Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(op-signer): generate TLS certs using Docker #255

Merged
merged 10 commits into from
Mar 24, 2025
Merged

feat(op-signer): generate TLS certs using Docker #255

merged 10 commits into from
Mar 24, 2025

Conversation

ddaws
Copy link
Contributor

@ddaws ddaws commented Mar 21, 2025
edited
Loading

Use Docker for OpenSSL Operations

This PR updates the gen-local-tls.sh script to use Docker for all OpenSSL operations, eliminating the need for local OpenSSL installation and version compatibility checks.

Changes

  • Replace direct OpenSSL calls with containerized execution using alpine/openssl:3.3.3
  • Run Docker container with current user's UID/GID to avoid permission issues
  • Create a proper OpenSSL config file instead of using process substitution

This approach ensures consistent behavior across different development environments and simplifies the setup process for new contributors.

Testing

I have tested this change by running

$ rm -r tls/
/.../ttz/op-infra/op-signer $ ./gen-local-tls.sh 
Generating mTLS credentials for local development...
Generating CA
.+.....+.+..+.......+.....+.+.........+........+............+.+++++++++++++++++++++++++++++++++++++++*...+........+...+..........+++++++++++++++++++++++++++++++++++++++*..........+..+.........+...+...+.......+.....+...+...+....+.....+.+.........+...+....................+....+...+..+...+......+....+......+............+...+..+.......++++++
..+...+..+...+...+.+.........+.........+..+.+..+.+.................+....+......+...+..+...+....+......+++++++++++++++++++++++++++++++++++++++*.........+......+.+...+..+....+.....+...+..........+.....+.+.....+..........+......+........+++++++++++++++++++++++++++++++++++++++*..+...+....+........+......+....+...+............+..+...+..........+.....+.............+..+...+..........+........+.+.....+.+...+..+...+.......+...............+...+.....+......+....+...............+..+...+....+........+...+....+............+........+...+...+....+.....+...+.......+.................+.+............+..+......+..........+...+......+....................+.+...+...........+.........+.+...+......+..+.......+...+...+.........+..+.............+...+..............+.+..+.+....................+......+.+...............+..............+...+.......+.........+..+..........+...+.....+....+..+....+......+.....+...+.+.....+....+.....+...........................+..........+.....+....+..+....+......+...+.........+.....+......+.+.....+.........+.........+..........+......+.....+....+.................+......+...+.+......+..+...+....+......+........+..........+..+...+....+...........+.+...........+...+......+.+.................+...+.............+.........+...+.........+........+...+.......+.....+...++++++
-----
Generating TLS certificate request
Certificate request self-signature ok
subject=O=OP Labs, CN=localhost
TLS certificates generated successfully in /<local path>/op-infra/op-signer/tls

@ddaws ddaws mentioned this pull request Mar 21, 2025
Merged
ddaws
ddaws commented Mar 21, 2025
View reviewed changes
@ddaws ddaws marked this pull request as ready for review March 21, 2025 04:54
@ddaws ddaws requested a review from a team as a code owner March 21, 2025 04:54
@ddaws ddaws requested a review from ajsutton March 21, 2025 04:54
@codecov-commenter
Copy link

codecov-commenter commented Mar 22, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 53.43%. Comparing base (ddca10c) to head (c85d3f1).
Report is 1 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main     #255      +/-   ##
==========================================
- Coverage   53.63%   53.43%   -0.20%     
==========================================
  Files          67       67              
  Lines        7881     7753     -128     
==========================================
- Hits         4227     4143      -84     
+ Misses       3373     3332      -41     
+ Partials      281      278       -3
Flag Coverage Δ
op-signer 47.60% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

see 2 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@edobry edobry changed the title Generate op-signer TLS certs using Docker feat(op-signer): generate TLS certs using Docker Mar 24, 2025
@edobry
Copy link
Contributor

edobry commented Mar 24, 2025
edited
Loading

I ran into this error when testing locally:

❯ curl --cert tls/tls.crt --key tls/tls.key -X POST -H "Content-Type: application/json" -d @test-rpc.json https://localhost:8080

client certificate verified but did not contain DNS SAN extension

and have made some changes to fix it, the necessary step was adding -extensions san to the client certificate generation command

Great contribution btw, ty!

@edobry edobry merged commit b10b103 into ethereum-optimism:main Mar 24, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edobry edobry edobry approved these changes

@ajsutton ajsutton Awaiting requested review from ajsutton ajsutton is a code owner automatically assigned from ethereum-optimism/infra-reviewers

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ddaws @codecov-commenter @edobry