Fix auto-setup when TLS is used and when bind-address is specified as a CLI arg. (#487)

Author: danxmoran

influxdb/2.0/alpine/entrypoint.sh

@@ -250,16 +250,25 @@ function init_influxd () {
         return
     fi
 
-    # Capture final bind address, and check it is distinct from init addr
     local -r final_bind_addr="$(influxd print-config --key-name http-bind-address "${@}")"
     local -r init_bind_addr=":${INFLUXD_INIT_PORT}"
     if [ "${init_bind_addr}" = "${final_bind_addr}" ]; then
       log warn "influxd setup binding to same addr as final config, server will be exposed before ready" addr "${init_bind_addr}"
     fi
+    local final_host_scheme="http"
+    if [ "$(influxd print-config --key-name tls-cert "${@}")" != '""' ] && [ "$(influxd print-config --key-name tls-key "${@}")" != '""' ]; then
+        final_host_scheme="https"
+    fi
+
+    # Generate a config file with a known HTTP port, and TLS disabled.
+    local -r init_config=/tmp/config.yml
+    influxd print-config "${@}" | \
+        sed -e "s#${final_bind_addr}#${init_bind_addr}#" -e '/^tls/d' > \
+        "${init_config}"
 
     # Start influxd in the background.
     log info "booting influxd server in the background"
-    INFLUXD_HTTP_BIND_ADDRESS="${init_bind_addr}" influxd "${@}" &
+    INFLUXD_CONFIG_PATH="${init_config}" INFLUXD_HTTP_BIND_ADDRESS="${init_bind_addr}" INFLUXD_TLS_CERT='' INFLUXD_TLS_KEY='' influxd &
     local -r influxd_init_pid="$!"
     trap "handle_signal TERM ${influxd_init_pid}" TERM
     trap "handle_signal INT ${influxd_init_pid}" INT
@@ -282,7 +291,7 @@ function init_influxd () {
 
     # Rewrite the ClI configs to point at the server's final HTTP address.
     local -r final_port="$(echo "${final_bind_addr}" | sed -E 's#[^:]*:(.*)#\1#')"
-    sed -i "s#http://localhost:${INFLUXD_INIT_PORT}#http://localhost:${final_port}#g" "${INFLUX_CONFIGS_PATH}"
+    sed -i "s#http://localhost:${INFLUXD_INIT_PORT}#${final_host_scheme}://localhost:${final_port}#g" "${INFLUX_CONFIGS_PATH}"
 }
 
 # Run influxd, with optional setup logic.

influxdb/2.0/entrypoint.sh

@@ -250,16 +250,25 @@ function init_influxd () {
         return
     fi
 
-    # Capture final bind address, and check it is distinct from init addr
     local -r final_bind_addr="$(influxd print-config --key-name http-bind-address "${@}")"
     local -r init_bind_addr=":${INFLUXD_INIT_PORT}"
     if [ "${init_bind_addr}" = "${final_bind_addr}" ]; then
       log warn "influxd setup binding to same addr as final config, server will be exposed before ready" addr "${init_bind_addr}"
     fi
+    local final_host_scheme="http"
+    if [ "$(influxd print-config --key-name tls-cert "${@}")" != '""' ] && [ "$(influxd print-config --key-name tls-key "${@}")" != '""' ]; then
+        final_host_scheme="https"
+    fi
+
+    # Generate a config file with a known HTTP port, and TLS disabled.
+    local -r init_config=/tmp/config.yml
+    influxd print-config "${@}" | \
+        sed -e "s#${final_bind_addr}#${init_bind_addr}#" -e '/^tls/d' > \
+        "${init_config}"
 
     # Start influxd in the background.
     log info "booting influxd server in the background"
-    INFLUXD_HTTP_BIND_ADDRESS="${init_bind_addr}" influxd "${@}" &
+    INFLUXD_CONFIG_PATH="${init_config}" INFLUXD_HTTP_BIND_ADDRESS="${init_bind_addr}" INFLUXD_TLS_CERT='' INFLUXD_TLS_KEY='' influxd &
     local -r influxd_init_pid="$!"
     trap "handle_signal TERM ${influxd_init_pid}" TERM
     trap "handle_signal INT ${influxd_init_pid}" INT
@@ -282,7 +291,7 @@ function init_influxd () {
 
     # Rewrite the ClI configs to point at the server's final HTTP address.
     local -r final_port="$(echo "${final_bind_addr}" | sed -E 's#[^:]*:(.*)#\1#')"
-    sed -i "s#http://localhost:${INFLUXD_INIT_PORT}#http://localhost:${final_port}#g" "${INFLUX_CONFIGS_PATH}"
+    sed -i "s#http://localhost:${INFLUXD_INIT_PORT}#${final_host_scheme}://localhost:${final_port}#g" "${INFLUX_CONFIGS_PATH}"
 }
 
 # Run influxd, with optional setup logic.

influxdb/test/cases/common.sh

@@ -40,10 +40,15 @@ function log_msg () {
 }
 
 function wait_container_ready () {
+    wait_container_ready_at_url localhost:8086/health
+}
+
+function wait_container_ready_at_url () {
+    local -r url=$1
     local attempt_count=0
 
     while [ ${attempt_count} -lt ${ATTEMPTS} ]; do
-        if curl -s localhost:8086/health >/dev/null; then
+        if curl -k -s "${url}" >/dev/null; then
             return 0
         fi
         sleep 2
@@ -54,7 +59,7 @@ function wait_container_ready () {
 }
 
 function extract_token () {
-    docker exec -i ${1} influx auth list --user ${TEST_USER} --hide-headers | cut -f 3
+    docker exec -i ${1} influx auth list --skip-verify --user ${TEST_USER} --hide-headers | cut -f 3
 }
 
 function join_array () {

influxdb/test/cases/test-auto-setup-init-bind

@@ -18,9 +18,18 @@ declare -ra docker_run_influxd=(
     -e DOCKER_INFLUXDB_INIT_PASSWORD=${TEST_PASSWORD}
     -e DOCKER_INFLUXDB_INIT_ORG=${TEST_ORG}
     -e DOCKER_INFLUXDB_INIT_BUCKET=${TEST_BUCKET}
-    -e INFLUXD_HTTP_BIND_ADDRESS=:3333
+    -e INFLUXD_HTTP_BIND_ADDRESS=:2222
     -e INFLUXD_INIT_PORT=9998
     influxdb:${tag} influxd run
+    # NOTE: The CLI arg here is redundant with the INFLUXD_HTTP_BIND_ADDRESS env var above.
+    # We include both because `entrypoint.sh` needs to cover both when overriding the bind-
+    # address used by the "init" instance of the server. The initial implementation of the
+    # script covered the CLI arg, but missed the env var. A follow-up fix covered the env
+    # var but dropped coverage for the CLI arg. Now we test for both.
+    #
+    # The CLI arg is expected to "win" once the final server boots up, according to our config
+    # precedence rules.
+    --http-bind-address ":3333"
 )
 
 # Boot the container

influxdb/test/cases/test-auto-setup-tls

@@ -0,0 +1,70 @@
+#!/bin/bash
+set -eo pipefail
+
+declare -r SCRIPT_DIR=$(cd $(dirname $0) >/dev/null 2>&1 && pwd)
+source ${SCRIPT_DIR}/common.sh
+
+declare -r tag=$1 container_name=$2 data=$3 config=$4 logs=$5
+
+# Generate a self-signed TLS cert.
+openssl req -batch -new \
+    -newkey rsa:4096 \
+    -x509 \
+    -sha256 \
+    -days 1 \
+    -nodes \
+    -subj "/C=US/ST=CA/L=./O=./OU=./CN=." \
+    -out "${config}/tls.crt" \
+    -keyout "${config}/tls.key"
+
+declare -ra docker_run_influxd=(
+    docker run -i -d
+    --name=${container_name}
+    -u $(id -u):influxdb
+    -p 443:8086
+    -v ${data}:/var/lib/influxdb2
+    -v ${config}:/etc/influxdb2
+    -e DOCKER_INFLUXDB_INIT_MODE=setup
+    -e DOCKER_INFLUXDB_INIT_USERNAME=${TEST_USER}
+    -e DOCKER_INFLUXDB_INIT_PASSWORD=${TEST_PASSWORD}
+    -e DOCKER_INFLUXDB_INIT_ORG=${TEST_ORG}
+    -e DOCKER_INFLUXDB_INIT_BUCKET=${TEST_BUCKET}
+    -e INFLUXD_TLS_CERT=/etc/influxdb2/tls.crt \
+    -e INFLUXD_TLS_KEY=/etc/influxdb2/tls.key \
+    influxdb:${tag} influxd
+)
+
+log_msg Booting 2.x container in setup mode
+if ! ${docker_run_influxd[@]} > /dev/null; then
+    log_msg Error: Failed to launch container
+    exit 1
+fi
+wait_container_ready_at_url "https://localhost/health"
+
+# Check that the DB reports it's been set up.
+log_msg Checking onboarding API post-start
+declare onboarding_allowed=$(curl -sk https://localhost/api/v2/setup | jq .allowed)
+if [[ ${onboarding_allowed} != 'false' ]]; then
+    log_msg Error: Onboarding allowed post-start
+    exit 1
+fi
+
+# Get the auth token generated by setup.
+declare -r auth_token=$(extract_token ${container_name})
+
+# Make sure we can use the generated auth token to find the resources we expect.
+log_msg Checking org list post-setup
+declare orgs=$(curl -sk -H "Authorization: Token ${auth_token}" https://localhost/api/v2/orgs | jq -r .orgs[].name)
+if [[ ${orgs} != ${TEST_ORG} ]]; then
+    log_msg Error: Bad org list post-setup
+    echo ${orgs}
+    exit 1
+fi
+
+log_msg Checking bucket list post-setup
+declare buckets=$(curl -sk -H "Authorization: Token ${auth_token}" "https://localhost/api/v2/buckets?name=${TEST_BUCKET}" | jq -r .buckets[].name)
+if [[ ${buckets} != ${TEST_BUCKET} ]]; then
+    log_msg Error: Bad bucket list post-setup
+    echo ${buckets}
+    exit 1
+fi