Add TLS encryption #1532
the-glu
left a comment
Could you squash your changes into one commit, leaving only the one from the base PR and the one from your PR? That would avoid mixing changes.
40208fb to 9b843b9
9b843b9 to 5f64374
the-glu
left a comment
Can you make it optional, with a raft_insecure flag, default to false?
If set to true, don't require https + log a warning about being run in an insecure mode. If there are certificates, don't verify them (no CA check / trust blindly client certificates). If there is no certificate, don't enable https at all.
It will be useful for local deployments and testing (to validate that tests fail if misconfigured).
Thanks
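The flag behaviour requested in the comment above, written out as an added Go example (not code from this PR or the project). `PeerTLSConfig` and its parameters are hypothetical names, and mapping "trust blindly client certificates" to `tls.RequireAnyClientCert` is an assumption.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"net/url"
)

// PeerTLSConfig is a hypothetical helper: it returns the TLS config for raft peer
// traffic, or nil for plain HTTP. cert is this node's key pair (nil if none), ca the peer CA pool.
func PeerTLSConfig(insecure bool, cert *tls.Certificate, ca *x509.CertPool, peers []string) (*tls.Config, error) {
	for _, p := range peers {
		u, err := url.Parse(p)
		// Secure mode (the default) refuses any peer URL that is not https.
		if err != nil || (!insecure && u.Scheme != "https") {
			return nil, fmt.Errorf("peer URL %q must be a valid https URL unless raft_insecure is set", p)
		}
	}
	if !insecure {
		if cert == nil || ca == nil {
			return nil, fmt.Errorf("certificate and CA are required unless raft_insecure is set")
		}
		return &tls.Config{
			MinVersion:   tls.VersionTLS12,
			Certificates: []tls.Certificate{*cert},
			RootCAs:      ca, // verify the peer we dial
			ClientCAs:    ca, // verify the peer that dials us
			ClientAuth:   tls.RequireAndVerifyClientCert,
		}, nil
	}
	log.Println("WARNING: raft_insecure is set, peer identities are not verified")
	if cert == nil {
		return nil, nil // insecure and no certificate: no https at all
	}
	return &tls.Config{ // insecure with certificates: encrypt, skip every identity check
		MinVersion:         tls.VersionTLS12,
		Certificates:       []tls.Certificate{*cert},
		InsecureSkipVerify: true,
		ClientAuth:         tls.RequireAnyClientCert,
	}, nil
}

func main() { // constructed input: secure mode with a plain-http peer is rejected
	_, err := PeerTLSConfig(false, nil, nil, []string{"http://localhost:8001"})
	fmt.Println(err)
}
```

A test suite for the flag can assert on exactly these cases: the default mode must fail on http peers or missing certificates, and only the insecure mode may return a nil or non-verifying config.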
Addressed in 64f3f9a
What I did:
- consensus.go was updated to enable client-side (handled by rafthttp if we provide a transport.TLSInfo when constructing a rafthttp.transport) and server-side (handled by extracting a tls.Config from the transport.TLSInfo and passing it to the server at construction plus using ListenAndServeTLS instead of ListenAndServe)
- gen-cert.sh was introduced to make certificates (with the number of nodes as a parameter). Note that it's made to work for local setups (i.e. address is localhost or 127.0.0.1). I also provided example certificates to save the trouble of generating them.
- params.go was updated to support passing the paths to the TLS certificates as a parameter. It also enforces the use of HTTPS instead of HTTP for the peers' URLs. Also, more tests were added to params_test.go to test the new features.
- start_cluster.sh was created to quickly test a 3-node setup with TLS and easily inspect logs.

How I tested it: