Improvements to RunWithHttpsDevCert extensions

.github/workflows/ci.yml

@@ -30,6 +30,8 @@ jobs:
       DOTNET_INSTALL_DIR: ${{ matrix.os == 'ubuntu-latest' && '' || 'dotnet' }}
       ASPIRE_ALLOW_UNSECURED_TRANSPORT: true
       SuppressNETCoreSdkPreviewMessage: true
+      DCP_DIAGNOSTICS_LOG_LEVEL: debug
+      DCP_PRESERVE_EXECUTABLE_LOGS: 1
     steps:
     - uses: actions/checkout@v4
 
@@ -93,7 +95,14 @@ jobs:
         RunConfiguration.CollectSourceInformation=true
       env:
         DAPR_CLI_PATH: ${{ steps.install-dapr.outputs.dapr-path }}
-
+
+    - name: Copy dcp logs
+      if: (success() || steps.test.conclusion == 'failure') && matrix.os == 'ubuntu-latest'
+      run: |
+        mkdir -p ./TestResults/dcplogs
+        cp -r /tmp/dcp/logs ./TestResults/dcplogs
+        cp -r /tmp/aspire.* ./TestResults/dcplogs
+
     - name: Publish Test Results
       if: (success() || steps.test.conclusion == 'failure') && matrix.os == 'ubuntu-latest'
       uses: actions/upload-artifact@v4

samples/AspireWithNode/AspireWithNode.AppHost/AspireWithNode.AppHost.csproj

@@ -8,6 +8,7 @@
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
     <IsAspireHost>true</IsAspireHost>
+    <UserSecretsId>f428d36b-3fad-4237-a29d-6dd8c8605ca5</UserSecretsId>
   </PropertyGroup>
 
   <ItemGroup>

samples/AspireWithNode/AspireWithNode.AppHost/NodeHostingExtensions.cs

@@ -1,4 +1,5 @@
-using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
 
 namespace Aspire.Hosting;
 
@@ -8,24 +9,25 @@ internal static class NodeHostingExtensions
     /// Injects the ASP.NET Core HTTPS developer certificate into the resource via the specified environment variables when
     /// <paramref name="builder"/>.<see cref="IResourceBuilder{T}.ApplicationBuilder">ApplicationBuilder</see>.<see cref="IDistributedApplicationBuilder.ExecutionContext">ExecutionContext</see>.<see cref="DistributedApplicationExecutionContext.IsRunMode">IsRunMode</see><c> == true</c>.<br/>
     /// </summary>
-    public static IResourceBuilder<NodeAppResource> RunWithHttpsDevCertificate(this IResourceBuilder<NodeAppResource> builder, string certFileEnv, string certKeyFileEnv)
+    public static IResourceBuilder<NodeAppResource> RunWithHttpsDevCertificate(this IResourceBuilder<NodeAppResource> builder, CertificateFileFormat certificateFileFormat, string certFileEnv, string? certPasswordOrKeyEnv)
     {
         if (builder.ApplicationBuilder.ExecutionContext.IsRunMode && builder.ApplicationBuilder.Environment.IsDevelopment())
         {
-            DevCertHostingExtensions.RunWithHttpsDevCertificate(builder, certFileEnv, certKeyFileEnv, (certFilePath, certKeyPath) =>
+            DevCertHostingExtensions.RunWithHttpsDevCertificate(builder, certificateFileFormat, certFileEnv, certPasswordOrKeyEnv, (services, certFilePath, certPasswordOrKeyPath) =>
             {
                 builder.WithHttpsEndpoint(env: "HTTPS_PORT");
                 var httpsEndpoint = builder.GetEndpoint("https");
-
-                builder.WithEnvironment(context =>
+
+                // Configure Node to trust the ASP.NET Core HTTPS development certificate as a root CA.
+                builder.WithEnvironment(async context =>
                 {
-                    // Configure Node to trust the ASP.NET Core HTTPS development certificate as a root CA.
-                    if (context.EnvironmentVariables.TryGetValue(certFileEnv, out var certPath))
-                    {
-                        context.EnvironmentVariables["NODE_EXTRA_CA_CERTS"] = certPath;
-                        context.EnvironmentVariables["HTTPS_REDIRECT_PORT"] = ReferenceExpression.Create($"{httpsEndpoint.Property(EndpointProperty.Port)}");
-                    }
+                    var logger = services.GetRequiredService<ResourceLoggerService>().GetLogger(builder.Resource);
+                    var (succeded, pemFilePath, _) = await DevCertHostingExtensions.TryExportDevCertificateAsync(CertificateFileFormat.Pem, builder.ApplicationBuilder, logger);
+                    context.EnvironmentVariables["NODE_EXTRA_CA_CERTS"] = pemFilePath;
+                    context.EnvironmentVariables["HTTPS_REDIRECT_PORT"] = ReferenceExpression.Create($"{httpsEndpoint.Property(EndpointProperty.Port)}");
                 });
+
+                return Task.CompletedTask;
             });
         }
 

samples/AspireWithNode/AspireWithNode.AppHost/Program.cs

@@ -2,7 +2,8 @@
 
 var builder = DistributedApplication.CreateBuilder(args);
 
-var cache = builder.AddRedis("cache");
+var cache = builder.AddRedis("cache")
+    .RunWithHttpsDevCertificate();
 
 var weatherapi = builder.AddProject<Projects.AspireWithNode_AspNetCoreApi>("weatherapi");
 
@@ -20,7 +21,7 @@
 
 if (builder.Environment.IsDevelopment() && launchProfile == "https")
 {
-    frontend.RunWithHttpsDevCertificate("HTTPS_CERT_FILE", "HTTPS_CERT_KEY_FILE");
+    frontend.RunWithHttpsDevCertificate(CertificateFileFormat.PfxWithPassword, "HTTPS_CERT_PFX_FILE", "HTTPS_CERT_PASSWORD");
 }
 
 builder.Build().Run();

samples/AspireWithNode/AspireWithNode.AppHost/RedisHostingExtensions.cs

@@ -0,0 +1,53 @@
+using Microsoft.Extensions.Hosting;
+
+namespace Aspire.Hosting;
+
+internal static class RedisHostingExtensions
+{
+    /// <summary>
+    /// Configures the Redis resource to use the ASP.NET Core HTTPS developer certificate when
+    /// <paramref name="builder"/>.<see cref="IResourceBuilder{T}.ApplicationBuilder">ApplicationBuilder</see>.<see cref="IDistributedApplicationBuilder.ExecutionContext">ExecutionContext</see>.<see cref="DistributedApplicationExecutionContext.IsRunMode">IsRunMode</see><c> == true</c>.<br/>
+    /// </summary>
+    public static IResourceBuilder<RedisResource> RunWithHttpsDevCertificate(this IResourceBuilder<RedisResource> builder)
+    {
+        if (builder.ApplicationBuilder.ExecutionContext.IsRunMode && builder.ApplicationBuilder.Environment.IsDevelopment())
+        {
+            DevCertHostingExtensions.RunWithHttpsDevCertificate(builder, CertificateFileFormat.Pem, "TLS_CERT_FILE", "TLS_KEY_FILE", (services, certFilePath, certPasswordOrKeyPath) =>
+            {
+                // This callback is invoked during the BeforeStartEvent phase if the certificate is successfully exported.
+                builder.WithConnectionStringRedirection(new RedisTlsConnectionString(builder.Resource));
+
+                // Configure Redis to use the ASP.NET Core HTTPS development certificate.
+                builder.WithArgs(context =>
+                {
+                    context.Args.Add("--port");
+                    context.Args.Add("0");
+                    context.Args.Add("--tls-port");
+                    context.Args.Add(builder.Resource.PrimaryEndpoint.TargetPort.ToString()!);
+                    context.Args.Add("--tls-cert-file");
+                    context.Args.Add($"{DevCertHostingExtensions.DEV_CERT_BIND_MOUNT_DEST_DIR}/{DevCertHostingExtensions.DEV_CERT_FILE_NAME_PEM}");
+                    context.Args.Add("--tls-key-file");
+                    context.Args.Add($"{DevCertHostingExtensions.DEV_CERT_BIND_MOUNT_DEST_DIR}/{DevCertHostingExtensions.DEV_CERT_FILE_NAME_KEY}");
+                    context.Args.Add("--tls-ca-cert-file");
+                    context.Args.Add($"{DevCertHostingExtensions.DEV_CERT_BIND_MOUNT_DEST_DIR}/{DevCertHostingExtensions.DEV_CERT_FILE_NAME_PEM}");
+                    context.Args.Add("--tls-auth-clients");
+                    context.Args.Add("no");
+                });
+
+                return Task.CompletedTask;
+            });
+        }
+
+        return builder;
+    }
+
+    private class RedisTlsConnectionString(RedisResource resource) : IResourceWithConnectionString
+    {
+        public string Name { get; } = $"{resource.Name}-tls";
+
+        public ReferenceExpression ConnectionStringExpression => ReferenceExpression.Create(
+            $"{resource.PrimaryEndpoint.Property(EndpointProperty.Host)}:{resource.PrimaryEndpoint.Property(EndpointProperty.Port)},Ssl=true");
+
+        public ResourceAnnotationCollection Annotations { get; } = [];
+    }
+}

samples/AspireWithNode/NodeFrontend/app.js

@@ -12,6 +12,8 @@ const config = {
     httpPort: process.env['PORT'] ?? 8080,
     httpsPort: process.env['HTTPS_PORT'] ?? 8443,
     httpsRedirectPort: process.env['HTTPS_REDIRECT_PORT'] ?? (process.env['HTTPS_PORT'] ?? 8443),
+    certPfxFile: process.env['HTTPS_CERT_PFX_FILE'] ?? '',
+    certPassword: process.env['HTTPS_CERT_PASSWORD'] ?? '',
     certFile: process.env['HTTPS_CERT_FILE'] ?? '',
     certKeyFile: process.env['HTTPS_CERT_KEY_FILE'] ?? '',
     cacheAddress: process.env['ConnectionStrings__cache'] ?? '',
@@ -20,28 +22,38 @@ const config = {
 console.log(`config: ${JSON.stringify(config)}`);
 
 // Setup HTTPS options
-const httpsOptions = fs.existsSync(config.certFile) && fs.existsSync(config.certKeyFile)
+const httpsOptions = fs.existsSync(config.certPfxFile)
     ? {
-        cert: fs.readFileSync(config.certFile),
-        key: fs.readFileSync(config.certKeyFile),
+        pfx: fs.readFileSync(config.certPfxFile),
+        passphrase: config.certPassword,
         enabled: true
     }
-    : { enabled: false };
+    : fs.existsSync(config.certFile) && fs.existsSync(config.certKeyFile)
+        ? {
+            cert: fs.readFileSync(config.certFile),
+            key: fs.readFileSync(config.certKeyFile),
+            enabled: true
+        }
+        : { enabled: false };
 
 // Setup connection to Redis cache
-const passwordPrefix = ',password=';
+let cacheOptions = {};
+config.cacheAddress.split(',').forEach(setting => {
+    const parts = setting.split('=');
+    if (parts.length === 2) {
+        const key = parts[0].toLowerCase();
+        const value = parts[1];
+        cacheOptions[key] = value;
+    } else if (parts.length === 1) {
+        cacheOptions['url'] = setting;
+    }
+});
+
 let cacheConfig = {
-    url: `redis://${config.cacheAddress}`
+    url: `${ cacheOptions.ssl ? "rediss" : "redis" }://${cacheOptions.url}`,
+    password: cacheOptions.password
 };
 
-const cachePasswordIndex = config.cacheAddress.indexOf(passwordPrefix);
-if (cachePasswordIndex > 0) {
-    cacheConfig = {
-        url: `redis://${config.cacheAddress.substring(0, cachePasswordIndex)}`,
-        password: config.cacheAddress.substring(cachePasswordIndex + passwordPrefix.length)
-    }
-}
-
 const cache = createClient(cacheConfig);
 cache.on('error', err => console.error('Redis Client Error', err));
 await cache.connect();

samples/Directory.Build.targets

@@ -0,0 +1,11 @@
+<Project>
+  <!-- Embed the path to /obj so that hosting integrations can write files to re-use between runs there -->
+  <Target Name="EmbedAppHostIntermediateOutputPath" BeforeTargets="GetAssemblyAttributes">
+    <ItemGroup>
+      <AssemblyAttribute Include="System.Reflection.AssemblyMetadataAttribute">
+        <_Parameter1>apphostprojectbaseintermediateoutputpath</_Parameter1>
+        <_Parameter2>$(BaseIntermediateOutputPath)</_Parameter2>
+      </AssemblyAttribute>
+    </ItemGroup>
+  </Target>
+</Project>

samples/Metrics/MetricsApp.AppHost/OpenTelemetryCollector/OpenTelemetryCollectorResourceBuilderExtensions.cs

@@ -29,14 +29,16 @@ public static IResourceBuilder<OpenTelemetryCollectorResource> AddOpenTelemetryC
 
         if (isHttpsEnabled && builder.ExecutionContext.IsRunMode && builder.Environment.IsDevelopment())
         {
-            DevCertHostingExtensions.RunWithHttpsDevCertificate(resourceBuilder, "HTTPS_CERT_FILE", "HTTPS_CERT_KEY_FILE", (certFilePath, certKeyPath) =>
+            DevCertHostingExtensions.RunWithHttpsDevCertificate(resourceBuilder, CertificateFileFormat.Pem, "HTTPS_CERT_FILE", "HTTPS_CERT_KEY_FILE", (_, certFilePath, certKeyPath) =>
             {
                 // Set TLS details using YAML path via the command line. This allows the values to be added to the existing config file.
                 // Setting the values in the config file doesn't work because adding the "tls" section always enables TLS, even if there is no cert provided.
                 resourceBuilder.WithArgs(
                     @"--config=yaml:receivers::otlp::protocols::grpc::tls::cert_file: ""dev-certs/dev-cert.pem""",
                     @"--config=yaml:receivers::otlp::protocols::grpc::tls::key_file: ""dev-certs/dev-cert.key""",
                     @"--config=/etc/otelcol-contrib/config.yaml");
+
+                return Task.CompletedTask;
             });
         }