tls: support server TLS options (#492)

## Motivation Follow up the last TLS support PR. This PR is trying to support CLI to set TLS options for Server ## Modification - Add new command parameters to set TLS options. ## Others - We might consider using different TLS options for public/internal; we can easily support it in the future if we need it. --------- Co-authored-by: Matteo Merli <mmerli@apache.org>
streamnative · Jun 8, 2024 · d9d9ead · d9d9ead
1 parent 5035dff
commit d9d9ead
Showing 1 changed file with 33 additions and 0 deletions.
diff --git a/cmd/server/cmd.go b/cmd/server/cmd.go
@@ -22,13 +22,17 @@ import (
 
 	"github.com/streamnative/oxia/cmd/flag"
 	"github.com/streamnative/oxia/common"
+	"github.com/streamnative/oxia/common/security"
 	"github.com/streamnative/oxia/server"
 	"github.com/streamnative/oxia/server/kv"
 )
 
 var (
 	conf = server.Config{}
 
+	peerTLS   = security.TLSOption{}
+	serverTLS = security.TLSOption{}
+
 	Cmd = &cobra.Command{
 		Use:   "server",
 		Short: "Start a server",
@@ -47,10 +51,39 @@ func init() {
 	Cmd.Flags().BoolVar(&conf.WalSyncData, "wal-sync-data", true, "Whether to sync data in write-ahead-log")
 	Cmd.Flags().Int64Var(&conf.DbBlockCacheMB, "db-cache-size-mb", kv.DefaultFactoryOptions.CacheSizeMB,
 		"Max size of the shared DB cache")
+
+	// server TLS section
+	Cmd.Flags().StringVar(&serverTLS.CertFile, "tls-cert-file", "", "Tls certificate file")
+	Cmd.Flags().StringVar(&serverTLS.KeyFile, "tls-key-file", "", "Tls key file")
+	Cmd.Flags().Uint16Var(&serverTLS.MinVersion, "tls-min-version", 0, "Tls minimum version")
+	Cmd.Flags().Uint16Var(&serverTLS.MaxVersion, "tls-max-version", 0, "Tls maximum version")
+	Cmd.Flags().StringVar(&serverTLS.TrustedCaFile, "tls-trusted-ca-file", "", "Tls trusted ca file")
+	Cmd.Flags().BoolVar(&serverTLS.InsecureSkipVerify, "tls-insecure-skip-verify", false, "Tls insecure skip verify")
+	Cmd.Flags().BoolVar(&serverTLS.ClientAuth, "tls-client-auth", false, "Tls client auth")
+
+	// peer client TLS section
+	Cmd.Flags().StringVar(&peerTLS.CertFile, "peer-tls-cert-file", "", "Peer tls certificate file")
+	Cmd.Flags().StringVar(&peerTLS.KeyFile, "peer-tls-key-file", "", "Peer tls key file")
+	Cmd.Flags().Uint16Var(&peerTLS.MinVersion, "peer-tls-min-version", 0, "Peer tls minimum version")
+	Cmd.Flags().Uint16Var(&peerTLS.MaxVersion, "peer-tls-max-version", 0, "Peer tls maximum version")
+	Cmd.Flags().StringVar(&peerTLS.TrustedCaFile, "peer-tls-trusted-ca-file", "", "Peer tls trusted ca file")
+	Cmd.Flags().BoolVar(&peerTLS.InsecureSkipVerify, "peer-tls-insecure-skip-verify", false, "Peer tls insecure skip verify")
+	Cmd.Flags().StringVar(&peerTLS.ServerName, "peer-tls-server-name", "", "Peer tls server name")
 }
 
 func exec(*cobra.Command, []string) {
 	common.RunProcess(func() (io.Closer, error) {
+		var err error
+		if serverTLS.IsConfigured() {
+			if conf.ServerTLS, err = serverTLS.MakeServerTLSConf(); err != nil {
+				return nil, err
+			}
+		}
+		if peerTLS.IsConfigured() {
+			if conf.PeerTLS, err = peerTLS.MakeClientTLSConf(); err != nil {
+				return nil, err
+			}
+		}
 		return server.New(conf)
 	})
 }