Update README and remove test against upstream APIv3 provider using LE certs...

Update README and remove test against upstream APIv3 provider using LE certs for the API communication. This variant is diverging from the initial APIv3 (Bonafide) protocol and it would add more code complexity to maintain this option: The required certificate handling changes require that we always start menshen with --ca-file flag for the PEM formatted root CA file. In turn that would require to add an additional flag to let menshen distinuish if we point to the providers self-signed API endpoints or the LE signed endpoints. Before the absence of the --ca-file flag was exactly that distinguisher.

Update README and remove test against upstream APIv3 provider using LE certs...
05e1560e · cyberta · cyberta · 1c6a19c4 · 05e1560e · 05e1560e
Commit 05e1560e authored 5 months ago by cyberta Committed by cyberta 5 months ago
--- a/Makefile
+++ b/Makefile
@@ -56,14 +56,6 @@ run-container-test-api:
 	# check the validity of certificate 
 	openssl x509 -in /tmp/cert.pem -noout -text
 	podman-compose -f test/compose-files/docker-compose-remote-client-cert-selfsigned.yml down
-	# 3. run container image with remote standard url's for fetching config and certs
-	podman-compose -f test/compose-files/docker-compose-remote-client-cert.yml up -d
-	sleep 10s
-	podman logs compose-files_menshen_1
-	curl localhost:8443/api/5/openvpn/cert > /tmp/cert.pem
-	# check the validity of certificate 
-	openssl x509 -in /tmp/cert.pem -noout -text
-	podman-compose -f test/compose-files/docker-compose-remote-client-cert.yml down

 clean-container-setup:
 	# clean local menshen setup 

--- a/README.md
+++ b/README.md
@@ -97,15 +97,13 @@ go build ./cmd/menshen

 ## Run 

-The parameter `--from-provider-json` is a file path to a provider.json. It is always required to start menshen.
+The parameter `--from-provider-json` is a file path to a provider.json, `--ca-file` is the file path to the root CA.  Both are always required to start menshen.
 Use `--verbose` to get debug output.


 ### by pointing to another upstream provider

-#### *a) with self-signed provider API endpoints*
-
-Further required parameters are `--ca-file`, `--client-cert-url` and an eip source (`--from-eip-file` or `--from-eip-url `).
+Further required parameters are `--client-cert-url` and an eip source (`--from-eip-file` or `--from-eip-url `).
 You can start menshen from a v3 eip-service file:

 ```
@@ -126,26 +124,6 @@ go run ./cmd/menshen/main.go --verbose \
 --client-cert-url https://api.demo.bitmask.net:4430/3/cert
 ```

-#### *b) with ca-signed provider endpoints*
-
-Additional required parameters are `--client-cert-url` and an eip source (`--from-eip-file` or `--from-eip-url `).
-You can start menshen from a v3 eip-service file:
-
-```
-go run ./cmd/menshen/main.go --verbose \
--from-provider-json-file test/data/provider.json \
--from-eip-url https://api.demo.bitmask.net/3/config/eip-service.json \
--client-cert-url https://api.demo.bitmask.net/3/cert
-```
-
-Alternatively you can start menshen with a eip-service.json from an URL:    
-```
-go run ./cmd/menshen/main.go --verbose \
--from-provider-json-file test/data/provider.json \
--from-eip-file test/data/eip-service.json \
--client-cert-url https://api.demo.bitmask.net/3/cert
-```
-
 ##### **Note**: Replace `test/data/eip-service.json` and `test/data/provider.json` with the relevant configuration files, as they are just samples.

 ### by configuring for local cert generation
@@ -156,6 +134,7 @@ You can start menshen from a v3 eip-service file:
 ```
 go run ./cmd/menshen/main.go --verbose \
 --from-provider-json-file test/data/provider.json \
+--ca-file test/data/ca.crt
 --from-eip-file test/data/eip-service.json \
 --ovpn-ca-crt test/data/ovpn_client_ca.crt \
 --ovpn-ca-key test/data/ovpn_client_ca.key

--- a/test/compose-files/docker-compose-remote-client-cert.yml
+++ b/test/compose-files/docker-compose-remote-client-cert.yml
-services:
-  menshen:
-    build: ../../.
-    entrypoint: ["menshen"]
-    environment:
-      - MENSHEN_FROM_EIP_URL=https://api.${PROVIDER:-ft1.bitmask.net}/3/config/eip-service.json
-      - MENSHEN_CLIENT_CERT_URL=https://api.${PROVIDER:-ft1.bitmask.net}/3/cert
-      - MENSHEN_FROM_PROVIDER_JSON_FILE=/etc/leap/test/provider.json
-      - MENSHEN_DB_FILE=/tmp/sqlite.db
-      - MENSHEN_PORT=8443
-      - MENSHEN_ALLOW_GATEWAY_LIST=true
-      - MENSHEN_ALLOW_BRIDGE_LIST=true
-      - MENSHEN_AUTO_TLS=false
-      - MENSHEN_VERBOSE=false
-    network_mode: host
-    ports:
-      - "127.0.0.1:8443:8443/tcp"
-    volumes:
-      - "../data:/etc/leap/test"