normalize pki create params; fixes #3307

qrkourier · qrkourier · commit 56359a49d59d · 2026-03-31T10:28:48.000-04:00
diff --git a/ziti/cmd/pki/pki_create.go b/ziti/cmd/pki/pki_create.go
@@ -98,6 +98,31 @@ func (o *PKICreateOptions) Run() error {
 	return o.Cmd.Help()
 }
 
+// ResolveFlagsFromViper backfills struct fields from viper (env vars) when the
+// corresponding CLI flag was not explicitly set.  This allows flags like
+// --ca-file, --curve, --intermediate-file, etc. to be set via ZITI_CA_FILE,
+// ZITI_CURVE, ZITI_INTERMEDIATE_FILE environment variables.
+func (o *PKICreateOptions) ResolveFlagsFromViper(cmd *cobra.Command) {
+	resolve := func(flagName string, target *string) {
+		if !cmd.Flags().Changed(flagName) {
+			if v := o.viper.GetString(flagName); v != "" {
+				*target = v
+			}
+		}
+	}
+	resolve("ca-file", &o.Flags.CAFile)
+	resolve("ca-name", &o.Flags.CAName)
+	resolve("curve", &o.Flags.EcCurve)
+	resolve("intermediate-file", &o.Flags.IntermediateFile)
+	resolve("intermediate-name", &o.Flags.IntermediateName)
+	resolve("server-file", &o.Flags.ServerFile)
+	resolve("server-name", &o.Flags.ServerName)
+	resolve("client-file", &o.Flags.ClientFile)
+	resolve("client-name", &o.Flags.ClientName)
+	resolve("key-file", &o.Flags.KeyFile)
+	resolve("trust-domain", &o.Flags.SpiffeID)
+}
+
 // ObtainPKIRoot returns the value for pki-root
 func (o *PKICreateOptions) ObtainPKIRoot() (string, error) {
 	pkiRoot := o.Flags.PKIRoot
diff --git a/ziti/cmd/pki/pki_create_ca.go b/ziti/cmd/pki/pki_create_ca.go
@@ -82,6 +82,7 @@ func (o *PKICreateCAOptions) addPKICreateCAFlags(cmd *cobra.Command) {
 
 // Run implements this command
 func (o *PKICreateCAOptions) Run() error {
+	o.ResolveFlagsFromViper(o.Cmd)
 	pkiRoot, err := o.ObtainPKIRoot()
 	if err != nil {
 		return err
diff --git a/ziti/cmd/pki/pki_create_client.go b/ziti/cmd/pki/pki_create_client.go
@@ -87,6 +87,7 @@ func (o *PKICreateClientOptions) addPKICreateClientFlags(cmd *cobra.Command) {
 
 // Run implements this command
 func (o *PKICreateClientOptions) Run() error {
+	o.ResolveFlagsFromViper(o.Cmd)
 	pkiRoot, err := o.ObtainPKIRoot()
 	if err != nil {
 		return err
@@ -181,7 +182,7 @@ func (o *PKICreateClientOptions) Run() error {
 	}
 
 	// Concat the newly-created client cert with the intermediate cert to create a client.chain.pem file
-	if err := o.Flags.PKI.Chain(signer, req); err != nil {
+	if err := o.Flags.PKI.Chain(signer, req, o.Flags.AllowOverwrite); err != nil {
 		return errors.Wrap(err, "unable to generate cert chain")
 	}
 
diff --git a/ziti/cmd/pki/pki_create_intermediate.go b/ziti/cmd/pki/pki_create_intermediate.go
@@ -81,6 +81,7 @@ func (o *PKICreateIntermediateOptions) addPKICreateIntermediateFlags(cmd *cobra.
 
 // Run implements this command
 func (o *PKICreateIntermediateOptions) Run() error {
+	o.ResolveFlagsFromViper(o.Cmd)
 	pkiRoot, err := o.ObtainPKIRoot()
 	if err != nil {
 		return err
@@ -142,7 +143,7 @@ func (o *PKICreateIntermediateOptions) Run() error {
 	}
 
 	// Concat the newly-created intermediate cert with the signing cert to create an intermediate.chain.pem file
-	if err := o.Flags.PKI.Chain(signer, req); err != nil {
+	if err := o.Flags.PKI.Chain(signer, req, false); err != nil {
 		return errors.Wrap(err, "unable to generate cert chain")
 	}
 
diff --git a/ziti/cmd/pki/pki_create_key.go b/ziti/cmd/pki/pki_create_key.go
@@ -76,6 +76,7 @@ func (options *PKICreateKeyOptions) addPKICreateKeyFlags(cmd *cobra.Command) {
 
 // Run implements this command
 func (options *PKICreateKeyOptions) Run() error {
+	options.ResolveFlagsFromViper(options.Cmd)
 
 	pkiRoot, err := options.ObtainPKIRoot()
 	if err != nil {
diff --git a/ziti/cmd/pki/pki_create_server.go b/ziti/cmd/pki/pki_create_server.go
@@ -88,6 +88,7 @@ func (o *PKICreateServerOptions) addPKICreateServerFlags(cmd *cobra.Command) {
 
 // Run implements this command
 func (o *PKICreateServerOptions) Run() error {
+	o.ResolveFlagsFromViper(o.Cmd)
 	IPs, DNSNames, err := o.ObtainIPsAndDNSNames()
 	if err != nil {
 		return err
@@ -188,7 +189,7 @@ func (o *PKICreateServerOptions) Run() error {
 	}
 
 	// Concat the newly-created server cert with the intermediate cert to create a server.chain.pem file
-	if err := o.Flags.PKI.Chain(signer, req); err != nil {
+	if err := o.Flags.PKI.Chain(signer, req, o.Flags.AllowOverwrite); err != nil {
 		return errors.Wrap(err, "unable to generate cert chain")
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -87,6 +87,7 @@ func (o PKICreateClientOptions) addPKICreateClientFlags(cmd cobra.Command) {`
`87`	`87`
`88`	`88`	`// Run implements this command`
`89`	`89`	`func (o *PKICreateClientOptions) Run() error {`
	`90`	`+ o.ResolveFlagsFromViper(o.Cmd)`
`90`	`91`	`pkiRoot, err := o.ObtainPKIRoot()`
`91`	`92`	`if err != nil {`
`92`	`93`	`return err`
`@@ -181,7 +182,7 @@ func (o *PKICreateClientOptions) Run() error {`
`181`	`182`	`}`
`182`	`183`
`183`	`184`	`// Concat the newly-created client cert with the intermediate cert to create a client.chain.pem file`
`184`		`- if err := o.Flags.PKI.Chain(signer, req); err != nil {`
	`185`	`+ if err := o.Flags.PKI.Chain(signer, req, o.Flags.AllowOverwrite); err != nil {`
`185`	`186`	`return errors.Wrap(err, "unable to generate cert chain")`
`186`	`187`	`}`
`187`	`188`
Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,7 @@ func (o PKICreateIntermediateOptions) addPKICreateIntermediateFlags(cmd cobra.`
`81`	`81`
`82`	`82`	`// Run implements this command`
`83`	`83`	`func (o *PKICreateIntermediateOptions) Run() error {`
	`84`	`+ o.ResolveFlagsFromViper(o.Cmd)`
`84`	`85`	`pkiRoot, err := o.ObtainPKIRoot()`
`85`	`86`	`if err != nil {`
`86`	`87`	`return err`
`@@ -142,7 +143,7 @@ func (o *PKICreateIntermediateOptions) Run() error {`
`142`	`143`	`}`
`143`	`144`
`144`	`145`	`// Concat the newly-created intermediate cert with the signing cert to create an intermediate.chain.pem file`
`145`		`- if err := o.Flags.PKI.Chain(signer, req); err != nil {`
	`146`	`+ if err := o.Flags.PKI.Chain(signer, req, false); err != nil {`
`146`	`147`	`return errors.Wrap(err, "unable to generate cert chain")`
`147`	`148`	`}`
`148`	`149`
Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,7 @@ func (o PKICreateServerOptions) addPKICreateServerFlags(cmd cobra.Command) {`
`88`	`88`
`89`	`89`	`// Run implements this command`
`90`	`90`	`func (o *PKICreateServerOptions) Run() error {`
	`91`	`+ o.ResolveFlagsFromViper(o.Cmd)`
`91`	`92`	`IPs, DNSNames, err := o.ObtainIPsAndDNSNames()`
`92`	`93`	`if err != nil {`
`93`	`94`	`return err`
`@@ -188,7 +189,7 @@ func (o *PKICreateServerOptions) Run() error {`
`188`	`189`	`}`
`189`	`190`
`190`	`191`	`// Concat the newly-created server cert with the intermediate cert to create a server.chain.pem file`
`191`		`- if err := o.Flags.PKI.Chain(signer, req); err != nil {`
	`192`	`+ if err := o.Flags.PKI.Chain(signer, req, o.Flags.AllowOverwrite); err != nil {`
`192`	`193`	`return errors.Wrap(err, "unable to generate cert chain")`
`193`	`194`	`}`
`194`	`195`