Moving the TLSConfig to structs

2016-10-25 15:57:38 -07:00 · 2016-10-25 15:57:38 -07:00 · cf35aeac84
parent eefc8db3b3
commit cf35aeac84
8 changed files with 80 additions and 132 deletions
--- a/client/client.go
+++ b/client/client.go
@ -167,8 +167,8 @@ var (
 func NewClient(cfg *config.Config, consulSyncer *consul.Syncer, logger *log.Logger) (*Client, error) {
 	//Create the tls wrapper
 	var tlsWrap tlsutil.Wrapper
-	if cfg.RpcTLS {
-		tw, err := cfg.TLSConfig().OutgoingTLSWrapper()
+	if cfg.TLSConfig.EnableRPC {
+		tw, err := cfg.TLSConfiguration().OutgoingTLSWrapper()
 		if err != nil {
 			return nil, err
 		}
--- a/client/config/config.go
+++ b/client/config/config.go
@ -134,31 +134,8 @@ type Config struct {
 	// allocation metrics to remote Telemetry sinks
 	PublishAllocationMetrics bool

-	// HttpTLS enables TLS for the HTTP endpoints on the clients.
-	HttpTLS bool
-
-	// RpcTLS enables TLS for the outgoing TLS connections to the Nomad servers.
-	RpcTLS bool
-
-	// VerifyServerHostname is used to enable hostname verification of servers. This
-	// ensures that the certificate presented is valid for server.<datacenter>.<domain>.
-	// This prevents a compromised client from being restarted as a server, and then
-	// intercepting request traffic as well as being added as a raft peer. This should be
-	// enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
-	// existing clients.
-	VerifyServerHostname bool
-
-	// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
-	// or VerifyOutgoing to verify the TLS connection.
-	CAFile string
-
-	// CertFile is used to provide a TLS certificate that is used for serving TLS connections.
-	// Must be provided to serve TLS connections.
-	CertFile string
-
-	// KeyFile is used to provide a TLS key that is used for serving TLS connections.
-	// Must be provided to serve TLS connections.
-	KeyFile string
+	// TLSConfig holds various TLS related configurations
+	TLSConfig *config.TLSConfig
 }

 func (c *Config) Copy() *Config {
@ -255,14 +232,14 @@ func (c *Config) ReadStringListToMapDefault(key, defaultValue string) map[string
 }

 // TLSConfig returns a TLSUtil Config based on the client configuration
-func (c *Config) TLSConfig() *tlsutil.Config {
+func (c *Config) TLSConfiguration() *tlsutil.Config {
 	tlsConf := &tlsutil.Config{
 		VerifyIncoming:       true,
 		VerifyOutgoing:       true,
-		VerifyServerHostname: c.VerifyServerHostname,
-		CAFile:               c.CAFile,
-		CertFile:             c.CertFile,
-		KeyFile:              c.KeyFile,
+		VerifyServerHostname: c.TLSConfig.VerifyServerHostname,
+		CAFile:               c.TLSConfig.CAFile,
+		CertFile:             c.TLSConfig.CertFile,
+		KeyFile:              c.TLSConfig.KeyFile,
 		ServerName:           c.Node.Name,
 	}
 	return tlsConf
--- a/command/agent/agent.go
+++ b/command/agent/agent.go
@ -244,13 +244,8 @@ func (a *Agent) serverConfig() (*nomad.Config, error) {
 	conf.ConsulConfig = a.config.Consul
 	conf.VaultConfig = a.config.Vault

-	// Set the TLS related configs
-	conf.RpcTLS = a.config.TLSConfig.EnableRPC
-	conf.RequireTLS = conf.RpcTLS
-	conf.VerifyServerHostname = a.config.TLSConfig.VerifyServerHostname
-	conf.CAFile = a.config.TLSConfig.CAFile
-	conf.CertFile = a.config.TLSConfig.CertFile
-	conf.KeyFile = a.config.TLSConfig.KeyFile
+	// Set the TLS config
+	conf.TLSConfig = a.config.TLSConfig

 	return conf, nil
 }
@ -367,12 +362,7 @@ func (a *Agent) clientConfig() (*clientconfig.Config, error) {
 	conf.PublishAllocationMetrics = a.config.Telemetry.PublishAllocationMetrics

 	// Set the TLS related configs
-	conf.HttpTLS = a.config.TLSConfig.EnableHTTP
-	conf.RpcTLS = a.config.TLSConfig.EnableRPC
-	conf.VerifyServerHostname = a.config.TLSConfig.VerifyServerHostname
-	conf.CAFile = a.config.TLSConfig.CAFile
-	conf.CertFile = a.config.TLSConfig.CertFile
-	conf.KeyFile = a.config.TLSConfig.KeyFile
+	conf.TLSConfig = a.config.TLSConfig

 	return conf, nil
 }
--- a/command/agent/config.go
+++ b/command/agent/config.go
@ -114,7 +114,7 @@ type Config struct {

 	// TLSConfig provides TLS related configuration for the Nomad server and
 	// client
-	TLSConfig *TLSConfig `mapstructure:"tls"`
+	TLSConfig *config.TLSConfig `mapstructure:"tls"`

 	// HTTPAPIResponseHeaders allows users to configure the Nomad http agent to
 	// set arbritrary headers on API responses
@ -139,36 +139,6 @@ type AtlasConfig struct {
 	Endpoint string `mapstructure:"endpoint"`
 }

-// TLSConfig provides TLS related configuration
-type TLSConfig struct {
-
-	// EnableHTTP enabled TLS for http traffic to the Nomad server and clients
-	EnableHTTP bool `mapstructure:"http"`
-
-	// EnableRPC enables TLS for RPC and Raft traffic to the Nomad servers
-	EnableRPC bool `mapstructure:"rpc"`
-
-	// VerifyServerHostname is used to enable hostname verification of servers. This
-	// ensures that the certificate presented is valid for server.<datacenter>.<domain>.
-	// This prevents a compromised client from being restarted as a server, and then
-	// intercepting request traffic as well as being added as a raft peer. This should be
-	// enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
-	// existing clients.
-	VerifyServerHostname bool `mapstructure:"verify_server_hostname"`
-
-	// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
-	// or VerifyOutgoing to verify the TLS connection.
-	CAFile string `mapstructure:"ca_file"`
-
-	// CertFile is used to provide a TLS certificate that is used for serving TLS connections.
-	// Must be provided to serve TLS connections.
-	CertFile string `mapstructure:"cert_file"`
-
-	// KeyFile is used to provide a TLS key that is used for serving TLS connections.
-	// Must be provided to serve TLS connections.
-	KeyFile string `mapstructure:"key_file"`
-}
-
 // ClientConfig is configuration specific to the client mode
 type ClientConfig struct {
 	// Enabled controls if we are a client
@ -520,7 +490,7 @@ func DefaultConfig() *Config {
 			CollectionInterval: "1s",
 			collectionInterval: 1 * time.Second,
 		},
-		TLSConfig: &TLSConfig{},
+		TLSConfig: &config.TLSConfig{},
 	}
 }

@ -807,32 +777,6 @@ func (a *ClientConfig) Merge(b *ClientConfig) *ClientConfig {
 	return &result
 }

-// Merge is used to merge two TLS configs together
-func (t *TLSConfig) Merge(b *TLSConfig) *TLSConfig {
-	result := *t
-
-	if b.EnableHTTP {
-		result.EnableHTTP = true
-	}
-	if b.EnableRPC {
-		result.EnableRPC = true
-	}
-	if b.VerifyServerHostname {
-		result.VerifyServerHostname = true
-	}
-	if b.CAFile != "" {
-		result.CAFile = b.CAFile
-	}
-	if b.CertFile != "" {
-		result.CertFile = b.CertFile
-	}
-	if b.KeyFile != "" {
-		result.KeyFile = b.KeyFile
-	}
-
-	return &result
-}
-
 // Merge is used to merge two telemetry configs together
 func (a *Telemetry) Merge(b *Telemetry) *Telemetry {
 	result := *a
--- a/command/agent/config_parse.go
+++ b/command/agent/config_parse.go
@ -652,7 +652,7 @@ func parseConsulConfig(result **config.ConsulConfig, list *ast.ObjectList) error
 	return nil
 }

-func parseTLSConfig(result **TLSConfig, list *ast.ObjectList) error {
+func parseTLSConfig(result **config.TLSConfig, list *ast.ObjectList) error {
 	list = list.Elem()
 	if len(list.Items) > 1 {
 		return fmt.Errorf("only one 'tls' block allowed")
@ -679,7 +679,7 @@ func parseTLSConfig(result **TLSConfig, list *ast.ObjectList) error {
 		return err
 	}

-	var tlsConfig TLSConfig
+	var tlsConfig config.TLSConfig
 	if err := mapstructure.WeakDecode(m, &tlsConfig); err != nil {
 		return err
 	}
--- a/nomad/config.go
+++ b/nomad/config.go
@ -193,28 +193,8 @@ type Config struct {
 	// place, and a small jitter is applied to avoid a thundering herd.
 	RPCHoldTimeout time.Duration

-	// Enable TLS for incoming RPC calls from Nomad clients
-	RpcTLS bool
-
-	// VerifyServerHostname is used to enable hostname verification of servers. This
-	// ensures that the certificate presented is valid for server.<datacenter>.<domain>.
-	// This prevents a compromised client from being restarted as a server, and then
-	// intercepting request traffic as well as being added as a raft peer. This should be
-	// enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
-	// existing clients.
-	VerifyServerHostname bool
-
-	// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
-	// or VerifyOutgoing to verify the TLS connection.
-	CAFile string
-
-	// CertFile is used to provide a TLS certificate that is used for serving TLS connections.
-	// Must be provided to serve TLS connections.
-	CertFile string
-
-	// KeyFile is used to provide a TLS key that is used for serving TLS connections.
-	// Must be provided to serve TLS connections.
-	KeyFile string
+	// TLSConfig holds various TLS related configurations
+	TLSConfig *config.TLSConfig
 }

 // CheckVersion is used to check if the ProtocolVersion is valid
@ -293,10 +273,10 @@ func (c *Config) tlsConfig() *tlsutil.Config {
 	tlsConf := &tlsutil.Config{
 		VerifyIncoming:       true,
 		VerifyOutgoing:       true,
-		VerifyServerHostname: c.VerifyServerHostname,
-		CAFile:               c.CAFile,
-		CertFile:             c.CertFile,
-		KeyFile:              c.KeyFile,
+		VerifyServerHostname: c.TLSConfig.VerifyServerHostname,
+		CAFile:               c.TLSConfig.CAFile,
+		CertFile:             c.TLSConfig.CertFile,
+		KeyFile:              c.TLSConfig.KeyFile,
 		ServerName:           c.NodeName,
 	}
 	return tlsConf
--- a/nomad/server.go
+++ b/nomad/server.go
@ -190,7 +190,7 @@ func NewServer(config *Config, consulSyncer *consul.Syncer, logger *log.Logger)
 	// Configure TLS
 	var tlsWrap tlsutil.Wrapper
 	var incomingTLS *tls.Config
-	if config.RpcTLS {
+	if config.TLSConfig.EnableRPC {
 		tlsConf := config.tlsConfig()
 		tw, err := tlsConf.OutgoingTLSWrapper()
 		if err != nil {
--- a/nomad/structs/config/tls.go
+++ b/nomad/structs/config/tls.go
@ -0,0 +1,57 @@
+package config
+
+// TLSConfig provides TLS related configuration
+type TLSConfig struct {
+
+	// EnableHTTP enabled TLS for http traffic to the Nomad server and clients
+	EnableHTTP bool `mapstructure:"http"`
+
+	// EnableRPC enables TLS for RPC and Raft traffic to the Nomad servers
+	EnableRPC bool `mapstructure:"rpc"`
+
+	// VerifyServerHostname is used to enable hostname verification of servers. This
+	// ensures that the certificate presented is valid for server.<datacenter>.<domain>.
+	// This prevents a compromised client from being restarted as a server, and then
+	// intercepting request traffic as well as being added as a raft peer. This should be
+	// enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
+	// existing clients.
+	VerifyServerHostname bool `mapstructure:"verify_server_hostname"`
+
+	// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
+	// or VerifyOutgoing to verify the TLS connection.
+	CAFile string `mapstructure:"ca_file"`
+
+	// CertFile is used to provide a TLS certificate that is used for serving TLS connections.
+	// Must be provided to serve TLS connections.
+	CertFile string `mapstructure:"cert_file"`
+
+	// KeyFile is used to provide a TLS key that is used for serving TLS connections.
+	// Must be provided to serve TLS connections.
+	KeyFile string `mapstructure:"key_file"`
+}
+
+// Merge is used to merge two TLS configs together
+func (t *TLSConfig) Merge(b *TLSConfig) *TLSConfig {
+	result := *t
+
+	if b.EnableHTTP {
+		result.EnableHTTP = true
+	}
+	if b.EnableRPC {
+		result.EnableRPC = true
+	}
+	if b.VerifyServerHostname {
+		result.VerifyServerHostname = true
+	}
+	if b.CAFile != "" {
+		result.CAFile = b.CAFile
+	}
+	if b.CertFile != "" {
+		result.CertFile = b.CertFile
+	}
+	if b.KeyFile != "" {
+		result.KeyFile = b.KeyFile
+	}
+
+	return &result
+}