[gpctl] Support tls-path and host for imagebuilds

Author: csweichel

dev/gpctl/cmd/imagebuilds.go

@@ -6,8 +6,12 @@ package cmd
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"net"
+	"path/filepath"
 
 	"github.com/spf13/cobra"
 	"golang.org/x/xerrors"
@@ -29,56 +33,93 @@ var imagebuildsCmd = &cobra.Command{
 func init() {
 	imagebuildsCmd.PersistentFlags().StringP("tls", "t", "", "TLS certificate when connecting to a secured gRPC endpoint")
 	imagebuildsCmd.PersistentFlags().Bool("mk3", true, "use image-builder mk3")
+	imagebuildsCmd.PersistentFlags().String("host", "", "dial a host directly")
+	imagebuildsCmd.PersistentFlags().String("tls-path", "", "TLS certificate when connecting to a secured gRPC endpoint")
 
 	rootCmd.AddCommand(imagebuildsCmd)
 }
 
 func getImagebuildsClient(ctx context.Context) (*grpc.ClientConn, api.ImageBuilderClient, error) {
-	cfg, namespace, err := getKubeconfig()
-	if err != nil {
-		return nil, nil, err
-	}
-	clientSet, err := kubernetes.NewForConfig(cfg)
-	if err != nil {
-		return nil, nil, err
-	}
+	host, _ := imagebuildsCmd.PersistentFlags().GetString("host")
+	if host == "" {
+		cfg, namespace, err := getKubeconfig()
+		if err != nil {
+			return nil, nil, err
+		}
+		clientSet, err := kubernetes.NewForConfig(cfg)
+		if err != nil {
+			return nil, nil, err
+		}
 
-	comp := "image-builder"
-	if mk3, _ := imagebuildsCmd.PersistentFlags().GetBool("mk3"); mk3 {
-		comp = "image-builder-mk3"
-	}
+		comp := "image-builder"
+		if mk3, _ := imagebuildsCmd.PersistentFlags().GetBool("mk3"); mk3 {
+			comp = "image-builder-mk3"
+		}
 
-	freePort, err := GetFreePort()
-	if err != nil {
-		return nil, nil, err
-	}
+		freePort, err := GetFreePort()
+		if err != nil {
+			return nil, nil, err
+		}
 
-	port := fmt.Sprintf("%d:8080", freePort)
-	podName, err := util.FindAnyPodForComponent(clientSet, namespace, comp)
-	if err != nil {
-		return nil, nil, err
-	}
-	readychan, errchan := util.ForwardPort(ctx, cfg, namespace, podName, port)
-	select {
-	case <-readychan:
-	case err := <-errchan:
-		return nil, nil, err
-	case <-ctx.Done():
-		return nil, nil, ctx.Err()
+		port := fmt.Sprintf("%d:8080", freePort)
+		podName, err := util.FindAnyPodForComponent(clientSet, namespace, comp)
+		if err != nil {
+			return nil, nil, err
+		}
+		readychan, errchan := util.ForwardPort(ctx, cfg, namespace, podName, port)
+		select {
+		case <-readychan:
+		case err := <-errchan:
+			return nil, nil, err
+		case <-ctx.Done():
+			return nil, nil, ctx.Err()
+		}
+		host = fmt.Sprintf("localhost:%d", freePort)
 	}
 
 	secopt := grpc.WithInsecure()
-	cert, _ := workspacesCmd.Flags().GetString("tls")
+	cert, _ := imagebuildsCmd.Flags().GetString("tls")
 	if cert != "" {
 		creds, err := credentials.NewClientTLSFromFile(cert, "")
 		if err != nil {
 			return nil, nil, xerrors.Errorf("could not load tls cert: %w", err)
 		}
 
+		secopt = grpc.WithTransportCredentials(creds)
+	} else if fn, _ := imagebuildsCmd.Flags().GetString("tls-path"); fn != "" {
+		crt, err := ioutil.ReadFile(filepath.Join(fn, "tls.crt"))
+		if err != nil {
+			return nil, nil, err
+		}
+		key, err := ioutil.ReadFile(filepath.Join(fn, "tls.key"))
+		if err != nil {
+			return nil, nil, err
+		}
+		cert, err := tls.X509KeyPair(crt, key)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		ca, err := ioutil.ReadFile(filepath.Join(fn, "ca.crt"))
+		if err != nil {
+			return nil, nil, err
+		}
+		certPool := x509.NewCertPool()
+		certPool.AppendCertsFromPEM(ca)
+
+		creds := credentials.NewTLS(&tls.Config{
+			Certificates: []tls.Certificate{cert},
+			RootCAs:      certPool,
+			ServerName:   "ws-manager",
+		})
+		if err != nil {
+			return nil, nil, xerrors.Errorf("could not load tls cert: %w", err)
+		}
+
 		secopt = grpc.WithTransportCredentials(creds)
 	}
 
-	conn, err := grpc.Dial(fmt.Sprintf("localhost:%d", freePort), secopt, util.WithClientUnaryInterceptor())
+	conn, err := grpc.Dial(host, secopt, util.WithClientUnaryInterceptor())
 	if err != nil {
 		return nil, nil, err
 	}