feat: use host ca bundle for PrivateCACert template function (#2208)

* feat: use host ca bundle for PrivateCACert template function

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

Author: emosbaugh

.github/workflows/ci.yaml

@@ -781,8 +781,6 @@ jobs:
             is-lxd: true
           - test: TestProxiedCustomCIDR
             is-lxd: true
-          - test: TestInstallWithPrivateCAs
-            is-lxd: true
           - test: TestInstallWithMITMProxy
             is-lxd: true
     steps:

.github/workflows/release-prod.yaml

@@ -582,8 +582,6 @@ jobs:
             is-lxd: true
           - test: TestProxiedCustomCIDR
             is-lxd: true
-          - test: TestInstallWithPrivateCAs
-            is-lxd: true
           - test: TestInstallWithMITMProxy
             is-lxd: true
     steps:

api/api_test.go

@@ -0,0 +1,105 @@
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/replicatedhq/embedded-cluster/api/types"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAPI_jsonError(t *testing.T) {
+	tests := []struct {
+		name     string
+		apiErr   *types.APIError
+		wantCode int
+		wantJSON map[string]any
+	}{
+		{
+			name: "simple error",
+			apiErr: &types.APIError{
+				StatusCode: http.StatusInternalServerError,
+				Message:    "invalid request",
+			},
+			wantCode: http.StatusInternalServerError,
+			wantJSON: map[string]any{
+				"status_code": float64(http.StatusInternalServerError),
+				"message":     "invalid request",
+			},
+		},
+		{
+			name: "field error",
+			apiErr: &types.APIError{
+				StatusCode: http.StatusBadRequest,
+				Message:    "validation error",
+				Field:      "username",
+			},
+			wantCode: http.StatusBadRequest,
+			wantJSON: map[string]any{
+				"status_code": float64(http.StatusBadRequest),
+				"message":     "validation error",
+				"field":       "username",
+			},
+		},
+		{
+			name: "error with nested errors",
+			apiErr: &types.APIError{
+				StatusCode: http.StatusBadRequest,
+				Message:    "multiple validation errors",
+				Errors: []*types.APIError{
+					{
+						Message: "field1 is required",
+						Field:   "field1",
+					},
+					{
+						Message: "field2 must be a number",
+						Field:   "field2",
+					},
+				},
+			},
+			wantCode: http.StatusBadRequest,
+			wantJSON: map[string]any{
+				"status_code": float64(http.StatusBadRequest),
+				"message":     "multiple validation errors",
+				"errors": []any{
+					map[string]any{
+						"message": "field1 is required",
+						"field":   "field1",
+					},
+					map[string]any{
+						"message": "field2 must be a number",
+						"field":   "field2",
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create a mock HTTP response recorder
+			rec := httptest.NewRecorder()
+
+			// Call the JSON method
+			api := &API{
+				logger: NewDiscardLogger(),
+			}
+			api.jsonError(rec, httptest.NewRequest("GET", "/api/test", nil), tt.apiErr)
+
+			// Check status code
+			assert.Equal(t, tt.wantCode, rec.Code, "Status code should match")
+
+			// Check content type header
+			contentType := rec.Header().Get("Content-Type")
+			assert.Equal(t, "application/json", contentType, "Content-Type header should be application/json")
+
+			// Parse and check the JSON response
+			var gotJSON map[string]any
+			err := json.Unmarshal(rec.Body.Bytes(), &gotJSON)
+			assert.NoError(t, err, "Should be able to parse the JSON response")
+			assert.Equal(t, tt.wantJSON, gotJSON, "JSON response should match expected structure")
+		})
+	}
+}

cmd/installer/cli/enable_ha.go

@@ -91,5 +91,5 @@ func runEnableHA(ctx context.Context) error {
 	loading := spinner.Start()
 	defer loading.Close()
 
-	return addons.EnableHA(ctx, kcli, kclient, hcli, in.Spec.Network.ServiceCIDR, in.Spec, loading)
+	return addons.EnableHA(ctx, logrus.Debugf, kcli, kclient, hcli, in.Spec.Network.ServiceCIDR, in.Spec, loading)
 }

cmd/installer/cli/install.go

@@ -76,7 +76,6 @@ type InstallCmdFlags struct {
 	localArtifactMirrorPort int
 	assumeYes               bool
 	overrides               string
-	privateCAs              []string
 	skipHostPreflights      bool
 	ignoreHostPreflights    bool
 	configValues            string
@@ -185,7 +184,13 @@ func addInstallFlags(cmd *cobra.Command, flags *InstallCmdFlags) error {
 		return err
 	}
 
-	cmd.Flags().StringSliceVar(&flags.privateCAs, "private-ca", []string{}, "Path to a trusted private CA certificate file")
+	cmd.Flags().StringSlice("private-ca", []string{}, "Path to a trusted private CA certificate file")
+	if err := cmd.Flags().MarkHidden("private-ca"); err != nil {
+		return err
+	}
+	if err := cmd.Flags().MarkDeprecated("private-ca", "This flag is no longer used and will be removed in a future version. The CA bundle will be automatically detected from the host."); err != nil {
+		return err
+	}
 
 	if err := addProxyFlags(cmd); err != nil {
 		return err
@@ -602,13 +607,12 @@ func runInstall(ctx context.Context, name string, flags InstallCmdFlags, metrics
 	defer hcli.Close()
 
 	logrus.Debugf("installing addons")
-	if err := addons.Install(ctx, hcli, addons.InstallOptions{
+	if err := addons.Install(ctx, logrus.Debugf, hcli, addons.InstallOptions{
 		AdminConsolePwd:         flags.adminConsolePassword,
 		License:                 flags.license,
 		IsAirgap:                flags.airgapBundle != "",
 		Proxy:                   flags.proxy,
 		HostCABundlePath:        runtimeconfig.HostCABundlePath(),
-		PrivateCAs:              flags.privateCAs,
 		TLSCertBytes:            flags.tlsCertBytes,
 		TLSKeyBytes:             flags.tlsKeyBytes,
 		Hostname:                flags.hostname,

cmd/installer/cli/install_runpreflights.go

@@ -99,7 +99,6 @@ func runInstallPreflights(ctx context.Context, flags InstallCmdFlags, metricsRep
 		ServiceCIDR:          flags.cidrCfg.ServiceCIDR,
 		GlobalCIDR:           flags.cidrCfg.GlobalCIDR,
 		NodeIP:               nodeIP,
-		PrivateCAs:           flags.privateCAs,
 		IsAirgap:             flags.isAirgap,
 		SkipHostPreflights:   flags.skipHostPreflights,
 		IgnoreHostPreflights: flags.ignoreHostPreflights,

cmd/installer/cli/join.go

@@ -625,6 +625,7 @@ func maybeEnableHA(ctx context.Context, kcli client.Client, flags JoinCmdFlags,
 
 	return addons.EnableHA(
 		ctx,
+		logrus.Debugf,
 		kcli,
 		kclient,
 		hcli,

cmd/installer/cli/restore.go

@@ -434,11 +434,10 @@ func runRestoreStepNew(ctx context.Context, name string, flags InstallCmdFlags,
 	// TODO (@salah): update installation status to reflect what's happening
 
 	logrus.Debugf("installing addons")
-	if err := addons.Install(ctx, hcli, addons.InstallOptions{
+	if err := addons.Install(ctx, logrus.Debugf, hcli, addons.InstallOptions{
 		IsAirgap:           flags.airgapBundle != "",
 		Proxy:              flags.proxy,
 		HostCABundlePath:   runtimeconfig.HostCABundlePath(),
-		PrivateCAs:         flags.privateCAs,
 		ServiceCIDR:        flags.cidrCfg.ServiceCIDR,
 		IsRestore:          true,
 		EmbeddedConfigSpec: embCfgSpec,
@@ -580,7 +579,7 @@ func runRestoreEnableAdminConsoleHA(ctx context.Context, flags InstallCmdFlags,
 	}
 	defer hcli.Close()
 
-	err = addons.EnableAdminConsoleHA(ctx, kcli, hcli, flags.isAirgap, flags.cidrCfg.ServiceCIDR, flags.proxy, in.Spec.Config, in.Spec.LicenseInfo)
+	err = addons.EnableAdminConsoleHA(ctx, logrus.Debugf, kcli, hcli, flags.isAirgap, flags.cidrCfg.ServiceCIDR, flags.proxy, in.Spec.Config, in.Spec.LicenseInfo)
 	if err != nil {
 		return err
 	}

e2e/proxy_test.go

@@ -337,7 +337,6 @@ func TestInstallWithMITMProxy(t *testing.T) {
 	installSingleNodeWithOptions(t, tc, installOptions{
 		httpProxy:  lxd.HTTPMITMProxy,
 		httpsProxy: lxd.HTTPMITMProxy,
-		privateCA:  "/usr/local/share/ca-certificates/proxy/ca.crt",
 		withEnv:    lxd.WithMITMProxyEnv(tc.IPs),
 	})
 

e2e/shared.go

@@ -32,7 +32,6 @@ type installOptions struct {
 	httpProxy               string
 	httpsProxy              string
 	noProxy                 string
-	privateCA               string
 	configValuesFile        string
 	networkInterface        string
 	dataDir                 string
@@ -116,9 +115,6 @@ func installSingleNodeWithOptions(t *testing.T, tc cluster.Cluster, opts install
 	if opts.noProxy != "" {
 		line = append(line, "--no-proxy", opts.noProxy)
 	}
-	if opts.privateCA != "" {
-		line = append(line, "--private-ca", opts.privateCA)
-	}
 	if opts.configValuesFile != "" {
 		line = append(line, "--config-values", opts.configValuesFile)
 	}