Fixing the kanidmd healthcheck (#1789)
* fixing the health check * fixing pages while I am here * flipping options like I flip burgers * using the config-supplied cert
This commit is contained in:
parent
9a3c12a79d
commit
3e4c8f6241
16
.github/workflows/kanidm_book.yml
vendored
16
.github/workflows/kanidm_book.yml
vendored
|
@ -53,6 +53,7 @@ jobs:
|
|||
fanout:
|
||||
uses: './.github/workflows/kanidm_individual_book.yml'
|
||||
needs: pre_deploy
|
||||
if: ${{ github.action_ref == 'refs/heads/master' && github.repository == 'kanidm/kanidm' && github.event == 'merge' }}
|
||||
|
||||
strategy:
|
||||
fail-fast: false
|
||||
|
@ -70,13 +71,14 @@ jobs:
|
|||
|
||||
deploy:
|
||||
environment:
|
||||
name: github-pages
|
||||
name: "github-pages"
|
||||
url: ${{ steps.deployment.outputs.page_url }}
|
||||
needs:
|
||||
- pre_deploy
|
||||
- fanout
|
||||
- docs_master
|
||||
runs-on: ubuntu-latest
|
||||
if: ${{ github.action_ref == 'refs/heads/master' && github.repository == 'kanidm/kanidm' && github.event == 'merge' }}
|
||||
steps:
|
||||
- name: Setup Pages
|
||||
uses: actions/configure-pages@v3
|
||||
|
@ -97,18 +99,6 @@ jobs:
|
|||
path: ./docs/
|
||||
env:
|
||||
ACTIONS_RUNNER_DEBUG: true
|
||||
# - name: Log more stuff
|
||||
# run: |
|
||||
# echo "Currently in $(pwd)"
|
||||
# mkdir -p docs && find $(pwd) -ls > ./docs/manifest.txt
|
||||
# env:
|
||||
# ACTIONS_RUNNER_DEBUG: true
|
||||
# - name: Upload docs dir as an artifact
|
||||
# # https://github.com/actions/upload-artifact
|
||||
# uses: actions/upload-artifact@v3
|
||||
# with:
|
||||
# name: logs
|
||||
# path: docs/
|
||||
- name: Extract the files
|
||||
run: |
|
||||
pwd
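Review bot: The `if:` guard on the fanout and deploy jobs compares `github.event`, which is the full webhook payload object, to the string `'merge'`, and `github.action_ref`, which is the ref of an action being executed by a step, to `refs/heads/master`; as far as the Actions context documentation goes neither comparison can hold, so both jobs would be skipped even for a merge to master. Whether these lines are new in this commit or carried context is not recoverable from this rendering, so this may be pre-existing. The branch and event checks that match the apparent intent are `github.ref == 'refs/heads/master'` and `github.event_name == 'push'` (or whichever event this workflow triggers on; the `on:` block is outside the hunk).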
|
||||
|
|
|
@ -12,5 +12,6 @@ title = "Kanidm Administration"
|
|||
[output.html]
|
||||
edit-url-template = "https://github.com/kanidm/kanidm/edit/master/book/{path}"
|
||||
git-repository-url = "https://github.com/kanidm/kanidm"
|
||||
git-repository-icon = "fa-github"
|
||||
|
||||
[preprocessor.template]
|
||||
|
|
|
@ -17,6 +17,7 @@ static ALLOC: tikv_jemallocator::Jemalloc = tikv_jemallocator::Jemalloc;
|
|||
use std::fs::{metadata, File};
|
||||
// This works on both unix and windows.
|
||||
use fs2::FileExt;
|
||||
use kanidm_proto::messages::ConsoleOutputMode;
|
||||
#[cfg(target_family = "unix")]
|
||||
use std::os::unix::fs::MetadataExt;
|
||||
use std::path::PathBuf;
|
||||
|
@ -284,24 +285,30 @@ async fn main() -> ExitCode {
|
|||
config.update_output_mode(opt.commands.commonopt().output_mode.to_owned().into());
|
||||
config.update_trust_x_forward_for(sconfig.trust_x_forward_for);
|
||||
|
||||
// Okay - Lets now create our lock and go.
|
||||
let klock_path = format!("{}.klock" ,sconfig.db_path.as_str());
|
||||
let flock = match File::create(&klock_path) {
|
||||
Ok(flock) => flock,
|
||||
Err(e) => {
|
||||
error!("ERROR: Refusing to start - unable to create kanidm exclusive lock at {} - {:?}", klock_path, e);
|
||||
return ExitCode::FAILURE
|
||||
}
|
||||
};
|
||||
match &opt.commands {
|
||||
// we aren't going to touch the DB so we can carry on
|
||||
KanidmdOpt::HealthCheck(_) => (),
|
||||
_ => {
|
||||
// Okay - Lets now create our lock and go.
|
||||
let klock_path = format!("{}.klock" ,sconfig.db_path.as_str());
|
||||
let flock = match File::create(&klock_path) {
|
||||
Ok(flock) => flock,
|
||||
Err(e) => {
|
||||
error!("ERROR: Refusing to start - unable to create kanidm exclusive lock at {} - {:?}", klock_path, e);
|
||||
return ExitCode::FAILURE
|
||||
}
|
||||
};
|
||||
|
||||
match flock.try_lock_exclusive() {
|
||||
Ok(()) => debug!("Acquired kanidm exclusive lock"),
|
||||
Err(e) => {
|
||||
error!("ERROR: Refusing to start - unable to lock kanidm exclusive lock at {} - {:?}", klock_path, e);
|
||||
error!("Is another kanidm process running?");
|
||||
return ExitCode::FAILURE
|
||||
match flock.try_lock_exclusive() {
|
||||
Ok(()) => debug!("Acquired kanidm exclusive lock"),
|
||||
Err(e) => {
|
||||
error!("ERROR: Refusing to start - unable to lock kanidm exclusive lock at {} - {:?}", klock_path, e);
|
||||
error!("Is another kanidm process running?");
|
||||
return ExitCode::FAILURE
|
||||
}
|
||||
};
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
/*
|
||||
// Apply any cli overrides, normally debug level.
|
||||
|
@ -523,36 +530,50 @@ async fn main() -> ExitCode {
|
|||
|
||||
debug!("{sopt:?}");
|
||||
|
||||
let healthcheck_url = format!("https://{}/status", config.address);
|
||||
|
||||
let healthcheck_url = match &sopt.check_origin {
|
||||
true => format!("{}/status", config.origin),
|
||||
false => format!("https://{}/status", config.address),
|
||||
};
|
||||
|
||||
debug!("Checking {healthcheck_url}");
|
||||
|
||||
|
||||
|
||||
let client = reqwest::ClientBuilder::new()
|
||||
.danger_accept_invalid_certs(sopt.no_verify_tls)
|
||||
.danger_accept_invalid_hostnames(sopt.no_verify_tls)
|
||||
let mut client = reqwest::ClientBuilder::new()
|
||||
.danger_accept_invalid_certs(!sopt.verify_tls)
|
||||
.danger_accept_invalid_hostnames(!sopt.verify_tls)
|
||||
.https_only(true);
|
||||
// TODO: work out how to pull the CA from the chain
|
||||
// client = match config.tls_config {
|
||||
// Some(tls_config) => {
|
||||
// eprintln!("{:?}", tls_config);
|
||||
// let mut buf = Vec::new();
|
||||
// File::open(tls_config.chain)
|
||||
// .unwrap()
|
||||
// .read_to_end(&mut buf)
|
||||
// .unwrap();
|
||||
// eprintln!("buf: {:?}", buf);
|
||||
// match reqwest::Certificate::from_pem(&buf){
|
||||
// Ok(cert) => client.add_root_certificate(cert),
|
||||
// Err(err) => {
|
||||
// error!("Failed to read TLS chain: {err:?}");
|
||||
// client
|
||||
// }
|
||||
// }
|
||||
|
||||
// },
|
||||
// None => client,
|
||||
// };
|
||||
|
||||
client = match &sconfig.tls_chain {
|
||||
None => client,
|
||||
Some(ca_cert) => {
|
||||
debug!("Trying to load {}", ca_cert);
|
||||
// if the ca_cert file exists, then we'll use it
|
||||
let ca_cert_path = PathBuf::from(ca_cert);
|
||||
match ca_cert_path.exists() {
|
||||
true => {
|
||||
let ca_contents = std::fs::read_to_string(ca_cert_path.clone()).expect(&format!("Failed to read {}!", ca_cert));
|
||||
let content = ca_contents
|
||||
.split("-----END CERTIFICATE-----")
|
||||
.into_iter()
|
||||
.filter_map(|c| if c.trim().is_empty() { None } else { Some(c.trim().to_string())})
|
||||
.collect::<Vec<String>>();
|
||||
let content = content.last().expect(&format!("Failed to pull the last chunk of {} as a valid certificate!", ca_cert));
|
||||
let content = format!("{}-----END CERTIFICATE-----", content);
|
||||
|
||||
let ca_cert_parsed = reqwest::Certificate::from_pem(content.as_bytes())
|
||||
.expect(&format!("Failed to parse {} as a valid certificate!\n{}", ca_cert, content));
|
||||
client.add_root_certificate(ca_cert_parsed)
|
||||
},
|
||||
false => {
|
||||
warn!("Couldn't find ca cert {} but carrying on...", ca_cert);
|
||||
client
|
||||
}
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
let client = client
|
||||
.build()
|
||||
|
@ -576,7 +597,16 @@ async fn main() -> ExitCode {
|
|||
}
|
||||
};
|
||||
debug!("Request: {req:?}");
|
||||
info!("OK")
|
||||
let output_mode: ConsoleOutputMode = sopt.commonopts.output_mode.to_owned().into();
|
||||
match output_mode {
|
||||
ConsoleOutputMode::JSON => {
|
||||
println!("{{\"result\":\"OK\"}}")
|
||||
},
|
||||
ConsoleOutputMode::Text => {
|
||||
info!("OK")
|
||||
},
|
||||
}
|
||||
|
||||
}
|
||||
KanidmdOpt::Version(_) => {}
|
||||
}
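Review bot: In the `@ -284,24 +285,30` hunk the exclusive lock is released as soon as it is taken, because `flock` is now a `let` inside the `_ => { … }` arm and the `File` is dropped when that arm ends, whereas before the commit it stayed bound for the rest of `main`. With an fs2 `try_lock_exclusive` lock the guarantee that only one kanidmd opens the database lasts only as long as the handle, so a second instance would no longer be refused. Keep the handle alive by binding the match result: `let _flock = match &opt.commands {`, `KanidmdOpt::HealthCheck(_) => None,` and `Some(flock)` as the last expression of the `_` arm (a named `_flock`, not a bare `_`, so it lives to the end of `main`). `main` starts and ends outside this hunk, so if code after the match rebinds the lock this does not apply.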
|
||||
|
|
|
@ -75,7 +75,10 @@ struct DbScanListIndex {
|
|||
struct HealthCheckArgs {
|
||||
/// Disable TLS verification
|
||||
#[clap(short, long, action)]
|
||||
no_verify_tls: bool,
|
||||
verify_tls: bool,
|
||||
/// Check the 'origin' URL from the server configuration file, instead of the 'address'
|
||||
#[clap(short='O', long, action)]
|
||||
check_origin: bool,
|
||||
#[clap(flatten)]
|
||||
commonopts: CommonOpt,
|
||||
}
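Review bot: The doc comment above the renamed field still reads `/// Disable TLS verification`, but the field is now `verify_tls`, so the `--help` output describes `--verify-tls` as disabling what it enables; change it to `/// Enable TLS verification`. Because a bool clap flag with `action` defaults to false, the healthcheck now skips certificate and hostname verification unless `--verify-tls` is given, the opposite of the previous `no_verify_tls` default, and the help text should say so: `/// Enable TLS verification (off by default)`; the `@ -523,36 +530,50` hunk of main.rs is where `!sopt.verify_tls` feeds `danger_accept_invalid_certs`. The bare `short` also derives `-v` from the field name, which may collide with a short flag in the flattened `CommonOpt`; that struct is not shown here, so worth checking.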
|
||||
|
|