-
Notifications
You must be signed in to change notification settings - Fork 757
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for TLS and mTLS to tctl #812
Conversation
tools/cli/factory.go
Outdated
caCertPool, err := fetchCACert(caPath) | ||
if err != nil { | ||
b.logger.Fatal("Failed to load server CA certificate", zap.Error(err)) | ||
return nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i know the above link is log.Fatal, but should this line be return err
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This basically the same thing. If this func returns error
caller will do log anyway. I think it is ok to log from here. Actually I would also add info level logging in case of success. Like certs are loaded successfully, using TLS mode
or something like this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This basically the same thing.
yeah, just a little bit allergic about this:
if err != nil {
return nil
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i would expect
if err != nil {
return err
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually I would also add info level logging in case of success. Like certs are loaded successfully, using TLS mode or something like this.
Since this is a command line tool, I think it'd be too noisy to log a "connected successfully" every time it is executed.
tools/cli/factory.go
Outdated
// If we are given arguments to verify either server or client, configure TLS | ||
if caPool != nil || cert != nil { | ||
tlsConfig := &tls.Config{ | ||
ServerName: host, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it required to set ServerName on tls.Config? Most of the examples don't set it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is optional, but we should set ServerName
as it allows for hostname verification of the servers certs and SNI (server name indication) in TLS which enables the server to support virtual hosts on the same IP and pass decryption through to the appropriate service.
But this should match the name of the server we are trying to connect to rather than the host we are trying to connect from.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But this should match the name of the server we are trying to connect to rather than the host we are trying to connect from.
It takes address
argument from the command line, but defaults to localHostPort
for development scenarios if
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good - just saw localHostPort and got confused there.
A replacement for #805 that does use server TLS code
What changed?
Added support for TLS and mutual TLS to tctl.
Why?
For secure usage of tctl.
How did you test it?
Manually tested that tctl can connect to a cluster secured with TLS.
Potential risks
No risk as the TLS related flags are optional.