Allow using server authentication cert config in runtime WithContainerFiles callbacks, fix MacOS keychain access spam with dev cert#13151
…g, avoid excessive keychain access prompts on Mac
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 13151
Or
iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 13151"
I've applied the no merge label as one change in this PR depends on a DCP change that'll need to be merged first, otherwise pfx based certs won't work in containers.
Pull request overview
This PR adds support for using server authentication certificate configuration in runtime WithContainerFiles callbacks and fixes MacOS keychain access spam by caching the development certificate. The changes introduce a new API context property, improve certificate caching, and add configuration options to disable dev cert usage independently of certificate trust.
Key Changes:
- Adds `ServerAuthenticationCertificateContext` property to `ContainerFileSystemCallbackContext` for accessing certificate paths in container file generation callbacks
- Implements MacOS-specific caching of ASP.NET development certificate key material to avoid repeated keychain prompts
- Introduces new configuration flags (`UseDeveloperCertificateForServerAuthentication`) to control dev cert usage for server authentication independently of trust settings
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 17 comments.
| File | Description |
|---|---|
| src/Shared/KnownConfigNames.cs | Adds new environment variable constant for server authentication configuration |
| src/Aspire.Hosting/IDeveloperCertificateService.cs | Renames property to UseForServerAuthentication for clarity |
| src/Aspire.Hosting/DistributedApplicationOptions.cs | Adds new option for controlling dev cert usage for server authentication |
| src/Aspire.Hosting/DeveloperCertificateService.cs | Implements new property with configuration priority logic |
| src/Aspire.Hosting/Dcp/Model/Container.cs | Adds RawContents field for base64-encoded binary file content |
| src/Aspire.Hosting/Dcp/DcpExecutor.cs | Major refactor: implements certificate caching, removes temp PFX files, adds MacOS keychain cache |
| src/Aspire.Hosting/ApplicationModel/X509CertificateResource.cs | New experimental resource type for X.509 certificates |
| src/Aspire.Hosting/ApplicationModel/ResourceExtensions.cs | Refactors to use new ServerAuthenticationCertificateConfigurationDetails class |
| src/Aspire.Hosting/ApplicationModel/ReferenceExpression.cs | Adds WasResolved tracking to detect reference usage |
| src/Aspire.Hosting/ApplicationModel/ExpressionResolver.cs | Sets WasResolved flag during expression evaluation |
| src/Aspire.Hosting/ApplicationModel/ContainerFileSystemCallbackAnnotation.cs | Adds new context class for server authentication certificate paths |
| src/Aspire.Hosting.Yarp/YarpResourceExtensions.cs | Updates to use renamed service property |
| src/Aspire.Hosting.Redis/RedisBuilderExtensions.cs | Updates to use renamed service property |
| src/Aspire.Hosting.Python/PythonAppResourceBuilderExtensions.cs | Updates to use renamed service property |
| src/Aspire.Hosting.Keycloak/KeycloakResourceBuilderExtensions.cs | Updates to use renamed service property |
#13186 was merged with the path fixes and support for copying pfx files to containers via base64 encoded strings in the resource config instead of requiring temporary files.

Works like a charm!
```csharp
/// <summary>
/// Indicates whether this expression was ever referenced to get its value.
/// </summary>
internal bool WasResolved { get; set; }
```
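Review bot: the doc comment says "ever referenced to get its value", but per the file summary the flag is set from `ExpressionResolver` during expression evaluation, so any evaluation of the expression (not only one that ends up in a container's configuration) will report the key material as used and cause it to be exported; if the goal is to export only when a resource actually consumes the pfx or pem key, record that at the consuming call site instead of as mutable state on `ReferenceExpression`, and either way the comment should say "evaluated" rather than "referenced".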
I'm only generating key material that's actually referenced; if no resource actually references the pfx or pem key, I'm not exporting them. I'm using this to check the usage.
I don't like it, can we put it outside of the reference expression.
Other option (without making the API weird) would be a custom IValueProvider
```csharp
private static readonly TimeSpan s_disposeTimeout = TimeSpan.FromSeconds(10);

// Well-known location on disk where dev-cert key material is cached.
private static readonly string s_macOSUserDevCertificateLocation = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), ".aspire", "dev-certs", "https");
```
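Review bot: the comment states that dev-cert key material is cached under this path, but nothing visible here says how the directory and files are created; since a private key will be written under `~/.aspire/dev-certs/https`, the directory should be created owner-only and the exported files set to owner read/write (for example `File.SetUnixFileMode(path, UnixFileMode.UserRead | UnixFileMode.UserWrite)` after writing), and that permission requirement belongs in this comment so the location is not later reused for less sensitive data with the same mode.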
This is why I am doing that folders PR, to avoid code like this spreading 😄
Yeah, it'll be nice to have a central service for this.
Are we going to need docs to tell people to set ASPIRE_DEVELOPER_CERTIFICATE_DEFAULT_SERVER_AUTHENTICATION on Mac if you are doing CI?

Yes, amongst all the rest of the new API that was added. I'll open a docs issue to expand on the current certificates docs from 13.0.
Description
`ServerAuthenticationCertificateContext` property to the `WithContainerFiles` callback API context that can be used to include server authentication specific properties (path to the key file, pfx file, etc.) in configuration files if required.
Fixes #13137
Implements #13040
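As an added illustration, not code from this PR or from Aspire itself, of how a `WithContainerFiles` callback could consume the new context: an nginx container gets a server block that points at the certificate and key paths when the app host supplies them, and falls back to plain HTTP when it does not. `AddContainer`, `WithHttpsEndpoint`, `WithContainerFiles`, `ContainerFile` and the callback's `context` parameter follow the existing Aspire hosting API; the member names `CertificatePath` and `KeyPath` on `ServerAuthenticationCertificateContext`, and the assumption that the property is null when no server-authentication certificate is configured for the resource, are assumptions made here because the PR page does not show the class's members.

```csharp
using System.IO;
using Aspire.Hosting;
using Aspire.Hosting.ApplicationModel;

var builder = DistributedApplication.CreateBuilder(args);

// Edge container that should terminate TLS with the app host's server-authentication certificate.
var edge = builder.AddContainer("edge", "nginx", "1.27")
    .WithHttpsEndpoint(port: 8443, targetPort: 443, name: "https")
    .WithContainerFiles("/etc/nginx/conf.d", (context, cancellationToken) =>
    {
        // Assumed: the PR adds this property to the callback context, but its members and
        // null-when-unconfigured behaviour are not shown on the PR page.
        var cert = context.ServerAuthenticationCertificateContext;

        string conf;
        if (cert is null)
        {
            // No certificate for this resource (for example a CI run where the dev cert is not
            // used for server authentication): emit a working HTTP-only config instead of an
            // ssl_certificate directive that points at a file nginx cannot open.
            conf = """
                server {
                    listen 80;
                    location / { return 200 "plain http\n"; }
                }
                """;
        }
        else
        {
            // Paths are the in-container locations the app host copies the material to;
            // the member names are assumed (see lead-in).
            conf = $"""
                server {{
                    listen 443 ssl;
                    ssl_certificate     {cert.CertificatePath};
                    ssl_certificate_key {cert.KeyPath};
                    ssl_protocols       TLSv1.2 TLSv1.3;
                    location / {{ return 200 "tls ok\n"; }}
                }}
                """;
        }

        IEnumerable<ContainerFileSystemItem> files =
        [
            new ContainerFile
            {
                Name = "default.conf",
                Contents = conf,
                // The config itself holds no secrets, only paths, so world-readable is fine;
                // the key file's own mode is governed by the app host, not by this callback.
                Mode = UnixFileMode.UserRead | UnixFileMode.UserWrite
                     | UnixFileMode.GroupRead | UnixFileMode.OtherRead,
            },
        ];
        return Task.FromResult(files);
    });

builder.Build().Run();
```

The null branch is the part worth keeping whatever the final member names turn out to be: the discussion above notes that CI on macOS may run with dev-cert server authentication turned off via ASPIRE_DEVELOPER_CERTIFICATE_DEFAULT_SERVER_AUTHENTICATION, and a callback that assumes the certificate is always present would then produce a container that fails to start.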