wip: integrate certmanager to rpxy-bin along with existing old rustls

rpxy-bin/src/config/mod.rs

@@ -4,6 +4,6 @@ mod toml;
 
 pub use {
   self::toml::ConfigToml,
-  parse::{build_settings, parse_opts},
+  parse::{build_cert_manager, build_settings, parse_opts},
   service::ConfigTomlReloader,
 };

rpxy-bin/src/config/parse.rs

@@ -4,7 +4,10 @@ use crate::{
   error::{anyhow, ensure},
 };
 use clap::{Arg, ArgAction};
+use hot_reload::{ReloaderReceiver, ReloaderService};
+use rpxy_certs::{build_cert_reloader, CryptoFileSourceBuilder, CryptoReloader, ServerCryptoBase};
 use rpxy_lib::{AppConfig, AppConfigList, ProxyConfig};
+use rustc_hash::FxHashMap as HashMap;
 
 /// Parsed options
 pub struct Opts {
@@ -37,20 +40,13 @@ pub fn parse_opts() -> Result<Opts, anyhow::Error> {
   let config_file_path = matches.get_one::<String>("config_file").unwrap().to_owned();
   let watch = matches.get_one::<bool>("watch").unwrap().to_owned();
 
-  Ok(Opts {
-    config_file_path,
-    watch,
-  })
+  Ok(Opts { config_file_path, watch })
 }
 
-pub fn build_settings(
-  config: &ConfigToml,
-) -> std::result::Result<(ProxyConfig, AppConfigList<CryptoFileSource>), anyhow::Error> {
-  ///////////////////////////////////
+pub fn build_settings(config: &ConfigToml) -> std::result::Result<(ProxyConfig, AppConfigList<CryptoFileSource>), anyhow::Error> {
   // build proxy config
   let proxy_config: ProxyConfig = config.try_into()?;
 
-  ///////////////////////////////////
   // backend_apps
   let apps = config.apps.clone().ok_or(anyhow!("Missing application spec"))?;
 
@@ -95,3 +91,32 @@ pub fn build_settings(
 
   Ok((proxy_config, app_config_list))
 }
+
+/* ----------------------- */
+/// Build cert map
+pub async fn build_cert_manager(
+  config: &ConfigToml,
+) -> Result<
+  (
+    ReloaderService<CryptoReloader, ServerCryptoBase>,
+    ReloaderReceiver<ServerCryptoBase>,
+  ),
+  anyhow::Error,
+> {
+  let apps = config.apps.as_ref().ok_or(anyhow!("No apps"))?;
+  let mut crypto_source_map = HashMap::default();
+  for app in apps.0.values() {
+    if let Some(tls) = app.tls.as_ref() {
+      ensure!(tls.tls_cert_key_path.is_some() && tls.tls_cert_path.is_some());
+      let server_name = app.server_name.as_ref().ok_or(anyhow!("No server name"))?;
+      let crypto_file_source = CryptoFileSourceBuilder::default()
+        .tls_cert_path(tls.tls_cert_path.as_ref().unwrap())
+        .tls_cert_key_path(tls.tls_cert_key_path.as_ref().unwrap())
+        .client_ca_cert_path(tls.client_ca_cert_path.as_deref())
+        .build()?;
+      crypto_source_map.insert(server_name.to_owned(), crypto_file_source);
+    }
+  }
+  let res = build_cert_reloader(&crypto_source_map, None).await?;
+  Ok(res)
+}

rpxy-bin/src/main.rs

@@ -8,8 +8,9 @@ mod error;
 mod log;
 
 use crate::{
-  config::{build_settings, parse_opts, ConfigToml, ConfigTomlReloader},
+  config::{build_cert_manager, build_settings, parse_opts, ConfigToml, ConfigTomlReloader},
   constants::CONFIG_WATCH_DELAY_SECS,
+  error::*,
   log::*,
 };
 use hot_reload::{ReloaderReceiver, ReloaderService};
@@ -36,13 +37,10 @@ fn main() {
         std::process::exit(1);
       }
     } else {
-      let (config_service, config_rx) = ReloaderService::<ConfigTomlReloader, ConfigToml>::new(
-        &parsed_opts.config_file_path,
-        CONFIG_WATCH_DELAY_SECS,
-        false,
-      )
-      .await
-      .unwrap();
+      let (config_service, config_rx) =
+        ReloaderService::<ConfigTomlReloader, ConfigToml>::new(&parsed_opts.config_file_path, CONFIG_WATCH_DELAY_SECS, false)
+          .await
+          .unwrap();
 
       tokio::select! {
         Err(e) = config_service.start() => {
@@ -53,6 +51,9 @@ fn main() {
           error!("rpxy service existed: {e}");
           std::process::exit(1);
         }
+        else => {
+          std::process::exit(0);
+        }
       }
     }
   });
@@ -63,23 +64,22 @@ async fn rpxy_service_without_watcher(
   runtime_handle: tokio::runtime::Handle,
 ) -> Result<(), anyhow::Error> {
   info!("Start rpxy service");
-  let config_toml = match ConfigToml::new(config_file_path) {
-    Ok(v) => v,
-    Err(e) => {
-      error!("Invalid toml file: {e}");
-      std::process::exit(1);
-    }
-  };
-  let (proxy_conf, app_conf) = match build_settings(&config_toml) {
-    Ok(v) => v,
-    Err(e) => {
-      error!("Invalid configuration: {e}");
-      return Err(anyhow::anyhow!(e));
-    }
-  };
-  entrypoint(&proxy_conf, &app_conf, &runtime_handle, None)
+  let config_toml = ConfigToml::new(config_file_path).map_err(|e| anyhow!("Invalid toml file: {e}"))?;
+  let (proxy_conf, app_conf) = build_settings(&config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?;
+  let (cert_service, cert_rx) = build_cert_manager(&config_toml)
     .await
-    .map_err(|e| anyhow::anyhow!(e))
+    .map_err(|e| anyhow!("Invalid cert configuration: {e}"))?;
+
+  tokio::select! {
+    rpxy_res = entrypoint(&proxy_conf, &app_conf, &runtime_handle, None) => {
+      error!("rpxy entrypoint exited");
+      rpxy_res.map_err(|e| anyhow!(e))
+    }
+    cert_res = cert_service.start() => {
+      error!("cert reloader service exited");
+      cert_res.map_err(|e| anyhow!(e))
+    }
+  }
 }
 
 async fn rpxy_service_with_watcher(
@@ -89,14 +89,15 @@ async fn rpxy_service_with_watcher(
   info!("Start rpxy service with dynamic config reloader");
   // Initial loading
   config_rx.changed().await?;
-  let config_toml = config_rx.borrow().clone().unwrap();
-  let (mut proxy_conf, mut app_conf) = match build_settings(&config_toml) {
-    Ok(v) => v,
-    Err(e) => {
-      error!("Invalid configuration: {e}");
-      return Err(anyhow::anyhow!(e));
-    }
-  };
+  let config_toml = config_rx
+    .borrow()
+    .clone()
+    .ok_or(anyhow!("Something wrong in config reloader receiver"))?;
+  let (mut proxy_conf, mut app_conf) = build_settings(&config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?;
+
+  let (mut cert_service, mut cert_rx) = build_cert_manager(&config_toml)
+    .await
+    .map_err(|e| anyhow!("Invalid cert configuration: {e}"))?;
 
   // Notifier for proxy service termination
   let term_notify = std::sync::Arc::new(tokio::sync::Notify::new());
@@ -104,16 +105,15 @@ async fn rpxy_service_with_watcher(
   // Continuous monitoring
   loop {
     tokio::select! {
-      _ = entrypoint(&proxy_conf, &app_conf, &runtime_handle, Some(term_notify.clone())) => {
+      rpxy_res = entrypoint(&proxy_conf, &app_conf, &runtime_handle, Some(term_notify.clone())) => {
         error!("rpxy entrypoint exited");
-        break;
+        return rpxy_res.map_err(|e| anyhow!(e));
       }
       _ = config_rx.changed() => {
-        if config_rx.borrow().is_none() {
+        let Some(config_toml) = config_rx.borrow().clone() else {
           error!("Something wrong in config reloader receiver");
-          break;
-        }
-        let config_toml = config_rx.borrow().clone().unwrap();
+          return Err(anyhow!("Something wrong in config reloader receiver"));
+        };
         match build_settings(&config_toml) {
           Ok((p, a)) => {
             (proxy_conf, app_conf) = (p, a)
@@ -123,13 +123,27 @@ async fn rpxy_service_with_watcher(
             continue;
           }
         };
+        match build_cert_manager(&config_toml).await {
+          Ok((c, r)) => {
+            (cert_service, cert_rx) = (c, r)
+          },
+          Err(e) => {
+            error!("Invalid cert configuration. Configuration does not updated: {e}");
+            continue;
+          }
+        };
+
         info!("Configuration updated. Terminate all spawned proxy services and force to re-bind TCP/UDP sockets");
         term_notify.notify_waiters();
         // tokio::time::sleep(tokio::time::Duration::from_secs(1)).await;
       }
+      cert_res = cert_service.start() => {
+        error!("cert reloader service exited");
+        return cert_res.map_err(|e| anyhow!(e));
+      }
       else => break
     }
   }
 
-  Err(anyhow::anyhow!("rpxy or continuous monitoring service exited"))
+  Ok(())
 }