vespa-engine / vespa

AI + Data, online. https://vespa.ai
https://vespa.ai
Apache License 2.0
5.77k stars 602 forks source link

`vespa prod deploy` requires named `clients.pem` file #31978

Open olaughter opened 3 months ago

olaughter commented 3 months ago

Describe the bug The cli command for deploying a production application package contains a check for a certificate. However the check itself is just looking for a file named clients.pem. Meaning cli deploys fail when using named certs the cli fails

To Reproduce Steps to reproduce the behavior: In the security guide there is an example config for the services.xml file that uses the clients element to configure cert permissions. The example shows using an id and file name to have certs with names like 'serve, ingest, etc. When deploying this config to vespa cloud the error is raised:

Error: deployment to Vespa Cloud requires certificate in application package
Hint: See https://cloud.vespa.ai/en/security/guide
Hint: Pass --add-cert to use the certificate of the current application

Expected behaviour The cli check for certs is based on the clients element, falling back to the current behaviour if not present

Screenshots If applicable, add screenshots to help explain your problem.

Environment (please complete the following information):

Vespa version CLI version used initially: 8.250.43

Additional context Add any other context about the problem here.

olaughter commented 3 months ago

Hey @mpolden, I've made an attempt to resolve this, let me know what you think: https://github.com/vespa-engine/vespa/pull/31988

yngveaasheim commented 3 months ago

@olaughter, Thank you for the contribution! @mpolden is currently on PTO; I am sure he will get back to you on this when he comes back; presumably the week of August 5.

Best, -Yngve