
IP string
|
||||
IPs []string
|
||||
IPs []string `json:",omitempty"`
|
||||
Cluster string
|
||||
Group string
|
||||
Vars Vars
|
||||
}
|
||||
|
||||
// Group represents a group of hosts and provides their configuration.
|
||||
type Group struct {
|
||||
WithRev
|
||||
Net string
|
||||
IPFrom map[string]string `json:",omitempty" yaml:"ip_from"`
|
||||
|
||||
Name string
|
||||
Labels map[string]string
|
||||
Annotations map[string]string
|
||||
|
||||
Master bool
|
||||
IPXE string
|
||||
IPXE string `json:",omitempty"`
|
||||
Kernel string
|
||||
Initrd string
|
||||
BootstrapConfig string `yaml:"bootstrap_config"`
|
||||
Config string
|
||||
StaticPods string `yaml:"static_pods"`
|
||||
Versions map[string]string
|
||||
|
||||
StaticPods string `yaml:"static_pods"`
|
||||
|
||||
Vars Vars
|
||||
}
|
||||
|
||||
@@ -253,12 +229,12 @@ type Cluster struct {
|
||||
Annotations map[string]string
|
||||
|
||||
Domain string
|
||||
Addons string
|
||||
BootstrapPods string `yaml:"bootstrap_pods"`
|
||||
Addons []string
|
||||
Subnets struct {
|
||||
Services string
|
||||
Pods string
|
||||
}
|
||||
|
||||
Vars Vars
|
||||
}
|
||||
|
||||
@@ -273,7 +249,7 @@ func (c *Cluster) DNSSvcIP() net.IP {
|
||||
func (c *Cluster) NthSvcIP(n byte) net.IP {
|
||||
_, cidr, err := net.ParseCIDR(c.Subnets.Services)
|
||||
if err != nil {
|
||||
panic(fmt.Errorf("Invalid services CIDR: %v", err))
|
||||
panic(fmt.Errorf("invalid services CIDR: %v", err))
|
||||
}
|
||||
|
||||
ip := cidr.IP
|
||||
|
||||
+38
-130
@@ -2,8 +2,6 @@ package clustersconfig
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
"os"
|
||||
"path"
|
||||
"path/filepath"
|
||||
@@ -15,40 +13,38 @@ import (
|
||||
// Debug enables debug logs from this package.
|
||||
var Debug = false
|
||||
|
||||
func FromDir(dirPath, defaultsPath string) (*Config, error) {
|
||||
if Debug {
|
||||
log.Printf("loading config from dir %s (defaults from %s)", dirPath, defaultsPath)
|
||||
}
|
||||
func FromDir(
|
||||
read func(path string) ([]byte, error),
|
||||
assemble func(path string) ([]byte, error),
|
||||
listBase func(path string) ([]string, error),
|
||||
listMerged func(path string) ([]string, error),
|
||||
) (*Config, error) {
|
||||
|
||||
defaults, err := NewDefaults(defaultsPath)
|
||||
load := func(dir, name string, out any) (err error) {
|
||||
ba, err := assemble(filepath.Join(dir, name))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to load defaults: %v", err)
|
||||
return
|
||||
}
|
||||
|
||||
store := &dirStore{dirPath}
|
||||
load := func(dir, name string, out Rev) error {
|
||||
ba, err := store.Get(path.Join(dir, name))
|
||||
err = yaml.UnmarshalStrict(ba, out)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to load %s/%s from dir: %v", dir, name, err)
|
||||
}
|
||||
if err = defaults.Load(dir, ".yaml", out, ba); err != nil {
|
||||
return fmt.Errorf("failed to enrich %s/%s from defaults: %v", dir, name, err)
|
||||
return
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
config := &Config{
|
||||
Addons: make(map[string][]*Template),
|
||||
BootstrapPods: make(map[string][]*Template),
|
||||
StaticPods: make(map[string][]*Template),
|
||||
}
|
||||
|
||||
// load clusters
|
||||
names, err := store.List("clusters")
|
||||
names, err := listBase("clusters")
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to list clusters: %v", err)
|
||||
}
|
||||
|
||||
for _, name := range names {
|
||||
name, _ = strings.CutSuffix(name, ".yaml")
|
||||
cluster := &Cluster{Name: name}
|
||||
if err := load("clusters", name, cluster); err != nil {
|
||||
return nil, err
|
||||
@@ -57,98 +53,14 @@ func FromDir(dirPath, defaultsPath string) (*Config, error) {
|
||||
config.Clusters = append(config.Clusters, cluster)
|
||||
}
|
||||
|
||||
// load groups
|
||||
names, err = store.List("groups")
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to list groups: %v", err)
|
||||
}
|
||||
|
||||
read := func(rev, filePath string) (data []byte, fromDefaults bool, err error) {
|
||||
data, err = store.Get(filePath)
|
||||
if err != nil {
|
||||
err = fmt.Errorf("faild to read %s: %v", filePath, err)
|
||||
return
|
||||
}
|
||||
|
||||
if data != nil {
|
||||
return // ok
|
||||
}
|
||||
|
||||
if len(rev) == 0 {
|
||||
err = fmt.Errorf("entry not found: %s", filePath)
|
||||
return
|
||||
}
|
||||
|
||||
data, err = defaults.ReadAll(rev, filePath+".yaml")
|
||||
if err != nil {
|
||||
err = fmt.Errorf("failed to read %s:%s: %v", rev, filePath, err)
|
||||
return
|
||||
}
|
||||
|
||||
fromDefaults = true
|
||||
return
|
||||
}
|
||||
|
||||
template := func(rev, dir, name string, templates *[]*Template) (ref string, err error) {
|
||||
ref = name
|
||||
if len(name) == 0 {
|
||||
return
|
||||
}
|
||||
|
||||
ba, fromDefaults, err := read(rev, path.Join(dir, name))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
if fromDefaults {
|
||||
ref = rev + ":" + name
|
||||
}
|
||||
|
||||
if !hasTemplate(ref, *templates) {
|
||||
if Debug {
|
||||
log.Printf("new template in %s: %s", dir, ref)
|
||||
}
|
||||
|
||||
*templates = append(*templates, &Template{
|
||||
Name: ref,
|
||||
Template: string(ba),
|
||||
})
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
for _, name := range names {
|
||||
group := &Group{Name: name}
|
||||
if err := load("groups", name, group); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
group.Config, err = template(group.Rev(), "configs", group.Config, &config.Configs)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to load config for group %q: %v", name, err)
|
||||
}
|
||||
|
||||
if Debug {
|
||||
log.Printf("group %q: config=%q static_pods=%q",
|
||||
group.Name, group.Config, group.StaticPods)
|
||||
}
|
||||
|
||||
group.StaticPods, err = template(group.Rev(), "static-pods", group.StaticPods, &config.StaticPods)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to load static pods for group %q: %v", name, err)
|
||||
}
|
||||
|
||||
config.Groups = append(config.Groups, group)
|
||||
}
|
||||
|
||||
// load hosts
|
||||
names, err = store.List("hosts")
|
||||
names, err = listBase("hosts")
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to list hosts: %v", err)
|
||||
}
|
||||
|
||||
for _, name := range names {
|
||||
name, _ = strings.CutSuffix(name, ".yaml")
|
||||
o := &Host{Name: name}
|
||||
if err := load("hosts", name, o); err != nil {
|
||||
return nil, err
|
||||
@@ -158,28 +70,20 @@ func FromDir(dirPath, defaultsPath string) (*Config, error) {
|
||||
}
|
||||
|
||||
// load config templates
|
||||
loadTemplates := func(rev, dir string, templates *[]*Template) error {
|
||||
names, err := store.List(dir)
|
||||
loadTemplates := func(dir string, templates *[]*Template) error {
|
||||
names, err := listMerged(dir)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to list %s: %v", dir, err)
|
||||
}
|
||||
|
||||
if len(rev) != 0 {
|
||||
var defaultsNames []string
|
||||
defaultsNames, err = defaults.List(rev, dir)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to list %s:%s: %v", rev, dir, err)
|
||||
}
|
||||
for _, fullName := range names {
|
||||
name, _ := strings.CutSuffix(fullName, ".yaml")
|
||||
|
||||
names = append(names, defaultsNames...)
|
||||
}
|
||||
|
||||
for _, name := range names {
|
||||
if hasTemplate(name, *templates) {
|
||||
continue
|
||||
}
|
||||
|
||||
ba, _, err := read(rev, path.Join(dir, name))
|
||||
ba, err := read(path.Join(dir, fullName))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -193,53 +97,57 @@ func FromDir(dirPath, defaultsPath string) (*Config, error) {
|
||||
return nil
|
||||
}
|
||||
|
||||
loadTemplates("configs", &config.Configs)
|
||||
|
||||
// cluster addons
|
||||
for _, cluster := range config.Clusters {
|
||||
addonSet := cluster.Addons
|
||||
if len(addonSet) == 0 {
|
||||
addonSets := cluster.Addons
|
||||
if len(addonSets) == 0 {
|
||||
continue
|
||||
}
|
||||
|
||||
for _, addonSet := range addonSets {
|
||||
if _, ok := config.Addons[addonSet]; ok {
|
||||
continue
|
||||
}
|
||||
|
||||
templates := make([]*Template, 0)
|
||||
if err = loadTemplates(cluster.Rev(), path.Join("addons", addonSet), &templates); err != nil {
|
||||
if err = loadTemplates(path.Join("addons", addonSet), &templates); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
config.Addons[addonSet] = templates
|
||||
}
|
||||
}
|
||||
|
||||
// cluster bootstrap pods
|
||||
for _, cluster := range config.Clusters {
|
||||
bpSet := cluster.BootstrapPods
|
||||
// cluster static pods
|
||||
for _, host := range config.Hosts {
|
||||
bpSet := host.StaticPods
|
||||
if bpSet == "" {
|
||||
continue
|
||||
}
|
||||
|
||||
if _, ok := config.BootstrapPods[bpSet]; ok {
|
||||
if _, ok := config.StaticPods[bpSet]; ok {
|
||||
continue
|
||||
}
|
||||
|
||||
templates := make([]*Template, 0)
|
||||
if err = loadTemplates(cluster.Rev(), path.Join("bootstrap-pods", bpSet), &templates); err != nil {
|
||||
if err = loadTemplates(path.Join("static-pods", bpSet), &templates); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
config.BootstrapPods[bpSet] = templates
|
||||
config.StaticPods[bpSet] = templates
|
||||
}
|
||||
|
||||
// load SSL configuration
|
||||
if ba, err := ioutil.ReadFile(filepath.Join(dirPath, "ssl-config.json")); err == nil {
|
||||
if ba, err := read("ssl-config.json"); err == nil {
|
||||
config.SSLConfig = string(ba)
|
||||
|
||||
} else if !os.IsNotExist(err) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if ba, err := ioutil.ReadFile(filepath.Join(dirPath, "cert-requests.yaml")); err == nil {
|
||||
if ba, err := read("cert-requests.yaml"); err == nil {
|
||||
reqs := make([]*CertRequest, 0)
|
||||
if err = yaml.Unmarshal(ba, &reqs); err != nil {
|
||||
return nil, err
|
||||
@@ -269,7 +177,7 @@ type dirStore struct {
|
||||
|
||||
// listDir
|
||||
func (b *dirStore) listDir(prefix string) (subDirs []string, err error) {
|
||||
entries, err := ioutil.ReadDir(filepath.Join(b.path, prefix))
|
||||
entries, err := os.ReadDir(filepath.Join(b.path, prefix))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
@@ -317,7 +225,7 @@ func (b *dirStore) List(prefix string) ([]string, error) {
|
||||
|
||||
// Load is part of the DataBackend interface
|
||||
func (b *dirStore) Get(key string) (ba []byte, err error) {
|
||||
ba, err = ioutil.ReadFile(filepath.Join(b.path, filepath.Join(path.Split(key))+".yaml"))
|
||||
ba, err = os.ReadFile(filepath.Join(b.path, filepath.Join(path.Split(key))+".yaml"))
|
||||
if os.IsNotExist(err) {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
@@ -0,0 +1,61 @@
|
||||
package config
|
||||
|
||||
type Config struct {
|
||||
AntiPhishingCode string `json:"anti_phishing_code"`
|
||||
|
||||
Keymap string
|
||||
Modules string
|
||||
|
||||
Auths []Auth
|
||||
|
||||
Networks []struct {
|
||||
Name string
|
||||
Interfaces []struct {
|
||||
Var string
|
||||
N int
|
||||
Regexps []string
|
||||
}
|
||||
Script string
|
||||
}
|
||||
|
||||
LVM []LvmVG
|
||||
Bootstrap Bootstrap
|
||||
}
|
||||
|
||||
type Auth struct {
|
||||
Name string
|
||||
SSHKey string `yaml:"sshKey"`
|
||||
Password string `yaml:"password"`
|
||||
}
|
||||
|
||||
type LvmVG struct {
|
||||
VG string
|
||||
PVs struct {
|
||||
N int
|
||||
Regexps []string
|
||||
}
|
||||
|
||||
Defaults struct {
|
||||
FS string
|
||||
Raid *RaidConfig
|
||||
}
|
||||
|
||||
LVs []struct {
|
||||
Name string
|
||||
Crypt string
|
||||
FS string
|
||||
Raid *RaidConfig
|
||||
Size string
|
||||
Extents string
|
||||
}
|
||||
}
|
||||
|
||||
type RaidConfig struct {
|
||||
Mirrors int
|
||||
Stripes int
|
||||
}
|
||||
|
||||
type Bootstrap struct {
|
||||
Dev string
|
||||
Seed string
|
||||
}
|
||||
@@ -1,6 +1,7 @@
|
||||
package mime
|
||||
|
||||
const (
|
||||
JSON = "application/json"
|
||||
YAML = "text/vnd.yaml"
|
||||
TAR = "application/tar"
|
||||
DISK = "application/x-diskimage"
|
||||
|
||||
@@ -0,0 +1,29 @@
|
||||
package utf16
|
||||
|
||||
import (
|
||||
"encoding/binary"
|
||||
"fmt"
|
||||
"unicode/utf8"
|
||||
)
|
||||
|
||||
func FromUTF8(data []byte) (res []byte) {
|
||||
endian := binary.LittleEndian
|
||||
|
||||
res = make([]byte, (len(data)+1)*2)
|
||||
|
||||
res = res[:2]
|
||||
endian.PutUint16(res, 0xfeff)
|
||||
|
||||
for len(data) > 0 {
|
||||
r, size := utf8.DecodeRune(data)
|
||||
if r > 65535 {
|
||||
panic(fmt.Errorf("r=0x%x > 0xffff", r))
|
||||
}
|
||||
|
||||
slen := len(res)
|
||||
res = res[:slen+2]
|
||||
endian.PutUint16(res[slen:], uint16(r))
|
||||
data = data[size:]
|
||||
}
|
||||
return
|
||||
}
|
||||
@@ -0,0 +1,30 @@
|
||||
package secretstore
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"encoding/binary"
|
||||
"fmt"
|
||||
"io"
|
||||
)
|
||||
|
||||
func readFull(in io.Reader, ba []byte) (err error) {
|
||||
_, err = io.ReadFull(in, ba)
|
||||
return
|
||||
}
|
||||
|
||||
func read[T any](in io.Reader) (v T, err error) {
|
||||
err = binary.Read(in, binary.BigEndian, &v)
|
||||
return
|
||||
}
|
||||
|
||||
var readSize = read[uint16]
|
||||
|
||||
func randRead(ba []byte) (err error) {
|
||||
err = readFull(rand.Reader, ba)
|
||||
if err != nil {
|
||||
err = fmt.Errorf("failed to read random bytes: %w", err)
|
||||
return
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
package secretstore
|
||||
|
||||
func Memzero(ba []byte) { memzero(ba) }
|
||||
|
||||
func memzero(ba []byte) {
|
||||
for i := range ba {
|
||||
ba[i] = 0
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,68 @@
|
||||
package secretstore
|
||||
|
||||
import (
|
||||
"crypto/aes"
|
||||
"crypto/cipher"
|
||||
"io"
|
||||
)
|
||||
|
||||
func (s *Store) NewReader(reader io.Reader) (r io.Reader, err error) {
|
||||
iv := [aes.BlockSize]byte{}
|
||||
|
||||
err = readFull(reader, iv[:])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
r = storeReader{reader, s.NewDecrypter(iv)}
|
||||
return
|
||||
}
|
||||
|
||||
type storeReader struct {
|
||||
reader io.Reader
|
||||
decrypter cipher.Stream
|
||||
}
|
||||
|
||||
func (r storeReader) Read(ba []byte) (n int, err error) {
|
||||
n, err = r.reader.Read(ba)
|
||||
|
||||
if n > 0 {
|
||||
r.decrypter.XORKeyStream(ba[:n], ba[:n])
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (s *Store) NewWriter(writer io.Writer) (r io.Writer, err error) {
|
||||
iv := [aes.BlockSize]byte{}
|
||||
|
||||
if err = randRead(iv[:]); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
_, err = writer.Write(iv[:])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
r = storeWriter{writer, s.NewEncrypter(iv)}
|
||||
return
|
||||
}
|
||||
|
||||
type storeWriter struct {
|
||||
writer io.Writer
|
||||
encrypter cipher.Stream
|
||||
}
|
||||
|
||||
func (r storeWriter) Write(ba []byte) (n int, err error) {
|
||||
if len(ba) == 0 {
|
||||
return
|
||||
}
|
||||
|
||||
encBA := make([]byte, len(ba))
|
||||
r.encrypter.XORKeyStream(encBA, ba)
|
||||
|
||||
n, err = r.writer.Write(encBA)
|
||||
|
||||
return
|
||||
}
|
||||
@@ -0,0 +1,282 @@
|
||||
package secretstore
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"bytes"
|
||||
"crypto/aes"
|
||||
"crypto/cipher"
|
||||
"crypto/sha512"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"log"
|
||||
"os"
|
||||
"strconv"
|
||||
"syscall"
|
||||
|
||||
"golang.org/x/crypto/argon2"
|
||||
)
|
||||
|
||||
type Store struct {
|
||||
Salt [aes.BlockSize]byte
|
||||
Keys []KeyEntry
|
||||
|
||||
unlocked bool
|
||||
key [32]byte
|
||||
}
|
||||
|
||||
type KeyEntry struct {
|
||||
Name string
|
||||
Hash [64]byte
|
||||
EncKey [32]byte
|
||||
}
|
||||
|
||||
func New() (s *Store) {
|
||||
s = &Store{}
|
||||
syscall.Mlock(s.key[:])
|
||||
return
|
||||
}
|
||||
|
||||
func Open(path string) (s *Store, err error) {
|
||||
f, err := os.Open(path)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
defer f.Close()
|
||||
|
||||
s = New()
|
||||
_, err = s.ReadFrom(bufio.NewReader(f))
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (s *Store) SaveTo(path string) (err error) {
|
||||
f, err := os.OpenFile(path, syscall.O_CREAT|syscall.O_TRUNC|syscall.O_WRONLY, 0600)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
defer f.Close()
|
||||
|
||||
out := bufio.NewWriter(f)
|
||||
|
||||
_, err = s.WriteTo(out)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
err = out.Flush()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (s *Store) Close() {
|
||||
memzero(s.key[:])
|
||||
syscall.Munlock(s.key[:])
|
||||
s.unlocked = false
|
||||
}
|
||||
|
||||
func (s *Store) IsNew() bool {
|
||||
return len(s.Keys) == 0
|
||||
}
|
||||
|
||||
func (s *Store) Unlocked() bool {
|
||||
return s.unlocked
|
||||
}
|
||||
|
||||
func (s *Store) Init(name string, passphrase []byte) (err error) {
|
||||
err = randRead(s.key[:])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
err = randRead(s.Salt[:])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
s.AddKey(name, passphrase)
|
||||
|
||||
s.unlocked = true
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
var jsonFormatHdr = []byte("{json}")
|
||||
|
||||
func (s *Store) ReadFrom(in io.Reader) (n int64, err error) {
|
||||
memzero(s.key[:])
|
||||
s.unlocked = false
|
||||
|
||||
defer func() {
|
||||
if err != nil {
|
||||
log.Output(2, fmt.Sprintf("failed after %d bytes", n))
|
||||
}
|
||||
}()
|
||||
|
||||
readFull := func(ba []byte) {
|
||||
var nr int
|
||||
nr, err = io.ReadFull(in, ba)
|
||||
n += int64(nr)
|
||||
}
|
||||
|
||||
// read the file's start (json header or start of salt)
|
||||
|
||||
readFull(s.Salt[:len(jsonFormatHdr)])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
if !bytes.Equal(s.Salt[:len(jsonFormatHdr)], jsonFormatHdr) {
|
||||
// old key file
|
||||
|
||||
// finish reading the salt
|
||||
readFull(s.Salt[len(jsonFormatHdr):])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
// read the (encrypted) keys
|
||||
s.Keys = make([]KeyEntry, 0)
|
||||
for {
|
||||
k := KeyEntry{Name: "key-" + strconv.Itoa(len(s.Keys))}
|
||||
readFull(k.Hash[:])
|
||||
if err != nil {
|
||||
if err == io.EOF {
|
||||
err = nil
|
||||
}
|
||||
return
|
||||
}
|
||||
readFull(k.EncKey[:])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
s.Keys = append(s.Keys, k)
|
||||
}
|
||||
}
|
||||
|
||||
err = json.NewDecoder(in).Decode(s)
|
||||
return
|
||||
}
|
||||
|
||||
func (s *Store) WriteTo(out io.Writer) (n int64, err error) {
|
||||
_, err = out.Write(jsonFormatHdr)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
err = json.NewEncoder(out).Encode(s)
|
||||
return
|
||||
}
|
||||
|
||||
var ErrNoSuchKey = errors.New("no such key")
|
||||
|
||||
func (s *Store) HasKey(passphrase []byte) bool {
|
||||
key, hash := s.keyPairFromPassword(passphrase)
|
||||
defer memzero(key[:])
|
||||
|
||||
for _, k := range s.Keys {
|
||||
if k.Hash == hash {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
func (s *Store) Unlock(passphrase []byte) (ok bool) {
|
||||
key, hash := s.keyPairFromPassword(passphrase)
|
||||
defer memzero(key[:])
|
||||
|
||||
var idx = -1
|
||||
for i := range s.Keys {
|
||||
if hash == s.Keys[i].Hash {
|
||||
idx = i
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if idx == -1 {
|
||||
return
|
||||
}
|
||||
|
||||
s.decryptTo(s.key[:], s.Keys[idx].EncKey[:], &key)
|
||||
|
||||
s.unlocked = true
|
||||
return true
|
||||
}
|
||||
|
||||
func (s *Store) AddKey(name string, passphrase []byte) {
|
||||
key, _ := s.keyPairFromPassword(passphrase)
|
||||
memzero(passphrase)
|
||||
s.AddRawKey(name, key)
|
||||
}
|
||||
|
||||
func (s *Store) AddRawKey(name string, key [32]byte) {
|
||||
hash := sha512.Sum512(key[:])
|
||||
|
||||
k := KeyEntry{Name: name, Hash: hash}
|
||||
|
||||
encKey := s.encrypt(s.key[:], &key)
|
||||
copy(k.EncKey[:], encKey)
|
||||
|
||||
s.Keys = append(s.Keys, k)
|
||||
memzero(key[:])
|
||||
}
|
||||
|
||||
func (s *Store) keyPairFromPassword(password []byte) (key [32]byte, hash [64]byte) {
|
||||
keySlice := argon2.IDKey(password, s.Salt[:], 1, 64*1024, 4, 32)
|
||||
|
||||
copy(key[:], keySlice)
|
||||
memzero(keySlice)
|
||||
|
||||
hash = sha512.Sum512(key[:])
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (s *Store) NewEncrypter(iv [aes.BlockSize]byte) cipher.Stream {
|
||||
if !s.unlocked {
|
||||
panic("not unlocked")
|
||||
}
|
||||
return newEncrypter(iv, &s.key)
|
||||
}
|
||||
|
||||
func (s *Store) NewDecrypter(iv [aes.BlockSize]byte) cipher.Stream {
|
||||
if !s.unlocked {
|
||||
panic("not unlocked")
|
||||
}
|
||||
return newDecrypter(iv, &s.key)
|
||||
}
|
||||
|
||||
func (s *Store) encrypt(src []byte, key *[32]byte) (dst []byte) {
|
||||
dst = make([]byte, len(src))
|
||||
newEncrypter(s.Salt, key).XORKeyStream(dst, src)
|
||||
return
|
||||
}
|
||||
|
||||
func (s *Store) decryptTo(dst []byte, src []byte, key *[32]byte) {
|
||||
newDecrypter(s.Salt, key).XORKeyStream(dst, src)
|
||||
}
|
||||
|
||||
func newEncrypter(iv [aes.BlockSize]byte, key *[32]byte) cipher.Stream {
|
||||
c, err := aes.NewCipher(key[:])
|
||||
if err != nil {
|
||||
panic(fmt.Errorf("failed to init AES: %w", err))
|
||||
}
|
||||
|
||||
return cipher.NewCFBEncrypter(c, iv[:])
|
||||
}
|
||||
|
||||
func newDecrypter(iv [aes.BlockSize]byte, key *[32]byte) cipher.Stream {
|
||||
c, err := aes.NewCipher(key[:])
|
||||
if err != nil {
|
||||
panic(fmt.Errorf("failed to init AES: %w", err))
|
||||
}
|
||||
|
||||
return cipher.NewCFBDecrypter(c, iv[:])
|
||||
}
|
||||
@@ -0,0 +1,24 @@
|
||||
[build]
|
||||
public_url = "/ui"
|
||||
dist = "../html/ui"
|
||||
|
||||
[[proxy]]
|
||||
backend = "http://localhost:7606/public-state"
|
||||
[[proxy]]
|
||||
backend = "http://localhost:7606/state"
|
||||
[[proxy]]
|
||||
backend = "http://localhost:7606/public"
|
||||
[[proxy]]
|
||||
backend = "http://localhost:7606/store"
|
||||
[[proxy]]
|
||||
backend = "http://localhost:7606/authorize-download"
|
||||
[[proxy]]
|
||||
backend = "http://localhost:7606/sign-download-set"
|
||||
[[proxy]]
|
||||
backend = "http://localhost:7606/configs"
|
||||
[[proxy]]
|
||||
backend = "http://localhost:7606/clusters"
|
||||
[[proxy]]
|
||||
backend = "http://localhost:7606/hosts-from-template"
|
||||
[[proxy]]
|
||||
backend = "http://localhost:7606/hosts"
|
||||
+47
@@ -0,0 +1,47 @@
|
||||
|
||||
.view-links > span {
|
||||
display: inline-block;
|
||||
white-space: nowrap;
|
||||
margin-right: 1ex;
|
||||
margin-bottom: 1ex;
|
||||
padding: 0.5ex;
|
||||
border: 1pt solid;
|
||||
border-radius: 1ex;
|
||||
cursor: pointer;
|
||||
}
|
||||
|
||||
.downloads, .download-links, .download-table td {
|
||||
& > * {
|
||||
display: inline-block;
|
||||
margin-right: 1ex;
|
||||
margin-bottom: 1ex;
|
||||
padding: 0.5ex;
|
||||
border: 1px solid !important;
|
||||
border-radius: 1ex;
|
||||
cursor: pointer;
|
||||
}
|
||||
}
|
||||
|
||||
.download-table th,
|
||||
.download-table td {
|
||||
border: none !important;
|
||||
}
|
||||
|
||||
.downloads, .view-links {
|
||||
& > .selected {
|
||||
color: var(--link);
|
||||
}
|
||||
}
|
||||
|
||||
.text-and-file {
|
||||
position:relative;
|
||||
|
||||
textarea {
|
||||
width: 64em;
|
||||
}
|
||||
|
||||
input[type="file"] {
|
||||
position:absolute;
|
||||
bottom:0;right:0;
|
||||
}
|
||||
}
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 8.7 KiB |
+151
@@ -0,0 +1,151 @@
|
||||
<!doctype html>
|
||||
<html>
|
||||
<head>
|
||||
<title>Direktil Local Server</title>
|
||||
<base data-trunk-public-url />
|
||||
<link data-trunk rel="copy-file" href="favicon.ico" />
|
||||
<link rel="icon" href="favicon.ico" />
|
||||
<link data-trunk rel="copy-file" href="js/vue.esm-browser.js" />
|
||||
<link data-trunk rel="copy-file" href="style.css" />
|
||||
<link data-trunk rel="copy-file" href="app.css" />
|
||||
<style>@import url('/ui/style.css');@import url('/ui/app.css');</style>
|
||||
<script data-trunk src="js/jsonpatch.min.js"></script>
|
||||
<script data-trunk src="js/app.js" type="module" defer></script>
|
||||
<script data-trunk src="js/Downloads.js"></script>
|
||||
<script data-trunk src="js/GetCopy.js"></script>
|
||||
<script data-trunk src="js/Cluster.js"></script>
|
||||
<script data-trunk src="js/Host.js"></script>
|
||||
<body>
|
||||
|
||||
<div id="app">
|
||||
<header>
|
||||
<div id="logo">
|
||||
<img src="favicon.ico" />
|
||||
<span>Direktil Local Server</span>
|
||||
</div>
|
||||
<div class="utils">
|
||||
<span id="login-hdr" v-if="session.token">
|
||||
Logged in
|
||||
<button class="link" @click="copyText(session.token)">🗐</button>
|
||||
</span>
|
||||
|
||||
<span>server <code>{{ serverVersion || '-----' }}</code></span>
|
||||
<span>ui <code>{{ uiHash || '-----' }}</code></span>
|
||||
|
||||
<span :class="publicState ? 'green' : 'red'">🗲</span>
|
||||
</div>
|
||||
</header>
|
||||
|
||||
<div class="error" v-if="error">
|
||||
<button class="btn-close" @click="error=null">×</button>
|
||||
<div class="code" v-if="error.code">{{ error.code }}</div>
|
||||
<div class="message">{{ error.message }}</div>
|
||||
</div>
|
||||
|
||||
<template v-if="!publicState">
|
||||
<p>Not connected.</p>
|
||||
</template>
|
||||
|
||||
<template v-else-if="publicState.Store.New">
|
||||
<p>Store is new.</p>
|
||||
<p>Option 1: initialize a new store</p>
|
||||
<form @submit="unlockStore">
|
||||
<input type="text" v-model="forms.store.name" name="name" placeholder="Name" /><br/>
|
||||
<input type="password" v-model="forms.store.pass1" name="passphrase" required placeholder="Passphrase" />
|
||||
<input type="password" v-model="forms.store.pass2" required placeholder="Passphrase confirmation" />
|
||||
<input type="submit" value="initialize" :disabled="!forms.store.pass1 || forms.store.pass1 != forms.store.pass2" />
|
||||
</form>
|
||||
<p>Option 2: upload a previously downloaded store</p>
|
||||
<form @submit="uploadStore">
|
||||
<input type="file" ref="storeUpload" />
|
||||
<input type="submit" value="upload" />
|
||||
</form>
|
||||
</template>
|
||||
|
||||
<template v-else-if="!publicState.Store.Open">
|
||||
<p>Store is not open.</p>
|
||||
<form @submit="unlockStore">
|
||||
<input type="password" name="passphrase" v-model="forms.store.pass1" required placeholder="Passphrase" />
|
||||
<input type="submit" value="unlock" :disabled="!forms.store.pass1" />
|
||||
</form>
|
||||
</template>
|
||||
|
||||
<template v-else-if="!state">
|
||||
<p v-if="!session.token">Not logged in.</p>
|
||||
<p v-else>Invalid token</p>
|
||||
|
||||
<form @submit="unlockStore">
|
||||
<input type="password" v-model="forms.store.pass1" required placeholder="Passphrase" />
|
||||
<input type="submit" value="log in"/>
|
||||
</form>
|
||||
</template>
|
||||
|
||||
<template v-else>
|
||||
<div style="float:right;"><input type="search" placeholder="Filter" v-model="viewFilter"/></div>
|
||||
<p class="view-links"><span v-for="v in views" @click="view = v" :class="{selected: view.type==v.type && view.name==v.name}">{{v.title}}</span></p>
|
||||
|
||||
<h2 v-if="view">{{view.title}}</h2>
|
||||
|
||||
<div v-if="view.type == 'cluster'" id="clusters">
|
||||
<Cluster :cluster="viewObj" :token="session.token" :state="state" />
|
||||
</div>
|
||||
|
||||
<div v-if="view.type == 'host'" id="hosts">
|
||||
<Host :host="viewObj" :token="session.token" :state="state" />
|
||||
</div>
|
||||
|
||||
<div v-if="view.type == 'actions' && view.name == 'admin'">
|
||||
<h3>Config</h3>
|
||||
<form @submit="uploadConfig">
|
||||
<input type="file" ref="configUpload" required />
|
||||
<input type="submit" value="upload config" />
|
||||
</form>
|
||||
|
||||
<h3>Store</h3>
|
||||
<p><a :href="'/public/store.tar?token='+state.Store.DownloadToken" target="_blank">Download</a></p>
|
||||
<form @submit="storeAddKey" action="/store/add-key">
|
||||
<p>Add an unlock phrase:</p>
|
||||
<input type="text" v-model="forms.store.name" name="name" required placeholder="Name" /><br/>
|
||||
<label><input type="checkbox" v-model="forms.store.byHash"> {{ forms.store.byHash ? "hash (base64)" : "passphrase"}}</label>
|
||||
<div v-if="forms.store.byHash">
|
||||
<input type="hash" v-model="forms.store.hash" name="passphrase" required placeholder="Hash" />
|
||||
{{" "}}generate with <code>dls hash '{{state.Store.Salt}}'</code>
|
||||
</div><div v-else>
|
||||
<input type="password" v-model="forms.store.pass1" name="passphrase" autocomplete="new-password" required placeholder="Phrase" />
|
||||
<input type="password" v-model="forms.store.pass2" autocomplete="new-password" required placeholder="Phrase confirmation" />
|
||||
</div>
|
||||
<input type="submit" value="add unlock phrase" :disabled="!((forms.store.pass1 && forms.store.pass1 == forms.store.pass2) || forms.store.hash)" />
|
||||
</form>
|
||||
<form @submit="storeDelKey" action="/store/delete-key">
|
||||
<p>Remove an unlock phrase:</p>
|
||||
<input type="text" v-model="forms.delKey.name" name="name" required placeholder="Name" />
|
||||
<input type="submit" value="remove unlock phrase" />
|
||||
|
||||
<p v-if="state.Store.KeyNames">Available names:
|
||||
<template v-for="k,i in state.Store.KeyNames">{{i?", ":""}}<code @click="forms.delKey.name=k">{{k}}</code></template>.</p>
|
||||
</form>
|
||||
|
||||
<template v-if="any(state.HostTemplates) || any(hostsFromTemplate)">
|
||||
<h3>Hosts from template</h3>
|
||||
<form @submit="hostFromTemplateAdd" action="" v-if="any(state.HostTemplates)">
|
||||
<p>Add a host from template instance:</p>
|
||||
<input type="text" v-model="forms.hostFromTemplate.name" required placeholder="Name" />
|
||||
<select v-model="forms.hostFromTemplate.Template" required>
|
||||
<option v-for="name in state.HostTemplates" :value="name">{{name}}</option>
|
||||
</select>
|
||||
<input type="text" v-model="forms.hostFromTemplate.IP" required placeholder="IP" />
|
||||
<input type="submit" value="add instance" />
|
||||
</form>
|
||||
<form @submit="hostFromTemplateDel" action="" v-if="any(hostsFromTemplate)">
|
||||
<p>Remove a host from template instance:</p>
|
||||
<select v-model="forms.hostFromTemplateDel" required>
|
||||
<option v-for="h in hostsFromTemplate" :value="h.Name">{{h.Name}}</option>
|
||||
</select>
|
||||
<input type="submit" value="delete instance" :disabled="!forms.hostFromTemplateDel" />
|
||||
</form>
|
||||
</template>
|
||||
</div>
|
||||
</template>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
@@ -0,0 +1,131 @@
|
||||
const Cluster = {
|
||||
components: { Downloads, GetCopy },
|
||||
props: [ 'cluster', 'token', 'state' ],
|
||||
data() {
|
||||
return {
|
||||
signReqValidity: "1d",
|
||||
sshSignReq: {
|
||||
PubKey: "",
|
||||
Principal: "root",
|
||||
},
|
||||
sshUserCert: null,
|
||||
kubeSignReq: {
|
||||
CSR: "",
|
||||
User: "",
|
||||
Group: "system:masters",
|
||||
},
|
||||
kubeUserCert: null,
|
||||
};
|
||||
},
|
||||
methods: {
|
||||
sshCASign() {
|
||||
event.preventDefault();
|
||||
fetch(`/clusters/${this.cluster.Name}/ssh/user-ca/sign`, {
|
||||
method: 'POST',
|
||||
body: JSON.stringify({ ...this.sshSignReq, Validity: this.signReqValidity }),
|
||||
headers: { 'Authorization': 'Bearer ' + this.token, 'Content-Type': 'application/json' },
|
||||
}).then((resp) => {
|
||||
if (resp.ok) {
|
||||
resp.blob().then((cert) => { this.sshUserCert = URL.createObjectURL(cert) })
|
||||
} else {
|
||||
resp.json().then((resp) => alert('failed to sign: '+resp.message))
|
||||
}
|
||||
})
|
||||
.catch((e) => { alert('failed to sign: '+e); })
|
||||
},
|
||||
kubeCASign() {
|
||||
event.preventDefault();
|
||||
fetch(`/clusters/${this.cluster.Name}/kube/sign`, {
|
||||
method: 'POST',
|
||||
body: JSON.stringify({ ...this.kubeSignReq, Validity: this.signReqValidity }),
|
||||
headers: { 'Authorization': 'Bearer ' + this.token, 'Content-Type': 'application/json' },
|
||||
}).then((resp) => {
|
||||
if (resp.ok) {
|
||||
resp.blob().then((cert) => { this.kubeUserCert = URL.createObjectURL(cert) })
|
||||
} else {
|
||||
resp.json().then((resp) => alert('failed to sign: '+resp.message))
|
||||
}
|
||||
})
|
||||
.catch((e) => { alert('failed to sign: '+e); })
|
||||
},
|
||||
readFile(e, onload) {
|
||||
const file = e.target.files[0];
|
||||
if (!file) { return; }
|
||||
const reader = new FileReader();
|
||||
reader.onload = () => { onload(reader.result) };
|
||||
reader.onerror = () => { alert("error reading file"); };
|
||||
reader.readAsText(file);
|
||||
},
|
||||
loadPubKey(e) {
|
||||
this.readFile(e, (v) => {
|
||||
this.sshSignReq.PubKey = v;
|
||||
});
|
||||
},
|
||||
loadCSR(e) {
|
||||
this.readFile(e, (v) => {
|
||||
this.kubeSignReq.CSR = v;
|
||||
});
|
||||
},
|
||||
},
|
||||
template: `
|
||||
<h3>Access</h3>
|
||||
|
||||
<p>Allow cluster access from a public key</p>
|
||||
|
||||
<h4>Grant SSH access</h4>
|
||||
|
||||
<p>Validity: <input type="text" v-model="signReqValidity"/> <small>time range, ie: -5m:1w, 5m, 1M, 1y, 1d-1s, etc.</small></p>
|
||||
<p>User: <input type="text" v-model="sshSignReq.Principal"/></p>
|
||||
<p>Public key (OpenSSH format):<br/>
|
||||
<span class="text-and-file"><textarea v-model="sshSignReq.PubKey" style="height:3lh"></textarea>
|
||||
<input type="file" accept=".pub" @change="loadPubKey" /></span>
|
||||
</p>
|
||||
|
||||
<p><button @click="sshCASign">Sign SSH access</button>
|
||||
<template v-if="sshUserCert">
|
||||
=> <a :href="sshUserCert" download="ssh-cert.pub">Get certificate</a>
|
||||
</template>
|
||||
</p>
|
||||
|
||||
<h4>Grant Kubernetes API access</h4>
|
||||
|
||||
<p>Validity: <input type="text" v-model="signReqValidity"/> <small>time range, ie: -5m:1w, 5m, 1M, 1y, 1d-1s, etc.</small></p>
|
||||
<p>User: <input type="text" v-model="kubeSignReq.User"/> (by default, from the CSR)</p>
|
||||
<p>Group: <input type="text" v-model="kubeSignReq.Group"/></p>
|
||||
<p>Certificate signing request (PEM format):<br/>
|
||||
<span class="text-and-file"><textarea v-model="kubeSignReq.CSR" style="height:7lh;"></textarea>
|
||||
<input type="file" accept=".csr" @change="loadCSR" /></span>
|
||||
</p>
|
||||
|
||||
<p><button @click="kubeCASign">Sign Kubernetes API access</button>
|
||||
<template v-if="kubeUserCert">
|
||||
=> <a :href="kubeUserCert" download="kube-cert.pub">Get certificate</a>
|
||||
</template>
|
||||
</p>
|
||||
|
||||
<h3>Tokens</h3>
|
||||
<section class="links">
|
||||
<GetCopy v-for="n in cluster.Tokens" :token="token" :name="n" :href="'/clusters/'+cluster.Name+'/tokens/'+n" />
|
||||
</section>
|
||||
|
||||
<h3>Passwords</h3>
|
||||
<section class="links">
|
||||
<GetCopy v-for="n in cluster.Passwords" :token="token" :name="n" :href="'/clusters/'+cluster.Name+'/passwords/'+n" />
|
||||
</section>
|
||||
|
||||
<h3>Downloads</h3>
|
||||
<Downloads :token="token" :state="state" kind="cluster" :name="cluster.Name" />
|
||||
|
||||
<h3>CAs</h3>
|
||||
<table><tr><th>Name</th><th>Certificate</th><th>Signed certificates</th></tr>
|
||||
<tr v-for="ca in cluster.CAs">
|
||||
<td>{{ ca.Name }}</td>
|
||||
<td><GetCopy :token="token" name="cert" :href="'/clusters/'+cluster.Name+'/CAs/'+ca.Name+'/certificate'" /></td>
|
||||
<td><template v-for="signed in ca.Signed">
|
||||
{{" "}}
|
||||
<GetCopy :token="token" :name="signed" :href="'/clusters/'+cluster.Name+'/CAs/'+ca.Name+'/signed?name='+signed" />
|
||||
</template></td>
|
||||
</tr></table>
|
||||
|
||||
`
|
||||
}
|
||||
@@ -0,0 +1,70 @@
|
||||
const Downloads = {
|
||||
props: [ 'kind', 'name', 'token', 'state' ],
|
||||
data() {
|
||||
return { createDisabled: false, selectedAssets: {} }
|
||||
},
|
||||
computed: {
|
||||
availableAssets() {
|
||||
return {
|
||||
cluster: ['addons'],
|
||||
host: [
|
||||
"kernel",
|
||||
"initrd",
|
||||
"uki",
|
||||
"bootstrap.tar",
|
||||
"boot.img.gz",
|
||||
"boot.img",
|
||||
"boot.qcow2",
|
||||
"boot.vmdk",
|
||||
"boot.iso",
|
||||
"boot.tar",
|
||||
"bootstrap-config",
|
||||
"config",
|
||||
"config.json",
|
||||
"ipxe",
|
||||
],
|
||||
}[this.kind]
|
||||
},
|
||||
downloads() {
|
||||
return Object.entries(this.state.Downloads)
|
||||
.filter(e => { let d=e[1]; return d.Kind == this.kind && d.Name == this.name })
|
||||
.map(e => {
|
||||
const token= e[0];
|
||||
return {
|
||||
text: token.substring(0, 5) + '...',
|
||||
url: '/public/downloads/'+token+"/",
|
||||
}
|
||||
})
|
||||
},
|
||||
assets() {
|
||||
return this.availableAssets.filter(a => this.selectedAssets[a])
|
||||
},
|
||||
},
|
||||
methods: {
|
||||
createToken() {
|
||||
event.preventDefault()
|
||||
this.createDisabled = true
|
||||
|
||||
fetch('/authorize-download', {
|
||||
method: 'POST',
|
||||
body: JSON.stringify({Kind: this.kind, Name: this.name, Assets: this.assets}),
|
||||
headers: { 'Authorization': 'Bearer ' + this.token, 'Content-Type': 'application/json' },
|
||||
}).then((resp) => resp.json())
|
||||
.then((token) => { this.selectedAssets = {}; this.createDisabled = false })
|
||||
.catch((e) => { alert('failed to create link'); this.createDisabled = false })
|
||||
},
|
||||
},
|
||||
template: `
|
||||
<h4>Available assets</h4>
|
||||
<p class="downloads">
|
||||
<template v-for="asset in availableAssets">
|
||||
<label :class="{selected: selectedAssets[asset]}"><input type="checkbox" v-model="selectedAssets[asset]" /> {{ asset }}</label>
|
||||
{{" "}}
|
||||
</template>
|
||||
</p>
|
||||
<p><button :disabled="createDisabled || assets.length==0" @click="createToken">Create link</button></p>
|
||||
<template v-if="downloads.length">
|
||||
<h4>Active links</h4>
|
||||
<p class="download-links"><template v-for="d in downloads"><a :href="d.url" target="_blank">{{ d.text }}</a>{{" "}}</template></p>
|
||||
</template>`
|
||||
}
|
||||
@@ -0,0 +1,32 @@
|
||||
const GetCopy = {
|
||||
props: [ 'name', 'href', 'token' ],
|
||||
data() { return {showCopied: false} },
|
||||
template: `<span class="notif"><div v-if="showCopied">copied!</div><a :href="href" @click="fetchAndSave()">{{name}}</a> <a href="#" class="copy" @click="fetchAndCopy()">🗐</a></span>`,
|
||||
methods: {
|
||||
fetch() {
|
||||
event.preventDefault()
|
||||
return fetch(this.href, {
|
||||
method: 'GET',
|
||||
headers: { 'Authorization': 'Bearer ' + this.token },
|
||||
})
|
||||
},
|
||||
handleFetchError(e) {
|
||||
console.log("failed to get value:", e)
|
||||
alert('failed to get value')
|
||||
},
|
||||
fetchAndSave() {
|
||||
this.fetch().then(resp => resp.blob()).then((value) => {
|
||||
window.open(URL.createObjectURL(value), "_blank")
|
||||
}).catch(this.handleFetchError)
|
||||
},
|
||||
fetchAndCopy() {
|
||||
this.fetch()
|
||||
.then((resp) => resp.headers.get("content-type") == "application/json" ? resp.json() : resp.text())
|
||||
.then((value) => {
|
||||
window.navigator.clipboard.writeText(value)
|
||||
this.showCopied = true
|
||||
setTimeout(() => { this.showCopied = false }, 1000)
|
||||
}).catch(this.handleFetchError)
|
||||
},
|
||||
},
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
const Host = {
|
||||
components: { Downloads },
|
||||
props: [ 'host', 'token', 'state' ],
|
||||
template: `
|
||||
<p>Cluster: {{ host.Cluster }}<template v-if="host.Template"> ({{ host.Template }})</template></p>
|
||||
<p>IPs:
|
||||
<code v-for="ip in host.IPs">
|
||||
{{ ip }}{{" "}}
|
||||
</code>
|
||||
</p>
|
||||
<h3>Downloads</h3>
|
||||
<Downloads :token="token" :state="state" kind="host" :name="host.Name" />
|
||||
`
|
||||
}
|
||||
+272
@@ -0,0 +1,272 @@
|
||||
|
||||
import { createApp } from './vue.esm-browser.js';
|
||||
|
||||
createApp({
|
||||
components: { Cluster, Host },
|
||||
data() {
|
||||
return {
|
||||
forms: {
|
||||
store: {},
|
||||
storeUpload: {},
|
||||
delKey: {},
|
||||
hostFromTemplate: {},
|
||||
hostFromTemplateDel: "",
|
||||
},
|
||||
view: "",
|
||||
viewFilter: "",
|
||||
session: {},
|
||||
error: null,
|
||||
publicState: null,
|
||||
serverVersion: null,
|
||||
uiHash: null,
|
||||
watchingState: false,
|
||||
state: null,
|
||||
}
|
||||
},
|
||||
mounted() {
|
||||
this.session = JSON.parse(sessionStorage.state || "{}")
|
||||
this.watchPublicState()
|
||||
},
|
||||
watch: {
|
||||
session: {
|
||||
deep: true,
|
||||
handler(v) {
|
||||
sessionStorage.state = JSON.stringify(v)
|
||||
|
||||
if (v.token && !this.watchingState) {
|
||||
this.watchState()
|
||||
this.watchingState = true
|
||||
}
|
||||
}
|
||||
},
|
||||
publicState: {
|
||||
deep: true,
|
||||
handler(v) {
|
||||
if (v) {
|
||||
this.serverVersion = v.ServerVersion
|
||||
if (this.uiHash && v.UIHash != this.uiHash) {
|
||||
console.log("reloading")
|
||||
location.reload()
|
||||
} else {
|
||||
this.uiHash = v.UIHash
|
||||
}
|
||||
}
|
||||
},
|
||||
}
|
||||
},
|
||||
|
||||
computed: {
|
||||
views() {
|
||||
var views = [{type: "actions", name: "admin", title: "Admin actions"}];
|
||||
|
||||
(this.state.Clusters||[]).forEach((c) => views.push({type: "cluster", name: c.Name, title: `Cluster ${c.Name}`}));
|
||||
(this.state.Hosts ||[]).forEach((c) => views.push({type: "host", name: c.Name, title: `Host ${c.Name}`}));
|
||||
|
||||
return views.filter((v) => v.type != "host" || v.name.includes(this.viewFilter));
|
||||
},
|
||||
viewObj() {
|
||||
if (this.view) {
|
||||
if (this.view.type == "cluster") {
|
||||
return this.state.Clusters.find((c) => c.Name == this.view.name);
|
||||
}
|
||||
if (this.view.type == "host") {
|
||||
return this.state.Hosts.find((h) => h.Name == this.view.name);
|
||||
}
|
||||
}
|
||||
return undefined;
|
||||
},
|
||||
hostsFromTemplate() {
|
||||
return (this.state.Hosts||[]).filter((h) => h.Template);
|
||||
},
|
||||
},
|
||||
|
||||
methods: {
|
||||
any(array) {
|
||||
return array && array.length != 0;
|
||||
},
|
||||
copyText(text) {
|
||||
event.preventDefault()
|
||||
window.navigator.clipboard.writeText(text)
|
||||
},
|
||||
setToken() {
|
||||
event.preventDefault()
|
||||
this.session.token = this.forms.setToken
|
||||
this.forms.setToken = null
|
||||
},
|
||||
uploadStore() {
|
||||
event.preventDefault()
|
||||
this.apiPost('/public/store.tar', this.$refs.storeUpload.files[0], (v) => {
|
||||
this.forms.store = {}
|
||||
}, "application/tar")
|
||||
},
|
||||
namedPassphrase(name, passphrase) {
|
||||
return {Name: this.forms.store.name, Passphrase: btoa(this.forms.store.pass1)}
|
||||
},
|
||||
storeAddKey() {
|
||||
const params = this.namedPassphrase();
|
||||
if (this.forms.store.byHash) {
|
||||
params.Hash = this.forms.store.hash;
|
||||
}
|
||||
|
||||
this.apiPost('/store/add-key', params, (v) => {
|
||||
this.forms.store = {}
|
||||
})
|
||||
},
|
||||
storeDelKey() {
|
||||
event.preventDefault()
|
||||
|
||||
let name = this.forms.delKey.name
|
||||
|
||||
if (!confirm("Remove key named "+JSON.stringify(name)+"?")) {
|
||||
return
|
||||
}
|
||||
this.apiPost('/store/delete-key', name , (v) => {
|
||||
this.forms.delKey = {}
|
||||
})
|
||||
},
|
||||
unlockStore() {
|
||||
this.apiPost('/public/unlock-store', this.namedPassphrase(), (v) => {
|
||||
this.forms.store = {}
|
||||
|
||||
if (v) {
|
||||
this.session.token = v
|
||||
if (!this.watchingState) {
|
||||
this.watchState()
|
||||
this.watchingState = true
|
||||
}
|
||||
}
|
||||
})
|
||||
},
|
||||
uploadConfig() {
|
||||
const file = this.$refs.configUpload.files[0];
|
||||
let contentType = "text/vnd.yaml";
|
||||
if (file.name.endsWith(".json")) {
|
||||
contentType = "application/json";
|
||||
}
|
||||
this.apiPost('/configs', file, (v) => {}, contentType, true)
|
||||
},
|
||||
hostFromTemplateAdd() {
|
||||
let v = this.forms.hostFromTemplate;
|
||||
this.apiPost('/hosts-from-template/'+v.name, v, (v) => { this.forms.hostFromTemplate = {} });
|
||||
},
|
||||
hostFromTemplateDel() {
|
||||
event.preventDefault()
|
||||
|
||||
let v = this.forms.hostFromTemplateDel;
|
||||
if (!confirm("delete host template instance "+v+"?")) {
|
||||
return
|
||||
}
|
||||
this.apiDelete('/hosts-from-template/'+v, (v) => { this.forms.hostFromTemplateDel = "" });
|
||||
},
|
||||
apiPost(action, data, onload, contentType = 'application/json', raw = false) {
|
||||
event.preventDefault()
|
||||
|
||||
if (data === undefined) {
|
||||
throw("action " + action + ": no data")
|
||||
}
|
||||
|
||||
/* TODO
|
||||
fetch(action, {
|
||||
method: 'POST',
|
||||
body: JSON.stringify(data),
|
||||
})
|
||||
.then((response) => response.json())
|
||||
.then((result) => onload)
|
||||
// */
|
||||
|
||||
var xhr = new XMLHttpRequest()
|
||||
|
||||
xhr.responseType = 'json'
|
||||
// TODO spinner, pending action notification, or something
|
||||
xhr.onerror = () => {
|
||||
// this.actionResults.splice(idx, 1, {...item, done: true, failed: true })
|
||||
}
|
||||
xhr.onload = (r) => {
|
||||
if (xhr.status != 200) {
|
||||
this.error = xhr.response
|
||||
return
|
||||
}
|
||||
// this.actionResults.splice(idx, 1, {...item, done: true, resp: xhr.responseText})
|
||||
this.error = null
|
||||
if (onload) {
|
||||
onload(xhr.response)
|
||||
}
|
||||
}
|
||||
|
||||
xhr.open("POST", action)
|
||||
xhr.setRequestHeader('Accept', 'application/json')
|
||||
xhr.setRequestHeader('Content-Type', contentType)
|
||||
if (this.session.token) {
|
||||
xhr.setRequestHeader('Authorization', 'Bearer '+this.session.token)
|
||||
}
|
||||
|
||||
if (!raw && contentType == "application/json") {
|
||||
xhr.send(JSON.stringify(data))
|
||||
} else {
|
||||
xhr.send(data)
|
||||
}
|
||||
},
|
||||
apiDelete(action, data, onload) {
|
||||
event.preventDefault()
|
||||
|
||||
var xhr = new XMLHttpRequest()
|
||||
xhr.onload = (r) => {
|
||||
if (xhr.status != 200) {
|
||||
this.error = xhr.response
|
||||
return
|
||||
}
|
||||
this.error = null
|
||||
if (onload) {
|
||||
onload(xhr.response)
|
||||
}
|
||||
}
|
||||
xhr.open("DELETE", action)
|
||||
xhr.setRequestHeader('Accept', 'application/json')
|
||||
if (this.session.token) {
|
||||
xhr.setRequestHeader('Authorization', 'Bearer '+this.session.token)
|
||||
}
|
||||
xhr.send()
|
||||
},
|
||||
download(url) {
|
||||
event.target.target = '_blank'
|
||||
event.target.href = this.downloadLink(url)
|
||||
},
|
||||
downloadLink(url) {
|
||||
// TODO once-shot download link
|
||||
return url + '?token=' + this.session.token
|
||||
},
|
||||
watchPublicState() {
|
||||
this.watchStream('publicState', '/public-state')
|
||||
},
|
||||
watchState() {
|
||||
this.watchStream('state', '/state', true)
|
||||
},
|
||||
watchStream(field, path, withToken) {
|
||||
let evtSrc = new EventSource(path + (withToken ? '?token='+this.session.token : ''));
|
||||
evtSrc.onmessage = (e) => {
|
||||
let update = JSON.parse(e.data)
|
||||
|
||||
console.log("watch "+path+":", update)
|
||||
|
||||
if (update.err) {
|
||||
console.log("watch error from server:", err)
|
||||
}
|
||||
if (update.set) {
|
||||
this[field] = update.set
|
||||
}
|
||||
if (update.p) { // patch
|
||||
new jsonpatch.JSONPatch(update.p, true).apply(this[field])
|
||||
}
|
||||
}
|
||||
evtSrc.onerror = (e) => {
|
||||
// console.log("event source " + path + " error:", e)
|
||||
if (evtSrc) evtSrc.close()
|
||||
|
||||
this[field] = null
|
||||
|
||||
window.setTimeout(() => { this.watchStream(field, path, withToken) }, 1000)
|
||||
}
|
||||
},
|
||||
}
|
||||
|
||||
}).mount('#app');
|
||||
Vendored
+36
File diff suppressed because one or more lines are too long
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user