[master] Add websocket transport #64937
Merged
29 commits
- 874bd3e Add websocket transport skeleton (dwoz)
- 2fad12f Add ws transport to factories (dwoz)
- a9d3988 Clean up tcp imports (dwoz)
- dfb98cc Fix up pre-commit (linter) (dwoz)
- d540b99 Fix up basic ping between master and minion (dwoz)
- e4565aa Name conformity (dwoz)
- af32aae Fix up tcp ssl and add ssl to ws (dwoz)
- 1f0f10b Better testing of ssl opts and ws transport (dwoz)
- c77afd9 Fix tests (dwoz)
- 4e8ae80 Put channel tests under channel not transport (dwoz)
- 23488aa Request server basic test for all transports (dwoz)
- 9393883 Wean off tcp transport bits in ws transport (dwoz)
- c662eaa Update transport docs with websocket transport (dwoz)
- e3e8cb7 wip (dwoz)
- 4a4a834 Transport test fix (dwoz)
- 4c29ba6 Remove cruft (dwoz)
- 83887bc Simplify payload unpacking. (dwoz)
- de970ad Revert change to zmq transport (dwoz)
- db3fd71 Fix pre-commit warts from rebase (dwoz)
- 08eb89a Bump workflow cache seed (dwoz)
- 0b3d527 Fix review comments (dwoz)
- 9e867c3 Fix up docs (dwoz)
- c1cbf16 Debug windows unit tests (dwoz)
- 6870e49 Fix another spelling wart (dwoz)
- 8312d6d check change (dwoz)
- a2d0ebc Mock blocking connect_pub method (dwoz)
- 183ef8b Fix more schedule tests (dwoz)
- 03597b8 Mock PublishClient instead of TCPPubClient (dwoz)
- edfd66a Fix broken ssh tests (dwoz)
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -38,3 +38,5 @@ The request client sends requests to a Request Server and receives a reply messa | |
|
||
zeromq | ||
tcp | ||
ws | ||
ssl |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
Transport TLS Support | ||
===================== | ||
|
||
Whenever possible transports should provide TLS Support. Currently the :doc:`tcp` and | ||
:doc:`ws` transports support encryption and verification using TLS. | ||
|
||
.. versionadded:: 2016.11.1 | ||
|
||
The TCP transport allows for the master/minion communication to be optionally | ||
wrapped in a TLS connection. Enabling this is simple, the master and minion need | ||
to be using the tcp connection, then the ``ssl`` option is enabled. The ``ssl`` | ||
option is passed as a dict and roughly corresponds to the options passed to the | ||
Python `ssl.wrap_socket <https://docs.python.org/3/library/ssl.html#ssl.wrap_socket>`_ | ||
function for backwards compatability. | ||
|
||
.. versionadded:: 3007.0 | ||
|
||
The ``ssl`` option accepts ``verify_locations`` and ``verify_flags``. The | ||
``verify_locations`` option is a list of strings or dictionaries. Strings are | ||
passed as a single argument to the SSL context's ``load_verify_locations`` | ||
method. Dictionary keys are expected to be one of ``cafile``, ``capath``, | ||
``cadata``. For each corresponding key, the key and value will be passed as a | ||
keyword argument to ``load_verify_locations``. The ``verify_flags`` option is | ||
a list of string names of verification flags which will be set on the SSL | ||
context. All paths are assumed to be the full path to the file or directory. | ||
|
||
A simple setup looks like this, on the Salt Master add the ``ssl`` option to the | ||
master configuration file: | ||
|
||
.. code-block:: yaml | ||
|
||
ssl: | ||
keyfile: <path_to_keyfile> | ||
certfile: <path_to_certfile> | ||
|
||
A more complex setup looks like this, on the Salt Master add the ``ssl`` | ||
option to the master's configuration file. In this example the Salt Master will | ||
require valid client side certificates from Minions by setting ``cert_reqs`` to | ||
``CERT_REQUIRED``. The Salt Master will also check a certificate revocation list | ||
if one is provided in ``verify_locations``: | ||
|
||
.. code-block:: yaml | ||
|
||
ssl: | ||
keyfile: <path_to_keyfile> | ||
certfile: <path_to_certfile> | ||
cert_reqs: CERT_REQUIRED | ||
verify_locations: | ||
- <path_to_ca_cert> | ||
- capath: <directory_of_certs> | ||
- cafile: <path_to_crl> | ||
verify_flags: | ||
- VERIFY_CRL_CHECK_CHAIN | ||
|
||
|
||
The minimal `ssl` option in the minion configuration file looks like this: | ||
|
||
.. code-block:: yaml | ||
|
||
ssl: True | ||
# Versions below 2016.11.4: | ||
ssl: {} | ||
|
||
A Minion can be configured to present a client certificate to the master like this: | ||
|
||
.. code-block:: yaml | ||
|
||
ssl: | ||
keyfile: <path_to_keyfile> | ||
certfile: <path_to_certfile> | ||
|
||
Specific options can be sent to the minion also, as defined in the Python | ||
`ssl.wrap_socket` function. |
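Review bot: The simple master example (``keyfile`` and ``certfile`` only) and the minimal minion example (``ssl: True``) never say what is verified, which is the default a reader most needs to know before relying on this. The complex example implies client certificates are only demanded once ``cert_reqs: CERT_REQUIRED`` is set, so please state explicitly whether the simple setup authenticates minions at the TLS layer, and whether a minion with ``ssl: True`` and no ``verify_locations`` validates the master's certificate. The sentence "will also check a certificate revocation list if one is provided" sits next to an example that sets ``VERIFY_CRL_CHECK_CHAIN`` unconditionally; document what happens when the flag is set and no CRL has been loaded, and add a comment on ``- cafile: <path_to_crl>`` since it reuses the ``cafile`` key for a CRL. The minion block puts ``ssl: True`` and ``ssl: {}`` in one mapping, which is a duplicate key if copied as is; split it into two code blocks. Smaller points: "compatability" should be "compatibility"; `ssl` and `ssl.wrap_socket` in the last two paragraphs use single backticks where the rest of the file uses double; and ``.. versionadded:: 2016.11.1`` follows a paragraph that also names the ws transport, so it reads as if ws TLS dates from 2016.11.1.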
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
=================== | ||
Websocket Transport | ||
=================== | ||
|
||
The Websocket transport is an implementation of Salt's transport using the websocket protocol. | ||
The Websocket transport is enabled by changing the :conf_minion:`transport` setting | ||
to ``ws`` on each Salt minion and Salt master. | ||
|
||
TLS Support | ||
=========== | ||
|
||
The Websocket transport supports full encryption and verification using both server | ||
and client certificates. See :doc:`ssl` for more details. | ||
|
||
Publish Server and Client | ||
========================= | ||
The publish server and client are implemented using aiohttp. | ||
|
||
Request Server and Client | ||
========================= | ||
The request server and client are implemented using aiohttp. |
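Review bot: The enabling sentence says ``transport`` must be set to ``ws`` on each minion and master but links only :conf_minion:`transport`; add the :conf_master:`transport` reference as well, and a ``.. versionadded::`` directive like the ones on the TLS page in this PR, so readers know which release first ships this transport. The two aiohttp sections are a single sentence each and differ only in the noun; if aiohttp has to be installed for ``ws`` to work, say so here. The TLS section only points at :doc:`ssl`, so a short master and minion config example showing ``transport: ws`` together with an ``ssl`` block would make it clear that TLS is configured the same way as for tcp.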
Wondering if the following paths have to be absolute or can be relative to something?