cli: add --workspace flag to set base directory for Constellation workspace (#2148)

* Remove `--config` and `--master-secret` falgs * Add `--workspace` flag * In CLI, only work on files with paths created from `cli/internal/cmd` * Properly print values for GCP on IAM create when not directly updating the config --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-08-07 14:32:17 -04:00 · 2023-08-04 13:53:51 +02:00 · 2023-08-04 13:53:51 +02:00 · d1ace13713
commit d1ace13713
parent ec33530c38
57 changed files with 966 additions and 1145 deletions
--- a/cli/internal/cmd/init.go
+++ b/cli/internal/cmd/init.go
@ -15,6 +15,7 @@ import (
 	"io"
 	"net"
 	"os"
+	"path/filepath"
 	"strconv"
 	"sync"
 	"text/tabwriter"
@ -65,7 +66,6 @@ func NewInitCmd() *cobra.Command {
 		Args: cobra.ExactArgs(0),
 		RunE: runInitialize,
 	}
-	cmd.Flags().String("master-secret", "", "path to base64-encoded master secret")
 	cmd.Flags().Bool("conformance", false, "enable conformance mode")
 	cmd.Flags().Bool("skip-helm-wait", false, "install helm charts without waiting for deployments to be ready")
 	cmd.Flags().Bool("merge-kubeconfig", false, "merge Constellation kubeconfig file with default kubeconfig file in $HOME/.kube/config")
@ -76,9 +76,8 @@ type initCmd struct {
 	log           debugLog
 	merger        configMerger
 	spinner       spinnerInterf
-	masterSecret  uri.MasterSecret
 	fileHandler   file.Handler
-	helmInstaller helm.Initializer
+	helmInstaller initializer
 	clusterShower clusterShower
 }

@ -87,7 +86,7 @@ type clusterShower interface {
 }

 func newInitCmd(
-	clusterShower clusterShower, helmInstaller helm.Initializer, fileHandler file.Handler,
+	clusterShower clusterShower, helmInstaller initializer, fileHandler file.Handler,
 	spinner spinnerInterf, merger configMerger, log debugLog,
 ) *initCmd {
 	return &initCmd{
@ -121,14 +120,15 @@ func runInitialize(cmd *cobra.Command, _ []string) error {
 	ctx, cancel := context.WithTimeout(cmd.Context(), time.Hour)
 	defer cancel()
 	cmd.SetContext(ctx)
-	helmInstaller, err := helm.NewInitializer(log)
-	if err != nil {
-		return fmt.Errorf("creating Helm installer: %w", err)
-	}
+
 	tfClient, err := terraform.New(ctx, constants.TerraformWorkingDir)
 	if err != nil {
 		return fmt.Errorf("creating Terraform client: %w", err)
 	}
+	helmInstaller, err := helm.NewInitializer(log, constants.AdminConfFilename)
+	if err != nil {
+		return fmt.Errorf("creating Helm installer: %w", err)
+	}
 	i := newInitCmd(tfClient, helmInstaller, fileHandler, spinner, &kubeconfigMerger{log: log}, log)
 	fetcher := attestationconfigapi.NewFetcher()
 	return i.initialize(cmd, newDialer, license.NewClient(), fetcher)
@ -143,8 +143,8 @@ func (i *initCmd) initialize(cmd *cobra.Command, newDialer func(validator atls.V
 		return err
 	}
 	i.log.Debugf("Using flags: %+v", flags)
-	i.log.Debugf("Loading configuration file from %q", flags.configPath)
-	conf, err := config.New(i.fileHandler, flags.configPath, configFetcher, flags.force)
+	i.log.Debugf("Loading configuration file from %q", configPath(flags.workspace))
+	conf, err := config.New(i.fileHandler, constants.ConfigFilename, configFetcher, flags.force)
 	var configValidationErr *config.ValidationError
 	if errors.As(err, &configValidationErr) {
 		cmd.PrintErrln(configValidationErr.LongMessage())
@ -163,7 +163,7 @@ func (i *initCmd) initialize(cmd *cobra.Command, newDialer func(validator atls.V

 	i.log.Debugf("Checking cluster ID file")
 	var idFile clusterid.File
-	if err := i.fileHandler.ReadJSON(constants.ClusterIDsFileName, &idFile); err != nil {
+	if err := i.fileHandler.ReadJSON(constants.ClusterIDsFilename, &idFile); err != nil {
 		return fmt.Errorf("reading cluster ID file: %w", err)
 	}

@ -193,15 +193,14 @@ func (i *initCmd) initialize(cmd *cobra.Command, newDialer func(validator atls.V
 		return fmt.Errorf("creating new validator: %w", err)
 	}
 	i.log.Debugf("Created a new validator")
-	serviceAccURI, err := i.getMarshaledServiceAccountURI(provider, conf)
+	serviceAccURI, err := i.getMarshaledServiceAccountURI(provider, conf, flags.workspace)
 	if err != nil {
 		return err
 	}
 	i.log.Debugf("Successfully marshaled service account URI")
-	masterSecret, err := i.readOrGenerateMasterSecret(cmd.OutOrStdout(), flags.masterSecretPath)
-	i.masterSecret = masterSecret
+	masterSecret, err := i.generateMasterSecret(cmd.OutOrStdout(), flags.workspace)
 	if err != nil {
-		return fmt.Errorf("parsing or generating master secret from file %s: %w", flags.masterSecretPath, err)
+		return fmt.Errorf("generating master secret: %w", err)
 	}

 	clusterName := clusterid.GetClusterName(conf, idFile)
@ -239,8 +238,7 @@ func (i *initCmd) initialize(cmd *cobra.Command, newDialer func(validator atls.V
 	idFile.CloudProvider = provider

 	bufferedOutput := &bytes.Buffer{}
-	err = i.writeOutput(idFile, resp, flags.mergeConfigs, bufferedOutput)
-	if err != nil {
+	if err := i.writeOutput(idFile, resp, flags.mergeConfigs, bufferedOutput, flags.workspace); err != nil {
 		return err
 	}

@ -388,7 +386,8 @@ func (d *initDoer) handleGRPCStateChanges(ctx context.Context, wg *sync.WaitGrou
 }

 func (i *initCmd) writeOutput(
-	idFile clusterid.File, initResp *initproto.InitSuccessResponse, mergeConfig bool, wr io.Writer,
+	idFile clusterid.File, initResp *initproto.InitSuccessResponse,
+	mergeConfig bool, wr io.Writer, workspace string,
 ) error {
 	fmt.Fprint(wr, "Your Constellation cluster was successfully initialized.\n\n")

@ -399,14 +398,14 @@ func (i *initCmd) writeOutput(
 	tw := tabwriter.NewWriter(wr, 0, 0, 2, ' ', 0)
 	// writeRow(tw, "Constellation cluster's owner identifier", ownerID)
 	writeRow(tw, "Constellation cluster identifier", clusterID)
-	writeRow(tw, "Kubernetes configuration", constants.AdminConfFilename)
+	writeRow(tw, "Kubernetes configuration", adminConfPath(workspace))
 	tw.Flush()
 	fmt.Fprintln(wr)

 	if err := i.fileHandler.Write(constants.AdminConfFilename, initResp.GetKubeconfig(), file.OptNone); err != nil {
 		return fmt.Errorf("writing kubeconfig: %w", err)
 	}
-	i.log.Debugf("Kubeconfig written to %s", constants.AdminConfFilename)
+	i.log.Debugf("Kubeconfig written to %s", adminConfPath(workspace))

 	if mergeConfig {
 		if err := i.merger.mergeConfigs(constants.AdminConfFilename, i.fileHandler); err != nil {
@ -420,14 +419,14 @@ func (i *initCmd) writeOutput(
 	idFile.OwnerID = ownerID
 	idFile.ClusterID = clusterID

-	if err := i.fileHandler.WriteJSON(constants.ClusterIDsFileName, idFile, file.OptOverwrite); err != nil {
+	if err := i.fileHandler.WriteJSON(constants.ClusterIDsFilename, idFile, file.OptOverwrite); err != nil {
 		return fmt.Errorf("writing Constellation ID file: %w", err)
 	}
-	i.log.Debugf("Constellation ID file written to %s", constants.ClusterIDsFileName)
+	i.log.Debugf("Constellation ID file written to %s", clusterIDsPath(workspace))

 	if !mergeConfig {
 		fmt.Fprintln(wr, "You can now connect to your cluster by executing:")
-		fmt.Fprintf(wr, "\texport KUBECONFIG=\"$PWD/%s\"\n", constants.AdminConfFilename)
+		fmt.Fprintf(wr, "\texport KUBECONFIG=\"$PWD/%s\"\n", adminConfPath(workspace))
 	} else {
 		fmt.Fprintln(wr, "Constellation kubeconfig merged with default config.")

@ -448,11 +447,6 @@ func writeRow(wr io.Writer, col1 string, col2 string) {
 // evalFlagArgs gets the flag values and does preprocessing of these values like
 // reading the content from file path flags and deriving other values from flag combinations.
 func (i *initCmd) evalFlagArgs(cmd *cobra.Command) (initFlags, error) {
-	masterSecretPath, err := cmd.Flags().GetString("master-secret")
-	if err != nil {
-		return initFlags{}, fmt.Errorf("parsing master-secret path flag: %w", err)
-	}
-	i.log.Debugf("Master secret path flag value is %q", masterSecretPath)
 	conformance, err := cmd.Flags().GetBool("conformance")
 	if err != nil {
 		return initFlags{}, fmt.Errorf("parsing conformance flag: %w", err)
@ -467,7 +461,7 @@ func (i *initCmd) evalFlagArgs(cmd *cobra.Command) (initFlags, error) {
 		helmWaitMode = helm.WaitModeNone
 	}
 	i.log.Debugf("Helm wait flag is %t", skipHelmWait)
-	configPath, err := cmd.Flags().GetString("config")
+	workspace, err := cmd.Flags().GetString("workspace")
 	if err != nil {
 		return initFlags{}, fmt.Errorf("parsing config path flag: %w", err)
 	}
@ -485,43 +479,25 @@ func (i *initCmd) evalFlagArgs(cmd *cobra.Command) (initFlags, error) {
 	i.log.Debugf("force flag is %t", force)

 	return initFlags{
-		configPath:       configPath,
-		conformance:      conformance,
-		helmWaitMode:     helmWaitMode,
-		masterSecretPath: masterSecretPath,
-		force:            force,
-		mergeConfigs:     mergeConfigs,
+		workspace:    workspace,
+		conformance:  conformance,
+		helmWaitMode: helmWaitMode,
+		force:        force,
+		mergeConfigs: mergeConfigs,
 	}, nil
 }

 // initFlags are the resulting values of flag preprocessing.
 type initFlags struct {
-	configPath       string
-	masterSecretPath string
-	conformance      bool
-	helmWaitMode     helm.WaitMode
-	force            bool
-	mergeConfigs     bool
+	workspace    string
+	conformance  bool
+	helmWaitMode helm.WaitMode
+	force        bool
+	mergeConfigs bool
 }

 // readOrGenerateMasterSecret reads a base64 encoded master secret from file or generates a new 32 byte secret.
-func (i *initCmd) readOrGenerateMasterSecret(outWriter io.Writer, filename string) (uri.MasterSecret, error) {
-	if filename != "" {
-		i.log.Debugf("Reading master secret from file %q", filename)
-		var secret uri.MasterSecret
-		if err := i.fileHandler.ReadJSON(filename, &secret); err != nil {
-			return uri.MasterSecret{}, err
-		}
-
-		if len(secret.Key) < crypto.MasterSecretLengthMin {
-			return uri.MasterSecret{}, fmt.Errorf("provided master secret is smaller than the required minimum of %d Bytes", crypto.MasterSecretLengthMin)
-		}
-		if len(secret.Salt) < crypto.RNGLengthDefault {
-			return uri.MasterSecret{}, fmt.Errorf("provided salt is smaller than the required minimum of %d Bytes", crypto.RNGLengthDefault)
-		}
-		return secret, nil
-	}
-
+func (i *initCmd) generateMasterSecret(outWriter io.Writer, workspace string) (uri.MasterSecret, error) {
 	// No file given, generate a new secret, and save it to disk
 	i.log.Debugf("Generating new master secret")
 	key, err := crypto.GenerateRandomBytes(crypto.MasterSecretLengthDefault)
@ -540,21 +516,21 @@ func (i *initCmd) readOrGenerateMasterSecret(outWriter io.Writer, filename strin
 	if err := i.fileHandler.WriteJSON(constants.MasterSecretFilename, secret, file.OptNone); err != nil {
 		return uri.MasterSecret{}, err
 	}
-	fmt.Fprintf(outWriter, "Your Constellation master secret was successfully written to ./%s\n", constants.MasterSecretFilename)
+	fmt.Fprintf(outWriter, "Your Constellation master secret was successfully written to %q\n", masterSecretPath(workspace))
 	return secret, nil
 }

-func (i *initCmd) getMarshaledServiceAccountURI(provider cloudprovider.Provider, config *config.Config) (string, error) {
+func (i *initCmd) getMarshaledServiceAccountURI(provider cloudprovider.Provider, config *config.Config, workspace string,
+) (string, error) {
 	i.log.Debugf("Getting service account URI")
 	switch provider {
 	case cloudprovider.GCP:
 		i.log.Debugf("Handling case for GCP")
-		path := config.Provider.GCP.ServiceAccountKeyPath
-		i.log.Debugf("GCP service account key path %s", path)
+		i.log.Debugf("GCP service account key path %s", filepath.Join(workspace, config.Provider.GCP.ServiceAccountKeyPath))

 		var key gcpshared.ServiceAccountKey
-		if err := i.fileHandler.ReadJSON(path, &key); err != nil {
-			return "", fmt.Errorf("reading service account key from path %q: %w", path, err)
+		if err := i.fileHandler.ReadJSON(config.Provider.GCP.ServiceAccountKeyPath, &key); err != nil {
+			return "", fmt.Errorf("reading service account key from path %q: %w", filepath.Join(workspace, config.Provider.GCP.ServiceAccountKeyPath), err)
 		}
 		i.log.Debugf("Read GCP service account key from path")
 		return key.ToCloudServiceAccountURI(), nil
@ -667,3 +643,7 @@ func (e *nonRetriableError) Error() string {
 func (e *nonRetriableError) Unwrap() error {
 	return e.err
 }
+
+type initializer interface {
+	Install(ctx context.Context, releases *helm.Releases) error
+}