
Commit 21a2370

authored
Merge pull request #142 from abarganier/check-tenant-scoped-certs
tenant: use `-h` to check if tenant scoped client certs available
2 parents 2fac03c + 21764da commit 21a2370


1 file changed

+25
-1
lines changed


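--- a/testserver/tenant.go
+++ b/testserver/tenant.go
@@ -15,6 +15,7 @@
 package testserver
 
 import (
+"bytes"
 "database/sql"
 "errors"
 "fmt"
@@ -36,6 +37,25 @@ func (ts *testServerImpl) isTenant() bool {
 return ts.curTenantID < firstTenantID
 }
 
+// cockroachSupportsTenantScopeCert is a hack to figure out if the version of
+// cockroach on the test server supports tenant scoped certificates. This is less
+// brittle than a static version comparison as these tenant scoped certificates are
+// subject to backports to older CRDB verions.
+func (ts *testServerImpl) cockroachSupportsTenantScopeCert() (bool, error) {
+certCmdArgs := []string{
+"cert",
+"create-client",
+"--help",
+}
+checkTenantScopeCertCmd := exec.Command(ts.serverArgs.cockroachBinary, certCmdArgs...)
+var output bytes.Buffer
+checkTenantScopeCertCmd.Stdout = &output
+if err := checkTenantScopeCertCmd.Run(); err != nil {
+return false, err
+}
+return strings.Contains(output.String(), "--tenant-scope"), nil
+}
+
 // NewTenantServer creates and returns a new SQL tenant pointed at the receiver,
 // which acts as a KV server, and starts it.
 // The SQL tenant is responsible for all SQL processing and does not store any
@@ -87,7 +107,11 @@ func (ts *testServerImpl) NewTenantServer(proxy bool) (TestServer, error) {
 if err := createCertCmd.Run(); err != nil {
 return nil, fmt.Errorf("%s command %s failed: %w", tenantserverMessagePrefix, createCertCmd, err)
 }
-if ts.version.AtLeast(version.MustParse("v22.2.0-alpha")) {
+tenantScopeCertsAvailable, err := ts.cockroachSupportsTenantScopeCert()
+if err != nil {
+return nil, fmt.Errorf("failed to determine if tenant scoped certificates are available: %w", err)
+}
+if tenantScopeCertsAvailable {
 // Overwrite root client certificate scoped to the system and current tenant.
 // Tenant scoping is needed for client certificates used to access tenant servers.
 tenantScopedClientCertArgs := []string{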
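Review bot: cockroachSupportsTenantScopeCert captures only Stdout and returns `false, nil` whenever the substring is missing, so a build that prints its help on stderr or words the flag differently would make NewTenantServer skip the overwrite without any signal and presumably keep the unscoped root client certificate created just above. Adding `checkTenantScopeCertCmd.Stderr = &output` covers both streams, and a log line on the `false` path would make the fallback visible in test output. When the probe itself fails, `return false, err` carries only the exit status; `return false, fmt.Errorf("%s command %s failed: %w", tenantserverMessagePrefix, checkTenantScopeCertCmd, err)` would match the style already used for createCertCmd. The doc comment should state that detection depends on the literal `--tenant-scope` appearing in the help text, and "verions" should read "versions". NewTenantServer's body continues outside the last hunk, so what runs when the check is false is not visible here.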
