Change security flags #4957
Looks good besides the Review status: 0 of 43 files reviewed at latest revision, 2 unresolved discussions. cli/flags.go, line 153 [r1] (raw file): security/x509.go, line 151 [r1] (raw file): Comments from the review on Reviewable.io |
@@ -145,6 +141,18 @@ duration.`), | |||
Adjusts the max idle time of the scanner. This speeds up the scanner on small | |||
clusters to be more responsive.`), | |||
|
|||
"ssl-ca": wrapText(` |
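Review bot: the `"ssl-ca"` key at the end of this hunk does not say whether the flag takes a CA certificate or a CA key, and its help text is cut off here. Since the change replaces `--certs` with separate flags for CA cert and key, name the artifact in the flag itself (or in the first line of its description) so the two CA flags cannot be confused.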
Why don't we rename these keys so they're shorter and more consistent:
--ca-cert
--ca-key
--cert
--key
Review status: 0 of 43 files reviewed at latest revision, 6 unresolved discussions. cli/flags.go, line 153 [r1] (raw file): resource/test_certs/README.md, line 23 [r1] (raw file):
Reviewed 42 of 43 files at r1. acceptance/cluster/localcluster.go, line 398 [r1] (raw file): base/context.go, line 55 [r1] (raw file):
Review status: 42 of 43 files reviewed at latest revision, 8 unresolved discussions. cli/flags.go, line 153 [r1] (raw file):
Review status: 42 of 43 files reviewed at latest revision, 8 unresolved discussions. acceptance/cluster/localcluster.go, line 398 [r1] (raw file): base/context.go, line 55 [r1] (raw file): cli/flags.go, line 144 [r1] (raw file): cli/flags.go, line 145 [r1] (raw file): cli/flags.go, line 153 [r1] (raw file): I like using Overall, it would be nice to have agreement between url args and cmdline args, but I really don't like the non-hyphened versions in postgres, and So here are a few proposals:
cli/kv.go, line 40 [r1] (raw file): resource/test_certs/README.md, line 23 [r1] (raw file): security/x509.go, line 151 [r1] (raw file):
Review status: 42 of 43 files reviewed at latest revision, 7 unresolved discussions. acceptance/cluster/localcluster.go, line 398 [r1] (raw file):
Seems much clearer to me.
per discussion, renamed to Review status: 38 of 43 files reviewed at latest revision, 7 unresolved discussions. acceptance/cluster/localcluster.go, line 398 [r1] (raw file):
Reviewed 4 of 5 files at r2. acceptance/cluster/localcluster.go, line 398 [r1] (raw file):
3ac26ba to 96590c4
LGTM Review status: 34 of 43 files reviewed at latest revision, 8 unresolved discussions, some commit checks failed. acceptance/cluster/localcluster.go, line 398 [r1] (raw file): cli/cli_test.go, line 169 [r3] (raw file): cli/flags.go, line 153 [r1] (raw file): I think I like the bare names (option 3) best, followed by postgres-style (option 1), prefixed with
Reviewed 8 of 9 files at r3.
LGTM Review status: 42 of 43 files reviewed at latest revision, 8 unresolved discussions, some commit checks failed. base/context.go, line 54 [r3] (raw file):
2b0f168 to d35d175
Fixes #4269 Replace `--certs` with individual flags for CA cert and key, and server/client cert and key. One notable difference is that we now have a single certificate for nodes with double role as server and client authentication.
d35d175 to 3d24024
Review status: 28 of 42 files reviewed at latest revision, 7 unresolved discussions, some commit checks failed. base/context.go, line 54 [r3] (raw file): cli/cli_test.go, line 169 [r3] (raw file): cli/flags.go, line 153 [r1] (raw file):
Docs updated with cockroachdb/docs#117.
43712: pkg/security: fix misleading comment r=knz a=aybabtme Forgive me if I'm wrong, but the current comment appears to be wrong. To be honest, I don't know a ton about TLS and my change might be mislead, but I figured I'd at least raise this via a PR or something. It seems that when this was changed 5y ago (#4957) by @mberhault, the comment wasn't updated. > One notable difference is that we now have a single certificate for nodes with double role as server and client authentication. Sorry for this perhaps pedantic PR. Co-authored-by: Antoine Grondin <antoinegrondin@gmail.com>
Addresses #4269
Replace `--certs` with individual flags for CA cert and key, and server/client cert and key.
One notable difference is that we now have a single certificate for nodes with double role as server and client authentication.
A few notes:
--insecure
value to the next PR.