Reload tls config #5419
Changes from 30 commits
d881d63
8bcab53
76249dc
12076fa
f76c13e
a064f14
c996dd6
6017229
066acf6
61b6c50
cd35331
dd93d73
b111993
10aef9c
fccacc7
a8c3f05
cb3c407
ae321db
b789253
93f9adc
b2f7f19
16c1c80
792889a
967fb90
b25c9df
cab155a
3d7fc9e
7f78eb8
2efe7d2
282bd93
421cacf
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -1580,12 +1580,13 @@ func (c *RuntimeConfig) Sanitized() map[string]interface{} { | |
return sanitize("rt", reflect.ValueOf(c)).Interface().(map[string]interface{}) | ||
} | ||
|
||
func (c *RuntimeConfig) ToTLSUtilConfig() *tlsutil.Config { | ||
return &tlsutil.Config{ | ||
func (c *RuntimeConfig) ToTLSUtilConfig() tlsutil.Config { | ||
return tlsutil.Config{ | ||
VerifyIncoming: c.VerifyIncoming, | ||
VerifyIncomingRPC: c.VerifyIncomingRPC, | ||
VerifyIncomingHTTPS: c.VerifyIncomingHTTPS, | ||
VerifyOutgoing: c.VerifyOutgoing, | ||
VerifyServerHostname: c.VerifyServerHostname, | ||
Ups, how could I forget that?! |
||
CAFile: c.CAFile, | ||
CAPath: c.CAPath, | ||
CertFile: c.CertFile, | ||
|
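Review bot: ToTLSUtilConfig is exported but still carries no doc comment, and the new signature line changes its return type from *tlsutil.Config to a tlsutil.Config value, which makes the returned struct an independent copy of the runtime settings rather than a pointer into RuntimeConfig. A comment should state that, because the Configurator that receives the value cannot observe later changes to RuntimeConfig without a fresh call: `// ToTLSUtilConfig returns a copy of the TLS-related runtime settings as a tlsutil.Config value. The Configurator keeps its own copy, so a reload must pass a freshly built config.` If tlsutil.Config contains slice fields (not visible in this hunk), the value copy still shares their backing arrays, which is worth confirming before relying on the copy for isolation. The method body continues past the end of the hunk.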
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -86,10 +86,16 @@ type Client struct { | |
EnterpriseClient | ||
} | ||
|
||
// NewClient is used to construct a new Consul client from the | ||
// configuration, potentially returning an error | ||
// NewClient is used to construct a new Consul client from the configuration, | ||
// potentially returning an error. | ||
// NewClient only used to help setting up a client for testing. Normal code | ||
// exercises NewClientLogger. | ||
func NewClient(config *Config) (*Client, error) { | ||
return NewClientLogger(config, nil, tlsutil.NewConfigurator(config.ToTLSUtilConfig())) | ||
c, err := tlsutil.NewConfigurator(config.ToTLSUtilConfig(), nil) | ||
Might be useful to note here that a normal Consul Agent doesn't use this method and instead will pass in its own TLS configurator. At first I was thinking that the agent and server/client would have different configurators (and thus reloading would not work) but realized that you have it passing them to NewClientLogger and NewServerLogger. Adding a comment here to mention what's going on would probably be good.
✔️ |
||
if err != nil { | ||
return nil, err | ||
} | ||
return NewClientLogger(config, nil, c) | ||
} | ||
|
||
func NewClientLogger(config *Config, logger *log.Logger, tlsConfigurator *tlsutil.Configurator) (*Client, error) { | ||
|
@@ -113,12 +119,6 @@ func NewClientLogger(config *Config, logger *log.Logger, tlsConfigurator *tlsuti | |
config.LogOutput = os.Stderr | ||
} | ||
|
||
// Create the tls Wrapper | ||
tlsWrap, err := tlsConfigurator.OutgoingRPCWrapper() | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
// Create a logger | ||
if logger == nil { | ||
logger = log.New(config.LogOutput, "", log.LstdFlags) | ||
|
@@ -129,7 +129,7 @@ func NewClientLogger(config *Config, logger *log.Logger, tlsConfigurator *tlsuti | |
LogOutput: config.LogOutput, | ||
MaxTime: clientRPCConnMaxIdle, | ||
MaxStreams: clientMaxStreams, | ||
TLSWrapper: tlsWrap, | ||
TLSWrapper: tlsConfigurator.OutgoingRPCWrapper(), | ||
ForceTLS: config.VerifyOutgoing, | ||
} | ||
|
||
|
@@ -158,6 +158,7 @@ func NewClientLogger(config *Config, logger *log.Logger, tlsConfigurator *tlsuti | |
CacheConfig: clientACLCacheConfig, | ||
Sentinel: nil, | ||
} | ||
var err error | ||
if c.acls, err = NewACLResolver(&aclConfig); err != nil { | ||
c.Shutdown() | ||
return nil, fmt.Errorf("Failed to create ACL resolver: %v", err) | ||
|
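Review bot: The pool literal at `TLSWrapper: tlsConfigurator.OutgoingRPCWrapper(),` stores the wrapper once, at construction, so whether a TLS reload reaches outgoing RPC depends entirely on that wrapper resolving its tls.Config through the Configurator on every dial rather than capturing it here; that contract is not visible in this file and should be confirmed and recorded at this line, e.g. `// The wrapper consults tlsConfigurator at dial time, so a reload applies to new connections.` The same question applies to the two OutgoingRPCWrapper() uses and the IncomingRPCConfig() value in the server constructor's file section below. Separately, the new doc comment reads `// NewClient only used to help setting up a client for testing.` and should read `// NewClient is only used to help set up a client for testing.` NewClientLogger begins and ends outside the hunks shown here.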
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -252,11 +252,17 @@ type Server struct { | |
EnterpriseServer | ||
} | ||
|
||
// NewServer is only used to help setting up a server for testing. Normal code | ||
// exercises NewServerLogger. | ||
func NewServer(config *Config) (*Server, error) { | ||
return NewServerLogger(config, nil, new(token.Store), tlsutil.NewConfigurator(config.ToTLSUtilConfig())) | ||
c, err := tlsutil.NewConfigurator(config.ToTLSUtilConfig(), nil) | ||
Same thing here. A comment about this configurator not being used for a normal Consul agent would be helpful.
✔️ |
||
if err != nil { | ||
return nil, err | ||
} | ||
return NewServerLogger(config, nil, new(token.Store), c) | ||
} | ||
|
||
// NewServer is used to construct a new Consul server from the | ||
// NewServerLogger is used to construct a new Consul server from the | ||
// configuration, potentially returning an error | ||
func NewServerLogger(config *Config, logger *log.Logger, tokens *token.Store, tlsConfigurator *tlsutil.Configurator) (*Server, error) { | ||
// Check the protocol version. | ||
|
@@ -296,18 +302,6 @@ func NewServerLogger(config *Config, logger *log.Logger, tokens *token.Store, tl | |
} | ||
} | ||
|
||
// Create the TLS wrapper for outgoing connections. | ||
tlsWrap, err := tlsConfigurator.OutgoingRPCWrapper() | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
// Get the incoming TLS config. | ||
incomingTLS, err := tlsConfigurator.IncomingRPCConfig() | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
// Create the tombstone GC. | ||
gc, err := state.NewTombstoneGC(config.TombstoneTTL, config.TombstoneTTLGranularity) | ||
if err != nil { | ||
|
@@ -322,7 +316,7 @@ func NewServerLogger(config *Config, logger *log.Logger, tokens *token.Store, tl | |
LogOutput: config.LogOutput, | ||
MaxTime: serverRPCCache, | ||
MaxStreams: serverMaxStreams, | ||
TLSWrapper: tlsWrap, | ||
TLSWrapper: tlsConfigurator.OutgoingRPCWrapper(), | ||
ForceTLS: config.VerifyOutgoing, | ||
} | ||
|
||
|
@@ -338,7 +332,7 @@ func NewServerLogger(config *Config, logger *log.Logger, tokens *token.Store, tl | |
reconcileCh: make(chan serf.Member, reconcileChSize), | ||
router: router.NewRouter(logger, config.Datacenter), | ||
rpcServer: rpc.NewServer(), | ||
rpcTLS: incomingTLS, | ||
rpcTLS: tlsConfigurator.IncomingRPCConfig(), | ||
reassertLeaderCh: make(chan chan error), | ||
segmentLAN: make(map[string]*serf.Serf, len(config.Segments)), | ||
sessionTimers: NewSessionTimers(), | ||
|
@@ -373,7 +367,7 @@ func NewServerLogger(config *Config, logger *log.Logger, tokens *token.Store, tl | |
} | ||
|
||
// Initialize the RPC layer. | ||
if err := s.setupRPC(tlsWrap); err != nil { | ||
if err := s.setupRPC(tlsConfigurator.OutgoingRPCWrapper()); err != nil { | ||
s.Shutdown() | ||
return nil, fmt.Errorf("Failed to start RPC layer: %v", err) | ||
} | ||
|
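Review bot: OutgoingRPCWrapper() is now called twice inside NewServerLogger, once for the pool's TLSWrapper and again in the setupRPC call, where the removed code built a single tlsWrap and shared it between both sites. Since the call no longer returns an error there is no reason to repeat it; restoring `tlsWrap := tlsConfigurator.OutgoingRPCWrapper()` before the pool literal and passing `tlsWrap` to both the pool and `s.setupRPC(tlsWrap)` keeps one wrapper per server and removes any question of the two call sites drifting apart. The field `rpcTLS: tlsConfigurator.IncomingRPCConfig(),` likewise holds whatever IncomingRPCConfig returns at construction, so for a reload to reach incoming RPC the returned *tls.Config must itself defer to the Configurator (for example through its callback fields) rather than being a fixed snapshot; that is not visible here and deserves a one-line comment at this field once confirmed. NewServerLogger starts and ends outside the hunks shown here.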
This is one of the cornerstones of this PR: the config is being updated here, and every `tls.Config` created afterwards will have the updates.