Copilot AI commented Dec 18, 2025

Implementation Plan for pkimetal Unix Socket Support

  • Add Socket field to PKIMetalConfig struct in lint_cert_via_pkimetal.go
  • Modify execute() method to create HTTP client with Unix socket transport when Socket is configured
  • Update docker-compose.yml to:
    • Upgrade pkimetal image from v1.20.0 to v1.32.0
    • Configure pkimetal to use Unix socket via Viper YAML config
    • Set up volume mount for Unix socket sharing
  • Update test/config/zlint.toml to use socket configuration
  • Update test/config-next/zlint.toml to use socket configuration
  • Address code review feedback:
    • Add timeout to Unix socket HTTP client
    • Use url.JoinPath for consistent URL construction
    • Set timeout on HTTP client for regular HTTP connections
    • Improve comment clarity
    • Refactor to enable connection reuse and simplify code
    • Use sync.Once for thread-safe client initialization
    • Apply timeout per-request instead of per-client
  • Create pkimetal.yaml configuration files with Viper-compatible settings
  • Run security checks

Summary

All changes completed. The implementation enables pkimetal to run via Unix socket with thread-safe connection pooling.

Original prompt

This section details the original issue you should resolve

<issue_title>Support pkimetal via Unix Socket</issue_title>
<issue_description>I've contributed support to pkimetal to listen on a unix socket. This is included in release v1.32.0.

Now we need Boulder to support using pkimetal via Unix socket.

This enables running a pkimetal container as a sidecar to cert-checker & boulder-ca with networking disabled, which we want to do to reduce risk in our production environment.

In lint_cert_via_pkimetal.go, we'll need to add a new Socket option to PKIMetalConfig, and construct an HTTP Client with a Transport using a net.Dialer DialContext with network "unix" and the unix socket path.

The integration test docker-compose.yml will need to be updated to use pkimetal v1.32.0. It will need to be configured to use a unix socket, and zlint.toml in config and config-next will need to be updated with the new socket configuration to use that.</issue_description>

Comments on the Issue (you are @copilot in this section)

Copilot AI and others added 4 commits December 18, 2025 04:09
- Add Socket field to PKIMetalConfig struct
- Modify execute() to create HTTP client with Unix socket transport
- Update docker-compose.yml to use pkimetal v1.32.0 with Unix socket
- Configure socket volume sharing between boulder and pkimetal
- Update test configs to use Unix socket instead of HTTP endpoint

Co-authored-by: mcpherrinm <47425+mcpherrinm@users.noreply.github.com>
- Add timeout to HTTP client for Unix socket transport
- Use url.JoinPath for Unix socket URL construction for consistency

Co-authored-by: mcpherrinm <47425+mcpherrinm@users.noreply.github.com>
- Create pkimetal.yaml config files with server.webserverPath setting
- Mount config file in docker-compose instead of using command-line args
- Add config for both test/config and test/config-next directories

Co-authored-by: mcpherrinm <47425+mcpherrinm@users.noreply.github.com>
- Ensure both Unix socket and HTTP connections respect configured timeout
- Improve comment clarity about localhost usage in Unix socket URLs

Co-authored-by: mcpherrinm <47425+mcpherrinm@users.noreply.github.com>
Copilot AI changed the title [WIP] Add support for pkimetal via Unix socket Support pkimetal via Unix socket Dec 18, 2025
Copilot AI requested a review from mcpherrinm December 18, 2025 04:20
@github-actions (Contributor) commented:

@Copilot, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.

Review comment (Contributor) on these lines of the proposed client construction:

// Use Unix socket connection
client = &http.Client{
Timeout: timeout,
Transport: &http.Transport{


To enable connection reuse, we shouldn't create a new http.Client (and importantly, http.Transport) for each request.

This code is a bit more verbose than it needs to be: Only the dummy value in place of pkim.Addr and Transport needs to change if pkim.Socket is set.

Copilot AI (Author) replied:


Refactored to store the HTTP client in the struct for reuse across requests, enabling connection pooling. The code now only conditionally sets the Transport and base URL, eliminating duplication. Changes in commit 86c1eb9.

Copilot AI and others added 2 commits December 18, 2025 04:32
- Store http.Client in PKIMetalConfig struct for reuse across requests
- Initialize client lazily on first execute() call
- Only conditionally set Transport for Unix socket, simplifying code
- Reduces verbosity by eliminating duplicate client creation logic

Co-authored-by: mcpherrinm <47425+mcpherrinm@users.noreply.github.com>
- Use sync.Once to ensure thread-safe HTTP client initialization
- Remove timeout from client (apply per-request via context instead)
- Prevents race conditions when multiple goroutines call execute()

Co-authored-by: mcpherrinm <47425+mcpherrinm@users.noreply.github.com>
Development

Successfully merging this pull request may close these issues.

Support pkimetal via Unix Socket