[ws-manager-bridge] add update cluster tls config (#19975)

Author: iQQBot

components/ws-manager-bridge-api/cluster-service.proto

@@ -108,6 +108,8 @@ message UpdateRequest {
 
     // DEPRECATED
     // ModifyAdmissionPreference admission_preference = 6;
+
+    TlsConfig tls = 7;
   }
 }
 

components/ws-manager-bridge-api/go/cluster-service.pb.go

@@ -235,6 +235,46 @@ export class ClusterService implements IClusterServiceServer {
                         }
                     }
                 }
+                if (call.request.hasTls()) {
+                    const tls = req.tls;
+                    if (!tls?.ca || !tls?.crt || !tls?.key) {
+                        throw new GRPCError(grpc.status.INVALID_ARGUMENT, "missing required TLS config");
+                    }
+                    if (tls.ca === cluster.tls?.ca && tls.crt === cluster.tls?.crt && tls.key === cluster.tls?.key) {
+                        callback(null, new UpdateResponse());
+                        return;
+                    }
+
+                    const newCluster: WorkspaceCluster = {
+                        name: req.name,
+                        url: cluster.url,
+                        region: cluster.region,
+                        state: cluster.state,
+                        score: cluster.score,
+                        maxScore: 100,
+                        govern: cluster.govern,
+                        tls: tls,
+                        admissionConstraints: cluster.admissionConstraints,
+                    };
+
+                    // try to connect to validate the config. Throws an exception if it fails.
+                    await new Promise<DescribeClusterResponse>((resolve, reject) => {
+                        const c = this.clientProvider.createConnection(WorkspaceManagerClient, newCluster);
+                        c.describeCluster(new DescribeClusterRequest(), (err: any, resp: DescribeClusterResponse) => {
+                            if (err) {
+                                reject(
+                                    new GRPCError(
+                                        grpc.status.FAILED_PRECONDITION,
+                                        `cannot reach ${cluster.url}: ${err.message}`,
+                                    ),
+                                );
+                            } else {
+                                resolve(resp);
+                            }
+                        });
+                    });
+                    cluster.tls = tls;
+                }
                 await this.clusterDB.save(cluster);
                 log.info({}, "cluster updated", { cluster: req.name });
                 this.triggerReconcile("update", req.name);

components/ws-manager-bridge-api/go/cluster-service_grpc.pb.go

@@ -6,8 +6,11 @@ package cmd
 
 import (
 	"context"
+	"encoding/base64"
 	"fmt"
 	"io"
+	"io/ioutil"
+	"path"
 	"strconv"
 	"strings"
 
@@ -148,9 +151,58 @@ var clustersUpdateAdmissionConstraintCmd = &cobra.Command{
 	},
 }
 
+var clustersUpdateTLSConfigCmd = &cobra.Command{
+	Use:   "tls",
+	Short: "Updates a cluster's TLS configuration",
+	Args:  cobra.ExactArgs(0),
+	Run: func(cmd *cobra.Command, args []string) {
+		name := getClusterName()
+
+		ctx, cancel := context.WithCancel(context.Background())
+		defer cancel()
+
+		conn, client, err := getClustersClient(ctx)
+		if err != nil {
+			log.WithError(err).Fatal("cannot connect")
+		}
+		defer conn.Close()
+
+		tlsPath, err := cmd.Flags().GetString("tls-path")
+		if err != nil {
+			log.Fatal(err)
+		}
+		if tlsPath == "" {
+			log.Fatal("tls-path is required")
+		}
+
+		readFileToBase64Str := func(filename string) string {
+			filepath := path.Join(tlsPath, filename)
+			content, err := ioutil.ReadFile(filepath)
+			if err != nil {
+				log.WithError(err).Fatalf("unable to read from: '%s'", filepath)
+			}
+			return base64.StdEncoding.EncodeToString(content)
+		}
+		request := &api.UpdateRequest{Name: name, Property: &api.UpdateRequest_Tls{Tls: &api.TlsConfig{
+			Ca:  readFileToBase64Str("ca.crt"),
+			Crt: readFileToBase64Str("tls.crt"),
+			Key: readFileToBase64Str("tls.key"),
+		}}}
+
+		_, err = client.Update(ctx, request)
+		if err != nil && err != io.EOF {
+			log.Fatal(err)
+		}
+
+		fmt.Printf("cluster '%s' tls config updated\n", name)
+	},
+}
+
 func init() {
 	clustersCmd.AddCommand(clustersUpdateCmd)
 	clustersUpdateCmd.AddCommand(clustersUpdateScoreCmd)
 	clustersUpdateCmd.AddCommand(clustersUpdateMaxScoreCmd)
 	clustersUpdateCmd.AddCommand(clustersUpdateAdmissionConstraintCmd)
+	clustersUpdateTLSConfigCmd.Flags().String("tls-path", "", "folder containing the ws cluster's ca.crt, tls.crt and tls.key")
+	clustersUpdateCmd.AddCommand(clustersUpdateTLSConfigCmd)
 }