From 53effa806b73a1c728fba9160b23000c8f7cc5e0 Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Sun, 17 Jul 2022 23:16:59 -0400
Subject: [PATCH] 16552: Rename ACME config options.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 lib/boot/cert.go | 11 +++++++++--
 lib/config/config.default.yml | 26 +++++++++++++++-----------
 lib/install/init.go | 7 ++++---
 lib/service/tls.go | 2 +-
 sdk/go/arvados/config.go | 5 +++--
 5 files changed, 32 insertions(+), 19 deletions(-)

diff --git a/lib/boot/cert.go b/lib/boot/cert.go
index 10fd0aa9f6..175a350803 100644
--- a/lib/boot/cert.go
+++ b/lib/boot/cert.go
@@ -36,7 +36,7 @@ func (createCertificates) String() string {
 }
 
 func (createCertificates) Run(ctx context.Context, fail func(error), super *Supervisor) error {
- if super.cluster.TLS.Automatic {
+ if super.cluster.TLS.ACME.Server != "" {
 return bootAutoCert(ctx, fail, super)
 } else if super.cluster.TLS.Key == "" && super.cluster.TLS.Certificate == "" {
 return createSelfSignedCert(ctx, fail, super)
@@ -78,8 +78,15 @@ func bootAutoCert(ctx context.Context, fail func(error), super *Supervisor) erro
 }
 },
 }
- if super.cluster.TLS.Staging {
+ if srv := super.cluster.TLS.ACME.Server; srv == "LE" {
+ // Leaving mgr.Client == nil means use Let's Encrypt
+ // production environment
+ } else if srv == "LE-staging" {
 mgr.Client = &acme.Client{DirectoryURL: stagingDirectoryURL}
+ } else if strings.HasPrefix(srv, "https://") {
+ mgr.Client = &acme.Client{DirectoryURL: srv}
+ } else {
+ return fmt.Errorf("autocert setup: invalid directory URL in TLS.ACME.Server: %q", srv)
 }
 go func() {
 err := http.ListenAndServe(":80", mgr.HTTPHandler(nil))
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index c8c02cc604..8d5bbc258e 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
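Review bot: With `super.cluster.TLS.ACME.Server != ""` taking the first branch, a config that also sets TLS.Key/TLS.Certificate goes down the ACME path and the configured files are silently ignored; the old Automatic flag had the same gap, but this is the natural place to reject the combination, e.g. `if super.cluster.TLS.ACME.Server != "" && (super.cluster.TLS.Key != "" || super.cluster.TLS.Certificate != "") { return fmt.Errorf("TLS.ACME.Server cannot be combined with TLS.Key/TLS.Certificate") }` ahead of the dispatch. The same non-empty-string test is the ACME switch in lib/service/tls.go makeTLSConfig, so whichever rule is chosen here should be mirrored there or stated once as a comment on the ACME.Server field. Run's remaining branches lie outside the hunk.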
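Review bot: The custom-server branch accepts any string beginning with `https://` as an ACME directory URL, so a malformed value such as a bare `https://` or one containing whitespace passes this check and only fails later inside the ACME client, far from the config entry that caused it; parsing with `url.Parse` and requiring an https scheme and a non-empty host reports the offending value at boot instead. The chain also reads awkwardly with an empty `if` body kept only to hold a comment; a `switch` on srv with the Let's Encrypt production case first keeps the comment and drops the empty body. This needs `net/url` in cert.go's imports if it is not already there; the diff shows no import change, so `strings` and `fmt` are presumably imported already. The rest of bootAutoCert, including the mgr setup this code follows, is outside the hunk.
```go
	srv := super.cluster.TLS.ACME.Server
	switch {
	case srv == "LE":
		// mgr.Client == nil selects the Let's Encrypt production environment
	case srv == "LE-staging":
		mgr.Client = &acme.Client{DirectoryURL: stagingDirectoryURL}
	default:
		u, err := url.Parse(srv)
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return fmt.Errorf("autocert setup: invalid directory URL in TLS.ACME.Server: %q", srv)
		}
		mgr.Client = &acme.Client{DirectoryURL: srv}
	}
	// … unchanged: go func() serving mgr.HTTPHandler on :80 …
```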
@@ -909,17 +909,21 @@ Clusters:
 # use this in production.
 Insecure: false
 
- # Agree to Let's Encrypt terms of service and obtain
- # certificates automatically for ExternalURL domains.
- #
- # Note: this feature is not yet implemented in released
- # versions, only in the alpha/prerelease arvados-server-easy
- # package.
- Automatic: false
-
- # Use Let's Encrypt staging environment instead of production
- # environment.
- Staging: false
+ ACME:
+ # Obtain certificates automatically for ExternalURL domains
+ # using an ACME server and http-01 validation.
+ #
+ # To use Let's Encrypt, specify "LE". To use the Let's
+ # Encrypt staging environment, specify "LE-staging". To use a
+ # different ACME server, specify the full directory URL
+ # ("https://...").
+ #
+ # Note: this feature is not yet implemented in released
+ # versions, only in the alpha/prerelease arvados-server-easy
+ # package.
+ #
+ # Implies agreement with the server's terms of service.
+ Server: ""
 
 Containers:
 # List of supported Docker Registry image formats that compute nodes
diff --git a/lib/install/init.go b/lib/install/init.go
index 792262b59a..a928f22529 100644
--- a/lib/install/init.go
+++ b/lib/install/init.go
@@ -72,7 +72,7 @@ func (initcmd *initCommand) RunCommand(prog string, args []string, stdin io.Read
 flags.StringVar(&initcmd.Domain, "domain", hostname, "cluster public DNS `name`, like x1234.arvadosapi.com")
 flags.StringVar(&initcmd.Login, "login", "", "login `backend`: test, pam, 'google {client-id} {client-secret}', or ''")
 flags.StringVar(&initcmd.AdminEmail, "admin-email", "", "give admin privileges to user with given `email`")
- flags.StringVar(&initcmd.TLS, "tls", "none", "tls certificate `source`: acme, auto, insecure, or none")
+ flags.StringVar(&initcmd.TLS, "tls", "none", "tls certificate `source`: acme, acmetool, insecure, or none")
 flags.BoolVar(&initcmd.Start, "start", true, "start systemd service after creating config")
 if ok, code := cmd.ParseFlags(flags, prog, args, "", stderr); !ok {
 return code
@@ -214,9 +214,10 @@ func (initcmd *initCommand) RunCommand(prog string, args []string, stdin io.Read
 TLS:
 {{if eq .TLS "insecure"}}
 Insecure: true
- {{else if eq .TLS "auto"}}
- Automatic: true
 {{else if eq .TLS "acme"}}
+ ACME:
+ Server: LE
+ {{else if eq .TLS "acmetool"}}
 Certificate: {{printf "%q" (print "/var/lib/acme/live/" .Domain "/cert")}}
 Key: {{printf "%q" (print "/var/lib/acme/live/" .Domain "/privkey")}}
 {{else}}
diff --git a/lib/service/tls.go b/lib/service/tls.go
index 234ee57878..88a2858beb 100644
--- a/lib/service/tls.go
+++ b/lib/service/tls.go
@@ -21,7 +21,7 @@ import (
 )
 
 func makeTLSConfig(cluster *arvados.Cluster, logger logrus.FieldLogger) (*tls.Config, error) {
- if cluster.TLS.Automatic {
+ if cluster.TLS.ACME.Server != "" {
 return makeAutocertConfig(cluster, logger)
 } else {
 return makeFileLoaderConfig(cluster, logger)
diff --git a/sdk/go/arvados/config.go b/sdk/go/arvados/config.go
index d9aa92b65d..6d8f39dfb3 100644
--- a/sdk/go/arvados/config.go
+++ b/sdk/go/arvados/config.go
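Review bot: Renaming the `-tls` values changes what an existing invocation does without any error: `-tls acme`, which in the template at line 216 used to select the acmetool-managed files under /var/lib/acme/live, now emits `ACME: Server: LE`, and the retired `-tls auto` silently drops into the template's final `{{else}}` branch like any unrecognised value. Since the help string already enumerates the accepted values, validating initcmd.TLS right after the ParseFlags check (whose closing brace is outside this hunk) would turn both cases into a clear failure; the exit code should follow whatever convention RunCommand uses elsewhere, the 2 below is a placeholder, and the fmt.Fprintf assumes fmt is imported in init.go. A short remark in the help text that `acme` formerly meant the acmetool layout would also help users with older scripts.
```go
	// … after the ParseFlags check, which closes outside this hunk …
	switch initcmd.TLS {
	case "acme", "acmetool", "insecure", "none":
	default:
		fmt.Fprintf(stderr, "%s: unsupported -tls value %q\n", prog, initcmd.TLS)
		return 2
	}
```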
@@ -227,8 +227,9 @@ type Cluster struct {
 Certificate string
 Key string
 Insecure bool
- Automatic bool
- Staging bool
+ ACME struct {
+ Server string
+ }
 }
 Users struct {
 ActivatedUsersAreVisibleToOthers bool
--
2.30.2
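Review bot: `ACME.Server` carries no doc comment, yet its value is interpreted in three places in this patch (lib/boot/cert.go, lib/service/tls.go and the init template) and the accepted forms are spelled out only in config.default.yml, which SDK consumers of arvados.Cluster never see. Suggest a field comment such as `// Server enables automatic certificate issuance: "" disables it, "LE" and "LE-staging" select Let's Encrypt production/staging, any other value must be an https:// ACME directory URL.`, adding that in lib/boot/cert.go a non-empty value is tested before Certificate/Key and so takes precedence over them. The Cluster struct continues outside the hunk.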