From 94b02c3954eb3a360f9ea6af428b08d6e545f5bb Mon Sep 17 00:00:00 2001
From: Christopher Broglie
Date: Wed, 24 Feb 2021 22:35:34 -0800
Subject: [PATCH 1/2] Add support for configuring TLS ServerName for health checks

Some TLS servers require SNI, but the Golang HTTP client doesn't include it in the ClientHello when connecting to an IP address. This change adds a new TLSServerName field to health check definitions to optionally set it. This fixes #9473.
---
 agent/agent.go | 4 +-
 agent/config/builder.go | 1 +
 agent/config/config.go | 1 +
 agent/config/runtime_test.go | 9 +
 .../TestRuntimeConfig_Sanitize.golden | 2 +
 agent/config/testdata/full-config.hcl | 9 +
 agent/config/testdata/full-config.json | 9 +
 agent/http_decode_test.go | 87 ++++++-
 agent/structs/check_definition.go | 6 +
 agent/structs/check_type.go | 5 +
 agent/structs/structs.go | 2 +
 agent/txn_endpoint.go | 1 +
 api/agent.go | 1 +
 api/health.go | 1 +
 proto/pbservice/healthcheck.gen.go | 4 +
 proto/pbservice/healthcheck.pb.go | 221 +++++++++++++-----
 proto/pbservice/healthcheck.proto | 2 +
 tlsutil/config.go | 14 +-
 tlsutil/config_test.go | 9 +-
 website/content/api-docs/agent/check.mdx | 5 +
 website/content/docs/discovery/checks.mdx | 5 +-
 21 files changed, 314 insertions(+), 84 deletions(-)

diff --git a/agent/agent.go b/agent/agent.go
index 00f488a33..237bd3c66 100644
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -2517,7 +2517,7 @@ func (a *Agent) addCheck(check *structs.HealthCheck, chkType *structs.CheckType,
 		chkType.Interval = checks.MinInterval
 	}
-	tlsClientConfig := a.tlsConfigurator.OutgoingTLSConfigForCheck(chkType.TLSSkipVerify)
+	tlsClientConfig := a.tlsConfigurator.OutgoingTLSConfigForCheck(chkType.TLSSkipVerify, chkType.TLSServerName)
 	http := &checks.CheckHTTP{
 		CheckID: cid,
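Review bot: Passing `chkType.TLSServerName` into `OutgoingTLSConfigForCheck` changes more than the SNI the commit message describes: in crypto/tls, `Config.ServerName` is also the name the server certificate is verified against whenever `TLSSkipVerify` is false, so a check whose URL host and TLSServerName differ is no longer verified against the host it actually connects to. That is the intended effect for IP-addressed targets, but nothing at this call site or on the new field records it, and an operator reading only "SNI" may set a name the certificate does not carry and get an opaque handshake failure. A one-line comment above the call would make the contract visible: `// TLSServerName is sent as SNI and, unless TLSSkipVerify is set, is also the name the server certificate is verified against.` The gRPC path in the next hunk (the `chkType.GRPCUseTLS` branch) makes the same call and deserves the same comment; tlsutil/config.go is not in this chunk, so I am assuming an empty name leaves ServerName unset and existing checks keep their current behaviour, which is worth confirming. addCheck starts and ends outside this hunk.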
@@ -2589,7 +2589,7 @@ func (a *Agent) addCheck(check *structs.HealthCheck, chkType *structs.CheckType,
 	var tlsClientConfig *tls.Config
 	if chkType.GRPCUseTLS {
-		tlsClientConfig = a.tlsConfigurator.OutgoingTLSConfigForCheck(chkType.TLSSkipVerify)
+		tlsClientConfig = a.tlsConfigurator.OutgoingTLSConfigForCheck(chkType.TLSSkipVerify, chkType.TLSServerName)
 	}
 	grpc := &checks.CheckGRPC{
diff --git a/agent/config/builder.go b/agent/config/builder.go
index 843a45266..367048c56 100644
--- a/agent/config/builder.go
+++ b/agent/config/builder.go
@@ -1571,6 +1571,7 @@ func (b *builder) checkVal(v *CheckDefinition) *structs.CheckDefinition {
 		Shell: stringVal(v.Shell),
 		GRPC: stringVal(v.GRPC),
 		GRPCUseTLS: boolVal(v.GRPCUseTLS),
+		TLSServerName: stringVal(v.TLSServerName),
 		TLSSkipVerify: boolVal(v.TLSSkipVerify),
 		AliasNode: stringVal(v.AliasNode),
 		AliasService: stringVal(v.AliasService),
diff --git a/agent/config/config.go b/agent/config/config.go
index d23dae32f..9bb1ab900 100644
--- a/agent/config/config.go
+++ b/agent/config/config.go
@@ -405,6 +405,7 @@ type CheckDefinition struct {
 	Shell *string `mapstructure:"shell"`
 	GRPC *string `mapstructure:"grpc"`
 	GRPCUseTLS *bool `mapstructure:"grpc_use_tls"`
+	TLSServerName *string `mapstructure:"tls_server_name"`
 	TLSSkipVerify *bool `mapstructure:"tls_skip_verify" alias:"tlsskipverify"`
 	AliasNode *string `mapstructure:"alias_node"`
 	AliasService *string `mapstructure:"alias_service"`
diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go
index 8d44da5e3..f1abcc8b3 100644
--- a/agent/config/runtime_test.go
+++ b/agent/config/runtime_test.go
@@ -5081,6 +5081,7 @@ func TestLoad_FullConfig(t *testing.T) {
 		OutputMaxSize: checks.DefaultBufSize,
 		DockerContainerID: "ipgdFtjd",
 		Shell: "qAeOYy0M",
+		TLSServerName: "bdeb5f6a",
 		TLSSkipVerify: true,
 		Timeout: 1813 * time.Second,
 		TTL: 21743 * time.Second,
@@ -5106,6 +5107,7 @@ func TestLoad_FullConfig(t *testing.T) {
 		Interval: 28767 * time.Second,
 		DockerContainerID: "THW6u7rL",
 		Shell: "C1Zt3Zwh",
+		TLSServerName: "6adc3bfb",
 		TLSSkipVerify: true,
 		Timeout: 18506 * time.Second,
 		TTL: 31006 * time.Second,
@@ -5131,6 +5133,7 @@ func TestLoad_FullConfig(t *testing.T) {
 		Interval: 18714 * time.Second,
 		DockerContainerID: "qF66POS9",
 		Shell: "sOnDy228",
+		TLSServerName: "7BdnzBYk",
 		TLSSkipVerify: true,
 		Timeout: 5954 * time.Second,
 		TTL: 30044 * time.Second,
@@ -5336,6 +5339,7 @@ func TestLoad_FullConfig(t *testing.T) {
 		Interval: 24392 * time.Second,
 		DockerContainerID: "ZKXr68Yb",
 		Shell: "CEfzx0Fo",
+		TLSServerName: "4f191d4F",
 		TLSSkipVerify: true,
 		Timeout: 38333 * time.Second,
 		TTL: 57201 * time.Second,
@@ -5386,6 +5390,7 @@ func TestLoad_FullConfig(t *testing.T) {
 		Interval: 32718 * time.Second,
 		DockerContainerID: "cU15LMet",
 		Shell: "nEz9qz2l",
+		TLSServerName: "f43ouY7a",
 		TLSSkipVerify: true,
 		Timeout: 34738 * time.Second,
 		TTL: 22773 * time.Second,
@@ -5409,6 +5414,7 @@ func TestLoad_FullConfig(t *testing.T) {
 		Interval: 5656 * time.Second,
 		DockerContainerID: "5tDBWpfA",
 		Shell: "rlTpLM8s",
+		TLSServerName: "sOv5WTtp",
 		TLSSkipVerify: true,
 		Timeout: 4868 * time.Second,
 		TTL: 11222 * time.Second,
@@ -5525,6 +5531,7 @@ func TestLoad_FullConfig(t *testing.T) {
 		Interval: 22224 * time.Second,
 		DockerContainerID: "ipgdFtjd",
 		Shell: "omVZq7Sz",
+		TLSServerName: "axw5QPL5",
 		TLSSkipVerify: true,
 		Timeout: 18913 * time.Second,
 		TTL: 44743 * time.Second,
@@ -5548,6 +5555,7 @@ func TestLoad_FullConfig(t *testing.T) {
 		Interval: 12356 * time.Second,
 		DockerContainerID: "HBndBU6R",
 		Shell: "hVI33JjA",
+		TLSServerName: "7uwWOnUS",
 		TLSSkipVerify: true,
 		Timeout: 38282 * time.Second,
 		TTL: 1181 * time.Second,
@@ -5571,6 +5579,7 @@ func TestLoad_FullConfig(t *testing.T) {
 		Interval: 23926 * time.Second,
 		DockerContainerID: "dO5TtRHk",
 		Shell: "e6q2ttES",
+		TLSServerName: "ECSHk8WF",
 		TLSSkipVerify: true,
 		Timeout: 38483 * time.Second,
 		TTL: 10943 * time.Second,
diff --git a/agent/config/testdata/TestRuntimeConfig_Sanitize.golden b/agent/config/testdata/TestRuntimeConfig_Sanitize.golden
index 921d101d1..b792e466f 100644
--- a/agent/config/testdata/TestRuntimeConfig_Sanitize.golden
+++ b/agent/config/testdata/TestRuntimeConfig_Sanitize.golden
@@ -107,6 +107,7 @@
             "Status": "",
             "SuccessBeforePassing": 0,
             "TCP": "",
+            "TLSServerName": "",
             "TLSSkipVerify": false,
             "TTL": "0s",
             "Timeout": "0s",
@@ -307,6 +308,7 @@
             "Status": "",
             "SuccessBeforePassing": 0,
             "TCP": "",
+            "TLSServerName": "",
             "TLSSkipVerify": false,
             "TTL": "0s",
             "Timeout": "0s"
diff --git a/agent/config/testdata/full-config.hcl b/agent/config/testdata/full-config.hcl
index f09683270..9dc4b6224 100644
--- a/agent/config/testdata/full-config.hcl
+++ b/agent/config/testdata/full-config.hcl
@@ -113,6 +113,7 @@ check = {
   output_max_size = 4096
   docker_container_id = "qF66POS9"
   shell = "sOnDy228"
+  tls_server_name = "7BdnzBYk"
   tls_skip_verify = true
   timeout = "5954s"
   ttl = "30044s"
@@ -139,6 +140,7 @@ checks = [
     output_max_size = 4096
     docker_container_id = "ipgdFtjd"
     shell = "qAeOYy0M"
+    tls_server_name = "bdeb5f6a"
     tls_skip_verify = true
     timeout = "1813s"
     ttl = "21743s"
@@ -164,6 +166,7 @@ checks = [
     output_max_size = 4096
     docker_container_id = "THW6u7rL"
     shell = "C1Zt3Zwh"
+    tls_server_name = "6adc3bfb"
     tls_skip_verify = true
     timeout = "18506s"
     ttl = "31006s"
@@ -378,6 +381,7 @@ service = {
     interval = "23926s"
     docker_container_id = "dO5TtRHk"
     shell = "e6q2ttES"
+    tls_server_name = "ECSHk8WF"
     tls_skip_verify = true
     timeout = "38483s"
     ttl = "10943s"
@@ -402,6 +406,7 @@ service = {
     output_max_size = 4096
     docker_container_id = "ipgdFtjd"
     shell = "omVZq7Sz"
+    tls_server_name = "axw5QPL5"
     tls_skip_verify = true
     timeout = "18913s"
     ttl = "44743s"
@@ -425,6 +430,7 @@ service = {
     output_max_size = 4096
     docker_container_id = "HBndBU6R"
     shell = "hVI33JjA"
+    tls_server_name = "7uwWOnUS"
     tls_skip_verify = true
     timeout = "38282s"
     ttl = "1181s"
@@ -462,6 +468,7 @@ services = [
     output_max_size = 4096
     docker_container_id = "ZKXr68Yb"
     shell = "CEfzx0Fo"
+    tls_server_name = "4f191d4F"
     tls_skip_verify = true
     timeout = "38333s"
     ttl = "57201s"
@@ -502,6 +509,7 @@ services = [
     output_max_size = 4096
     docker_container_id = "cU15LMet"
     shell = "nEz9qz2l"
+    tls_server_name = "f43ouY7a"
     tls_skip_verify = true
     timeout = "34738s"
     ttl = "22773s"
@@ -525,6 +533,7 @@ services = [
     output_max_size = 4096
     docker_container_id = "5tDBWpfA"
     shell = "rlTpLM8s"
+    tls_server_name = "sOv5WTtp"
     tls_skip_verify = true
     timeout = "4868s"
     ttl = "11222s"
diff --git a/agent/config/testdata/full-config.json b/agent/config/testdata/full-config.json
index d5e7e41a7..e9b9d47ef 100644
--- a/agent/config/testdata/full-config.json
+++ b/agent/config/testdata/full-config.json
@@ -114,6 +114,7 @@
         "interval": "18714s",
         "docker_container_id": "qF66POS9",
         "shell": "sOnDy228",
+        "tls_server_name": "7BdnzBYk",
         "tls_skip_verify": true,
         "timeout": "5954s",
         "ttl": "30044s",
@@ -140,6 +141,7 @@
         "output_max_size": 4096,
         "docker_container_id": "ipgdFtjd",
         "shell": "qAeOYy0M",
+        "tls_server_name": "bdeb5f6a",
         "tls_skip_verify": true,
         "timeout": "1813s",
         "ttl": "21743s",
@@ -165,6 +167,7 @@
         "output_max_size": 4096,
         "docker_container_id": "THW6u7rL",
         "shell": "C1Zt3Zwh",
+        "tls_server_name": "6adc3bfb",
         "tls_skip_verify": true,
         "timeout": "18506s",
         "ttl": "31006s",
@@ -375,6 +378,7 @@
         "output_max_size": 4096,
         "docker_container_id": "dO5TtRHk",
         "shell": "e6q2ttES",
+        "tls_server_name": "ECSHk8WF",
         "tls_skip_verify": true,
         "timeout": "38483s",
         "ttl": "10943s",
@@ -399,6 +403,7 @@
         "output_max_size": 4096,
         "docker_container_id": "ipgdFtjd",
         "shell": "omVZq7Sz",
+        "tls_server_name": "axw5QPL5",
         "tls_skip_verify": true,
         "timeout": "18913s",
         "ttl": "44743s",
@@ -422,6 +427,7 @@
         "output_max_size": 4096,
         "docker_container_id": "HBndBU6R",
         "shell": "hVI33JjA",
+        "tls_server_name": "7uwWOnUS",
         "tls_skip_verify": true,
         "timeout": "38282s",
         "ttl": "1181s",
@@ -459,6 +465,7 @@
         "output_max_size": 4096,
         "docker_container_id": "ZKXr68Yb",
         "shell": "CEfzx0Fo",
+        "tls_server_name": "4f191d4F",
         "tls_skip_verify": true,
         "timeout": "38333s",
         "ttl": "57201s",
@@ -499,6 +506,7 @@
         "output_max_size": 4096,
         "docker_container_id": "cU15LMet",
         "shell": "nEz9qz2l",
+        "tls_server_name": "f43ouY7a",
         "tls_skip_verify": true,
         "timeout": "34738s",
         "ttl": "22773s",
@@ -522,6 +530,7 @@
         "output_max_size": 4096,
         "docker_container_id": "5tDBWpfA",
         "shell": "rlTpLM8s",
+        "tls_server_name": "sOv5WTtp",
         "tls_skip_verify": true,
         "timeout": "4868s",
         "ttl": "11222s",
diff --git a/agent/http_decode_test.go b/agent/http_decode_test.go
index bbfabc6c3..4b546f630 100644
--- a/agent/http_decode_test.go
+++ b/agent/http_decode_test.go
@@ -275,6 +275,7 @@ type translateKeyTestCase struct {
 // "script_args": "ScriptArgs",
 // "deregister_critical_service_after": "DeregisterCriticalServiceAfter",
 // "docker_container_id": "DockerContainerID",
+// "tls_server_name": "TLSServerName",
 // "tls_skip_verify": "TLSSkipVerify",
 // "service_id": "ServiceID",
@@ -283,7 +284,8 @@ var translateCheckTypeTCs = [][]translateKeyTestCase{
 	translateDeregisterTCs,
 	translateDockerTCs,
 	translateGRPCUseTLSTCs,
-	translateTLSTCs,
+	translateTLSServerNameTCs,
+	translateTLSSkipVerifyTCs,
 	translateServiceIDTCs,
 }
@@ -504,8 +506,65 @@ var translateDockerTCs = []translateKeyTestCase{
 	},
 }
+// TLSServerName: string
+func tlsServerNameEqFn(out interface{}, want interface{}) error {
+	var got interface{}
+	switch v := out.(type) {
+	case structs.CheckDefinition:
+		got = v.TLSServerName
+	case *structs.CheckDefinition:
+		got = v.TLSServerName
+	case structs.CheckType:
+		got = v.TLSServerName
+	case *structs.CheckType:
+		got = v.TLSServerName
+	case structs.HealthCheckDefinition:
+		got = v.TLSServerName
+	case *structs.HealthCheckDefinition:
+		got = v.TLSServerName
+	default:
+		panic(fmt.Sprintf("unexpected type %T", out))
+	}
+	if got != want {
+		return fmt.Errorf("expected TLSServerName to be %v, got %v", want, got)
+	}
+	return nil
+}
+
+var tlsServerNameFields = []string{`"TLSServerName": %s`, `"tls_server_name": %s`}
+var translateTLSServerNameTCs = []translateKeyTestCase{
+	{
+		desc: "tlsServerName: both set",
+		in: []interface{}{`"server1"`, `"server2"`},
+		want: "server1",
+		jsonFmtStr: "{" + strings.Join(tlsServerNameFields, ",") + "}",
+		equalityFn: tlsServerNameEqFn,
+	},
+	{
+		desc: "tlsServerName: first set",
+		in: []interface{}{`"server1"`},
+		want: "server1",
+		jsonFmtStr: "{" + tlsServerNameFields[0] + "}",
+		equalityFn: tlsServerNameEqFn,
+	},
+	{
+		desc: "tlsServerName: second set",
+		in: []interface{}{`"server2"`},
+		want: "server2",
+		jsonFmtStr: "{" + tlsServerNameFields[1] + "}",
+		equalityFn: tlsServerNameEqFn,
+	},
+	{
+		desc: "tlsServerName: neither set",
+		in: []interface{}{},
+		want: "", // zero value
+		jsonFmtStr: "{}",
+		equalityFn: tlsServerNameEqFn,
+	},
+}
+
 // TLSSkipVerify: bool
-func tlsEqFn(out interface{}, want interface{}) error {
+func tlsSkipVerifyEqFn(out interface{}, want interface{}) error {
 	var got interface{}
 	switch v := out.(type) {
 	case structs.CheckDefinition:
@@ -529,35 +588,35 @@ func tlsEqFn(out interface{}, want interface{}) error {
 	return nil
 }
-var tlsFields = []string{`"TLSSkipVerify": %s`, `"tls_skip_verify": %s`}
-var translateTLSTCs = []translateKeyTestCase{
+var tlsSkipVerifyFields = []string{`"TLSSkipVerify": %s`, `"tls_skip_verify": %s`}
+var translateTLSSkipVerifyTCs = []translateKeyTestCase{
 	{
 		desc: "tlsSkipVerify: both set",
 		in: []interface{}{`true`, `false`},
 		want: true,
-		jsonFmtStr: "{" + strings.Join(tlsFields, ",") + "}",
-		equalityFn: tlsEqFn,
+		jsonFmtStr: "{" + strings.Join(tlsSkipVerifyFields, ",") + "}",
+		equalityFn: tlsSkipVerifyEqFn,
 	},
 	{
 		desc: "tlsSkipVerify: first set",
 		in: []interface{}{`true`},
 		want: true,
-		jsonFmtStr: "{" + tlsFields[0] + "}",
-		equalityFn: tlsEqFn,
+		jsonFmtStr: "{" + tlsSkipVerifyFields[0] + "}",
+		equalityFn: tlsSkipVerifyEqFn,
 	},
 	{
 		desc: "tlsSkipVerify: second set",
 		in: []interface{}{`true`},
 		want: true,
-		jsonFmtStr: "{" + tlsFields[1] + "}",
-		equalityFn: tlsEqFn,
+		jsonFmtStr: "{" + tlsSkipVerifyFields[1] + "}",
+		equalityFn: tlsSkipVerifyEqFn,
 	},
 	{
 		desc: "tlsSkipVerify: neither set",
 		in: []interface{}{},
 		want: false, // zero value
 		jsonFmtStr: "{}",
-		equalityFn: tlsEqFn,
+		equalityFn: tlsSkipVerifyEqFn,
 	},
 }
@@ -876,6 +935,7 @@ func TestDecodeACLRoleWrite(t *testing.T) {
 // Shell string
 // GRPC string
 // GRPCUseTLS bool
+// TLSServerName string
 // TLSSkipVerify bool
 // AliasNode string
 // AliasService string
@@ -988,6 +1048,7 @@ func TestDecodeAgentRegisterCheck(t *testing.T) {
 // Shell string
 // GRPC string
 // GRPCUseTLS bool
+// TLSServerName string
 // TLSSkipVerify bool
 // Timeout time.Duration
 // TTL time.Duration
@@ -1924,6 +1985,7 @@ func TestDecodeAgentRegisterService(t *testing.T) {
 // Shell string
 // GRPC string
 // GRPCUseTLS bool
+// TLSServerName string
 // TLSSkipVerify bool
 // Timeout time.Duration
 // TTL time.Duration
@@ -1953,6 +2015,7 @@ func TestDecodeAgentRegisterService(t *testing.T) {
 // ServiceTags []string
 // Definition structs.HealthCheckDefinition
 // HTTP string
+// TLSServerName string
 // TLSSkipVerify bool
 // Header map[string][]string
 // Method string
@@ -2425,6 +2488,7 @@ func TestDecodeSessionCreate(t *testing.T) {
 // TCP string
 // Status string
 // Notes string
+// TLSServerName string
 // TLSSkipVerify bool
 // GRPC string
 // GRPCUseTLS bool
@@ -2451,6 +2515,7 @@ func TestDecodeSessionCreate(t *testing.T) {
 // Header map[string][]string
 // Method string
 // Body string
+// TLSServerName string
 // TLSSkipVerify bool
 // TCP string
 // IntervalDuration time.Duration
diff --git a/agent/structs/check_definition.go b/agent/structs/check_definition.go
index 82c36a16d..3a8c2326a 100644
--- a/agent/structs/check_definition.go
+++ b/agent/structs/check_definition.go
@@ -33,6 +33,7 @@ type CheckDefinition struct {
 	Shell string
 	GRPC string
 	GRPCUseTLS bool
+	TLSServerName string
 	TLSSkipVerify bool
 	AliasNode string
 	AliasService string
@@ -62,6 +63,7 @@ func (t *CheckDefinition) UnmarshalJSON(data []byte) (err error) {
 		ScriptArgsSnake []string `json:"script_args"`
 		DeregisterCriticalServiceAfterSnake interface{} `json:"deregister_critical_service_after"`
 		DockerContainerIDSnake string `json:"docker_container_id"`
+		TLSServerNameSnake string `json:"tls_server_name"`
 		TLSSkipVerifySnake bool `json:"tls_skip_verify"`
 		GRPCUseTLSSnake bool `json:"grpc_use_tls"`
 		ServiceIDSnake string `json:"service_id"`
@@ -87,6 +89,9 @@ func (t *CheckDefinition) UnmarshalJSON(data []byte) (err error) {
 	if t.DockerContainerID == "" {
 		t.DockerContainerID = aux.DockerContainerIDSnake
 	}
+	if t.TLSServerName == "" {
+		t.TLSServerName = aux.TLSServerNameSnake
+	}
 	if aux.TLSSkipVerifySnake {
 		t.TLSSkipVerify = aux.TLSSkipVerifySnake
 	}
@@ -182,6 +187,7 @@ func (c *CheckDefinition) CheckType() *CheckType {
 		Interval: c.Interval,
 		DockerContainerID: c.DockerContainerID,
 		Shell: c.Shell,
+		TLSServerName: c.TLSServerName,
 		TLSSkipVerify: c.TLSSkipVerify,
 		Timeout: c.Timeout,
 		TTL: c.TTL,
diff --git a/agent/structs/check_type.go b/agent/structs/check_type.go
index 0cf256cc8..4e864d96b 100644
--- a/agent/structs/check_type.go
+++ b/agent/structs/check_type.go
@@ -43,6 +43,7 @@ type CheckType struct {
 	Shell string
 	GRPC string
 	GRPCUseTLS bool
+	TLSServerName string
 	TLSSkipVerify bool
 	Timeout time.Duration
 	TTL time.Duration
@@ -75,6 +76,7 @@ func (t *CheckType) UnmarshalJSON(data []byte) (err error) {
 		ScriptArgsSnake []string `json:"script_args"`
 		DeregisterCriticalServiceAfterSnake interface{} `json:"deregister_critical_service_after"`
 		DockerContainerIDSnake string `json:"docker_container_id"`
+		TLSServerNameSnake string `json:"tls_server_name"`
 		TLSSkipVerifySnake bool `json:"tls_skip_verify"`
 		GRPCUseTLSSnake bool `json:"grpc_use_tls"`
@@ -102,6 +104,9 @@ func (t *CheckType) UnmarshalJSON(data []byte) (err error) {
 	if t.DockerContainerID == "" {
 		t.DockerContainerID = aux.DockerContainerIDSnake
 	}
+	if t.TLSServerName == "" {
+		t.TLSServerName = aux.TLSServerNameSnake
+	}
 	if aux.TLSSkipVerifySnake {
 		t.TLSSkipVerify = aux.TLSSkipVerifySnake
 	}
diff --git a/agent/structs/structs.go b/agent/structs/structs.go
index 5a10a36a1..ac153d8a1 100644
--- a/agent/structs/structs.go
+++ b/agent/structs/structs.go
@@ -1429,6 +1429,7 @@ func (hc *HealthCheck) CompoundCheckID() CheckID {
 type HealthCheckDefinition struct {
 	HTTP string `json:",omitempty"`
+	TLSServerName string `json:",omitempty"`
 	TLSSkipVerify bool `json:",omitempty"`
 	Header map[string][]string `json:",omitempty"`
 	Method string `json:",omitempty"`
@@ -1583,6 +1584,7 @@ func (c *HealthCheck) CheckType() *CheckType {
 		Interval: c.Definition.Interval,
 		DockerContainerID: c.Definition.DockerContainerID,
 		Shell: c.Definition.Shell,
+		TLSServerName: c.Definition.TLSServerName,
 		TLSSkipVerify: c.Definition.TLSSkipVerify,
 		Timeout: c.Definition.Timeout,
 		TTL: c.Definition.TTL,
diff --git a/agent/txn_endpoint.go b/agent/txn_endpoint.go
index 01d86a634..d01b23bac 100644
--- a/agent/txn_endpoint.go
+++ b/agent/txn_endpoint.go
@@ -264,6 +264,7 @@ func (s *HTTPHandlers) convertOps(resp http.ResponseWriter, req *http.Request) (
 				ServiceTags: check.ServiceTags,
 				Definition: structs.HealthCheckDefinition{
 					HTTP: check.Definition.HTTP,
+					TLSServerName: check.Definition.TLSServerName,
 					TLSSkipVerify: check.Definition.TLSSkipVerify,
 					Header: check.Definition.Header,
 					Method: check.Definition.Method,
diff --git a/api/agent.go b/api/agent.go
index 931cce0a8..43e9b89e2 100644
--- a/api/agent.go
+++ b/api/agent.go
@@ -313,6 +313,7 @@ type AgentServiceCheck struct {
 	TCP string `json:",omitempty"`
 	Status string `json:",omitempty"`
 	Notes string `json:",omitempty"`
+	TLSServerName string `json:",omitempty"`
 	TLSSkipVerify bool `json:",omitempty"`
 	GRPC string `json:",omitempty"`
 	GRPCUseTLS bool `json:",omitempty"`
diff --git a/api/health.go b/api/health.go
index 99b9ac257..a51d41a87 100644
--- a/api/health.go
+++ b/api/health.go
@@ -58,6 +58,7 @@ type HealthCheckDefinition struct {
 	Header map[string][]string
 	Method string
 	Body string
+	TLSServerName string
 	TLSSkipVerify bool
 	TCP string
 	IntervalDuration time.Duration `json:"-"`
diff --git a/proto/pbservice/healthcheck.gen.go b/proto/pbservice/healthcheck.gen.go
index 9b80c4b43..dcf8435bb 100644
--- a/proto/pbservice/healthcheck.gen.go
+++ b/proto/pbservice/healthcheck.gen.go
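Review bot: The new exported `TLSServerName` fields in api/agent.go (`AgentServiceCheck`) and api/health.go (`HealthCheckDefinition`) carry no doc comment, and the public client package is where users of this option will look for its meaning. Because the agent feeds this value into the check's tls.Config, where crypto/tls uses the server name both for SNI and, unless TLSSkipVerify is set, for certificate hostname verification, the comment should say so rather than leave users to infer "SNI only" from the commit message: `// TLSServerName is sent as the TLS SNI and, unless TLSSkipVerify is set, is also the name the server certificate must match.` The same comment fits `structs.CheckType.TLSServerName` and `structs.CheckDefinition.TLSServerName` in the earlier hunks, where the field is equally undocumented. Both struct definitions start and end outside their hunks.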
@@ -23,6 +23,7 @@ func CheckTypeToStructs(s CheckType) structs.CheckType {
 	t.Shell = s.Shell
 	t.GRPC = s.GRPC
 	t.GRPCUseTLS = s.GRPCUseTLS
+	t.TLSServerName = s.TLSServerName
 	t.TLSSkipVerify = s.TLSSkipVerify
 	t.Timeout = s.Timeout
 	t.TTL = s.TTL
@@ -53,6 +54,7 @@ func NewCheckTypeFromStructs(t structs.CheckType) CheckType {
 	s.Shell = t.Shell
 	s.GRPC = t.GRPC
 	s.GRPCUseTLS = t.GRPCUseTLS
+	s.TLSServerName = t.TLSServerName
 	s.TLSSkipVerify = t.TLSSkipVerify
 	s.Timeout = t.Timeout
 	s.TTL = t.TTL
@@ -101,6 +103,7 @@ func NewHealthCheckFromStructs(t structs.HealthCheck) HealthCheck {
 func HealthCheckDefinitionToStructs(s HealthCheckDefinition) structs.HealthCheckDefinition {
 	var t structs.HealthCheckDefinition
 	t.HTTP = s.HTTP
+	t.TLSServerName = s.TLSServerName
 	t.TLSSkipVerify = s.TLSSkipVerify
 	t.Header = MapHeadersToStructs(s.Header)
 	t.Method = s.Method
@@ -123,6 +126,7 @@ func HealthCheckDefinitionToStructs(s HealthCheckDefinition) structs.HealthCheck
 func NewHealthCheckDefinitionFromStructs(t structs.HealthCheckDefinition) HealthCheckDefinition {
 	var s HealthCheckDefinition
 	s.HTTP = t.HTTP
+	s.TLSServerName = t.TLSServerName
 	s.TLSSkipVerify = t.TLSSkipVerify
 	s.Header = NewMapHeadersFromStructs(t.Header)
 	s.Method = t.Method
diff --git a/proto/pbservice/healthcheck.pb.go b/proto/pbservice/healthcheck.pb.go
index 9fa10e4d4..ae66511c7 100644
--- a/proto/pbservice/healthcheck.pb.go
+++ b/proto/pbservice/healthcheck.pb.go
@@ -133,6 +133,7 @@ var xxx_messageInfo_HeaderValue proto.InternalMessageInfo
 // name=Structs
 type HealthCheckDefinition struct {
 	HTTP string `protobuf:"bytes,1,opt,name=HTTP,proto3" json:"HTTP,omitempty"`
+	TLSServerName string `protobuf:"bytes,19,opt,name=TLSServerName,proto3" json:"TLSServerName,omitempty"`
 	TLSSkipVerify bool `protobuf:"varint,2,opt,name=TLSSkipVerify,proto3" json:"TLSSkipVerify,omitempty"`
 	// mog: func-to=MapHeadersToStructs func-from=NewMapHeadersFromStructs
 	Header map[string]HeaderValue `protobuf:"bytes,3,rep,name=Header,proto3" json:"Header" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
@@ -218,6 +219,7 @@ type CheckType struct {
 	Shell string `protobuf:"bytes,13,opt,name=Shell,proto3" json:"Shell,omitempty"`
 	GRPC string `protobuf:"bytes,14,opt,name=GRPC,proto3" json:"GRPC,omitempty"`
 	GRPCUseTLS bool `protobuf:"varint,15,opt,name=GRPCUseTLS,proto3" json:"GRPCUseTLS,omitempty"`
+	TLSServerName string `protobuf:"bytes,27,opt,name=TLSServerName,proto3" json:"TLSServerName,omitempty"`
 	TLSSkipVerify bool `protobuf:"varint,16,opt,name=TLSSkipVerify,proto3" json:"TLSSkipVerify,omitempty"`
 	Timeout time.Duration `protobuf:"bytes,17,opt,name=Timeout,proto3,stdduration" json:"Timeout"`
 	TTL time.Duration `protobuf:"bytes,18,opt,name=TTL,proto3,stdduration" json:"TTL"`
@@ -281,70 +283,71 @@ func init() { func init() { proto.RegisterFile("proto/pbservice/healthcheck.proto", fileDescriptor_8a6f7448747c9fbe) } var fileDescriptor_8a6f7448747c9fbe = []byte{ - // 999 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x56, 0x4d, 0x6f, 0xe3, 0x44, - 0x18, 0x8e, 0x9b, 0x8f, 0xc6, 0x93, 0x6d, 0xb7, 0x1d, 0xba, 0x65, 0xb6, 0x20, 0x37, 0x04, 0x0e, - 0x41, 0x14, 0x47, 0x2a, 0x02, 0x01, 0x12, 0xa0, 0x26, 0xd9, 0x8f, 0xa0, 0x76, 0x09, 0x8e, 0xd9, - 0x03, 0x37, 0xd7, 0x99, 0x24, 0x56, 0x1c, 0x4f, 0x34, 0x1e, 0x57, 0x0d, 0x57, 0xfe, 0x00, 0xc7, - 0xfd, 0x49, 0x3d, 0x56, 0x9c, 0x38, 0x15, 0x68, 0xcf, 0xfc, 0x01, 0x4e, 0x68, 0xde, 0xb1, 0x53, - 0x67, 0xe3, 0x25, 0x65, 0xb5, 0x9c, 0xf2, 0x7e, 0xce, 0x78, 0xde, 0xf7, 0x79, 0x9e, 0x16, 0xbd, - 0x37, 0xe5, 0x4c, 0xb0, 0xc6, 0xf4, 0x34, 0xa4, 0xfc, 0xcc, 0x73, 0x69, 0x63, 0x44, 0x1d, 0x5f, - 0x8c, 0xdc, 0x11, 0x75, 0xc7, 0x26, 0xe4, 0xb0, 0x3e, 0x4f, 0xee, 0x19, 0x43, 0xc6, 0x86, 0x3e, - 0x6d, 0x40, 0xe2, 0x34, 0x1a, 0x34, 0xfa, 0x11, 0x77, 0x84, 0xc7, 0x02, 0x55, 0xba, 0xf7, 0x4e, - 0x72, 0x9a, 0xcb, 0x26, 0x13, 0x16, 0x34, 0xd4, 0x4f, 0x9c, 0xdc, 0x19, 0xb2, 0x21, 0x53, 0x05, - 0xd2, 0x52, 0xd1, 0xda, 0xcf, 0x05, 0x54, 0x79, 0x0a, 0x77, 0xb6, 0xe4, 0x9d, 0x18, 0xa3, 0xc2, - 0x33, 0xd6, 0xa7, 0x44, 0xab, 0x6a, 0x75, 0xdd, 0x02, 0x1b, 0x3f, 0x41, 0xeb, 0x90, 0xec, 0xb4, - 0xc9, 0x9a, 0x0c, 0x37, 0x3f, 0xfe, 0xfb, 0x6a, 0xff, 0xc3, 0xa1, 0x27, 0x46, 0xd1, 0xa9, 0xe9, - 0xb2, 0x49, 0x63, 0xe4, 0x84, 0x23, 0xcf, 0x65, 0x7c, 0xda, 0x70, 0x59, 0x10, 0x46, 0x7e, 0x43, - 0xcc, 0xa6, 0x34, 0x34, 0xe3, 0x26, 0x2b, 0xe9, 0x86, 0xc3, 0x9d, 0x09, 0x25, 0xf9, 0xf8, 0x70, - 0x67, 0x42, 0xf1, 0x2e, 0x2a, 0xf5, 0x84, 0x23, 0xa2, 0x90, 0x14, 0x20, 0x1a, 0x7b, 0x78, 0x07, - 0x15, 0x9f, 0x31, 0x41, 0x43, 0x52, 0x84, 0xb0, 0x72, 0x64, 0xf5, 0x77, 0x91, 0x98, 0x46, 0x82, - 0x94, 0x54, 0xb5, 0xf2, 0xf0, 0xbb, 0x48, 0xef, 0xa9, 0x21, 0x75, 0xda, 0x64, 0x1d, 0x52, 0xb7, 
- 0x01, 0x5c, 0x45, 0x95, 0xd8, 0x81, 0xeb, 0xcb, 0x90, 0x4f, 0x87, 0x52, 0x15, 0xb6, 0x33, 0x0c, - 0x89, 0x5e, 0xcd, 0xa7, 0x2a, 0x64, 0x48, 0x7e, 0xbb, 0x3d, 0x9b, 0x52, 0x72, 0x4f, 0x7d, 0xbb, - 0xb4, 0xf1, 0x63, 0x84, 0xda, 0x74, 0xe0, 0x05, 0x9e, 0xdc, 0x01, 0x41, 0x55, 0xad, 0x5e, 0x39, - 0xac, 0x9a, 0xf3, 0x7d, 0x99, 0xa9, 0xc1, 0xde, 0xd6, 0x35, 0x0b, 0x17, 0x57, 0xfb, 0x39, 0x2b, - 0xd5, 0x89, 0xbf, 0x40, 0xba, 0xe5, 0x0c, 0x44, 0x27, 0xe8, 0xd3, 0x73, 0x52, 0x81, 0x63, 0xb6, - 0xcd, 0x78, 0x79, 0xf3, 0x44, 0xb3, 0x2c, 0xfb, 0x2e, 0xaf, 0xf6, 0x35, 0xeb, 0xb6, 0x1a, 0xb7, - 0xd1, 0xe6, 0xa3, 0x40, 0x50, 0x3e, 0xe5, 0x5e, 0x48, 0x4f, 0xa8, 0x70, 0xc8, 0x06, 0xf4, 0xef, - 0x26, 0xfd, 0x8b, 0xd9, 0xf8, 0xf2, 0x97, 0x7a, 0x6a, 0xef, 0x03, 0x08, 0xfa, 0x94, 0x3f, 0x77, - 0xfc, 0x88, 0xca, 0xd9, 0x83, 0x41, 0x34, 0x98, 0x83, 0x72, 0x6a, 0xbf, 0x96, 0xd0, 0x83, 0xcc, - 0x17, 0xc9, 0xd9, 0x3c, 0xb5, 0xed, 0x6e, 0x02, 0x1a, 0x69, 0xe3, 0x0f, 0xd0, 0x86, 0x7d, 0xdc, - 0xeb, 0x8d, 0xbd, 0xe9, 0x73, 0xca, 0xbd, 0xc1, 0x0c, 0xa0, 0x53, 0xb6, 0x16, 0x83, 0xf8, 0x5b, - 0x54, 0x52, 0x17, 0x93, 0x7c, 0x35, 0x5f, 0xaf, 0x1c, 0x1e, 0xac, 0x9a, 0x9e, 0xa9, 0xca, 0x1f, - 0x05, 0x82, 0xcf, 0xe2, 0xc7, 0xc4, 0x27, 0x48, 0x6c, 0x9c, 0x50, 0x31, 0x62, 0xfd, 0x04, 0x49, - 0xca, 0x93, 0x5f, 0xd7, 0x64, 0xfd, 0x19, 0xc1, 0xea, 0xeb, 0xa4, 0x8d, 0xb7, 0x50, 0xde, 0x6e, - 0x75, 0x63, 0x6c, 0x49, 0x13, 0x7f, 0x83, 0xca, 0x1d, 0x39, 0x94, 0x33, 0xc7, 0x07, 0x6c, 0x55, - 0x0e, 0x1f, 0x9a, 0x8a, 0x6e, 0x66, 0x42, 0x37, 0xb3, 0x1d, 0xd3, 0x4d, 0xad, 0xe2, 0xc5, 0xef, - 0xfb, 0x9a, 0x35, 0x6f, 0x92, 0x0f, 0x56, 0x60, 0x3c, 0x71, 0xce, 0x7b, 0xde, 0x4f, 0x94, 0xe8, - 0x55, 0xad, 0xbe, 0x61, 0x2d, 0x06, 0xf1, 0x57, 0x68, 0xdd, 0xf6, 0x26, 0x94, 0x45, 0x02, 0x60, - 0x7a, 0xc7, 0x5b, 0x92, 0x1e, 0x3c, 0x46, 0x46, 0x9b, 0x72, 0x3a, 0xf4, 0x42, 0x41, 0x79, 0x8b, - 0x7b, 0xc2, 0x73, 0x1d, 0x3f, 0x86, 0xe9, 0xd1, 0x40, 0x50, 0x0e, 0xe0, 0xbe, 0xe3, 0xa9, 0x2b, - 0x8e, 0xc2, 0x06, 0x42, 0x3d, 0x97, 
0x7b, 0x53, 0x71, 0xc4, 0x87, 0x21, 0x41, 0x80, 0x85, 0x54, - 0x04, 0x1f, 0xa0, 0xed, 0x36, 0x73, 0xc7, 0x94, 0xb7, 0x58, 0x20, 0x1c, 0x2f, 0xa0, 0xbc, 0xd3, - 0x06, 0xf8, 0xea, 0xd6, 0x72, 0x42, 0x82, 0xaa, 0x37, 0xa2, 0xbe, 0x1f, 0x33, 0x48, 0x39, 0x72, - 0x39, 0x4f, 0xac, 0x6e, 0x0b, 0x50, 0xab, 0x5b, 0x60, 0xcb, 0x7b, 0xe5, 0xef, 0x0f, 0x21, 0xb5, - 0x8f, 0x7b, 0x64, 0x13, 0x70, 0x93, 0x8a, 0x48, 0xb2, 0x1f, 0xf9, 0x9e, 0x13, 0x82, 0x50, 0xdd, - 0x57, 0x64, 0x9f, 0x07, 0x70, 0x0d, 0xdd, 0x03, 0x27, 0x7e, 0x0a, 0xd9, 0x82, 0x82, 0x85, 0x18, - 0xfe, 0x14, 0xe5, 0x6d, 0xfb, 0x98, 0x6c, 0xdf, 0x7d, 0x56, 0xb2, 0x7e, 0xef, 0xfb, 0x84, 0x26, - 0x00, 0x3f, 0x09, 0xa2, 0x31, 0x9d, 0xc5, 0xa8, 0x97, 0x26, 0x3e, 0x40, 0xc5, 0x33, 0x20, 0xce, - 0x5a, 0x4c, 0xc2, 0x05, 0x34, 0x27, 0xfc, 0xb2, 0x54, 0xd1, 0x97, 0x6b, 0x9f, 0x6b, 0xb5, 0xbf, - 0xca, 0x48, 0x07, 0x88, 0x83, 0xa0, 0xa4, 0x94, 0x56, 0x7b, 0x23, 0x4a, 0xbb, 0x96, 0xa9, 0xb4, - 0xf9, 0x6c, 0xa5, 0x2d, 0xa4, 0x95, 0x76, 0x71, 0xf9, 0xc5, 0xa5, 0xe5, 0x27, 0x9c, 0x2f, 0xa5, - 0x38, 0xff, 0xf5, 0x9c, 0xcd, 0x3b, 0xc0, 0xe6, 0xb4, 0x16, 0xce, 0x1f, 0x79, 0x27, 0x06, 0xaf, - 0x67, 0x32, 0x78, 0x6f, 0x99, 0xc1, 0xe5, 0x6c, 0x06, 0xeb, 0xaf, 0xc3, 0xe0, 0x05, 0x5c, 0xa1, - 0x55, 0xb8, 0xaa, 0x64, 0xe0, 0x2a, 0x93, 0x11, 0xf7, 0x56, 0x32, 0x62, 0x23, 0x8b, 0x11, 0x9b, - 0xaf, 0x64, 0xc4, 0xfd, 0x25, 0x46, 0x2c, 0x89, 0xed, 0x56, 0x96, 0xd8, 0xa6, 0xb4, 0x67, 0xfb, - 0x35, 0xb4, 0x27, 0x26, 0x0d, 0xfe, 0x6f, 0xa4, 0xc1, 0x87, 0x68, 0xa7, 0x17, 0xb9, 0x2e, 0x0d, - 0xc3, 0x26, 0x1d, 0x30, 0x4e, 0xbb, 0x4e, 0x18, 0x7a, 0xc1, 0x90, 0x3c, 0xa8, 0x6a, 0xf5, 0xa2, - 0x95, 0x99, 0xc3, 0x9f, 0xa1, 0xdd, 0xc7, 0x8e, 0xe7, 0x47, 0x9c, 0xc6, 0x89, 0x44, 0x9f, 0xc8, - 0x2e, 0x74, 0xbd, 0x22, 0x2b, 0x37, 0xd8, 0xe5, 0xec, 0x7c, 0x06, 0xc8, 0x7c, 0x5b, 0x6d, 0x70, - 0x1e, 0x98, 0x67, 0x61, 0xbc, 0x24, 0x95, 0x85, 0x19, 0xaf, 0x96, 0xd6, 0xb7, 0xde, 0x9c, 0xb4, - 0x2e, 0xfd, 0xb1, 0x78, 0x08, 0xef, 0x5a, 0x0c, 0xfe, 0x0f, 0x7a, 0xd3, 
0x3c, 0xb9, 0xf8, 0xd3, - 0xc8, 0x5d, 0x5c, 0x1b, 0xda, 0xe5, 0xb5, 0xa1, 0xfd, 0x71, 0x6d, 0x68, 0xbf, 0xdc, 0x18, 0xb9, - 0x17, 0x37, 0x46, 0xee, 0xf2, 0xc6, 0xc8, 0xfd, 0x76, 0x63, 0xe4, 0x7e, 0xfc, 0xe8, 0xdf, 0xe4, - 0xe6, 0xa5, 0x7f, 0x57, 0x4f, 0x4b, 0x10, 0xf8, 0xe4, 0x9f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x3e, - 0x9a, 0xda, 0xd9, 0xc8, 0x0a, 0x00, 0x00, + // 1016 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x56, 0xcf, 0x6f, 0xe3, 0x44, + 0x14, 0x8e, 0x9b, 0x36, 0x8d, 0x27, 0x6d, 0xb7, 0x9d, 0xed, 0x96, 0xd9, 0x2e, 0x72, 0x43, 0xe0, + 0x10, 0x44, 0x71, 0xa4, 0x22, 0x10, 0x20, 0x01, 0x6a, 0x92, 0xfd, 0x11, 0xd4, 0x2e, 0xc1, 0x31, + 0x7b, 0xe0, 0xe6, 0x3a, 0x93, 0xc4, 0x8a, 0xe3, 0x89, 0xc6, 0xe3, 0xaa, 0xe1, 0xca, 0x3f, 0x80, + 0xc4, 0x65, 0xff, 0xa4, 0x1e, 0x7b, 0xe4, 0x54, 0xa0, 0xfd, 0x27, 0x10, 0x27, 0x34, 0x6f, 0xec, + 0xd4, 0xd9, 0x78, 0x49, 0x58, 0x2d, 0xa7, 0xcc, 0x7c, 0xef, 0xbd, 0x19, 0xcf, 0x7b, 0xdf, 0xf7, + 0xb5, 0xe8, 0xbd, 0x31, 0x67, 0x82, 0xd5, 0xc6, 0x67, 0x21, 0xe5, 0xe7, 0x9e, 0x4b, 0x6b, 0x03, + 0xea, 0xf8, 0x62, 0xe0, 0x0e, 0xa8, 0x3b, 0x34, 0x21, 0x86, 0xf5, 0x69, 0x70, 0xdf, 0xe8, 0x33, + 0xd6, 0xf7, 0x69, 0x0d, 0x02, 0x67, 0x51, 0xaf, 0xd6, 0x8d, 0xb8, 0x23, 0x3c, 0x16, 0xa8, 0xd4, + 0xfd, 0x47, 0xc9, 0x69, 0x2e, 0x1b, 0x8d, 0x58, 0x50, 0x53, 0x3f, 0x71, 0x70, 0xb7, 0xcf, 0xfa, + 0x4c, 0x25, 0xc8, 0x95, 0x42, 0x2b, 0x3f, 0xaf, 0xa2, 0xd2, 0x33, 0xb8, 0xb3, 0x21, 0xef, 0xc4, + 0x18, 0xad, 0x3e, 0x67, 0x5d, 0x4a, 0xb4, 0xb2, 0x56, 0xd5, 0x2d, 0x58, 0xe3, 0xa7, 0x68, 0x1d, + 0x82, 0xad, 0x26, 0x59, 0x91, 0x70, 0xfd, 0xe3, 0xbf, 0xaf, 0x0f, 0x3e, 0xec, 0x7b, 0x62, 0x10, + 0x9d, 0x99, 0x2e, 0x1b, 0xd5, 0x06, 0x4e, 0x38, 0xf0, 0x5c, 0xc6, 0xc7, 0x35, 0x97, 0x05, 0x61, + 0xe4, 0xd7, 0xc4, 0x64, 0x4c, 0x43, 0x33, 0x2e, 0xb2, 0x92, 0x6a, 0x38, 0xdc, 0x19, 0x51, 0x92, + 0x8f, 0x0f, 0x77, 0x46, 0x14, 0xef, 0xa1, 0x42, 0x47, 0x38, 0x22, 0x0a, 0xc9, 0x2a, 0xa0, 0xf1, + 0x0e, 0xef, 0xa2, 
0xb5, 0xe7, 0x4c, 0xd0, 0x90, 0xac, 0x01, 0xac, 0x36, 0x32, 0xfb, 0xbb, 0x48, + 0x8c, 0x23, 0x41, 0x0a, 0x2a, 0x5b, 0xed, 0xf0, 0xbb, 0x48, 0xef, 0xa8, 0x26, 0xb5, 0x9a, 0x64, + 0x1d, 0x42, 0x77, 0x00, 0x2e, 0xa3, 0x52, 0xbc, 0x81, 0xeb, 0x8b, 0x10, 0x4f, 0x43, 0xa9, 0x0c, + 0xdb, 0xe9, 0x87, 0x44, 0x2f, 0xe7, 0x53, 0x19, 0x12, 0x92, 0xdf, 0x6e, 0x4f, 0xc6, 0x94, 0x6c, + 0xa8, 0x6f, 0x97, 0x6b, 0xfc, 0x04, 0xa1, 0x26, 0xed, 0x79, 0x81, 0x27, 0x67, 0x40, 0x50, 0x59, + 0xab, 0x96, 0x8e, 0xca, 0xe6, 0x74, 0x5e, 0x66, 0xaa, 0xb1, 0x77, 0x79, 0xf5, 0xd5, 0xcb, 0xeb, + 0x83, 0x9c, 0x95, 0xaa, 0xc4, 0x5f, 0x20, 0xdd, 0x72, 0x7a, 0xa2, 0x15, 0x74, 0xe9, 0x05, 0x29, + 0xc1, 0x31, 0x3b, 0x66, 0x3c, 0xbc, 0x69, 0xa0, 0x5e, 0x94, 0x75, 0x57, 0xd7, 0x07, 0x9a, 0x75, + 0x97, 0x8d, 0x9b, 0x68, 0xeb, 0x71, 0x20, 0x28, 0x1f, 0x73, 0x2f, 0xa4, 0xa7, 0x54, 0x38, 0x64, + 0x13, 0xea, 0xf7, 0x92, 0xfa, 0xd9, 0x68, 0x7c, 0xf9, 0x2b, 0x35, 0x95, 0xf7, 0x81, 0x04, 0x5d, + 0xca, 0x5f, 0x38, 0x7e, 0x44, 0x65, 0xef, 0x61, 0x41, 0x34, 0xe8, 0x83, 0xda, 0x54, 0xfe, 0x2a, + 0xa0, 0x07, 0x99, 0x2f, 0x92, 0xbd, 0x79, 0x66, 0xdb, 0xed, 0x84, 0x34, 0x72, 0x8d, 0x3f, 0x40, + 0x9b, 0xf6, 0x49, 0x47, 0x76, 0x90, 0x72, 0xe8, 0xfa, 0x7d, 0x08, 0xce, 0x82, 0x49, 0xd6, 0xd0, + 0x1b, 0xbf, 0xa0, 0xdc, 0xeb, 0x4d, 0x80, 0x60, 0x45, 0x6b, 0x16, 0xc4, 0xdf, 0xa2, 0x82, 0xfa, + 0x3c, 0x92, 0x2f, 0xe7, 0xab, 0xa5, 0xa3, 0xc3, 0x45, 0x3d, 0x36, 0x55, 0xfa, 0xe3, 0x40, 0xf0, + 0x49, 0xfc, 0xe4, 0xf8, 0x04, 0xc9, 0xa0, 0x53, 0x2a, 0x06, 0xac, 0x9b, 0xf0, 0x4d, 0xed, 0xe4, + 0x1b, 0xea, 0xac, 0x3b, 0x21, 0x58, 0xbd, 0x41, 0xae, 0xf1, 0x36, 0xca, 0xdb, 0x8d, 0x76, 0xcc, + 0x40, 0xb9, 0xc4, 0xdf, 0xa0, 0x62, 0x4b, 0xb6, 0xee, 0xdc, 0xf1, 0x81, 0x81, 0xa5, 0xa3, 0x87, + 0xa6, 0x12, 0xa5, 0x99, 0x88, 0xd2, 0x6c, 0xc6, 0xa2, 0x54, 0x03, 0x7b, 0xf9, 0xfb, 0x81, 0x66, + 0x4d, 0x8b, 0xe4, 0x83, 0x15, 0x65, 0x4f, 0x9d, 0x8b, 0x8e, 0xf7, 0x13, 0x25, 0x7a, 0x59, 0xab, + 0x6e, 0x5a, 0xb3, 0x20, 0xfe, 0x0a, 0xad, 0xdb, 0xde, 
0x88, 0xb2, 0x48, 0x00, 0x99, 0x97, 0xbc, + 0x25, 0xa9, 0xc1, 0x43, 0x64, 0x34, 0x29, 0xa7, 0x7d, 0x2f, 0x14, 0x94, 0x37, 0xb8, 0x27, 0x3c, + 0xd7, 0xf1, 0x63, 0x32, 0x1f, 0xf7, 0x04, 0xe5, 0x20, 0x81, 0x25, 0x4f, 0x5d, 0x70, 0x14, 0x36, + 0x10, 0xea, 0xb8, 0xdc, 0x1b, 0x8b, 0x63, 0xde, 0x0f, 0x09, 0x02, 0xc6, 0xa4, 0x10, 0x7c, 0x88, + 0x76, 0x9a, 0xcc, 0x1d, 0x52, 0xde, 0x60, 0x81, 0x70, 0xbc, 0x80, 0xf2, 0x56, 0x13, 0x48, 0xae, + 0x5b, 0xf3, 0x01, 0x49, 0xbd, 0xce, 0x80, 0xfa, 0x7e, 0xac, 0x33, 0xb5, 0x91, 0xc3, 0x79, 0x6a, + 0xb5, 0x1b, 0xc0, 0x6d, 0xdd, 0x82, 0xb5, 0xbc, 0x57, 0xfe, 0xfe, 0x10, 0x52, 0xfb, 0xa4, 0x43, + 0xb6, 0x80, 0x37, 0x29, 0x44, 0x5a, 0xc2, 0xb1, 0xef, 0x39, 0x21, 0xd8, 0xd9, 0x3d, 0x65, 0x09, + 0x53, 0x00, 0x57, 0xd0, 0x06, 0x6c, 0xe2, 0xa7, 0x90, 0x6d, 0x48, 0x98, 0xc1, 0xf0, 0xa7, 0x28, + 0x6f, 0xdb, 0x27, 0x64, 0x67, 0xf9, 0x5e, 0xc9, 0xfc, 0xfd, 0xef, 0x13, 0x31, 0x01, 0xfd, 0x24, + 0x89, 0x86, 0x74, 0x12, 0x6b, 0x43, 0x2e, 0xf1, 0x21, 0x5a, 0x3b, 0x07, 0x79, 0xad, 0xc4, 0x52, + 0x9d, 0x61, 0x73, 0xa2, 0x42, 0x4b, 0x25, 0x7d, 0xb9, 0xf2, 0xb9, 0x56, 0xf9, 0x55, 0x47, 0x3a, + 0x50, 0x1c, 0x6c, 0x27, 0xe5, 0xc7, 0xda, 0x5b, 0xf1, 0xe3, 0x95, 0x4c, 0x3f, 0xce, 0x67, 0xfb, + 0xf1, 0x6a, 0xda, 0x8f, 0x67, 0x87, 0xbf, 0x36, 0x37, 0xfc, 0xc4, 0x19, 0x0a, 0x29, 0x67, 0xf8, + 0x7a, 0xaa, 0xe6, 0x5d, 0x50, 0x73, 0xda, 0x31, 0xa7, 0x8f, 0x5c, 0x4a, 0xc1, 0xeb, 0x99, 0x0a, + 0xde, 0x9f, 0x57, 0x70, 0x31, 0x5b, 0xc1, 0xfa, 0x9b, 0x28, 0x78, 0x86, 0x57, 0x68, 0x11, 0xaf, + 0x4a, 0x19, 0xbc, 0xca, 0x54, 0xc4, 0xc6, 0x42, 0x45, 0x6c, 0x66, 0x29, 0x62, 0xeb, 0xb5, 0x8a, + 0xb8, 0x37, 0xa7, 0x88, 0x39, 0x4b, 0x7e, 0xb4, 0x94, 0x25, 0x6f, 0x67, 0x59, 0x72, 0xca, 0xa1, + 0x76, 0xde, 0xc0, 0xa1, 0x62, 0x69, 0xe1, 0xff, 0x26, 0x2d, 0x7c, 0x84, 0x76, 0x3b, 0x91, 0xeb, + 0xd2, 0x30, 0xac, 0xd3, 0x1e, 0xe3, 0xb4, 0xed, 0x84, 0xa1, 0x17, 0xf4, 0xc9, 0x83, 0xb2, 0x56, + 0x5d, 0xb3, 0x32, 0x63, 0xf8, 0x33, 0xb4, 0xf7, 0xc4, 0xf1, 0xfc, 0x88, 0xd3, 0x38, 0x90, 
0xb8, + 0x18, 0xd9, 0x83, 0xaa, 0xd7, 0x44, 0xe5, 0x9c, 0xdb, 0x9c, 0x5d, 0x4c, 0x80, 0xbf, 0xef, 0xa8, + 0x39, 0x4f, 0x81, 0x69, 0x14, 0x86, 0x40, 0x52, 0x51, 0x98, 0xc4, 0x62, 0x03, 0xbe, 0xff, 0xf6, + 0x0c, 0x78, 0xee, 0x4f, 0xca, 0x43, 0x78, 0xd7, 0x2c, 0xf8, 0x3f, 0xb8, 0x52, 0xfd, 0xf4, 0xf2, + 0x4f, 0x23, 0x77, 0x79, 0x63, 0x68, 0x57, 0x37, 0x86, 0xf6, 0xc7, 0x8d, 0xa1, 0xfd, 0x72, 0x6b, + 0xe4, 0x5e, 0xde, 0x1a, 0xb9, 0xab, 0x5b, 0x23, 0xf7, 0xdb, 0xad, 0x91, 0xfb, 0xf1, 0xa3, 0x7f, + 0x33, 0xa5, 0x57, 0xfe, 0xf5, 0x3d, 0x2b, 0x00, 0xf0, 0xc9, 0x3f, 0x01, 0x00, 0x00, 0xff, 0xff, + 0xf4, 0xca, 0x84, 0xe7, 0x14, 0x0b, 0x00, 0x00, } func (m *HealthCheck) Marshal() (dAtA []byte, err error) { @@ -524,6 +527,15 @@ func (m *HealthCheckDefinition) MarshalToSizedBuffer(dAtA []byte) (int, error) { _ = i var l int _ = l + if len(m.TLSServerName) > 0 { + i -= len(m.TLSServerName) + copy(dAtA[i:], m.TLSServerName) + i = encodeVarintHealthcheck(dAtA, i, uint64(len(m.TLSServerName))) + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0x9a + } if len(m.Body) > 0 { i -= len(m.Body) copy(dAtA[i:], m.Body) @@ -706,6 +718,15 @@ func (m *CheckType) MarshalToSizedBuffer(dAtA []byte) (int, error) { _ = i var l int _ = l + if len(m.TLSServerName) > 0 { + i -= len(m.TLSServerName) + copy(dAtA[i:], m.TLSServerName) + i = encodeVarintHealthcheck(dAtA, i, uint64(len(m.TLSServerName))) + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0xda + } if len(m.Body) > 0 { i -= len(m.Body) copy(dAtA[i:], m.Body) @@ -1093,6 +1114,10 @@ func (m *HealthCheckDefinition) Size() (n int) { if l > 0 { n += 2 + l + sovHealthcheck(uint64(l)) } + l = len(m.TLSServerName) + if l > 0 { + n += 2 + l + sovHealthcheck(uint64(l)) + } return n } @@ -1200,6 +1225,10 @@ func (m *CheckType) Size() (n int) { if l > 0 { n += 2 + l + sovHealthcheck(uint64(l)) } + l = len(m.TLSServerName) + if l > 0 { + n += 2 + l + sovHealthcheck(uint64(l)) + } return n } 
@@ -2435,6 +2464,38 @@ func (m *HealthCheckDefinition) Unmarshal(dAtA []byte) error { } m.Body = string(dAtA[iNdEx:postIndex]) iNdEx = postIndex + case 19: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field TLSServerName", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowHealthcheck + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthHealthcheck + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthHealthcheck + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.TLSServerName = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipHealthcheck(dAtA[iNdEx:]) @@ -3358,6 +3419,38 @@ func (m *CheckType) Unmarshal(dAtA []byte) error { } m.Body = string(dAtA[iNdEx:postIndex]) iNdEx = postIndex + case 27: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field TLSServerName", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowHealthcheck + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthHealthcheck + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthHealthcheck + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.TLSServerName = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipHealthcheck(dAtA[iNdEx:]) diff --git a/proto/pbservice/healthcheck.proto b/proto/pbservice/healthcheck.proto index be0e88d67..a5e438633 100644 --- a/proto/pbservice/healthcheck.proto 
+++ b/proto/pbservice/healthcheck.proto @@ -56,6 +56,7 @@ message HeaderValue { // name=Structs message HealthCheckDefinition { string HTTP = 1; + string TLSServerName = 19; bool TLSSkipVerify = 2; // mog: func-to=MapHeadersToStructs func-from=NewMapHeadersFromStructs @@ -117,6 +118,7 @@ message CheckType { string Shell = 13; string GRPC = 14; bool GRPCUseTLS = 15; + string TLSServerName = 27; bool TLSSkipVerify = 16; google.protobuf.Duration Timeout = 17 [(gogoproto.stdduration) = true, (gogoproto.nullable) = false]; diff --git a/tlsutil/config.go b/tlsutil/config.go index 4042518b3..ab6213cce 100644 --- a/tlsutil/config.go +++ b/tlsutil/config.go @@ -711,21 +711,27 @@ func (c *Configurator) IncomingHTTPSConfig() *tls.Config { return config } -// IncomingTLSConfig generates a *tls.Config for outgoing TLS connections for -// checks. This function is separated because there is an extra flag to +// OutgoingTLSConfigForCheck generates a *tls.Config for outgoing TLS connections +// for checks. This function is separated because there is an extra flag to // consider for checks. EnableAgentTLSForChecks and InsecureSkipVerify has to // be checked for checks. -func (c *Configurator) OutgoingTLSConfigForCheck(skipVerify bool) *tls.Config { +func (c *Configurator) OutgoingTLSConfigForCheck(skipVerify bool, serverName string) *tls.Config { c.log("OutgoingTLSConfigForCheck") + + if serverName == "" { + serverName = c.serverNameOrNodeName() + } + if !c.enableAgentTLSForChecks() { return &tls.Config{ InsecureSkipVerify: skipVerify, + ServerName: serverName, } } config := c.commonTLSConfig(false) config.InsecureSkipVerify = skipVerify - config.ServerName = c.serverNameOrNodeName() + config.ServerName = serverName return config } diff --git a/tlsutil/config_test.go b/tlsutil/config_test.go index 1cfd44d01..7287d8628 100644 --- a/tlsutil/config_test.go +++ b/tlsutil/config_test.go 
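Review bot: Moving the `serverNameOrNodeName()` fallback above the `enableAgentTLSForChecks()` branch changes the disabled branch too: it previously returned a `tls.Config` with `ServerName` empty and now always carries the agent's server name or node name. If Go's `http.Transport` only derives the SNI and certificate-verification name from the URL host when `ServerName` is empty (which is how the docs text in this same patch describes the "set automatically from the URL hostname" behaviour), an HTTPS check against a hostname URL with agent TLS for checks disabled and no `tls_server_name` would now be verified against the node name and fail, or only appear to work where `TLSSkipVerify` is set. Keeping the disabled branch on the caller-supplied value, `ServerName: serverName`, and applying the fallback only after that early return (`if serverName == "" { serverName = c.serverNameOrNodeName() }` just before `config := c.commonTLSConfig(false)`) preserves the old behaviour while still honouring an explicit override. The doc comment should also say that `serverName` is the name the peer certificate is verified against, so an override that does not match the target's certificate is a hard failure rather than a hint, and that it is still applied when `skipVerify` is true.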
@@ -909,16 +909,21 @@ func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) { TLSMinVersion: "tls12", EnableAgentTLSForChecks: false, }, autoTLS: &autoTLS{}} - tlsConf := c.OutgoingTLSConfigForCheck(true) + tlsConf := c.OutgoingTLSConfigForCheck(true, "") require.Equal(t, true, tlsConf.InsecureSkipVerify) require.Equal(t, uint16(0), tlsConf.MinVersion) c.base.EnableAgentTLSForChecks = true c.base.ServerName = "servername" - tlsConf = c.OutgoingTLSConfigForCheck(true) + tlsConf = c.OutgoingTLSConfigForCheck(true, "") require.Equal(t, true, tlsConf.InsecureSkipVerify) require.Equal(t, TLSLookup[c.base.TLSMinVersion], tlsConf.MinVersion) require.Equal(t, c.base.ServerName, tlsConf.ServerName) + + tlsConf = c.OutgoingTLSConfigForCheck(true, "servername2") + require.Equal(t, true, tlsConf.InsecureSkipVerify) + require.Equal(t, TLSLookup[c.base.TLSMinVersion], tlsConf.MinVersion) + require.Equal(t, "servername2", tlsConf.ServerName) } func TestConfigurator_OutgoingRPCConfig(t *testing.T) { diff --git a/website/content/api-docs/agent/check.mdx b/website/content/api-docs/agent/check.mdx index 194df3d7a..196de7fe6 100644 --- a/website/content/api-docs/agent/check.mdx +++ b/website/content/api-docs/agent/check.mdx @@ -188,6 +188,11 @@ The table below shows this endpoint's support for The value can be further limited for all checks of a given agent using the `check_output_max_size` flag in the agent. +- `TLSServerName` `(string: "")` - Specifies an optional string used to set the + SNI host when connecting via TLS. + For an `HTTP` check, this value is set automatically if the URL uses a hostname + (not an IP address). + - `TLSSkipVerify` `(bool: false)` - Specifies if the certificate for an HTTPS check should not be verified. diff --git a/website/content/docs/discovery/checks.mdx b/website/content/docs/discovery/checks.mdx index a8b05851e..4e9b28e37 100644 --- a/website/content/docs/discovery/checks.mdx +++ b/website/content/docs/discovery/checks.mdx 
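Review bot: The first case (`EnableAgentTLSForChecks: false`) still asserts only `InsecureSkipVerify` and `MinVersion`, so the `ServerName` that the disabled branch now returns is left unpinned even though that branch is what this patch changes. Adding `require.Equal(t, "", tlsConf.ServerName)` there, or whatever value the disabled branch is meant to carry, together with a disabled-branch call passing `"servername2"`, would document the intended behaviour and catch a regression in whether the URL host is still used for SNI when no override is configured. The new `servername2` case also runs with `skipVerify` true only; a companion call with `false` would confirm the override is applied independently of verification being disabled.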
@@ -63,7 +63,9 @@ There are several different kinds of checks: check is limited to roughly 4KB. Responses larger than this will be truncated. HTTP checks also support TLS. By default, a valid TLS certificate is expected. Certificate verification can be turned off by setting the `tls_skip_verify` - field to `true` in the check definition. + field to `true` in the check definition. When using TLS, the SNI will be set + automatically from the URL if it uses a hostname (as opposed to an IP address); + the value can be overriden by setting `tls_server_name`. - `TCP + Interval` - These checks make a TCP connection attempt to the specified IP/hostname and port, waiting `interval` amount of time between attempts @@ -153,6 +155,7 @@ A HTTP check: "id": "api", "name": "HTTP API on port 5000", "http": "https://localhost:5000/health", + "tls_server_name": "", "tls_skip_verify": false, "method": "POST", "header": {"Content-Type": ["application/json"]}, From 96276fc7b8f8e09b52be436ee2cedb1925794f5d Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Tue, 16 Mar 2021 18:22:25 -0400 Subject: [PATCH 2/2] Add changelog for 9475 --- .changelog/9475.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .changelog/9475.txt diff --git a/.changelog/9475.txt b/.changelog/9475.txt new file mode 100644 index 000000000..feee64f8c --- /dev/null +++ b/.changelog/9475.txt @@ -0,0 +1,3 @@ +```release-note:bug +checks: add TLSServerName field to allow setting the TLS server name for HTTPS health checks. +```