feat: Add the ability to inject a ca certificate for use in gRPC and gRPC Web (#753)

Signed-off-by: instamenta <[email protected]>
Signed-off-by: Jan Milenkov <[email protected]>
Co-authored-by: Jeromy Cannon <[email protected]>

Author: instamenta

src/commands/flags.ts

@@ -708,6 +708,60 @@ export const hederaExplorerVersion: CommandFlag = {
   }
 }
 
+//* ------------- Node Proxy Certificates ------------- !//
+
+export const grpcTlsCertificatePath: CommandFlag = {
+  constName: 'grpcTlsCertificatePath',
+  name: 'grpc-tls-cert',
+  definition: {
+    describe:
+      'TLS Certificate path for the gRPC ' +
+      '(e.g. "node1=/Users/username/node1-grpc.cert" ' +
+      'with multiple nodes comma seperated)',
+    defaultValue: '',
+    type: 'string'
+  }
+}
+
+export const grpcWebTlsCertificatePath: CommandFlag = {
+  constName: 'grpcWebTlsCertificatePath',
+  name: 'grpc-web-tls-cert',
+  definition: {
+    describe:
+      'TLS Certificate path for gRPC Web ' +
+      '(e.g. "node1=/Users/username/node1-grpc-web.cert" ' +
+      'with multiple nodes comma seperated)',
+    defaultValue: '',
+    type: 'string'
+  }
+}
+
+export const grpcTlsKeyPath: CommandFlag = {
+  constName: 'grpcTlsKeyPath',
+  name: 'grpc-tls-key',
+  definition: {
+    describe:
+      'TLS Certificate key path for the gRPC ' +
+      '(e.g. "node1=/Users/username/node1-grpc.key" ' +
+      'with multiple nodes comma seperated)',
+    defaultValue: '',
+    type: 'string'
+  }
+}
+
+export const grpcWebTlsKeyPath: CommandFlag = {
+  constName: 'grpcWebTlsKeyPath',
+  name: 'grpc-web-tls-key',
+  definition: {
+    describe:
+      'TLC Certificate key path for gRPC Web ' +
+      '(e.g. "node1=/Users/username/node1-grpc-web.key" ' +
+      'with multiple nodes comma seperated)',
+    defaultValue: '',
+    type: 'string'
+  }
+}
+
 export const allFlags: CommandFlag[] = [
   accountId,
   amount,
@@ -773,7 +827,11 @@ export const allFlags: CommandFlag[] = [
   mirrorNodeVersion,
   hederaExplorerVersion,
   inputDir,
-  outputDir
+  outputDir,
+  grpcTlsCertificatePath,
+  grpcWebTlsCertificatePath,
+  grpcTlsKeyPath,
+  grpcWebTlsKeyPath,
 ]
 
 /** Resets the definition.disablePrompt for all flags */

src/commands/network.ts

@@ -14,22 +14,21 @@
  * limitations under the License.
  *
  */
-
 import { ListrEnquirerPromptAdapter } from '@listr2/prompt-adapter-enquirer'
 import chalk from 'chalk'
 import { Listr } from 'listr2'
 import { SoloError, IllegalArgumentError, MissingArgumentError } from '../core/errors.ts'
 import { BaseCommand } from './base.ts'
 import * as flags from './flags.ts'
-import type { KeyManager, PlatformInstaller, ProfileManager } from '../core/index.ts'
 import { constants, Templates } from '../core/index.ts'
 import * as prompts from './prompts.ts'
 import * as helpers from '../core/helpers.ts'
 import path from 'path'
 import { addDebugOptions, validatePath } from '../core/helpers.ts'
 import fs from 'fs'
-import { type NodeAlias, type NodeAliases } from '../types/aliases.ts'
-import { type Opts } from '../types/index.ts'
+import type { CertificateManager, KeyManager, PlatformInstaller, ProfileManager } from '../core/index.ts'
+import type { NodeAlias, NodeAliases } from '../types/aliases.ts'
+import type { Opts } from '../types/index.ts'
 
 export interface NetworkDeployConfigClass {
   applicationEnv: string
@@ -48,14 +47,19 @@ export interface NetworkDeployConfigClass {
   nodeAliases: NodeAliases
   stagingDir: string
   stagingKeysDir: string
-  valuesArg: string
+  valuesArg: string,
+  grpcTlsCertificatePath: string,
+  grpcWebTlsCertificatePath: string,
+  grpcTlsKeyPath: string,
+  grpcWebTlsKeyPath: string,
   getUnusedConfigs: () => string[]
 }
 
 export class NetworkCommand extends BaseCommand {
   private readonly keyManager: KeyManager
   private readonly platformInstaller: PlatformInstaller
   private readonly profileManager: ProfileManager
+  private readonly certificateManager: CertificateManager
   private profileValuesFile?: string
 
   constructor (opts: Opts) {
@@ -65,7 +69,9 @@ export class NetworkCommand extends BaseCommand {
     if (!opts || !opts.keyManager) throw new IllegalArgumentError('An instance of core/KeyManager is required', opts.keyManager)
     if (!opts || !opts.platformInstaller) throw new IllegalArgumentError('An instance of core/PlatformInstaller is required', opts.platformInstaller)
     if (!opts || !opts.profileManager) throw new MissingArgumentError('An instance of core/ProfileManager is required', opts.downloader)
+    if (!opts || !opts.certificateManager) throw new MissingArgumentError('An instance of core/CertificateManager is required', opts.certificateManager)
 
+    this.certificateManager = opts.certificateManager
     this.keyManager = opts.keyManager
     this.platformInstaller = opts.platformInstaller
     this.profileManager = opts.profileManager
@@ -97,7 +103,11 @@ export class NetworkCommand extends BaseCommand {
       flags.quiet,
       flags.releaseTag,
       flags.settingTxt,
-      flags.valuesFile
+      flags.valuesFile,
+      flags.grpcTlsCertificatePath,
+      flags.grpcWebTlsCertificatePath,
+      flags.grpcTlsKeyPath,
+      flags.grpcWebTlsKeyPath,
     ]
   }
 
@@ -160,7 +170,11 @@ export class NetworkCommand extends BaseCommand {
       flags.persistentVolumeClaims,
       flags.profileName,
       flags.profileFile,
-      flags.settingTxt
+      flags.settingTxt,
+      flags.grpcTlsCertificatePath,
+      flags.grpcWebTlsCertificatePath,
+      flags.grpcTlsKeyPath,
+      flags.grpcWebTlsKeyPath,
     ])
 
     await prompts.execute(task, this.configManager, NetworkCommand.DEPLOY_FLAGS_LIST)
@@ -230,6 +244,18 @@ export class NetworkCommand extends BaseCommand {
           return lease.buildAcquireTask(task)
         }
       },
+      {
+        title: 'Copy gRPC TLS Certificates',
+        task: (ctx, parentTask) =>
+          self.certificateManager.buildCopyTlsCertificatesTasks(
+            parentTask,
+            ctx.config.grpcTlsCertificatePath,
+            ctx.config.grpcWebTlsCertificatePath,
+            ctx.config.grpcTlsKeyPath,
+            ctx.config.grpcWebTlsKeyPath
+          ),
+        skip: (ctx) => !ctx.config.grpcTlsCertificatePath && !ctx.config.grpcWebTlsCertificatePath
+      },
       {
         title: 'Check if cluster setup chart is installed',
         task: async (ctx, task) => {

src/commands/node/configs.ts

@@ -401,6 +401,10 @@ export interface NodeAddConfigClass {
     treasuryKey: PrivateKey
     stagingDir: string
     stagingKeysDir: string
+    grpcTlsCertificatePath: string,
+    grpcWebTlsCertificatePath: string,
+    grpcTlsKeyPath: string,
+    grpcWebTlsKeyPath: string,
     getUnusedConfigs: () => string[]
 }
 

src/commands/node/flags.ts

@@ -113,7 +113,11 @@ const COMMON_ADD_REQUIRED_NO_PROMPT_FLAGS = [
     flags.chainId,
     flags.debugNodeAlias,
     flags.soloChartVersion,
-    flags.persistentVolumeClaims
+    flags.persistentVolumeClaims,
+    flags.grpcTlsCertificatePath,
+    flags.grpcWebTlsCertificatePath,
+    flags.grpcTlsKeyPath,
+    flags.grpcWebTlsKeyPath,
 ]
 
 const COMMON_ADD_OPTIONAL_FLAGS = [

src/commands/node/handlers.ts

@@ -137,6 +137,7 @@ export class NodeCommandHandlers {
       this.tasks.checkPVCsEnabled(),
       this.tasks.identifyExistingNodes(),
       this.tasks.determineNewNodeAccountNumber(),
+      this.tasks.copyGrpcTlsCertificates(),
       this.tasks.generateGossipKey(),
       this.tasks.generateGrpcTlsKey(),
       this.tasks.loadSigningKeyCertificate(),

src/commands/node/index.ts

@@ -42,6 +42,7 @@ export class NodeCommand extends BaseCommand {
     if (!opts || !opts.keyManager) throw new IllegalArgumentError('An instance of core/KeyManager is required', opts.keyManager)
     if (!opts || !opts.accountManager) throw new IllegalArgumentError('An instance of core/AccountManager is required', opts.accountManager)
     if (!opts || !opts.profileManager) throw new IllegalArgumentError('An instance of ProfileManager is required', opts.profileManager)
+    if (!opts || !opts.certificateManager) throw new IllegalArgumentError('An instance of CertificateManager is required', opts.certificateManager)
 
     this.accountManager = opts.accountManager
     this._portForwards = []
@@ -55,6 +56,7 @@ export class NodeCommand extends BaseCommand {
       k8: opts.k8,
       keyManager: opts.keyManager,
       chartManager: opts.chartManager,
+      certificateManager: opts.certificateManager,
       parent: this
     })
 

src/commands/node/tasks.ts

@@ -14,8 +14,6 @@
  * limitations under the License.
  *
  */
-
-
 import {
   type ChartManager,
   type ConfigManager,
@@ -26,7 +24,8 @@ import {
   Task,
   Templates,
   Zippy,
-  type AccountManager
+  type AccountManager,
+  type CertificateManager
 } from '../../core/index.ts'
 import {
   DEFAULT_NETWORK_NODE_NAME,
@@ -82,12 +81,13 @@ export class NodeCommandTasks {
   private readonly k8: K8
   private readonly parent: NodeCommand
   private readonly chartManager: ChartManager
+  private readonly certificateManager: CertificateManager
 
   private readonly prepareValuesFiles: any
 
   constructor (opts: { logger: SoloLogger; accountManager: AccountManager; configManager: ConfigManager,
     k8: K8, platformInstaller: PlatformInstaller, keyManager: KeyManager, profileManager: ProfileManager,
-  chartManager: ChartManager, parent: NodeCommand}
+  chartManager: ChartManager, certificateManager: CertificateManager, parent: NodeCommand}
   ) {
     if (!opts || !opts.accountManager) throw new IllegalArgumentError('An instance of core/AccountManager is required', opts.accountManager as any)
     if (!opts || !opts.configManager) throw new Error('An instance of core/ConfigManager is required')
@@ -96,6 +96,8 @@ export class NodeCommandTasks {
     if (!opts || !opts.platformInstaller) throw new IllegalArgumentError('An instance of core/PlatformInstaller is required', opts.platformInstaller)
     if (!opts || !opts.keyManager) throw new IllegalArgumentError('An instance of core/KeyManager is required', opts.keyManager)
     if (!opts || !opts.profileManager) throw new IllegalArgumentError('An instance of ProfileManager is required', opts.profileManager)
+    if (!opts || !opts.certificateManager) throw new IllegalArgumentError('An instance of CertificateManager is required', opts.certificateManager)
+
 
     this.accountManager = opts.accountManager
     this.configManager = opts.configManager
@@ -106,6 +108,7 @@ export class NodeCommandTasks {
     this.profileManager = opts.profileManager
     this.keyManager = opts.keyManager
     this.chartManager = opts.chartManager
+    this.certificateManager = opts.certificateManager
     this.prepareValuesFiles = opts.parent.prepareValuesFiles.bind(opts.parent)
   }
 
@@ -414,6 +417,20 @@ export class NodeCommandTasks {
     }, (ctx: any) => !ctx.config.generateTlsKeys)
   }
 
+  copyGrpcTlsCertificates () {
+    return new Task('Copy gRPC TLS Certificates',
+      (ctx: { config: NodeAddConfigClass }, parentTask: ListrTaskWrapper<any, any, any>) =>
+        this.certificateManager.buildCopyTlsCertificatesTasks(
+          parentTask,
+          ctx.config.grpcTlsCertificatePath,
+          ctx.config.grpcWebTlsCertificatePath,
+          ctx.config.grpcTlsKeyPath,
+          ctx.config.grpcWebTlsKeyPath
+        ),
+      (ctx: any) => !ctx.config.grpcTlsCertificatePath && !ctx.config.grpcWebTlsCertificatePath
+    )
+  }
+
   _loadPermCertificate (certFullPath: string) {
     const certPem = fs.readFileSync(certFullPath).toString()
     const decodedDers = x509.PemConverter.decode(certPem)

src/commands/prompts.ts

@@ -462,6 +462,40 @@ export async function promptOutputDir (task: ListrTaskWrapper<any, any, any>, in
         flags.outputDir.name)
 }
 
+//! ------------- Node Proxy Certificates ------------- !//
+
+export async function promptGrpcTlsCertificatePath (task: ListrTaskWrapper<any, any, any>, input: any) {
+  return await promptText(task, input,
+    flags.grpcTlsCertificatePath.definition.defaultValue,
+    'Enter node alias and path to TLS certificate for gRPC (ex. nodeAlias=path )',
+    null,
+    flags.grpcTlsCertificatePath.name)
+}
+
+export async function promptGrpcWebTlsCertificatePath (task: ListrTaskWrapper<any, any, any>, input: any) {
+  return await promptText(task, input,
+    flags.grpcWebTlsCertificatePath.definition.defaultValue,
+    'Enter node alias and path to TLS certificate for gGRPC web (ex. nodeAlias=path )',
+    null,
+    flags.grpcWebTlsCertificatePath.name)
+}
+
+export async function promptGrpcTlsKeyPath (task: ListrTaskWrapper<any, any, any>, input: any) {
+  return await promptText(task, input,
+    flags.grpcTlsKeyPath.definition.defaultValue,
+    'Enter node alias and path to TLS certificate key for gRPC (ex. nodeAlias=path )',
+    null,
+    flags.grpcTlsKeyPath.name)
+}
+
+export async function promptGrpcWebTlsKeyPath (task: ListrTaskWrapper<any, any, any>, input: any) {
+  return await promptText(task, input,
+    flags.grpcWebTlsKeyPath.definition.defaultValue,
+    'Enter node alias and path to TLS certificate key for gGRPC Web (ex. nodeAlias=path )',
+    null,
+    flags.grpcWebTlsKeyPath.name)
+}
+
 export function getPromptMap (): Map<string, Function> {
   return new Map()
     .set(flags.accountId.name, promptAccountId)
@@ -506,6 +540,12 @@ export function getPromptMap (): Map<string, Function> {
     .set(flags.hederaExplorerVersion, promptHederaExplorerVersion)
     .set(flags.inputDir.name, promptInputDir)
     .set(flags.outputDir.name, promptOutputDir)
+
+    //! Node Proxy Certificates
+    .set(flags.grpcTlsCertificatePath.name, promptGrpcTlsCertificatePath)
+    .set(flags.grpcWebTlsCertificatePath.name, promptGrpcWebTlsCertificatePath)
+    .set(flags.grpcTlsKeyPath.name, promptGrpcTlsKeyPath)
+    .set(flags.grpcWebTlsKeyPath.name, promptGrpcWebTlsKeyPath)
 }
 
 // build the prompt registry