
Add support for TLS and mTLS to tctl #812

Merged (6 commits) Oct 8, 2020

Conversation

@sergeybykov (Member) commented Oct 8, 2020

A replacement for #805 that does use server TLS code

What changed?
Added support for TLS and mutual TLS to tctl.

Why?
For secure usage of tctl.

How did you test it?
Manually tested that tctl can connect to a cluster secured with TLS.

Potential risks
No risk as the TLS related flags are optional.

tools/cli/factory.go (outdated)

caCertPool, err := fetchCACert(caPath)
if err != nil {
    b.logger.Fatal("Failed to load server CA certificate", zap.Error(err))
    return nil
Contributor:

I know the above line is log.Fatal, but should this line be return err?

Member:

This is basically the same thing. If this func returns an error, the caller will log it anyway. I think it is ok to log from here. Actually I would also add info level logging in case of success, like "certs are loaded successfully, using TLS mode" or something like this.

Contributor:

> This is basically the same thing.

yeah, just a little bit allergic about this:

if err != nil {
    return nil
}

Contributor:

I would expect

if err != nil {
    return err
}

Member Author:

> Actually I would also add info level logging in case of success, like "certs are loaded successfully, using TLS mode" or something like this.

Since this is a command line tool, I think it'd be too noisy to log a "connected successfully" every time it is executed.

tools/cli/factory.go (outdated)

// If we are given arguments to verify either server or client, configure TLS
if caPool != nil || cert != nil {
    tlsConfig := &tls.Config{
        ServerName: host,
Contributor:

Is it required to set ServerName on tls.Config? Most of the examples don't set it.

@underrun (Contributor) commented Oct 8, 2020:

This is optional, but we should set ServerName, as it allows hostname verification of the server's certs and SNI (server name indication) in TLS, which enables the server to support virtual hosts on the same IP and pass decryption through to the appropriate service.

But this should match the name of the server we are trying to connect to rather than the host we are trying to connect from.

Member Author:

> But this should match the name of the server we are trying to connect to rather than the host we are trying to connect from.

It takes address argument from the command line, but defaults to localHostPort for development scenarios if

Contributor:

Sounds good - just saw localHostPort and got confused there.

@sergeybykov changed the title from "Tctl client auth" to "Add support for TLS and mTLS to tctl" on Oct 8, 2020
@sergeybykov merged commit cd1e466 into temporalio:master on Oct 8, 2020
@sergeybykov deleted the tctl-client-auth branch on October 12, 2020 19:59