diff --git a/services/tunnelbroker/Dockerfile b/services/tunnelbroker/Dockerfile
index 1fa6bf740..6f526b718 100644
--- a/services/tunnelbroker/Dockerfile
+++ b/services/tunnelbroker/Dockerfile
@@ -1,36 +1,35 @@
 FROM rust:1.70-bullseye as builder
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
 build-essential cmake git libgtest-dev libssl-dev zlib1g-dev \
 && rm -rf /var/lib/apt/lists/* \
 && mkdir -p /home/root/app/
 WORKDIR /home/root/app
 # Install more recent version of protobuf, must be ran as root
 COPY scripts/install_protobuf.sh ../../scripts/install_protobuf.sh
 RUN ../../scripts/install_protobuf.sh
 COPY services/tunnelbroker .
-COPY shared/protos ../../shared/protos
-COPY shared/tunnelbroker_messages ../../shared/tunnelbroker_messages
+COPY shared ../../shared/
 RUN cargo install --path .
 FROM debian:bullseye-slim as runner
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
 ca-certificates \
 && rm -rf /var/lib/apt/lists/* \
 && useradd -m comm \
 && mkdir -p /home/comm/app/tunnelbroker
 WORKDIR /home/comm/app/tunnelbroker
 COPY --from=builder /usr/local/cargo/bin/tunnelbroker \
 /usr/local/bin/tunnelbroker
 USER comm
 CMD ["tunnelbroker"]
diff --git a/services/tunnelbroker/make_docker_image.sh b/services/tunnelbroker/make_docker_image.sh
index a35507c1b..4fd003524 100755
--- a/services/tunnelbroker/make_docker_image.sh
+++ b/services/tunnelbroker/make_docker_image.sh
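Review bot: `COPY shared ../../shared/` (and the matching `cp -r "${SCRIPT_DIR}/../../shared" "$BUILD_DIR"/` in make_docker_image.sh) stages the entire `shared` tree instead of the two directories the crate needs, so the build context and the builder layer now grow with everything under `shared`, and any edit anywhere in that tree invalidates the `cargo install` layer cache. If a crate under `shared` has been built in place (grpc_clients, whose build.rs is in this diff, is one candidate), its `target/` directory is copied as well, and so is anything untracked such as local config files, all of which then lands in the builder image. Since the runner stage copies only the binary nothing reaches the runtime image, but I would prune build output when staging the context, e.g. right after the cp: `find "$BUILD_DIR/shared" -type d -name target -prune -exec rm -rf {} +`. Alternatively narrow the copy back to the `shared` crates that Cargo.toml actually references.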
@@ -1,19 +1,17 @@
 #!/usr/bin/env bash
 # This file exists to make a smaller docker context, so that building it is
 # significantly faster and requires less system resources
 SCRIPT_DIR="$(cd "$(dirname "$0")" || exit 1; pwd -P)"
 BUILD_DIR="${SCRIPT_DIR}/target/oci_image"
 rm -rf "$BUILD_DIR"
 mkdir -p "$BUILD_DIR"/{scripts,shared,services/tunnelbroker}
 cp "$SCRIPT_DIR/../../scripts/install_protobuf.sh" "$BUILD_DIR"/scripts
-cp -r "${SCRIPT_DIR}/../../shared/protos" "$BUILD_DIR"/shared/protos
-cp -r "${SCRIPT_DIR}/../../shared/tunnelbroker_messages" \
- "$BUILD_DIR"/shared/tunnelbroker_messages
+cp -r "${SCRIPT_DIR}/../../shared" "$BUILD_DIR"/
 cp -r "${SCRIPT_DIR}"/{Cargo.toml,Cargo.lock,build.rs,src} \
 "$BUILD_DIR"/services/tunnelbroker/
 docker build "$@" -f "${SCRIPT_DIR}/Dockerfile" "$BUILD_DIR"
diff --git a/shared/grpc_clients/build.rs b/shared/grpc_clients/build.rs
index bd2e351a8..ccd4134d2 100644
--- a/shared/grpc_clients/build.rs
+++ b/shared/grpc_clients/build.rs
@@ -1,13 +1,17 @@
 fn main() {
 tonic_build::configure()
 .build_server(false)
 .compile(
 &[
 "../protos/identity_client.proto",
 "../protos/identity_authenticated.proto",
 "../protos/tunnelbroker.proto",
 ],
 &["../protos"],
 )
 .unwrap_or_else(|e| panic!("Failed to compile protos {:?}", e));
+
+ println!("cargo:rerun-if-changed=../protos/identity_client.proto");
+ println!("cargo:rerun-if-changed=../protos/identity_authenticated.proto");
+ println!("cargo:rerun-if-changed=../protos/tunnelbroker.proto");
 }
diff --git a/shared/grpc_clients/src/lib.rs b/shared/grpc_clients/src/lib.rs
index 4de7dcfec..8bb5ae07d 100644
--- a/shared/grpc_clients/src/lib.rs
+++ b/shared/grpc_clients/src/lib.rs
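Review bot: The three `rerun-if-changed` lines added at the end of `main` cover only the three top-level proto files, so if any of them imports another `.proto` under `../protos`, an edit to that imported file would not trigger a rebuild, and the path list is now duplicated with the one passed to `.compile(...)`, so the two can drift apart. Cargo treats a directory path as a request to scan that whole tree, so one line covers both concerns: `println!("cargo:rerun-if-changed=../protos");`. If per-file entries are preferred, hoist the three paths into a `const PROTOS: &[&str]` that both the `.compile` call and a loop printing the directives read from.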
@@ -1,42 +1,45 @@
 pub mod error;
 pub mod identity;
 pub mod tunnelbroker;
+// Re-export some dependencies which may need to be used by downstream crates
+pub use tonic;
+
 use error::Error;
 use std::path::Path;
 use tonic::transport::{Certificate, Channel, ClientTlsConfig};
 use tracing::info;
 const CERT_PATHS: &'static [&'static str] = &[
 // MacOS and newer Ubuntu
 "/etc/ssl/cert.pem",
 // Common CA cert paths
 "/etc/ssl/certs/ca-bundle.crt",
 "/etc/ssl/certs/ca-certificates.crt",
 ];
 pub(crate) fn get_ca_cert_contents() -> Option {
 CERT_PATHS
 .iter()
 .map(Path::new)
 .filter(|p| p.exists())
 .filter_map(|f| std::fs::read_to_string(f).ok())
 .next()
 }
 pub(crate) async fn get_grpc_service_channel(
 url: &str,
 ) -> Result {
 let ca_cert = crate::get_ca_cert_contents().expect("Unable to get CA bundle");
 info!("Connecting to gRPC service at {}", url);
 let mut channel = Channel::from_shared(url.to_string())?;
 // tls_config will fail if the underlying URI is only http://
 if url.starts_with("https:") {
 channel = channel.tls_config(
 ClientTlsConfig::new().ca_certificate(Certificate::from_pem(&ca_cert)),
 )?
 }
 Ok(channel.connect().await?)
 }
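Review bot: `pub use tonic;` makes tonic part of this crate's public API — any downstream code that names types through `grpc_clients::tonic::...` would compile against exactly the tonic version pinned here, so a later tonic upgrade becomes a breaking change for those crates — yet the `//` comment above it is an ordinary comment and will not show up in rustdoc. I would make it a doc comment that states the contract, e.g. `/// Re-export of the tonic crate so downstream code can use the exact version this crate was built against without pinning its own copy.`. The three added lines are the only change in this hunk; the rest is unchanged context.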