Merge pull request #4328 from hashicorp/r-single-tls-config-constructor
Refactor to prefer using NewTLSConfiguration constructor
This commit is contained in:
commit
af15dda45a
|
@ -197,11 +197,14 @@ func NewClient(cfg *config.Config, consulCatalog consul.CatalogAPI, consulServic
|
|||
// Create the tls wrapper
|
||||
var tlsWrap tlsutil.RegionWrapper
|
||||
if cfg.TLSConfig.EnableRPC {
|
||||
tw, err := cfg.TLSConfiguration().OutgoingTLSWrapper()
|
||||
tw, err := tlsutil.NewTLSConfiguration(cfg.TLSConfig, true, true)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsWrap, err = tw.OutgoingTLSWrapper()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
tlsWrap = tw
|
||||
}
|
||||
|
||||
// Create the client
|
||||
|
@ -399,7 +402,7 @@ func (c *Client) init() error {
|
|||
func (c *Client) reloadTLSConnections(newConfig *nconfig.TLSConfig) error {
|
||||
var tlsWrap tlsutil.RegionWrapper
|
||||
if newConfig != nil && newConfig.EnableRPC {
|
||||
tw, err := tlsutil.NewTLSConfiguration(newConfig)
|
||||
tw, err := tlsutil.NewTLSConfiguration(newConfig, true, true)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
@ -9,7 +9,6 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/hashicorp/nomad/helper"
|
||||
"github.com/hashicorp/nomad/helper/tlsutil"
|
||||
"github.com/hashicorp/nomad/nomad/structs"
|
||||
"github.com/hashicorp/nomad/nomad/structs/config"
|
||||
"github.com/hashicorp/nomad/version"
|
||||
|
@ -358,17 +357,3 @@ func (c *Config) ReadStringListToMapDefault(key, defaultValue string) map[string
|
|||
}
|
||||
return list
|
||||
}
|
||||
|
||||
// TLSConfiguration returns a TLSUtil Config based on the existing client
|
||||
// configuration
|
||||
func (c *Config) TLSConfiguration() *tlsutil.Config {
|
||||
return &tlsutil.Config{
|
||||
VerifyIncoming: true,
|
||||
VerifyOutgoing: true,
|
||||
VerifyServerHostname: c.TLSConfig.VerifyServerHostname,
|
||||
CAFile: c.TLSConfig.CAFile,
|
||||
CertFile: c.TLSConfig.CertFile,
|
||||
KeyFile: c.TLSConfig.KeyFile,
|
||||
KeyLoader: c.TLSConfig.GetKeyLoader(),
|
||||
}
|
||||
}
|
||||
|
|
|
@ -70,15 +70,11 @@ func NewHTTPServer(agent *Agent, config *Config) (*HTTPServer, error) {
|
|||
|
||||
// If TLS is enabled, wrap the listener with a TLS listener
|
||||
if config.TLSConfig.EnableHTTP {
|
||||
tlsConf := &tlsutil.Config{
|
||||
VerifyIncoming: config.TLSConfig.VerifyHTTPSClient,
|
||||
VerifyOutgoing: true,
|
||||
VerifyServerHostname: config.TLSConfig.VerifyServerHostname,
|
||||
CAFile: config.TLSConfig.CAFile,
|
||||
CertFile: config.TLSConfig.CertFile,
|
||||
KeyFile: config.TLSConfig.KeyFile,
|
||||
KeyLoader: config.TLSConfig.GetKeyLoader(),
|
||||
tlsConf, err := tlsutil.NewTLSConfiguration(config.TLSConfig, config.TLSConfig.VerifyHTTPSClient, true)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
tlsConfig, err := tlsConf.IncomingTLSConfig()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
|
@ -109,7 +109,7 @@ type Config struct {
|
|||
MinVersion uint16
|
||||
}
|
||||
|
||||
func NewTLSConfiguration(newConf *config.TLSConfig) (*Config, error) {
|
||||
func NewTLSConfiguration(newConf *config.TLSConfig, verifyIncoming, verifyOutgoing bool) (*Config, error) {
|
||||
ciphers, err := ParseCiphers(newConf.TLSCipherSuites)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -121,8 +121,8 @@ func NewTLSConfiguration(newConf *config.TLSConfig) (*Config, error) {
|
|||
}
|
||||
|
||||
return &Config{
|
||||
VerifyIncoming: true,
|
||||
VerifyOutgoing: true,
|
||||
VerifyIncoming: verifyIncoming,
|
||||
VerifyOutgoing: verifyOutgoing,
|
||||
VerifyServerHostname: newConf.VerifyServerHostname,
|
||||
CAFile: newConf.CAFile,
|
||||
CertFile: newConf.CertFile,
|
||||
|
|
|
@ -531,3 +531,22 @@ func TestConfig_ParseMinVersion_Invalid(t *testing.T) {
|
|||
require.Equal(uint16(0), parsedVersion)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConfig_NewTLSConfiguration(t *testing.T) {
|
||||
require := require.New(t)
|
||||
|
||||
conf := &config.TLSConfig{
|
||||
TLSCipherSuites: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||
}
|
||||
|
||||
tlsConf, err := NewTLSConfiguration(conf, true, true)
|
||||
require.Nil(err)
|
||||
require.True(tlsConf.VerifyIncoming)
|
||||
require.True(tlsConf.VerifyOutgoing)
|
||||
|
||||
expectedCiphers := []uint16{
|
||||
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
}
|
||||
require.Equal(tlsConf.CipherSuites, expectedCiphers)
|
||||
}
|
||||
|
|
|
@ -9,7 +9,6 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/hashicorp/memberlist"
|
||||
"github.com/hashicorp/nomad/helper/tlsutil"
|
||||
"github.com/hashicorp/nomad/helper/uuid"
|
||||
"github.com/hashicorp/nomad/nomad/structs"
|
||||
"github.com/hashicorp/nomad/nomad/structs/config"
|
||||
|
@ -388,16 +387,3 @@ func DefaultConfig() *Config {
|
|||
|
||||
return c
|
||||
}
|
||||
|
||||
// tlsConfig returns a TLSUtil Config based on the server configuration
|
||||
func (c *Config) tlsConfig() *tlsutil.Config {
|
||||
return &tlsutil.Config{
|
||||
VerifyIncoming: true,
|
||||
VerifyOutgoing: true,
|
||||
VerifyServerHostname: c.TLSConfig.VerifyServerHostname,
|
||||
CAFile: c.TLSConfig.CAFile,
|
||||
CertFile: c.TLSConfig.CertFile,
|
||||
KeyFile: c.TLSConfig.KeyFile,
|
||||
KeyLoader: c.TLSConfig.GetKeyLoader(),
|
||||
}
|
||||
}
|
||||
|
|
|
@ -273,7 +273,10 @@ func NewServer(config *Config, consulCatalog consul.CatalogAPI, logger *log.Logg
|
|||
}
|
||||
|
||||
// Configure TLS
|
||||
tlsConf := config.tlsConfig()
|
||||
tlsConf, err := tlsutil.NewTLSConfiguration(config.TLSConfig, true, true)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
incomingTLS, tlsWrap, err := getTLSConf(config.TLSConfig.EnableRPC, tlsConf)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -450,7 +453,7 @@ func (s *Server) reloadTLSConnections(newTLSConfig *config.TLSConfig) error {
|
|||
return fmt.Errorf("can't reload uninitialized RPC listener")
|
||||
}
|
||||
|
||||
tlsConf, err := tlsutil.NewTLSConfiguration(newTLSConfig)
|
||||
tlsConf, err := tlsutil.NewTLSConfiguration(newTLSConfig, true, true)
|
||||
if err != nil {
|
||||
s.logger.Printf("[ERR] nomad: unable to create TLS configuration %s", err)
|
||||
return err
|
||||
|
|
|
@ -205,6 +205,12 @@ func (t *TLSConfig) Merge(b *TLSConfig) *TLSConfig {
|
|||
if b.RPCUpgradeMode {
|
||||
result.RPCUpgradeMode = true
|
||||
}
|
||||
if b.TLSCipherSuites != "" {
|
||||
result.TLSCipherSuites = b.TLSCipherSuites
|
||||
}
|
||||
if b.TLSMinVersion != "" {
|
||||
result.TLSMinVersion = b.TLSMinVersion
|
||||
}
|
||||
return result
|
||||
}
|
||||
|
||||
|
|
|
@ -21,6 +21,8 @@ func TestTLSConfig_Merge(t *testing.T) {
|
|||
CAFile: "test-ca-file-2",
|
||||
CertFile: "test-cert-file-2",
|
||||
RPCUpgradeMode: true,
|
||||
TLSCipherSuites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
||||
TLSMinVersion: "tls12",
|
||||
}
|
||||
|
||||
new := a.Merge(b)
|
||||
|
|
Loading…
Reference in a new issue