istio · istio-testing · Mar 18, 2021 · Mar 18, 2021
@@ -19,7 +19,6 @@ package main
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 	"net/url"
 	"os"
 	"strings"
@@ -77,7 +76,6 @@ where the network configuration doesn't support gRPC to the source pod.'
 			f, err := forwarder.New(forwarder.Config{
 				Request: request,
 				UDS:     uds,
-				TLSCert: caFile,
 			})
 			if err != nil {
 				log.Fatalf("Failed to create forwarder: %v", err)
@@ -185,16 +183,11 @@ func getRequest(url string) (*proto.ForwardEchoRequest, error) {
 	}
 
 	if clientCert != "" && clientKey != "" {
-		certData, err := ioutil.ReadFile(clientCert)
-		if err != nil {
-			return nil, fmt.Errorf("failed to load client certificate: %v", err)
-		}
-		request.Cert = string(certData)
-		keyData, err := ioutil.ReadFile(clientKey)
-		if err != nil {
-			return nil, fmt.Errorf("failed to load client certificate key: %v", err)
-		}
-		request.Key = string(keyData)
+		request.CertFile = clientCert
+		request.KeyFile = clientKey
+	}
+	if caFile != "" {
+		request.CaCert = caFile
 	}
 	return request, nil
 }

@@ -57,7 +57,13 @@ message ForwardEchoRequest {
   string key = 11;
   // If non-empty, verify the server CA
   string caCert = 12;
-
+  // If non-empty, make the request with the corresponding cert and key file.
+  string certFile = 16;
+  string keyFile = 17;
+  // If non-empty, verify the server CA with the ca cert file.
+  string caCertFile = 18;
+  // Skip verifying peer's certificate.
+  bool insecureSkipVerify = 19;
   // List of ALPNs to present. If not set, this will be automatically be set based on the protocol
   Alpn alpn = 13;
 }

@@ -184,7 +184,6 @@ func (h *grpcHandler) ForwardEcho(ctx context.Context, req *proto.ForwardEchoReq
 	instance, err := forwarder.New(forwarder.Config{
 		Request: req,
 		Dialer:  h.Dialer,
-		TLSCert: h.TLSCert,
 	})
 	if err != nil {
 		return nil, err

@@ -36,7 +36,6 @@ const maxConcurrency = 20
 type Config struct {
 	Request *proto.ForwardEchoRequest
 	UDS     string
-	TLSCert string
 	Dialer  common.Dialer
 }
 

@@ -23,6 +23,7 @@ import (
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
@@ -78,6 +79,18 @@ func newProtocol(cfg Config) (protocol, error) {
 	headers := common.GetHeaders(cfg.Request)
 
 	var getClientCertificate func(info *tls.CertificateRequestInfo) (*tls.Certificate, error)
+	if cfg.Request.KeyFile != "" && cfg.Request.CertFile != "" {
+		certData, err := ioutil.ReadFile(cfg.Request.CertFile)
+		if err != nil {
+			return nil, fmt.Errorf("failed to load client certificate: %v", err)
+		}
+		cfg.Request.Cert = string(certData)
+		keyData, err := ioutil.ReadFile(cfg.Request.KeyFile)
+		if err != nil {
+			return nil, fmt.Errorf("failed to load client certificate key: %v", err)
+		}
+		cfg.Request.Key = string(keyData)
+	}
 	if cfg.Request.Cert != "" && cfg.Request.Key != "" {
 		cert, err := tls.X509KeyPair([]byte(cfg.Request.Cert), []byte(cfg.Request.Key))
 		if err != nil {
@@ -115,14 +128,21 @@ func newProtocol(cfg Config) (protocol, error) {
 		GetClientCertificate: getClientCertificate,
 		NextProtos:           cfg.Request.GetAlpn().GetValue(),
 	}
-	if cfg.Request.CaCert != "" {
+	if cfg.Request.CaCertFile != "" {
+		certData, err := ioutil.ReadFile(cfg.Request.CaCertFile)
+		if err != nil {
+			return nil, fmt.Errorf("failed to load client certificate: %v", err)
+		}
+		cfg.Request.CaCert = string(certData)
+	}
+	if cfg.Request.InsecureSkipVerify || cfg.Request.CaCert == "" {
+		tlsConfig.InsecureSkipVerify = true
+	} else if cfg.Request.CaCert != "" {
 		certPool := x509.NewCertPool()
 		if !certPool.AppendCertsFromPEM([]byte(cfg.Request.CaCert)) {
 			return nil, fmt.Errorf("failed to create cert pool")
 		}
 		tlsConfig.RootCAs = certPool
-	} else {
-		tlsConfig.InsecureSkipVerify = true
 	}
 
 	// Disable redirects

@@ -71,6 +71,12 @@ type CallOptions struct {
 	// (without proxy) from naked client to test certificates issued by custom CA instead of the Istio self-signed CA.
 	Cert, Key, CaCert string
 
+	// Use the custom certificates file to make the call.
+	CertFile, KeyFile, CaCertFile string
+
+	// Skip verify peer's certificate.
+	InsecureSkipVerify bool
+
 	// FollowRedirects will instruct the call to follow 301 redirects. Otherwise, the original 301 response
 	// is returned directly.
 	FollowRedirects bool

@@ -64,18 +64,22 @@ func callInternal(srcName string, opts *echo.CallOptions, send sendFunc,
 	}
 
 	req := &proto.ForwardEchoRequest{
-		Url:             targetURL,
-		Count:           int32(opts.Count),
-		Headers:         protoHeaders,
-		TimeoutMicros:   common.DurationToMicros(opts.Timeout),
-		Message:         opts.Message,
-		Http2:           opts.HTTP2,
-		Method:          opts.Method,
-		ServerFirst:     opts.Port.ServerFirst,
-		Cert:            opts.Cert,
-		Key:             opts.Key,
-		CaCert:          opts.CaCert,
-		FollowRedirects: opts.FollowRedirects,
+		Url:                targetURL,
+		Count:              int32(opts.Count),
+		Headers:            protoHeaders,
+		TimeoutMicros:      common.DurationToMicros(opts.Timeout),
+		Message:            opts.Message,
+		Http2:              opts.HTTP2,
+		Method:             opts.Method,
+		ServerFirst:        opts.Port.ServerFirst,
+		Cert:               opts.Cert,
+		Key:                opts.Key,
+		CaCert:             opts.CaCert,
+		CertFile:           opts.CertFile,
+		KeyFile:            opts.KeyFile,
+		CaCertFile:         opts.CaCertFile,
+		InsecureSkipVerify: opts.InsecureSkipVerify,
+		FollowRedirects:    opts.FollowRedirects,
 	}
 
 	var responses client.ParsedResponses