
fix: certificate generation and Vault recovery bugs#970

Open
sinchubhat wants to merge 3 commits into
mainfrom
issue573-deployment

Conversation

Contributor

@sinchubhat sinchubhat commented May 13, 2026

  • Return parsed certificate instead of template struct (empty .Raw field) in GenerateRootCertificate and IssueWebServerCertificate
  • Validate certificates loaded from Vault and delete if malformed
  • Persist web server certificate files to disk when loading from Vault (CIRA server reads cert files from disk)
  • Persist web server certificate files to disk after generation

Addresses device-management-toolkit/deployment#573

Output:

docker logs device-management-toolkit-console-1
2026/05/14 05:15:15 Migrate: postgres is trying to connect, attempts left: 20
2026/05/14 05:15:16 Migrate: postgres is trying to connect, attempts left: 19
2026/05/14 05:15:17 Migrate: postgres is trying to connect, attempts left: 18
2026/05/14 05:15:18 Migrate: postgres is trying to connect, attempts left: 17
2026/05/14 05:15:19 Migrate: postgres is trying to connect, attempts left: 16
2026/05/14 05:15:20 Migrate: postgres is trying to connect, attempts left: 15
2026/05/14 05:15:21 Migrate: postgres is trying to connect, attempts left: 14
2026/05/14 05:15:22 Migrate: up success
2026/05/14 05:15:22 Connected to secret store at: http://vault:8200
2026/05/14 05:15:22 Could not load root certificate from Vault: secret not found at path: secret/data//certs/root. Checking local files...
2026/05/14 05:15:23 New root certificate generated
2026/05/14 05:15:23 Root certificate stored in Vault
2026/05/14 05:15:23 Could not load web server certificate from Vault: secret not found at path: secret/data//certs/webserver-10.49.76.159. Checking local files...
2026/05/14 05:15:24 New web server certificate generated
2026/05/14 05:15:24 Web server certificate stored in Vault
2026/05/14 05:15:24 Encryption key loaded from environment
{"level":"info","time":"2026-05-14T05:15:24Z","caller":"/app/cmd/app/main.go:72","message":"UI assets not embedded; skipping browser launch"}
{"level":"info","time":"2026-05-14T05:15:24Z","caller":"/app/cmd/app/main.go:30","message":"app - Run - version: DEVELOPMENT"}
{"level":"warn","time":"2026-05-14T05:15:24Z","caller":"/app/internal/controller/httpapi/ui.go:46","message":"Could not read embedded main.js: open ui/main.js: file does not exist"}
{"level":"info","time":"2026-05-14T05:15:24Z","caller":"/app/internal/controller/tcp/cira/tunnel.go:65","message":"CIRA server running on port 4433"}
{"level":"info","time":"2026-05-14T05:15:27Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/14 - 05:15:27 | 200 | 175.533µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"info","time":"2026-05-14T05:15:40Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/14 - 05:15:40 | 200 | 77.099µs |       127.0.0.1 | GET      \"/healthz\""}

After restart:
"Root certificate loaded from Vault" — loaded instead of regenerated
"Web server certificate loaded from Vault" — loaded instead of regenerated
No panic, no crash, CIRA server running

docker restart device-management-toolkit-console-1
device-management-toolkit-console-1
hspe@BA38RNL00653:~/sinchana/test-issue573-deployment/deployment$ docker logs device-management-toolkit-console-1
2026/05/14 05:15:15 Migrate: postgres is trying to connect, attempts left: 20
2026/05/14 05:15:16 Migrate: postgres is trying to connect, attempts left: 19
2026/05/14 05:15:17 Migrate: postgres is trying to connect, attempts left: 18
2026/05/14 05:15:18 Migrate: postgres is trying to connect, attempts left: 17
2026/05/14 05:15:19 Migrate: postgres is trying to connect, attempts left: 16
2026/05/14 05:15:20 Migrate: postgres is trying to connect, attempts left: 15
2026/05/14 05:15:21 Migrate: postgres is trying to connect, attempts left: 14
2026/05/14 05:15:22 Migrate: up success
2026/05/14 05:15:22 Connected to secret store at: http://vault:8200
2026/05/14 05:15:22 Could not load root certificate from Vault: secret not found at path: secret/data//certs/root. Checking local files...
2026/05/14 05:15:23 New root certificate generated
2026/05/14 05:15:23 Root certificate stored in Vault
2026/05/14 05:15:23 Could not load web server certificate from Vault: secret not found at path: secret/data//certs/webserver-10.49.76.159. Checking local files...
2026/05/14 05:15:24 New web server certificate generated
2026/05/14 05:15:24 Web server certificate stored in Vault
2026/05/14 05:15:24 Encryption key loaded from environment
{"level":"info","time":"2026-05-14T05:15:24Z","caller":"/app/cmd/app/main.go:72","message":"UI assets not embedded; skipping browser launch"}
{"level":"info","time":"2026-05-14T05:15:24Z","caller":"/app/cmd/app/main.go:30","message":"app - Run - version: DEVELOPMENT"}
{"level":"warn","time":"2026-05-14T05:15:24Z","caller":"/app/internal/controller/httpapi/ui.go:46","message":"Could not read embedded main.js: open ui/main.js: file does not exist"}
{"level":"info","time":"2026-05-14T05:15:24Z","caller":"/app/internal/controller/tcp/cira/tunnel.go:65","message":"CIRA server running on port 4433"}
{"level":"info","time":"2026-05-14T05:15:27Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/14 - 05:15:27 | 200 | 175.533µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"info","time":"2026-05-14T05:15:40Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/14 - 05:15:40 | 200 | 77.099µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"info","time":"2026-05-14T05:15:52Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/14 - 05:15:52 | 200 | 63.646µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"info","time":"2026-05-14T05:16:04Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/14 - 05:16:04 | 200 | 69.951µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"info","time":"2026-05-14T05:16:16Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/14 - 05:16:16 | 200 | 119.12µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"info","time":"2026-05-14T05:16:28Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/14 - 05:16:28 | 200 | 69.062µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"warn","time":"2026-05-14T05:16:34Z","caller":"/app/internal/controller/tcp/cira/tunnel.go:198","message":"Read error for device : remote error: tls: unknown certificate authority"}
{"level":"info","time":"2026-05-14T05:16:40Z","caller":"/usr/local/go/src/fmt/print.go:263","message":"[GIN] 2026/05/14 - 05:16:40 | 200 | 56.356µs |       127.0.0.1 | GET      \"/healthz\""}
{"level":"info","time":"2026-05-14T05:16:50Z","caller":"/app/internal/app/app.go:66","message":"app - Run - signal: terminated"}
2026/05/14 05:16:51 Migrate: no change
2026/05/14 05:16:51 Connected to secret store at: http://vault:8200
2026/05/14 05:16:51 Root certificate loaded from Vault
2026/05/14 05:16:51 Web server certificate loaded from Vault
2026/05/14 05:16:51 Encryption key loaded from environment
{"level":"info","time":"2026-05-14T05:16:51Z","caller":"/app/cmd/app/main.go:72","message":"UI assets not embedded; skipping browser launch"}
{"level":"info","time":"2026-05-14T05:16:51Z","caller":"/app/cmd/app/main.go:30","message":"app - Run - version: DEVELOPMENT"}
{"level":"warn","time":"2026-05-14T05:16:51Z","caller":"/app/internal/controller/httpapi/ui.go:46","message":"Could not read embedded main.js: open ui/main.js: file does not exist"}
{"level":"info","time":"2026-05-14T05:16:51Z","caller":"/app/internal/controller/tcp/cira/tunnel.go:65","message":"CIRA server running on port 4433"}

- Return parsed certificate instead of template struct (empty .Raw field)
  in GenerateRootCertificate and IssueWebServerCertificate
- Validate certificates loaded from Vault and delete if malformed
- Persist web server certificate files to disk when loading from Vault
  (CIRA server reads cert files from disk)
- Persist web server certificate files to disk after generation

Addresses device-management-toolkit/deployment#573
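The first two bullets describe one chain of failure: `x509.CreateCertificate` returns DER bytes and leaves the template it was given untouched, so a function that returns the template hands back a certificate whose `Raw` field is nil; PEM-encoding that for Vault stores a CERTIFICATE block with no body, and the next start loads it back as a malformed entry. The Go program below is an added example written for this page, not code from the console or from this PR, and its function names are hypothetical. It reproduces the empty-`Raw` path beside the parsed path, shows the validate-or-delete check a Vault load needs, and verifies a leaf against its issuing root and against a freshly regenerated root, the latter failing with `UnknownAuthorityError` (the verifier-side counterpart of a `tls: unknown certificate authority` alert such as the one in the log above).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// sign creates a certificate from tmpl under parent (self-signed when parent is tmpl) and returns
// the parsed result. x509.CreateCertificate never fills in tmpl: only the parsed cert has Raw set.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// generateRoot builds a self-signed CA and returns both the template (what the buggy code
// returned; its Raw is nil) and the parsed certificate (the fix). Hypothetical name.
func generateRoot() (tmpl, parsed *x509.Certificate, key *ecdsa.PrivateKey, err error) {
	if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	tmpl = &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	parsed, err = sign(tmpl, tmpl, &key.PublicKey, key)
	return tmpl, parsed, key, err
}

// issueLeaf signs a client-auth leaf under root, as a device or web-server cert would be.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, root, &key.PublicKey, rootKey)
}

// certToPEM is what a "store in Vault" step writes; from the unparsed template it emits an empty-bodied block.
func certToPEM(cert *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
}

// validateCertPEM is the "validate what was loaded from Vault" step: on error the caller
// should delete the entry and regenerate rather than start the listener with it.
func validateCertPEM(pemBytes []byte, wantCA bool) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("malformed PEM: no CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes) // an empty body fails here
	if err != nil {
		return nil, fmt.Errorf("malformed DER: %w", err)
	}
	if wantCA && !cert.IsCA {
		return nil, errors.New("stored root is not a CA certificate")
	}
	return cert, nil
}

// verifyLeaf checks leaf against one trusted root. Against a root regenerated on a later start
// it fails with UnknownAuthorityError, the verifier's side of "tls: unknown certificate authority".
func verifyLeaf(leaf, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	tmpl, root, key, _ := generateRoot()
	_, errTmpl := validateCertPEM(certToPEM(tmpl), true)
	fmt.Printf("template Raw=%d bytes (%v); parsed Raw=%d bytes\n", len(tmpl.Raw), errTmpl, len(root.Raw))
	leaf, _ := issueLeaf(root, key, "device-1")
	_, regenerated, _, _ := generateRoot() // what every restart produced before the fix
	fmt.Println("leaf vs issuing root:", verifyLeaf(leaf, root), "| vs regenerated root:", verifyLeaf(leaf, regenerated))
}
```

The error from `validateCertPEM` on the template-derived PEM is the cue a loader should act on by deleting the Vault entry and regenerating, which is the behaviour the PR adds; the `UnknownAuthorityError` from the regenerated root is why loading the stored root on restart, rather than minting a new one, matters for any peer that already trusts the old one.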

codecov Bot commented May 13, 2026

Codecov Report

❌ Patch coverage is 52.63158% with 18 lines in your changes missing coverage. Please review.
✅ Project coverage is 41.48%. Comparing base (b6ed1de) to head (e6ce688).

Files with missing lines Patch % Lines
internal/certificates/generate.go 58.82% 9 Missing and 5 partials ⚠️
cmd/app/main.go 0.00% 4 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #970      +/-   ##
==========================================
+ Coverage   40.78%   41.48%   +0.70%     
==========================================
  Files         134      134              
  Lines       12297    12322      +25     
==========================================
+ Hits         5015     5112      +97     
+ Misses       6759     6659     -100     
- Partials      523      551      +28     



Copilot AI left a comment


Pull request overview

This PR fixes certificate handling so generated certificates return parsed DER-backed structures and web server certificates can be restored from Vault for CIRA disk-based usage.

Changes:

  • Returns parsed certificates from root and web server certificate generation.
  • Adds Vault certificate load validation and malformed-cert cleanup path.
  • Adds tests for parsed certificate .Raw content and web server cert persistence.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
internal/certificates/generate.go Updates certificate store field constants, Vault load validation, parsed certificate returns, and disk persistence for web server certs.
internal/certificates/generate_test.go Adds tests covering Vault loading, parsed certificate returns, and disk persistence behavior.

- Delete malformed PEM entries from Vault on decode failures
- Propagate saveCertAndKeyToFiles errors instead of logging warnings
- Add HEADLESS env var check to skip browser launch in containers
- Fix inverted GIN_MODE condition in handleDebugMode

Addresses device-management-toolkit/deployment#573
@sinchubhat sinchubhat requested review from nbmaiti and sudhir-intc May 14, 2026 08:32
@sinchubhat sinchubhat marked this pull request as ready for review May 14, 2026 09:09

Development

Successfully merging this pull request may close these issues.

error with deployment main branch (console)

3 participants