From 9b2ddc859f5c9c45fbd05a7223e7dfa7ce80dd37 Mon Sep 17 00:00:00 2001
From: Gabriele Gerbino
Date: Wed, 16 Mar 2022 21:20:30 +0100
Subject: [PATCH] feat: add --skip-ca-certificates flag
Since CA certificates are 'global' entities in Kong, they cannot be managed on a per-workspace basis, making it hard to be handled declaratively with decK. This introduces a new --skip-ca-certificates to sync/dump/diff/reset to make sure CA certs are ignored when needed.
---
 cmd/common.go | 3 +++
 cmd/diff.go | 2 ++
 cmd/dump.go | 2 ++
 cmd/reset.go | 2 ++
 cmd/sync.go | 2 ++
 dump/dump.go | 21 +++++++++++++--------
 6 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/cmd/common.go b/cmd/common.go
index 4124e38bd..9787c0224 100644
--- a/cmd/common.go
+++ b/cmd/common.go
@@ -73,6 +73,9 @@ func syncMain(ctx context.Context, filenames []string, dry bool, parallelism,
 if dumpConfig.SkipConsumers {
 targetContent.Consumers = []file.FConsumer{}
 }
+ if dumpConfig.SkipCACerts {
+ targetContent.CACertificates = []file.FCACertificate{}
+ }
 rootClient, err := utils.GetKongClient(rootConfig)
 if err != nil {
diff --git a/cmd/diff.go b/cmd/diff.go
index 209adb67a..d58f13290 100644
--- a/cmd/diff.go
+++ b/cmd/diff.go
@@ -61,6 +61,8 @@ that will be created, updated, or deleted.
 false, "return exit code 2 if there is a diff present,\n"+
 "exit code 0 if no diff is found,\n"+
 "and exit code 1 if an error occurs.")
+ diffCmd.Flags().BoolVar(&dumpConfig.SkipCACerts, "skip-ca-certificates",
+ false, "do not diff CA certificates.")
 addSilenceEventsFlag(diffCmd.Flags())
 return diffCmd
 }
diff --git a/cmd/dump.go b/cmd/dump.go
index e4a9d3a76..cecd60549 100644
--- a/cmd/dump.go
+++ b/cmd/dump.go
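Review bot: In cmd/common.go the new branch in syncMain empties `targetContent.CACertificates` without telling the operator, so CA certificates that are present in the input file are dropped silently. These entries are trust anchors, and someone who adds one to the file and runs with `--skip-ca-certificates` gets no hint that it was never applied. I would report it before clearing the slice, for example under `if n := len(targetContent.CACertificates); n > 0 { ... }`, printing that n CA certificates from the file are ignored with whatever output helper this package already uses. syncMain starts and ends outside the hunk, so the placement relative to the later state fetch cannot be checked from here.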
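Review bot: In cmd/diff.go the help text `do not diff CA certificates.` leaves out what the flag does to the exit-code contract documented in the context lines just above it: with the flag set, a run can report no diff while the CA certificates in Kong differ from the file. A CI drift gate built on that exit code would then pass with changed trust anchors, so the help should say so, e.g. `false, "do not diff CA certificates; differences in them are not reported\n"+` followed by `"and do not affect the exit code.")`. The same terse wording is used in the cmd/reset.go and cmd/sync.go hunks, where it should state that CA certificates already present in Kong are left untouched.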
@@ -166,5 +166,7 @@ configure Kong.`,
 false, "export only the RBAC resources (Kong Enterprise only).")
 dumpCmd.Flags().BoolVar(&assumeYes, "yes",
 false, "assume 'yes' to prompts and run non-interactively.")
+ dumpCmd.Flags().BoolVar(&dumpConfig.SkipCACerts, "skip-ca-certificates",
+ false, "do not dump CA certificates.")
 return dumpCmd
 }
diff --git a/cmd/reset.go b/cmd/reset.go
index bf9213ac4..4cd72d4f9 100644
--- a/cmd/reset.go
+++ b/cmd/reset.go
@@ -118,6 +118,8 @@ By default, this command will ask for confirmation.`,
 "When this setting has multiple tag values, entities must match every tag.")
 resetCmd.Flags().BoolVar(&dumpConfig.RBACResourcesOnly, "rbac-resources-only",
 false, "reset only the RBAC resources (Kong Enterprise only).")
+ resetCmd.Flags().BoolVar(&dumpConfig.SkipCACerts, "skip-ca-certificates",
+ false, "do not reset CA certificates.")
 return resetCmd
 }
diff --git a/cmd/sync.go b/cmd/sync.go
index d439851ca..319b15aa2 100644
--- a/cmd/sync.go
+++ b/cmd/sync.go
@@ -58,6 +58,8 @@ to get Kong's state in sync with the input state.`,
 0, "artificial delay (in seconds) that is injected between insert operations \n"+
 "for related entities (usually for Cassandra deployments).\n"+
 "See 'db_update_propagation' in kong.conf.")
+ syncCmd.Flags().BoolVar(&dumpConfig.SkipCACerts, "skip-ca-certificates",
+ false, "do not sync CA certificates.")
 addSilenceEventsFlag(syncCmd.Flags())
 return syncCmd
 }
diff --git a/dump/dump.go b/dump/dump.go
index 759f79986..a78a6f0ba 100644
--- a/dump/dump.go
+++ b/dump/dump.go
@@ -20,6 +20,9 @@ type Config struct {
 // are not exported.
 SkipConsumers bool
+ // If true, CA certificates are not exported.
+ SkipCACerts bool
+
 // SelectorTags can be used to export entities tagged with only specific
 // tags.
 SelectorTags []string
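Review bot: In cmd/dump.go the help text `do not dump CA certificates.` does not warn that the resulting file is incomplete as a sync input. If that file is later passed to sync without `--skip-ca-certificates`, the missing entries would presumably be planned as deletions of every CA certificate in Kong, since sync brings Kong in line with the input state. I would extend the help string, e.g. `false, "do not dump CA certificates; sync the resulting file with\n"+` followed by `"--skip-ca-certificates as well.")`. The function that builds dumpCmd begins outside the hunk.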
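Review bot: In dump/dump.go the comment on `SkipCACerts` says only that CA certificates are "not exported", yet the cmd hunks of this patch bind the same field for diff, sync and reset, so it presumably also decides whether CA certificates in Kong are compared or removed. I would document that on the field in Go doc style: `// SkipCACerts, if true, leaves CA certificates out of the state read from Kong,` and `// so they are not exported, diffed, synced or reset.`. The Config struct starts and ends outside the hunk.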
@@ -185,14 +188,16 @@ func getProxyConfiguration(ctx context.Context, group *errgroup.Group,
 return nil
 })
- group.Go(func() error {
- caCerts, err := GetAllCACertificates(ctx, client, config.SelectorTags)
- if err != nil {
- return fmt.Errorf("ca-certificates: %w", err)
- }
- state.CACertificates = caCerts
- return nil
- })
+ if !config.SkipCACerts {
+ group.Go(func() error {
+ caCerts, err := GetAllCACertificates(ctx, client, config.SelectorTags)
+ if err != nil {
+ return fmt.Errorf("ca-certificates: %w", err)
+ }
+ state.CACertificates = caCerts
+ return nil
+ })
+ }
 group.Go(func() error {
 snis, err := GetAllSNIs(ctx, client, config.SelectorTags)