Merge pull request #2905 from gabrtv/config-logic

Gabriel Monroy · Gabriel Monroy · commit c28e4ace5f22 · 2015-01-15T16:34:58.000-07:00
Refactor deisctl config logic and add docs on Router SSL
diff --git a/deisctl/config/config.go b/deisctl/config/config.go
@@ -9,6 +9,15 @@ import (
 	"github.com/deis/deis/deisctl/utils"
 )
 
+// fileKeys define config keys to be read from local files
+var fileKeys = []string{
+	"/deis/platform/sshPrivateKey",
+	"/deis/router/sslCert",
+	"/deis/router/sslKey"}
+
+// b64Keys define config keys to be base64 encoded before stored
+var b64Keys = []string{"/deis/platform/sshPrivateKey"}
+
 // Config runs the config subcommand
 func Config(args map[string]interface{}) error {
 	return doConfig(args)
@@ -62,25 +71,14 @@ func doConfigSet(client *etcdClient, root string, kvs []string) ([]string, error
 	for _, kv := range kvs {
 
 		// split k/v from args
-		split := strings.Split(kv, "=")
-		if len(split) != 2 {
-			return result, fmt.Errorf("invalid argument: %v", kv)
-		}
+		split := strings.SplitN(kv, "=", 2)
 		k, v := split[0], split[1]
 
 		// prepare path and value
 		path := root + k
-		var val string
-
-		// special handling for sshKey
-		if path == "/deis/platform/sshPrivateKey" {
-			b64, err := readSSHPrivateKey(utils.ResolvePath(v))
-			if err != nil {
-				return result, err
-			}
-			val = b64
-		} else {
-			val = v
+		val, err := valueForPath(path, v)
+		if err != nil {
+			return result, err
 		}
 
 		// set key/value in etcd
@@ -106,13 +104,31 @@ func doConfigGet(client *etcdClient, root string, keys []string) ([]string, erro
 	return result, nil
 }
 
-// readSSHPrivateKey reads the key file and returns a base64 encoded string
-func readSSHPrivateKey(path string) (string, error) {
+// valueForPath returns the canonical value for a user-defined path and value
+func valueForPath(path string, v string) (string, error) {
 
-	bytes, err := ioutil.ReadFile(path)
-	if err != nil {
-		return "", err
+	// check if path is part of fileKeys
+	for _, p := range fileKeys {
+
+		if path == p {
+
+			// read value from filesystem
+			bytes, err := ioutil.ReadFile(utils.ResolvePath(v))
+			if err != nil {
+				return "", err
+			}
+
+			// see if we should return base64 encoded value
+			for _, pp := range b64Keys {
+				if path == pp {
+					return base64.StdEncoding.EncodeToString(bytes), nil
+				}
+			}
+
+			return string(bytes), nil
+		}
 	}
 
-	return base64.StdEncoding.EncodeToString(bytes), nil
+	return v, nil
+
 }
diff --git a/deisctl/config/config_test.go b/deisctl/config/config_test.go
@@ -0,0 +1,76 @@
+package config
+
+import (
+	"encoding/base64"
+	"io/ioutil"
+	"os"
+	"testing"
+)
+
+// TestConfigSSHPrivateKey ensures private keys are base64 encoded from file path
+func TestConfigSSHPrivateKey(t *testing.T) {
+
+	f, err := writeTempFile("private-key")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	val, err := valueForPath("/deis/platform/sshPrivateKey", f.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	encoded := base64.StdEncoding.EncodeToString([]byte("private-key"))
+
+	if val != encoded {
+		t.Fatalf("expected: %v, got: %v", encoded, val)
+	}
+}
+
+func TestConfigRouterKey(t *testing.T) {
+
+	f, err := writeTempFile("router-key")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	val, err := valueForPath("/deis/router/sslKey", f.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if val != "router-key" {
+		t.Fatalf("expected: router-key, got: %v", val)
+	}
+
+}
+
+func TestConfigRouterCert(t *testing.T) {
+
+	f, err := writeTempFile("router-cert")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	val, err := valueForPath("/deis/router/sslCert", f.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if val != "router-cert" {
+		t.Fatalf("expected: router-cert, got: %v", val)
+	}
+
+}
+
+func writeTempFile(data string) (*os.File, error) {
+	f, err := ioutil.TempFile("", "deisctl")
+	if err != nil {
+		return nil, err
+	}
+
+	f.Write([]byte(data))
+	defer f.Close()
+
+	return f, nil
+}
diff --git a/docs/managing_deis/ssl-endpoints.rst b/docs/managing_deis/ssl-endpoints.rst
@@ -69,5 +69,23 @@ See your vendor's specific instructions on installing SSL on your load balancer.
 documentation on `installing an SSL cert for load balancing`_. For Rackspace, see their
 `Product FAQ`_.
 
+Installing SSL on the Deis Routers
+----------------------------------
+
+You can also use the Deis routers to terminate SSL connections.
+Use ``deisctl`` to install the certificate and private keys:
+
+.. code-block:: console
+
+    $ deisctl config router set sslKey=<path-to-key> sslCert=<path-to-cert>
+
+If your certificate has intermediate certs that need to be presented as part of a
+certificate chain, append the intermediate certs to the bottom of the sslCert value.
+
+.. note::
+
+    To secure all endpoints on the platform domain, you must use a wildcard certificate.
+
+
 .. _`installing an SSL cert for load balancing`: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html
 .. _`Product FAQ`: http://www.rackspace.com/knowledge_center/product-faq/cloud-load-balancers
