diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 0000000000..0e330cf380
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,68 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "master" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "master" ]
+ schedule:
+ - cron: '30 20 * * 0'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'go' ]
+ # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+
+
+ # ℹī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + - run: | + echo "Run, Build Application using script" + make dist/flanneld + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 diff --git a/backend/ipsec/ipsec.go b/backend/ipsec/ipsec.go index 43f45bb260..a1a2b55bfc 100644 --- a/backend/ipsec/ipsec.go +++ b/backend/ipsec/ipsec.go @@ -89,9 +89,7 @@ func (be *IPSECBackend) RegisterNetwork( } if len(cfg.PSK) < minPasswordLength { - return nil, fmt.Errorf( - "config error, password should be at least %d characters long", - minPasswordLength) + return nil, fmt.Errorf("config error, password is too short") } log.Infof("IPSec config: UDPEncap=%v ESPProposal=%s", cfg.UDPEncap, cfg.ESPProposal) diff --git a/dist/functional-test.sh b/dist/functional-test.sh index 44a1844ff3..5a067f0b5c 100755 --- a/dist/functional-test.sh +++ b/dist/functional-test.sh @@ -28,7 +28,14 @@ setup_suite() { # Start etcd docker rm -f flannel-e2e-test-etcd >/dev/null 2>/dev/null - docker run --name=flannel-e2e-test-etcd -d --dns 8.8.8.8 -e ETCD_UNSUPPORTED_ARCH=${ARCH} -p 2379:2379 $ETCD_IMG $ETCD_LOCATION --listen-client-urls http://0.0.0.0:2379 --advertise-client-urls $etcd_endpt >/dev/null + docker run --name=flannel-e2e-test-etcd -d --dns 8.8.8.8 -v "${PWD}/test:/certs" \ + -e ETCD_UNSUPPORTED_ARCH=${ARCH} -p 2379:2379 $ETCD_IMG $ETCD_LOCATION \ + --listen-client-urls http://0.0.0.0:2379 \ + --cert-file=/certs/server.pem \ + --key-file=/certs/server-key.pem \ + --client-cert-auth \ + --trusted-ca-file=/certs/ca.pem \ + --advertise-client-urls $etcd_endpt >/dev/null } teardown_suite() { 
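Review bot: The three `uses:` lines in this workflow (`actions/checkout@v3`, `github/codeql-action/init@v2`, `github/codeql-action/analyze@v2`) reference mutable major-version tags, so a job that holds `security-events: write` runs whatever those tags point to at execution time; pin each one to a full-length commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v3`, and let Dependabot move the pins. The `- run: |` step that runs `make dist/flanneld` has no `name:` and sits under template comments that still say "If the Autobuild fails above", although no Autobuild step exists in this hunk; give it `- name: Build flanneld` and replace the two template comment lines with one that says the build is done manually so CodeQL observes the Go build. The `permissions:` block is already scoped to the minimum the CodeQL actions need, which is good.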
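Review bot: The new `fmt.Errorf` line drops `minPasswordLength`, which is the one fact an operator needs to fix the config, and that bound is a package constant visible in the source rather than a secret, so omitting it from the message reduces no disclosure; keep the threshold and name the field being checked, `return nil, fmt.Errorf("config error, PSK must be at least %d characters long", minPasswordLength)`. If the shorter message was chosen to satisfy a scanner finding, a one-line comment above the `if len(cfg.PSK) < minPasswordLength` check stating that rationale would stop the next reader from restoring the detail. The remainder of RegisterNetwork lies outside the hunk.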
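Review bot: The `-v "${PWD}/test:/certs"` mount added to the etcd `docker run` exposes the whole fixture directory, including `ca-key.pem`, inside the container, although etcd only needs `server.pem`, `server-key.pem` and `ca.pem`; the same directory is mounted into the flannel, etcdctl and flannel-host containers in the setup/teardown, write_config_etcd and test_multi hunks, none of which needs the CA signing key. Mounting only the required files read-only (`-v "${PWD}/test/ca.pem:/certs/ca.pem:ro"` and likewise for the server or client pair) or keeping the CA key outside `dist/test` keeps the signing key off every container. The mount path also assumes the script is run from `dist/`; if that is not already a documented precondition, `$(dirname "$0")/test` in place of `${PWD}/test` removes the dependency. Note that `server.json` lists only 127.0.0.1 and 172.17.0.1 as hosts, so `$etcd_endpt` (set outside this hunk) must use one of those addresses for the new `--client-cert-auth` handshake to verify.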
@@ -39,18 +46,18 @@ teardown_suite() { setup() { # rm any old flannel container that maybe running, ignore error as it might not exist docker rm -f flannel-e2e-test-flannel1 >/dev/null 2>/dev/null - assert "docker run --name=flannel-e2e-test-flannel1 -d --privileged $FLANNEL_DOCKER_IMAGE --etcd-endpoints=$etcd_endpt -v 10 >/dev/null" + assert "docker run -v ${PWD}/test:/certs --name=flannel-e2e-test-flannel1 -d --privileged $FLANNEL_DOCKER_IMAGE --etcd-cafile=/certs/ca.pem --etcd-certfile=/certs/client.pem --etcd-keyfile=/certs/client-key.pem --etcd-endpoints=$etcd_endpt -v 10" # rm any old flannel container that maybe running, ignore error as it might not exist docker rm -f flannel-e2e-test-flannel2 >/dev/null 2>/dev/null - assert "docker run --name=flannel-e2e-test-flannel2 -d --privileged $FLANNEL_DOCKER_IMAGE --etcd-endpoints=$etcd_endpt -v 10 >/dev/null" + assert "docker run -v ${PWD}/test:/certs --name=flannel-e2e-test-flannel2 -d --privileged $FLANNEL_DOCKER_IMAGE --etcd-cafile=/certs/ca.pem --etcd-certfile=/certs/client.pem --etcd-keyfile=/certs/client-key.pem --etcd-endpoints=$etcd_endpt -v 10" } teardown() { echo "########## logs for flannel-e2e-test-flannel1 container ##########" 2>&1 docker logs flannel-e2e-test-flannel1 docker rm -f flannel-e2e-test-flannel1 flannel-e2e-test-flannel2 flannel-e2e-test-flannel1-iperf flannel-host1 flannel-host2 > /dev/null 2>&1 - docker run --rm -e ETCDCTL_API=3 $ETCDCTL_IMG etcdctl --endpoints=$etcd_endpt del /coreos.com/network/config > /dev/null 2>&1 + docker run --rm -e ETCDCTL_API=3 -v "${PWD}/test:/certs" $ETCDCTL_IMG etcdctl --endpoints=$etcd_endpt --cacert=/certs/ca.pem --cert=/certs/client.pem --key=/certs/client-key.pem del /coreos.com/network/config > /dev/null 2>&1 } write_config_etcd() { 
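Review bot: The two rewritten `assert "docker run ..."` lines for flannel-e2e-test-flannel1 and flannel-e2e-test-flannel2 no longer end in `>/dev/null`, so the container ids are now echoed into the test output; if that was not intended, restore the redirection inside the quoted command. These two lines also leave `${PWD}/test` unquoted while the etcd and etcdctl invocations quote it; a path with spaces would split the `-v` argument, so `-v "${PWD}/test:/certs"` keeps the call sites consistent.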
@@ -62,7 +69,7 @@ write_config_etcd() { flannel_conf="{ \"Network\": \"$FLANNEL_NET\", \"Backend\": { \"Type\": \"${backend}\" } }" fi - while ! docker run --rm -e ETCDCTL_API=3 $ETCDCTL_IMG etcdctl --endpoints=$etcd_endpt put /coreos.com/network/config "$flannel_conf" >/dev/null + while ! docker run --rm -e ETCDCTL_API=3 -v "${PWD}/test:/certs" $ETCDCTL_IMG etcdctl --endpoints=$etcd_endpt --cacert=/certs/ca.pem --cert=/certs/client.pem --key=/certs/client-key.pem put /coreos.com/network/config "$flannel_conf" >/dev/null do sleep 0.1 done @@ -193,12 +200,12 @@ test_multi() { flannel_conf_vxlan='{"Network": "10.11.0.0/16", "Backend": {"Type": "vxlan"}}' flannel_conf_host_gw='{"Network": "10.12.0.0/16", "Backend": {"Type": "host-gw"}}' - while ! docker run --rm -e ETCDCTL_API=3 $ETCD_IMG etcdctl --endpoints=$etcd_endpt put /vxlan/network/config "$flannel_conf_vxlan" >/dev/null + while ! docker run --rm -e ETCDCTL_API=3 -v "${PWD}/test:/certs" $ETCD_IMG etcdctl --endpoints=$etcd_endpt --cacert=/certs/ca.pem --cert=/certs/client.pem --key=/certs/client-key.pem put /vxlan/network/config "$flannel_conf_vxlan" >/dev/null do sleep 0.1 done - while ! docker run --rm -e ETCDCTL_API=3 $ETCD_IMG etcdctl --endpoints=$etcd_endpt put /hostgw/network/config "$flannel_conf_host_gw" >/dev/null + while ! docker run --rm -e ETCDCTL_API=3 -v "${PWD}/test:/certs" $ETCD_IMG etcdctl --endpoints=$etcd_endpt --cacert=/certs/ca.pem --cert=/certs/client.pem --key=/certs/client-key.pem put /hostgw/network/config "$flannel_conf_host_gw" >/dev/null do sleep 0.1 done 
@@ -208,11 +215,11 @@ test_multi() { docker rm -f flannel-host$host 2>/dev/null >/dev/null # Start the hosts - docker run --name=flannel-host$host -id --privileged --entrypoint /bin/sh $FLANNEL_DOCKER_IMAGE >/dev/null + docker run -v "${PWD}/test:/certs" --name=flannel-host$host -id --privileged --entrypoint /bin/sh $FLANNEL_DOCKER_IMAGE >/dev/null # Start two flanneld instances - docker exec -d flannel-host$host sh -c "/opt/bin/flanneld -v 10 -subnet-file /vxlan.env -etcd-prefix=/vxlan/network --etcd-endpoints=$etcd_endpt 2>vxlan.log" - docker exec -d flannel-host$host sh -c "/opt/bin/flanneld -v 10 -subnet-file /hostgw.env -etcd-prefix=/hostgw/network --etcd-endpoints=$etcd_endpt 2>hostgw.log" + docker exec -d flannel-host$host sh -c "/opt/bin/flanneld -v 10 -subnet-file /vxlan.env -etcd-prefix=/vxlan/network --etcd-cafile=/certs/ca.pem --etcd-certfile=/certs/client.pem --etcd-keyfile=/certs/client-key.pem --etcd-endpoints=$etcd_endpt 2>vxlan.log" + docker exec -d flannel-host$host sh -c "/opt/bin/flanneld -v 10 -subnet-file /hostgw.env -etcd-prefix=/hostgw/network --etcd-cafile=/certs/ca.pem --etcd-certfile=/certs/client.pem --etcd-keyfile=/certs/client-key.pem --etcd-endpoints=$etcd_endpt 2>hostgw.log" done for host in 1 2; do diff --git a/dist/test/ca-config.json b/dist/test/ca-config.json new file mode 100644 index 0000000000..dba73de8fe --- /dev/null +++ b/dist/test/ca-config.json @@ -0,0 +1,34 @@ +{ + "signing": { + "default": { + "expiry": "43800h" + }, + "profiles": { + "server": { + "expiry": "43800h", + "usages": [ + "signing", + "key encipherment", + "server auth" + ] + }, + "client": { + "expiry": "43800h", + "usages": [ + "signing", + "key encipherment", + "client auth" + ] + }, + "peer": { + "expiry": "43800h", + "usages": [ + "signing", + "key encipherment", + "server auth", + "client auth" + ] + } + } + } +} diff --git a/dist/test/ca-csr.json b/dist/test/ca-csr.json new file mode 100644 index 0000000000..146d17c4e9 --- /dev/null 
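Review bot: The three profiles in ca-config.json set `expiry` to `43800h`, so the committed `ca.pem`, `server.pem` and `client.pem` stop validating roughly five years after issuance and the e2e suite will then fail on a TLS handshake with no obvious cause; the commit adds what look like cfssl inputs (ca-csr.json, server.json, client.json, member1.json) but no script that turns them into certificates. Add a small `dist/test/gen-certs.sh` or Makefile target that regenerates the CA and leaf certs from these JSON files, and a README in `dist/test` stating that the fixtures are test-only keys and how to regenerate them, so a secret-scanner hit on the committed private keys can be triaged quickly. `member1.json` is not referenced by any other file in this diff; if nothing consumes it, drop it.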
+++ b/dist/test/ca-csr.json
@@ -0,0 +1,17 @@
+{
+ "CN": "My own CA",
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "US",
+ "L": "CA",
+ "O": "My Company Name",
+ "ST": "San Francisco",
+ "OU": "Org Unit 1",
+ "OU": "Org Unit 2"
+ }
+ ]
+}
diff --git a/dist/test/ca-key.pem b/dist/test/ca-key.pem
new file mode 100644
index 0000000000..84483f9902
--- /dev/null
+++ b/dist/test/ca-key.pem
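Review bot: The `names` entry repeats the `"OU"` key (`"Org Unit 1"` then `"Org Unit 2"`); JSON parsers keep only one value for a duplicated key, usually the last, and the subject encoded in the committed ca.pem appears to carry only `Org Unit 2`, so the first value is silently lost. Remove the duplicate and keep a single `"OU"` value, or, if the generating tool accepts a list for multiple units, express both that way; either form parses unambiguously.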
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAu5kCsujw2F5xuFSJ6GXpwa7WFBbcYiJD7bw+9irHL0BIUs9N +pNi8B6dev0DM7ReIPJCgrnJyT+5dhwmGsQ3u0MHr0wMQwnHDytvV445VQlYafooz +Mb2Wdc3rLfkATEudvCn9gcs0/6N4OfY8bGLVRFplWHfhD1a9SsSFvGFQvkjRKysI +1UaoEDj13LS8ZA63mS3xI1ovcCGq/nvNUTB30H3viGSxLc7jS3lqFJ56hMFIWqbo +z7g6NHUqbOgbOnKCVI1Dk/pmpczQoynbmY6ZpA31alhH9p5tluc+Vdg0z4LTTsWO +Es8GtXPWh0epgG+7rGyThbjTRVKl5WcIRIz7AQIDAQABAoIBAAn7+sjK3QanACZv +WWelBOvqAjrPfKs8Z6Efg7pWTIOXSEIgBmHfpyJBJinHqSB1QCr5B5RBQxQ9+3xU +ZXbG5w71QzfX0eyHYYRKbvfNe3wsWPyjHlZnYLqkWv/3YKyu2ZZKJdPinM9+Q8fR +8yVRnUgmB37N4oyOcUSpcPS1uTZnUmPYANk9MCbFdLGDc3dKw2imJQj0L2SO2ynj +e2jpyGQaa6CqOHJDx3gjW5JFZZBgTsafajTKQN91s/Bvue9Ggqw4K5MQ09058FIU +499dmeU8DBTZjJZNUe+MmLxPJo8bl0S6xeC3Xj9lZ3jEEUu1POyx+l+gvRKREoqS +Cz5wKIECgYEA4jv5++0Bn7DXYDJPQEPTk886AA9qstKq6PcCPA/tu7hLWijZJsmX +AX6NSjj5BJaDi892RMFX+2EOWmyfT2p3MzG5JAKgiQMW4VYnxFIZfi1dzL9e/zlK +StVA+puCkOGGaqa+LVVDSmkQIUtVC/aHKiAkE4pRcIaqZG/SKLu035sCgYEA1Eet +Lt8E7j9DYqif1cJqgE8fj60X+Z/w6CPB/GHCo5bRIqa/t0X2lJh1Pya7MpI2wLt4 +NolZ9U44w86xuRjBn/aVUBBw1+goBeeiiOAChPGOAdmIcdn1lhGcQxMA4R8mN0/O +O35VyxFn5rCIMFgbmszzbj/faF+sk/sd10drj5MCgYBy+d5LbaFkokBjUE48r/vo +Y+nrO+qTJUPdECQfmEzPGZOaJ6Zs8wj+pm1yKlBMR55lQLOvr79iL2pXBFtWxhn8 +d6nLJlamK17GeL3PJZZ1LOM9+ohyF5CtRYI3my8ZKLTioQmICowfVhPvh9SaNtls +zFbpY2OOV7JjRv083GDJPwKBgQChNZW1pLRv4idgg0Ju6WhL7MrBJ+ivL+GZyZ4F +9pAEAALu18d8fWtXSbiwrs83BocCMtyGPiTNAAxn105sjPpuaqrV1MZ9kNbkNRbf +7466O19m1Dakj6vLva/32DSwwiEZnEe4MqcgwiUvshya6i58juzHa0ZUU2QSNYBh +/uEWdQKBgGWTbt1fl89585SFldW73RxIjw7Jb4gSVq4k8fG3KUhOqhrMRlpZbtAi +ij3DrDl1M5g81NVZflOthoy3UoZjxfIx56hPUnbLPH/llU+HeIGjHEmyFWIcklmR +hyi5y1dzuxBB4zL1aExiO0mGI+Q/XtZdiwSEvYPFQJ7UYSX8NQsG +-----END RSA PRIVATE KEY----- diff --git a/dist/test/ca.csr b/dist/test/ca.csr new file mode 100644 index 0000000000..c4c5189af7 --- /dev/null +++ b/dist/test/ca.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICujCCAaICAQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lz +Y28xCzAJBgNVBAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNV +BAsTCk9yZyBVbml0IDIxEjAQBgNVBAMTCU15IG93biBDQTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALuZArLo8NhecbhUiehl6cGu1hQW3GIiQ+28PvYq +xy9ASFLPTaTYvAenXr9AzO0XiDyQoK5yck/uXYcJhrEN7tDB69MDEMJxw8rb1eOO +VUJWGn6KMzG9lnXN6y35AExLnbwp/YHLNP+jeDn2PGxi1URaZVh34Q9WvUrEhbxh +UL5I0SsrCNVGqBA49dy0vGQOt5kt8SNaL3Ahqv57zVEwd9B974hksS3O40t5ahSe +eoTBSFqm6M+4OjR1KmzoGzpyglSNQ5P6ZqXM0KMp25mOmaQN9WpYR/aebZbnPlXY +NM+C007FjhLPBrVz1odHqYBvu6xsk4W400VSpeVnCESM+wECAwEAAaAAMA0GCSqG +SIb3DQEBCwUAA4IBAQCBL1hc4uT1BhYZVVFqEXkFWxWpb7R+Ia9Z1ZBpz9isTE1F +RUqG7shpHrQDqY6uQsEyYC1zHVJDacCXkfQqAiKO7mnB09b4bIkLAxb7glDm83g+ +5ur3lHTkJptWncvisV6B0I6fvPpNnUd9UlOt6EVYLSdMqIY15iISWXIvWPe/cxur +Gf0gc21oK+MHZZa8BdhQlnVGzU5tw1eqXoOsNynSoCdws+M/9kZXL6Nq1859RGMT +MgZZRDZAD1TBrDTw7LH4b0UE1uqyc2EsJ8FtRuVwQiTePyPPMR8jFh9iHixs52S8 +z/71hCoj/gD0CElA+pnxgGn6hdbTQyjHJhNuGqmg +-----END CERTIFICATE REQUEST----- diff --git a/dist/test/ca.pem b/dist/test/ca.pem new file mode 100644 index 0000000000..0cc57569ed --- /dev/null +++ b/dist/test/ca.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDujCCAqKgAwIBAgIURksNLgjamSSvFUWdYjuUq9ML3EAwDQYJKoZIhvcNAQEL +BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV +BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV +bml0IDIxEjAQBgNVBAMTCU15IG93biBDQTAeFw0yMjA4MTkwODUzMDBaFw0yNzA4 +MTgwODUzMDBaMHUxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1TYW4gRnJhbmNpc2Nv +MQswCQYDVQQHEwJDQTEYMBYGA1UEChMPTXkgQ29tcGFueSBOYW1lMRMwEQYDVQQL +EwpPcmcgVW5pdCAyMRIwEAYDVQQDEwlNeSBvd24gQ0EwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQC7mQKy6PDYXnG4VInoZenBrtYUFtxiIkPtvD72Kscv +QEhSz02k2LwHp16/QMztF4g8kKCucnJP7l2HCYaxDe7QwevTAxDCccPK29XjjlVC +Vhp+ijMxvZZ1zest+QBMS528Kf2ByzT/o3g59jxsYtVEWmVYd+EPVr1KxIW8YVC+ +SNErKwjVRqgQOPXctLxkDreZLfEjWi9wIar+e81RMHfQfe+IZLEtzuNLeWoUnnqE +wUhapujPuDo0dSps6Bs6coJUjUOT+malzNCjKduZjpmkDfVqWEf2nm2W5z5V2DTP +gtNOxY4Szwa1c9aHR6mAb7usbJOFuNNFUqXlZwhEjPsBAgMBAAGjQjBAMA4GA1Ud +DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQubXe9u2GsXiEt +Y7fQM4iU7aRthjANBgkqhkiG9w0BAQsFAAOCAQEAVlffrW69znOxFhK6ieZinY75 +z6mm6syfMTLI5QEOCNBaiHG5uFORwFjcA3hafQF59R8Honp2zLArycXnTBkl0v5M +QlttVmyywbo1k6AuQC3rJgSlGp6/zd0ElNhXRyQw3Y2WSlxmAFzmRlqxyQ+kGZ4e +FnNm7Fg2SgGrYMfRV1oZ0RNOan95FZFnQ0ZjX046eSTzSJ+k195cHaoLSwuix5ku +/veiVq13A3/0MBJm3lc3bKhhg/aM8DshDuNQEBSjEb9ULkoAdnyU3XQTiBSP4kLZ +2to7TbvPhXwpygeC+1vZH05a8F9WoJeGf3mLWG7TB+KeOOCo6pHfmYsDePKWog== +-----END CERTIFICATE----- diff --git a/dist/test/client-key.pem b/dist/test/client-key.pem new file mode 100644 index 0000000000..dedede3366 --- /dev/null +++ b/dist/test/client-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIKih7JlJdm3jguVqkAFFRbaPrMNx+szw/3WWc4IJNJcBoAoGCCqGSM49 +AwEHoUQDQgAEriOtzABDnRTaa7Nbp1ahmt7tK9nWWBcYC+THl76ThgeAqy+96524 +ey+7DJ/d35MJPQOTpH+zAVlLuFxiZmqrBg== +-----END EC PRIVATE KEY----- diff --git a/dist/test/client.csr b/dist/test/client.csr new file mode 100644 index 0000000000..38727d31d3 --- /dev/null +++ b/dist/test/client.csr 
@@ -0,0 +1,9 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBHTCBwwIBADBDMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcT +DVNhbiBGcmFuY2lzY28xDzANBgNVBAMTBmNsaWVudDBZMBMGByqGSM49AgEGCCqG +SM49AwEHA0IABK4jrcwAQ50U2muzW6dWoZre7SvZ1lgXGAvkx5e+k4YHgKsvveud +uHsvuwyf3d+TCT0Dk6R/swFZS7hcYmZqqwagHjAcBgkqhkiG9w0BCQ4xDzANMAsG +A1UdEQQEMAKCADAKBggqhkjOPQQDAgNJADBGAiEAsCnAZ35WWeMi6/pebNoi0Cmg +I9lwPxoTaE/oAYkWn6YCIQCuuvJ74dqdhFpzNfntujjIr74PNibwWS7CD6g+RCuN +tw== +-----END CERTIFICATE REQUEST----- diff --git a/dist/test/client.json b/dist/test/client.json new file mode 100644 index 0000000000..93af58b4ad --- /dev/null +++ b/dist/test/client.json @@ -0,0 +1,17 @@ +{ + "CN": "client", + "hosts": [ + "" + ], + "key": { + "algo": "ecdsa", + "size": 256 + }, + "names": [ + { + "C": "US", + "ST": "CA", + "L": "San Francisco" + } + ] +} diff --git a/dist/test/client.pem b/dist/test/client.pem new file mode 100644 index 0000000000..252d833b63 --- /dev/null +++ b/dist/test/client.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/zCCAeegAwIBAgIUPL5Fd8zSYWlVplN9l26fa834S+cwDQYJKoZIhvcNAQEL +BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV +BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV +bml0IDIxEjAQBgNVBAMTCU15IG93biBDQTAeFw0yMjA4MTkwODU1MDBaFw0yNzA4 +MTgwODU1MDBaMEMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN +U2FuIEZyYW5jaXNjbzEPMA0GA1UEAxMGY2xpZW50MFkwEwYHKoZIzj0CAQYIKoZI +zj0DAQcDQgAEriOtzABDnRTaa7Nbp1ahmt7tK9nWWBcYC+THl76ThgeAqy+96524 +ey+7DJ/d35MJPQOTpH+zAVlLuFxiZmqrBqOBgzCBgDAOBgNVHQ8BAf8EBAMCBaAw +EwYDVR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUu5kC +e6LAJHelXkPkCqFTVkRyzLcwHwYDVR0jBBgwFoAULm13vbthrF4hLWO30DOIlO2k +bYYwCwYDVR0RBAQwAoIAMA0GCSqGSIb3DQEBCwUAA4IBAQBz1LzcmNmK4VOJktJp +4UdIuysMIK+sAYd8wATaHl0/p9zKeWKresqPHR/5A+RuqZXTScnQf3HIllYvM2ak +xH4XdEWRtGSb1yl5XO8N0FnS2shiEDHI8kZ6sNu7xR+0iF4flGQSgsoDXk8QyPFV +s9cKQ3qytfm0cAIkmLmUxxlFHaDPK1x2B5BsVVdJv+ZzSDYH+dI3wVHSgZ8NxHWQ +s8wVzoOSBOp0pZe775HJjOTS5Jq51jJAWq8yAyErWOKwIF71qM2iYZ29J2o/Ibid +MXEXtiMUGD8Q2xOduV9L6/BRj7knxoHTtNyAdEa5y+qYswZwQogHpXd6BfXWld2w +rIw7 +-----END CERTIFICATE----- diff --git a/dist/test/member1.json b/dist/test/member1.json new file mode 100644 index 0000000000..bf65101291 --- /dev/null +++ b/dist/test/member1.json @@ -0,0 +1,18 @@ +{ + "CN": "member1", + "hosts": [ + "127.0.0.1", + "172.17.0.1" + ], + "key": { + "algo": "ecdsa", + "size": 256 + }, + "names": [ + { + "C": "US", + "ST": "CA", + "L": "San Francisco" + } + ] +} diff --git a/dist/test/server-key.pem b/dist/test/server-key.pem new file mode 100644 index 0000000000..e845aef338 --- /dev/null +++ b/dist/test/server-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIP8wt7txIaYwVQFNC5Wjr8MRmnCMUtrQirRwvLzTTPNyoAoGCCqGSM49 +AwEHoUQDQgAE9t31xUASqx7TNXaczllMrzW0UyFGx6ypUiHXgm8pZt7D6Rxfjqfx +9Hfw044/2M3f0DPFiW0MTGM9CLYj4G9pbg== +-----END EC PRIVATE KEY----- 
diff --git a/dist/test/server.csr b/dist/test/server.csr new file mode 100644 index 0000000000..0fb9dc3ebd --- /dev/null +++ b/dist/test/server.csr @@ -0,0 +1,9 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBJTCBywIBADBBMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcT +DVNhbiBGcmFuY2lzY28xDTALBgNVBAMTBGV0Y2QwWTATBgcqhkjOPQIBBggqhkjO +PQMBBwNCAAT23fXFQBKrHtM1dpzOWUyvNbRTIUbHrKlSIdeCbylm3sPpHF+Op/H0 +d/DTjj/Yzd/QM8WJbQxMYz0ItiPgb2luoCgwJgYJKoZIhvcNAQkOMRkwFzAVBgNV +HREEDjAMhwR/AAABhwSsEQABMAoGCCqGSM49BAMCA0kAMEYCIQCfNFr41VeK7brc +arHQsQMOCjZs9xuK2ZfJHu3iJL31fgIhAPDKgdTTyxfCIsWv0PSDUCkL2kpSMBGI +1LYOkLeB2uxI +-----END CERTIFICATE REQUEST----- diff --git a/dist/test/server.json b/dist/test/server.json new file mode 100644 index 0000000000..939a6e4c10 --- /dev/null +++ b/dist/test/server.json @@ -0,0 +1,19 @@ +{ + "CN": "etcd", + "hosts": [ + "127.0.0.1", + "172.17.0.1" + ], + "key": { + "algo": "ecdsa", + "size": 256 + }, + "names": [ + { + "C": "US", + "ST": "CA", + "L": "San Francisco" + } + ] +} + diff --git a/dist/test/server.pem b/dist/test/server.pem new file mode 100644 index 0000000000..1d8244cc80 --- /dev/null +++ b/dist/test/server.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBzCCAe+gAwIBAgIUIJ5xOJhQ5bqKWcVLHWixDOMWrDkwDQYJKoZIhvcNAQEL +BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV +BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV +bml0IDIxEjAQBgNVBAMTCU15IG93biBDQTAeFw0yMjA4MTkwODU0MDBaFw0yNzA4 +MTgwODU0MDBaMEExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN +U2FuIEZyYW5jaXNjbzENMAsGA1UEAxMEZXRjZDBZMBMGByqGSM49AgEGCCqGSM49 +AwEHA0IABPbd9cVAEqse0zV2nM5ZTK81tFMhRsesqVIh14JvKWbew+kcX46n8fR3 +8NOOP9jN39AzxYltDExjPQi2I+BvaW6jgY0wgYowDgYDVR0PAQH/BAQDAgWgMBMG +A1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFOjrjTWJ +VmCV9EXfBQ7GJ/KHKoICMB8GA1UdIwQYMBaAFC5td727YaxeIS1jt9AziJTtpG2G +MBUGA1UdEQQOMAyHBH8AAAGHBKwRAAEwDQYJKoZIhvcNAQELBQADggEBAAc+Q117 +h4IdK8WWudly/B54/MHP0urkIzx9Rx+X16GAttXyAVUiZB6rDk7kwArjlqkLDWeG +qHmHyvnV/qRzLFPCmt11adwotoMs+ND5ReT7fEZnvWvdAEw/m+Bb6ffiUXqeVzKl +WrWwHcL1lHs+50rNtx8BxoEkZrewS4Tig5iSGR0zF1Sjxn+Hv0gmRn2+Z/pJf4cy +fZGVjzbe1ryH6IW/WkeBAvdmvXAt95k06fJWRhmWeeR3i2DHXeHdYF8CLmFTyfSw +iDpyj27+zQlDtOZ3Cgy7nz5rPYvfIZHwzzZRsHwLgw6rJf3DcuqukWFMBGS91L7o +U9auptmH2ovKXEU= +-----END CERTIFICATE----- diff --git a/subnet/etcd/registry.go b/subnet/etcd/registry.go index 41c2acc460..cff0b54eb8 100644 --- a/subnet/etcd/registry.go +++ b/subnet/etcd/registry.go @@ -79,7 +79,7 @@ func newTlsConfig(c *EtcdConfig) (*tls.Config, error) { } if c.Keyfile == "" || c.Certfile == "" { - tlscfg.InsecureSkipVerify = true + return nil, fmt.Errorf("can't connect to etcd: no cert file found") } else { cert, err := tlsutil.NewCert(c.Certfile, c.Keyfile, nil) if err != nil {
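Review bot: Returning an error whenever `c.Keyfile` or `c.Certfile` is empty rejects the common server-auth-only setup, where an operator passes `--etcd-cafile` so the etcd server certificate is verified but has no client certificate; with the `InsecureSkipVerify` assignment gone, a `tlscfg` without a client cert is already safe for that case, so the error should fire only when exactly one of the pair is set, e.g. `if (c.Keyfile == "") != (c.Certfile == "") { return nil, fmt.Errorf("etcd TLS config: --etcd-certfile and --etcd-keyfile must be set together") }` with the `tlsutil.NewCert` branch entered only when both are present. The message `can't connect to etcd: no cert file found` also describes a connection failure although nothing is dialed here, and it names only the cert file when the key may be the missing one; phrase it as configuration validation. Whether newTlsConfig is reached without a CA file depends on its start, which is outside the hunk; if it is, that case needs the same explicit decision.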