
Add flags for enabling TLS for store #139

Closed
wants to merge 2 commits into from

Conversation

agalitsyn
Add capability to use TLS for communication with the store, for example with secure etcd.

You can check it out by using the following steps:

  • Rebuild the stolon bins from this branch
  • Quickly set up secure etcd using this tool
  • Run the stolon bins with proper values for the flags, like:

```
$ cat Procfile
sentinel: ./bin/stolon-sentinel --cluster-name stolon-cluster --store-backend etcd --store-endpoints localhost:8080 --store-cert $GOPATH/src/github.com/coreos/etcd/hack/tls-setup/certs/proxy1.pem --store-key $GOPATH/src/github.com/coreos/etcd/hack/tls-setup/certs/proxy1-key.pem --store-cacert $GOPATH/src/github.com/coreos/etcd/hack/tls-setup/certs/ca.pem
keeper0: ./bin/stolon-keeper --data-dir data/postgres0 --id postgres0 --cluster-name stolon-cluster --pg-repl-username repluser --pg-repl-password replpassword --pg-su-username postgres --pg-su-password qweqwe --pg-bin-path /usr/lib/postgresql/9.4/bin --store-backend etcd --store-endpoints localhost:8080 --store-cert $GOPATH/src/github.com/coreos/etcd/hack/tls-setup/certs/proxy1.pem --store-key $GOPATH/src/github.com/coreos/etcd/hack/tls-setup/certs/proxy1-key.pem --store-cacert $GOPATH/src/github.com/coreos/etcd/hack/tls-setup/certs/ca.pem
proxy: ./bin/stolon-proxy --cluster-name stolon-cluster --port 25432 --store-backend etcd --store-endpoints localhost:8080 --store-cert $GOPATH/src/github.com/coreos/etcd/hack/tls-setup/certs/proxy1.pem --store-key $GOPATH/src/github.com/coreos/etcd/hack/tls-setup/certs/proxy1-key.pem --store-cacert $GOPATH/src/github.com/coreos/etcd/hack/tls-setup/certs/ca.pem
```

@agalitsyn (Author)

Sorry, I didn't recognize the integration tests, so I will update them too.

@sgotti (Member)

sgotti commented Jul 13, 2016

@agalitsyn Sorry for the delay and thanks for this PR!

I haven't had time to deeply test it, but since it'll continue working without TLS store communication, it LGTM.

Can you please squash it into a single commit?

@kayrus

kayrus commented Aug 25, 2016

@agalitsyn I'd argue on this PR. I suppose it is better to update libkv to 0.2.1 (it contains docker/libkv@e7f836c) and pass a ClientTLSConfig pointer instead of a bunch of strings.
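The three flags in the PR description (`--store-cert`, `--store-key`, `--store-cacert`) and the `ClientTLSConfig` suggestion above both reduce to the same job: turn three file paths into one `*tls.Config` for the store client, with the flag combinations validated before any connection is made. The example below is added here as an illustration and is not stolon's or libkv's code; the function names `ValidateStoreTLSFlags`, `NewStoreTLSFromPEM`, `NewStoreTLSFromFiles` and `SelfSignedPEM` are this example's own, and `SelfSignedPEM` only produces constructed test material standing in for the etcd `hack/tls-setup` certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// ValidateStoreTLSFlags: a cert without a key (or the reverse) is a misconfiguration;
// a CA on its own still enables TLS (server verification only, no client certificate).
func ValidateStoreTLSFlags(certFile, keyFile, caFile string) (bool, error) {
	if certFile == "" && keyFile == "" && caFile == "" {
		return false, nil // TLS not requested: plain store connection
	}
	if (certFile == "") != (keyFile == "") {
		return false, fmt.Errorf("--store-cert and --store-key must be given together")
	}
	return true, nil
}

// NewStoreTLSFromPEM builds the *tls.Config the store client hands to its transport.
// It never sets InsecureSkipVerify; with no CA, RootCAs stays nil (system trust store).
func NewStoreTLSFromPEM(certPEM, keyPEM, caPEM []byte) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(caPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, fmt.Errorf("store CA file contains no valid certificates")
		}
		cfg.RootCAs = pool
	}
	if len(certPEM) > 0 || len(keyPEM) > 0 {
		cert, err := tls.X509KeyPair(certPEM, keyPEM)
		if err != nil {
			return nil, fmt.Errorf("loading store client certificate: %w", err)
		}
		cfg.Certificates = []tls.Certificate{cert}
	}
	return cfg, nil
}

// NewStoreTLSFromFiles is the file-path variant the flags map to; nil config and nil error means no TLS.
func NewStoreTLSFromFiles(certFile, keyFile, caFile string) (*tls.Config, error) {
	enabled, err := ValidateStoreTLSFlags(certFile, keyFile, caFile)
	if err != nil || !enabled {
		return nil, err
	}
	var pems [3][]byte
	for i, path := range []string{certFile, keyFile, caFile} {
		if path == "" {
			continue
		}
		if pems[i], err = os.ReadFile(path); err != nil {
			return nil, fmt.Errorf("reading store TLS file: %w", err)
		}
	}
	return NewStoreTLSFromPEM(pems[0], pems[1], pems[2])
}

// SelfSignedPEM generates throwaway material (self-signed cert usable as both client
// cert and CA), a constructed stand-in for the etcd hack/tls-setup certs in the PR.
func SelfSignedPEM(cn string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	certPEM, keyPEM, _ := SelfSignedPEM("stolon-store-client") // constructed demo material
	cfg, err := NewStoreTLSFromPEM(certPEM, keyPEM, certPEM)
	fmt.Println("store TLS configured:", err == nil && cfg != nil && len(cfg.Certificates) == 1)
}
```

The split between a PEM-bytes function and a file-path wrapper is deliberate: the flag layer only decides whether TLS is on and whether the combination is sane, while the `*tls.Config` is what a libkv `store.Config` (or any other client) would carry, which is what passing a single pointer instead of three strings buys.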

@agalitsyn (Author)

@kayrus sure, go ahead, we can close this PR

@sgotti (Member)

sgotti commented Sep 13, 2016

@agalitsyn @kayrus libkv has been updated to v0.2.1 in #131. Sorry, but I'm missing whether someone is going to work on this (to directly pass ClientTLSConfig)?

@BarnabyShearer

BarnabyShearer commented Nov 4, 2016

v0.2.1 also includes docker/libkv@d635a8e which reverted out the actual implementation for ClientTLSConfig, leaving this pull request as the best working option atm.

@sgotti (Member)

sgotti commented Nov 24, 2016

Superseded by #208.

sgotti closed this Nov 24, 2016