Add TLS CLI commands #41418

cescoffier · 2024-06-25T11:13:36Z

This PR introduces two new CLI commands to enhance TLS management:

Generate and install a Quarkus Development CA.
Create certificates, either signed with the generated CA or unsigned.

Fix #41010

github-actions · 2024-06-27T12:39:56Z

🙈 The PR is closed and the preview is expired.

gsmet

Sorry it took so long.

Most of the comments are related to the doc but... there are some other important comments.

docs/src/main/asciidoc/tls-registry-reference.adoc

gsmet · 2024-07-02T12:24:26Z

docs/src/main/asciidoc/tls-registry-reference.adoc

+                        alias in the keystore
+  -p, --password=<password>
+                      The password of the keystore. Default is 'password'
+  -r, --renew         Whether existing certificates will need to be replaced


Would it have value to be able to generate a certificate from a given CA?

you mean a CA you already own? I would need the private key. I would rather not do that for security reasons.

docs/src/main/asciidoc/tls-registry-reference.adoc

extensions/tls-registry/cli/src/main/java/io/quarkus/tls/cli/GenerateCertificateCommand.java

docs/src/main/asciidoc/tls-registry-reference.adoc

gsmet · 2024-07-02T12:30:43Z

build-parent/pom.xml

+            <dependency>
+                <groupId>me.escoffier.certs</groupId>
+                <artifactId>certificate-generator</artifactId>
+                <version>0.7.1</version>
+            </dependency>


I think we should move these projects to the Quarkus or the SmallRye org. And same for the groupId.

For tests, it was mostly OK but I wouldn't be comfortable with having some CLI/runtime stuff hosted outside of our community namespaces. And this especially since they are security components.

Both for security and for the future.

I won't require this to get the PR in but we need to have a plan and a deadline for it.

It's still the goal. I would go to SmallRye as the project has a lot of tests, and I don't want to use Quarkus CI time for this.

Will work on something tomorrow.

See #41665

Do not resolve this conversation - once the mentioned PR is merged, there is some work to do to transition to this new dependency.

iocanel · 2024-07-03T07:51:35Z

extensions/tls-registry/runtime/src/main/resources/META-INF/quarkus-extension.yaml

@@ -8,3 +8,5 @@ metadata:
  unlisted: true
  config:
  - "quarkus.tls."
+  cli-plugins:
+  - "${project.groupId}:quarkus-tls-registry-cli:${project.version}"


Suggested change

- "${project.groupId}:quarkus-tls-registry-cli:${project.version}"

- tls: "${project.groupId}:quarkus-tls-registry-cli:${project.version}"

As of #40580 we can prefix the maven coordinates with an alias.
In this case tls: .

Did the changes.

cli-plugins: - "tls: ${project.groupId}:quarkus-tls-registry-cli:${project.version}"

extensions/tls-registry/cli/src/main/java/io/quarkus/tls/cli/TlsCommand.java

iocanel · 2024-07-03T08:20:32Z

docs/src/main/asciidoc/tls-registry-reference.adoc

+> quarkus tls-registry
+Install and Manage TLS development certificates
+Usage: tls-registry [COMMAND]
+Commands:


We could optionally pull the generate- prefix as an intermediate sub-command:

quarkus tls generate qukarus-ca quarkus tls generate certificate ```

Good question. What's the recommendation?

I think I would keep it as it is for now. They are fundamentally different operations.

iocanel

LGTM

gsmet · 2024-07-04T16:31:22Z

@cescoffier I think you will need to update this one with the new artifacts.

cescoffier · 2024-07-05T12:52:01Z

@gsmet Yes! On it!

This commit introduces two new CLI commands to enhance TLS management: - Generate and install a Quarkus Development CA. - Create certificates, either signed with the generated CA or unsigned. As the generated certificates are generated in ``$project-directory/.certs`, this directory is added to the generated .gitignore. The CLI uses the new alias supported added in quarkusio#40580, and thus the commands are behind: `quarkus tls`

cescoffier · 2024-07-05T13:12:50Z

@gsmet Done.

quarkus-bot · 2024-07-05T13:35:16Z

Status for workflow `Quarkus Documentation CI`

This is the status report for running Quarkus Documentation CI on commit da8d7a9.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

⚠️ There are other workflow runs running, you probably need to wait for their status before merging.

quarkus-bot · 2024-07-05T18:32:55Z

Status for workflow `Quarkus CI`

This is the status report for running Quarkus CI on commit da8d7a9.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

quarkus-bot bot added area/dependencies Pull requests that update a dependency file area/documentation labels Jun 25, 2024