cli: implement cluster worker publish command

oleg-jukovec · oleg-jukovec · commit e33c53a31efd · 2026-04-16T17:34:10.000+03:00
@TarantoolBot document Title: `tt cluster worker publish` implementation Implement `tt cluster worker publish` command for publishing worker configurations to etcd or tarantool config storage (TCS). The command accepts a URL with format: ``` http(s)://[username:password@]host:port/prefix/host-name/worker-name ``` * prefix - a base path to the worker configuration. * host-name - a name of the host. * worker-name - a name of the worker. Possible arguments: * timeout - a request timeout in seconds (default 3.0). * ssl_key_file - a path to a private SSL key file. * ssl_cert_file - a path to an SSL certificate file. * ssl_ca_file - a path to a trusted certificate authorities (CA) file. * ssl_ca_path - a path to a trusted certificate authorities (CA) directory. * ssl_ciphers - a list of allowed SSL ciphers. * verify_host - set off (default true) verification of the certificate’s name against the host. * verify_peer - set off (default true) verification of the peer’s SSL certificate. The command supports the following environment variables: * TT_CLI_USERNAME - specifies a Tarantool username; * TT_CLI_PASSWORD - specifies a Tarantool password. * TT_CLI_ETCD_USERNAME - specifies a Etcd username; * TT_CLI_ETCD_PASSWORD - specifies a Etcd password. The priority of credentials: environment variables < command flags < URL credentials. Usage: ``` tt cluster worker publish <URI> <FILE> ``` Supported flags: --force force publish and skip checking existence -h, --help help for publish -p, --password string password (used as etcd/tarantool config storage credentials) -u, --username string username (used as etcd/tarantool config storage credentials) Example: ``` tt cluster worker publish \ https://user:pass@localhost:2379/cluster/workers/host/server-1 \ worker.yaml ``` The implementation uses go-storage library for both etcd and TCS. Without --force flag, it checks if the key already exists before publishing. Due to go-storage limitations (no "count" predicate support), this check is done via two separate transactions with a potential race condition. Closes TNTP-7062
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ### Added
 
+- `tt cluster`: worker publish subcommand.
+
 ### Changed
 
 ### Fixed
diff --git a/cli/cluster/cmd/storage.go b/cli/cluster/cmd/storage.go
@@ -0,0 +1,198 @@
+package cmd
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"io/fs"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/tarantool/go-storage"
+	etcdDriver "github.com/tarantool/go-storage/driver/etcd"
+	tcsDriver "github.com/tarantool/go-storage/driver/tcs"
+	"github.com/tarantool/go-tarantool/v2"
+	libconnect "github.com/tarantool/tt/lib/connect"
+	"github.com/tarantool/tt/lib/dial"
+	"go.etcd.io/etcd/client/pkg/v3/transport"
+	clientv3 "go.etcd.io/etcd/client/v3"
+	"go.uber.org/zap"
+	"google.golang.org/grpc"
+)
+
+// ConnectStorage connects to etcd or tarantool config storage and returns
+// a storage.Storage instance. It tries etcd first, then tarantool.
+func ConnectStorage(
+	opts libconnect.UriOpts,
+	username, password string,
+) (storage.Storage, func(), error) {
+	etcdcli, errEtcd := connectEtcd(opts, username, password)
+	if errEtcd == nil {
+		drv := etcdDriver.New(etcdcli)
+		stg := storage.NewStorage(drv)
+		return stg, func() { etcdcli.Close() }, nil
+	}
+
+	conn, errTarantool := connectTarantool(opts, username, password)
+	if errTarantool == nil {
+		drv := tcsDriver.New(conn)
+		stg := storage.NewStorage(drv)
+		return stg, func() { conn.Close() }, nil
+	}
+
+	return nil, nil, fmt.Errorf("failed to connect to etcd or tarantool: %w, %w",
+		errTarantool, errEtcd)
+}
+
+// connectEtcd creates an etcd client from URI options.
+func connectEtcd(
+	opts libconnect.UriOpts,
+	username, password string,
+) (*clientv3.Client, error) {
+	var endpoints []string
+	if opts.Endpoint != "" {
+		endpoints = []string{opts.Endpoint}
+	}
+
+	etcdUsername := username
+	etcdPassword := password
+	if etcdUsername == "" {
+		etcdUsername = os.Getenv(libconnect.EtcdUsernameEnv)
+	}
+	if etcdPassword == "" {
+		etcdPassword = os.Getenv(libconnect.EtcdPasswordEnv)
+	}
+
+	var tlsConfig *tls.Config
+	if opts.KeyFile != "" || opts.CertFile != "" || opts.CaFile != "" ||
+		opts.CaPath != "" || opts.SkipHostVerify {
+
+		tlsInfo := transport.TLSInfo{
+			CertFile:      opts.CertFile,
+			KeyFile:       opts.KeyFile,
+			TrustedCAFile: opts.CaFile,
+		}
+
+		var err error
+		tlsConfig, err = tlsInfo.ClientConfig()
+		if err != nil {
+			return nil, fmt.Errorf("failed to create tls client config: %w", err)
+		}
+
+		if opts.CaPath != "" {
+			roots, err := loadRootCACerts(opts.CaPath)
+			if err != nil {
+				return nil, fmt.Errorf("failed to load CA directory: %w", err)
+			}
+			tlsConfig.RootCAs = roots
+		}
+
+		if opts.SkipHostVerify {
+			tlsConfig.InsecureSkipVerify = true
+		}
+	}
+
+	client, err := clientv3.New(clientv3.Config{
+		Endpoints:   endpoints,
+		DialTimeout: opts.Timeout,
+		Username:    etcdUsername,
+		Password:    etcdPassword,
+		TLS:         tlsConfig,
+		Logger:      zap.NewNop(),
+		DialOptions: []grpc.DialOption{grpc.WithBlock()}, //nolint:staticcheck
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create etcd client: %w", err)
+	}
+
+	return client, nil
+}
+
+// connectTarantool creates a tarantool connection from URI options.
+func connectTarantool(
+	opts libconnect.UriOpts,
+	username, password string,
+) (*tarantool.Connection, error) {
+	tarantoolUsername := username
+	tarantoolPassword := password
+	if tarantoolUsername == "" {
+		tarantoolUsername = os.Getenv(libconnect.TarantoolUsernameEnv)
+	}
+	if tarantoolPassword == "" {
+		tarantoolPassword = os.Getenv(libconnect.TarantoolPasswordEnv)
+	}
+
+	dialOpts := dial.Opts{
+		Address:     fmt.Sprintf("tcp://%s", opts.Host),
+		User:        tarantoolUsername,
+		Password:    tarantoolPassword,
+		SslKeyFile:  opts.KeyFile,
+		SslCertFile: opts.CertFile,
+		SslCaFile:   opts.CaFile,
+		SslCiphers:  opts.Ciphers,
+	}
+
+	dialer, err := dial.New(dialOpts)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create dialer: %w", err)
+	}
+
+	connectorOpts := tarantool.Opts{
+		Timeout: opts.Timeout,
+	}
+
+	ctx, cancel := contextWithTimeout(connectorOpts.Timeout)
+	defer cancel()
+
+	conn, err := tarantool.Connect(ctx, dialer, connectorOpts)
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to tarantool: %w", err)
+	}
+
+	return conn, nil
+}
+
+// contextWithTimeout creates a context with optional timeout.
+func contextWithTimeout(timeout time.Duration) (context.Context, context.CancelFunc) {
+	if timeout > 0 {
+		return context.WithTimeout(context.Background(), timeout)
+	}
+	return context.Background(), func() {}
+}
+
+// loadRootCACerts loads root CA certificates from a directory.
+func loadRootCACerts(caPath string) (*x509.CertPool, error) {
+	roots := x509.NewCertPool()
+
+	files, err := os.ReadDir(caPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read CA directory: %w", err)
+	}
+
+	for _, f := range files {
+		if f.IsDir() || isSameDirSymlink(f, caPath) {
+			continue
+		}
+
+		data, err := os.ReadFile(caPath + "/" + f.Name())
+		if err != nil {
+			continue
+		}
+
+		roots.AppendCertsFromPEM(data)
+	}
+
+	return roots, nil
+}
+
+// isSameDirSymlink checks if a directory entry is a symlink pointing to the same directory.
+func isSameDirSymlink(f fs.DirEntry, dir string) bool {
+	if f.Type()&fs.ModeSymlink == 0 {
+		return false
+	}
+
+	target, err := os.Readlink(dir + "/" + f.Name())
+	return err == nil && !strings.Contains(target, "/")
+}
diff --git a/cli/cluster/cmd/worker.go b/cli/cluster/cmd/worker.go
@@ -1,24 +1,27 @@
 package cmd
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"strings"
 
+	"github.com/tarantool/go-storage"
+	"github.com/tarantool/go-storage/operation"
 	libconnect "github.com/tarantool/tt/lib/connect"
 )
 
 // WorkerPublishCtx contains information about cluster worker publish command
 // execution context.
 type WorkerPublishCtx struct {
-	// Username defines a username for connection.
-	Username string
-	// Password defines a password for connection.
-	Password string
-	// Force defines whether the publish should be forced.
-	Force bool
+	// Storage is the storage instance for the operation.
+	Storage storage.Storage
+	// Key is the key in storage for the worker configuration.
+	Key string
 	// Src is a raw data to publish.
 	Src []byte
+	// Force defines whether the publish should be forced.
+	Force bool
 }
 
 // WorkerShowCtx contains information about cluster worker show command
@@ -108,9 +111,50 @@ func ResolveWorkerCredentials(
 	return username, password
 }
 
-// WorkerPublish publishes a worker configuration. Unimplemented.
-func WorkerPublish(url string, ctx WorkerPublishCtx) error {
-	return fmt.Errorf("unimplemented")
+// WorkerPublish publishes a worker configuration to storage.
+// Without Force flag, it checks if the key already exists and returns an error if so.
+// With Force flag, it overwrites the existing configuration unconditionally.
+func WorkerPublish(publishCtx WorkerPublishCtx) error {
+	ctx := context.Background()
+	key := []byte(publishCtx.Key)
+	value := publishCtx.Src
+
+	if publishCtx.Force {
+		_, err := publishCtx.Storage.Tx(ctx).Then(operation.Put(key, value)).Commit()
+		if err != nil {
+			return fmt.Errorf("failed to publish worker configuration: %w", err)
+		}
+		return nil
+	}
+
+	// Without force: check if key exists first, then put.
+	// Note: This is not atomic - there's a race condition between Get and Put.
+	// For TCS (tarantool config storage), we cannot use predicates like
+	// VersionEqual or ValueEqual because they require an existing record.
+	// TCS supports "count" predicate (count == 0 for non-existent key),
+	// but go-storage library doesn't support it yet.
+	// See: https://github.com/tarantool/go-storage/issues
+	getResp, err := publishCtx.Storage.Tx(ctx).Then(operation.Get(key)).Commit()
+	if err != nil {
+		return fmt.Errorf("failed to publish worker configuration: %w", err)
+	}
+
+	// Check if key exists (has values in results).
+	for _, result := range getResp.Results {
+		if len(result.Values) > 0 {
+			return fmt.Errorf(
+				"worker configuration already exists at %q, use --force to overwrite",
+				publishCtx.Key)
+		}
+	}
+
+	// Key doesn't exist, perform Put.
+	_, err = publishCtx.Storage.Tx(ctx).Then(operation.Put(key, value)).Commit()
+	if err != nil {
+		return fmt.Errorf("failed to publish worker configuration: %w", err)
+	}
+
+	return nil
 }
 
 // WorkerShow shows a worker configuration. Unimplemented.
diff --git a/cli/cluster/cmd/worker_test.go b/cli/cluster/cmd/worker_test.go
@@ -239,11 +239,6 @@ func TestResolveWorkerCredentials(t *testing.T) {
 	}
 }
 
-func TestWorkerPublish(t *testing.T) {
-	err := WorkerPublish("http://localhost:2379/prefix/host/worker", WorkerPublishCtx{})
-	require.EqualError(t, err, "unimplemented")
-}
-
 func TestWorkerShow(t *testing.T) {
 	err := WorkerShow("http://localhost:2379/prefix/host/worker", WorkerShowCtx{})
 	require.EqualError(t, err, "unimplemented")
diff --git a/cli/cmd/cluster.go b/cli/cmd/cluster.go
@@ -67,11 +67,14 @@ var switchStatusCtx = clustercmd.SwitchStatusCtx{
 var rolesChangeCtx = clustercmd.RolesChangeCtx{}
 
 var workerPublishCtx = clustercmd.WorkerPublishCtx{
-	Username: "",
-	Password: "",
-	Force:    false,
+	Force: false,
 }
 
+var (
+	workerPublishUsername string
+	workerPublishPassword string
+)
+
 var workerShowCtx = clustercmd.WorkerShowCtx{
 	Username: "",
 	Password: "",
@@ -306,9 +309,9 @@ func newClusterWorkerCmd() *cobra.Command {
 		Run:  RunModuleFunc(internalClusterWorkerPublishModule),
 		Args: cobra.ExactArgs(2),
 	}
-	publishCmd.Flags().StringVarP(&workerPublishCtx.Username, "username", "u", "",
+	publishCmd.Flags().StringVarP(&workerPublishUsername, "username", "u", "",
 		"username (used as etcd/tarantool config storage credentials)")
-	publishCmd.Flags().StringVarP(&workerPublishCtx.Password, "password", "p", "",
+	publishCmd.Flags().StringVarP(&workerPublishPassword, "password", "p", "",
 		"password (used as etcd/tarantool config storage credentials)")
 	publishCmd.Flags().BoolVar(&workerPublishCtx.Force, "force", false,
 		"force publish and skip checking existence")
@@ -617,10 +620,23 @@ func internalClusterWorkerPublishModule(cmdCtx *cmdcontext.CmdCtx, args []string
 	}
 	workerPublishCtx.Src = data
 
-	workerPublishCtx.Username, workerPublishCtx.Password = clustercmd.ResolveWorkerCredentials(
-		opts, workerPublishCtx.Username, workerPublishCtx.Password)
+	prefix, hostName, workerName, err := clustercmd.ParseWorkerPath(opts.Prefix)
+	if err != nil {
+		return fmt.Errorf("failed to parse URL path: %w", err)
+	}
+	workerPublishCtx.Key = clustercmd.BuildWorkerStorageKey(prefix, hostName, workerName)
+
+	username, password := clustercmd.ResolveWorkerCredentials(
+		opts, workerPublishUsername, workerPublishPassword)
+
+	stg, closeFunc, err := clustercmd.ConnectStorage(opts, username, password)
+	if err != nil {
+		return fmt.Errorf("failed to connect to storage: %w", err)
+	}
+	defer closeFunc()
+	workerPublishCtx.Storage = stg
 
-	if err := clustercmd.WorkerPublish(args[0], workerPublishCtx); err != nil {
+	if err := clustercmd.WorkerPublish(workerPublishCtx); err != nil {
 		return fmt.Errorf("failed to publish worker configuration: %w", err)
 	}
 	return nil
diff --git a/go.mod b/go.mod
@@ -29,6 +29,7 @@ require (
 	github.com/stretchr/testify v1.11.1
 	github.com/tarantool/cartridge-cli v0.0.0-00010101000000-000000000000
 	github.com/tarantool/go-prompt v1.0.1
+	github.com/tarantool/go-storage v1.1.2
 	github.com/tarantool/go-tarantool v1.12.3
 	github.com/tarantool/go-tarantool/v2 v2.4.2
 	github.com/tarantool/tt/lib/cluster v0.0.0
@@ -40,6 +41,7 @@ require (
 	go.etcd.io/etcd/client/pkg/v3 v3.6.8
 	go.etcd.io/etcd/client/v3 v3.6.8
 	go.etcd.io/etcd/tests/v3 v3.6.8
+	go.uber.org/zap v1.27.1
 	golang.org/x/crypto v0.49.0
 	golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa
 	golang.org/x/sys v0.42.0
@@ -129,7 +131,6 @@ require (
 	github.com/tarantool/go-iproto v1.1.0 // indirect
 	github.com/tarantool/go-openssl v1.2.1 // indirect
 	github.com/tarantool/go-option v1.0.0 // indirect
-	github.com/tarantool/go-storage v1.1.2 // indirect
 	github.com/tarantool/go-tlsdialer v1.0.2 // indirect
 	github.com/tklauser/go-sysconf v0.3.4 // indirect
 	github.com/tklauser/numcpus v0.2.1 // indirect
@@ -155,7 +156,6 @@ require (
 	go.opentelemetry.io/otel/trace v1.42.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.27.1 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	golang.org/x/net v0.52.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
diff --git a/go.sum b/go.sum
diff --git a/test/integration/cluster/test_cluster_worker.py b/test/integration/cluster/test_cluster_worker.py

Original file line number	Diff line number	Diff line change
`@@ -239,11 +239,6 @@ func TestResolveWorkerCredentials(t *testing.T) {`
`239`	`239`	`}`
`240`	`240`	`}`
`241`	`241`
`242`		`-func TestWorkerPublish(t *testing.T) {`
`243`		`- err := WorkerPublish("http://localhost:2379/prefix/host/worker", WorkerPublishCtx{})`
`244`		`- require.EqualError(t, err, "unimplemented")`
`245`		`-}`
`246`		`-`
`247`	`242`	`func TestWorkerShow(t *testing.T) {`
`248`	`243`	`err := WorkerShow("http://localhost:2379/prefix/host/worker", WorkerShowCtx{})`
`249`	`244`	`require.EqualError(t, err, "unimplemented")`