Dockerfile

omertuc · omertuc · commit b39155c62712 · 2023-06-19T12:50:19.000+02:00
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,3 @@
+cluster-files
+cluster-files-backup
+target
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,28 @@
+FROM rust:1 AS chef 
+# We only pay the installation cost once, 
+# it will be cached from the second build onwards
+RUN cargo install cargo-chef 
+WORKDIR app
+
+FROM chef AS planner
+COPY . .
+RUN cargo chef prepare --recipe-path recipe.json
+
+FROM chef AS builder
+RUN apt-get update
+RUN apt-get install -y protobuf-compiler
+COPY --from=planner /app/recipe.json recipe.json
+# Build dependencies - this is the caching Docker layer!
+RUN cargo chef cook --release --recipe-path recipe.json
+# Build application
+COPY . .
+RUN cargo build --release --bin recert
+
+# We do not need the Rust toolchain to run the binary!
+FROM debian:bookworm AS runtime
+WORKDIR app
+COPY ouger /usr/local/bin
+RUN apt-get update
+RUN apt-get install -y openssl
+COPY --from=builder /app/target/release/recert /usr/local/bin
+ENTRYPOINT ["/usr/local/bin/recert"]
diff --git a/README.md b/README.md
@@ -239,3 +239,9 @@ ssh $SSH_FLAGS "$SSH_HOST" sudo systemctl enable kubelet
 ssh $SSH_FLAGS "$SSH_HOST" sudo systemctl enable crio
 ssh $SSH_FLAGS "$SSH_HOST" sudo reboot 
 ```
+
+# Image build
+
+export DOCKER_BUILDKIT=1
+docker build . -t quay.io/otuchfel/recert:latest
+docker push quay.io/otuchfel/recert:latest
diff --git a/src/cluster_crypto/certificate.rs b/src/cluster_crypto/certificate.rs
@@ -40,7 +40,8 @@ impl TryFrom<CapturedX509Certificate> for Certificate {
                     &bytes::Bytes::copy_from_slice(&cert.to_public_key_der().context("parsing public key")?.as_bytes()),
                 )),
                 x509_certificate::KeyAlgorithm::Ecdsa(_) => {
-                    PublicKey::from_ec_cert_bytes(&bytes::Bytes::copy_from_slice(cert.encode_pem().as_bytes()))?
+                    PublicKey::from_ec_cert_bytes(&bytes::Bytes::copy_from_slice(cert.encode_pem().as_bytes()))
+                        .context("converting EC key bytes")?
                 }
                 x509_certificate::KeyAlgorithm::Ed25519 => panic!("ed25519 not supported"),
             },
diff --git a/src/cluster_crypto/crypto_utils.rs b/src/cluster_crypto/crypto_utils.rs
@@ -1,5 +1,5 @@
 use super::{cert_key_pair::CertKeyPair, distributed_jwt, keys};
-use anyhow::Result;
+use anyhow::{Context, Result};
 use bcder::{encode::Values, Mode};
 use jwt_simple::prelude::RSAPublicKeyLike;
 use rsa::{
@@ -79,13 +79,22 @@ pub(crate) fn verify_jwt(
 
 pub(crate) async fn generate_rsa_key_async() -> Result<(RsaPrivateKey, InMemorySigningKeyPair)> {
     let rsa_private_key = RsaPrivateKey::from_pkcs8_pem(
-        String::from_utf8_lossy(&Command::new("openssl").args(&["genrsa", "2048"]).output().await?.stdout)
-            .to_string()
-            .as_str(),
-    )?;
+        String::from_utf8(
+            Command::new("openssl")
+                .args(&["genrsa", "2048"])
+                .output()
+                .await
+                .context("openssl genrsa")?
+                .stdout,
+        )
+        .context("converting openssl key to utf-8")?
+        .to_string()
+        .as_str(),
+    )
+    .context("private from pem")?;
 
-    let rsa_pkcs8_der_bytes: Vec<u8> = rsa_private_key.to_pkcs8_der()?.as_bytes().into();
-    let key_pair = InMemorySigningKeyPair::from_pkcs8_der(&rsa_pkcs8_der_bytes)?;
+    let rsa_pkcs8_der_bytes: Vec<u8> = rsa_private_key.to_pkcs8_der().context("private to der")?.as_bytes().into();
+    let key_pair = InMemorySigningKeyPair::from_pkcs8_der(&rsa_pkcs8_der_bytes).context("pair from der")?;
     Ok((rsa_private_key, key_pair))
 }
 
diff --git a/src/cluster_crypto/keys.rs b/src/cluster_crypto/keys.rs
@@ -88,15 +88,16 @@ impl PublicKey {
             .arg("-noout")
             .stdin(Stdio::piped())
             .stdout(Stdio::piped())
-            .spawn()?;
+            .spawn()
+            .context("running openssl")?;
 
         command
             .stdin
             .take()
             .context("failed to get openssl stdin pipe")?
             .write_all(cert_bytes)?;
 
-        let output = command.wait_with_output()?;
+        let output = command.wait_with_output().context("waiting for openssl output")?;
         if !output.status.success() {
             return Err(anyhow::anyhow!("openssl failed: {}", String::from_utf8_lossy(&output.stderr)));
         }
diff --git a/src/k8s_etcd.rs b/src/k8s_etcd.rs
@@ -82,15 +82,20 @@ impl InMemoryK8sEtcd {
             }
         }
 
-        let get_result = self.etcd_client.kv_client().get(key.clone(), None).await?;
+        let get_result = self
+            .etcd_client
+            .kv_client()
+            .get(key.clone(), None)
+            .await
+            .context("during etcd get")?;
         let raw_etcd_value = get_result.kvs().first().context("key not found")?.value();
 
         if key.starts_with("/kubernetes.io/machineconfiguration.openshift.io/machineconfigs/") {
             result.value = raw_etcd_value.to_vec();
             return Ok(result);
         }
 
-        let decoded_value = run_ouger("decode", raw_etcd_value).await?;
+        let decoded_value = run_ouger("decode", raw_etcd_value).await.context("decoding value with ouger")?;
         self.etcd_keyvalue_hashmap
             .lock()
             .await

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+cluster-files`
	`2`	`+cluster-files-backup`
	`3`	`+target`