Enforce soft failure when mtls data not available

pjbgf · pjbgf · commit 5c0c63d8f795 · 2025-11-03T22:21:41.000Z
The mtls data storage is largely a convenience feature which enables things
such as mime handling. This change ensures that a profile can still be started
regardless of it.

Signed-off-by: Paulo Gomes &lt;pjbgf@linux.com&gt;
diff --git a/internal/profiles/profiles.go b/internal/profiles/profiles.go
@@ -688,7 +688,7 @@ func createNewDisplay(bin string, ca, cert, key []byte, profile *types.Profile,
 
 	err = storeMtlsData(profile.Name, string(ca), string(cert), string(key))
 	if err != nil {
-		return err
+		slog.Error("failed storing mtls data", "error", err)
 	}
 
 	output, err := cmd.CombinedOutput()
diff --git a/internal/runners/docker/run.go b/internal/runners/docker/run.go
@@ -272,27 +272,16 @@ func Run(ew types.EffectiveWorkload) error {
 		// Since the implementation of mTLS, workloads granted mime handling
 		// need the mTLS creds so that they can communicate with the inception
 		// server.
-		ks := keyring.New(ew.Profile.Name, backend.New())
-		ca, err := ks.Get(keyring.MtlsCA)
-		if err != nil {
-			return err
-		}
 
-		cert, err := ks.Get(keyring.MtlsClientCert)
-		if err != nil {
-			return err
-		}
+		if ca, cert, key, ok := mtlsData(ew.Profile.Name); ok {
+			slog.Debug("mime access: enabled")
 
-		key, err := ks.Get(keyring.MtlsClientKey)
-		if err != nil {
-			return err
+			cmd.Env = append(os.Environ(), "Q_MTLS_CA="+ca)
+			cmd.Env = append(cmd.Env, "Q_MTLS_CERT="+cert)
+			cmd.Env = append(cmd.Env, "Q_MTLS_KEY="+key)
+		} else {
+			slog.Debug("mime access: skipped")
 		}
-
-		slog.Debug("enabling mime access")
-
-		cmd.Env = append(os.Environ(), "Q_MTLS_CA="+ca)
-		cmd.Env = append(cmd.Env, "Q_MTLS_CERT="+cert)
-		cmd.Env = append(cmd.Env, "Q_MTLS_KEY="+key)
 	}
 
 	cmd.Stderr = os.Stderr
@@ -302,6 +291,29 @@ func Run(ew types.EffectiveWorkload) error {
 	return cmd.Run()
 }
 
+func mtlsData(name string) (string, string, string, bool) {
+	ks := keyring.New(name, backend.New())
+	ca, err := ks.Get(keyring.MtlsCA)
+	if err != nil {
+		slog.Error("failed to fetch mtls-ca", "error", err)
+		return "", "", "", false
+	}
+
+	cert, err := ks.Get(keyring.MtlsClientCert)
+	if err != nil {
+		slog.Error("failed to fetch mtls-client-cert", "error", err)
+		return "", "", "", false
+	}
+
+	key, err := ks.Get(keyring.MtlsClientKey)
+	if err != nil {
+		slog.Error("failed to fetch mtls-client-key", "error", err)
+		return "", "", "", false
+	}
+
+	return ca, cert, key, true
+}
+
 func getHomeDir(image string) (string, error) {
 	args := []string{"run", "--rm", image, "ls", "/home"}
 

Original file line number	Diff line number	Diff line change
`@@ -688,7 +688,7 @@ func createNewDisplay(bin string, ca, cert, key []byte, profile *types.Profile,`
`688`	`688`
`689`	`689`	`err = storeMtlsData(profile.Name, string(ca), string(cert), string(key))`
`690`	`690`	`if err != nil {`
`691`		`- return err`
	`691`	`+ slog.Error("failed storing mtls data", "error", err)`
`692`	`692`	`}`
`693`	`693`
`694`	`694`	`output, err := cmd.CombinedOutput()`