

refactor(cockroachdb): to use request driven options
Refactor cockroachdb module to use request driven options,
simplifying the flow.
stevenh committed Nov 8, 2024
1 parent c94900f commit c1ad565
Showing 5 changed files with 397 additions and 342 deletions.
77 changes: 60 additions & 17 deletions modules/cockroachdb/certs.go
@@ -1,22 +1,69 @@
package cockroachdb

import (
"bytes"
"crypto/tls"
"crypto/x509"
"encoding/pem"
"errors"
"fmt"
"net"
"time"

"github.com/mdelapenya/tlscert"

"github.com/testcontainers/testcontainers-go"
)

// TLSConfig is a [testcontainers.ContainerCustomizer] that enables TLS for CockroachDB.
type TLSConfig struct {
CACert *x509.Certificate
NodeCert []byte
NodeKey []byte
ClientCert []byte
ClientKey []byte

cfg *tls.Config
}

// customize implements the [customizer] interface.
// It sets the TLS config on the CockroachDBContainer.
func (c *TLSConfig) customize(ctr *CockroachDBContainer) error {
ctr.tlsConfig = c.cfg
return nil
}

// Customize implements the [testcontainers.ContainerCustomizer] interface.
func (c *TLSConfig) Customize(req *testcontainers.GenericContainerRequest) error {
if req.Env[envUser] != defaultUser {
return fmt.Errorf("unsupported user %q with TLS, use %q", req.Env[envUser], defaultUser)
}

req.Env[envOptionTLS] = "true"

caBytes := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: c.CACert.Raw,
})
files := map[string][]byte{
fileCACert: caBytes,
fileNodeCert: c.NodeCert,
fileNodeKey: c.NodeKey,
fileClientCert: c.ClientCert,
fileClientKey: c.ClientKey,
}

for filename, contents := range files {
req.Files = append(req.Files, testcontainers.ContainerFile{
Reader: bytes.NewReader(contents),
ContainerFilePath: filename,
FileMode: 0o600,
})
}

req.Cmd = append(req.Cmd, "--certs-dir="+certsDir)

return nil
}

// NewTLSConfig creates a new TLSConfig capable of running CockroachDB & connecting over TLS.
Expand Down Expand Up @@ -59,28 +106,24 @@ func NewTLSConfig() (*TLSConfig, error) {
return nil, errors.New("failed to generate client certificate")
}

return &TLSConfig{
CACert: caCert.Cert,
NodeCert: nodeCert.Bytes,
NodeKey: nodeCert.KeyBytes,
ClientCert: clientCert.Bytes,
ClientKey: clientCert.KeyBytes,
}, nil
}

// tlsConfig returns a [tls.Config] for options.
func (c *TLSConfig) tlsConfig() (*tls.Config, error) {
keyPair, err := tls.X509KeyPair(c.ClientCert, c.ClientKey)
keyPair, err := tls.X509KeyPair(clientCert.Bytes, clientCert.KeyBytes)
if err != nil {
return nil, fmt.Errorf("x509 key pair: %w", err)
}

certPool := x509.NewCertPool()
certPool.AddCert(c.CACert)
certPool.AddCert(caCert.Cert)

return &tls.Config{
RootCAs: certPool,
Certificates: []tls.Certificate{keyPair},
ServerName: "localhost",
return &TLSConfig{
CACert: caCert.Cert,
NodeCert: nodeCert.Bytes,
NodeKey: nodeCert.KeyBytes,
ClientCert: clientCert.Bytes,
ClientKey: clientCert.KeyBytes,
cfg: &tls.Config{
RootCAs: certPool,
Certificates: []tls.Certificate{keyPair},
ServerName: "localhost",
},
}, nil
}
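Review bot: `Customize` dereferences `c.CACert.Raw` and `customize` copies `c.cfg` without checking either, yet the exported `CACert`/`NodeCert`/`NodeKey`/`ClientCert`/`ClientKey` fields invite building a `TLSConfig` by hand; such a value would panic on a nil `CACert`, and because `cfg` is unexported it can only come from `NewTLSConfig`, so a hand-built config leaves `ctr.tlsConfig` nil while the container is started with `--certs-dir` and `envOptionTLS` set. I would add `if c.CACert == nil || c.cfg == nil { return errors.New("tls config: must be created with NewTLSConfig") }` at the top of `Customize`, and state on the type comment that `TLSConfig` values must be obtained from `NewTLSConfig`. Two smaller points: `req.Env[envOptionTLS] = "true"` panics if `req.Env` is nil (the preceding `envUser` comparison suggests it is already populated, but that is not visible here), and ranging over the `files` map appends `req.Files` in random order, so tests asserting on request contents will be flaky. The second hunk's enclosing `NewTLSConfig` begins outside the hunk.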
