Skip to content

Commit

Permalink
*: new tls configuration for operator (#80)
Browse files Browse the repository at this point in the history
  • Loading branch information
xhebox authored Sep 15, 2022
1 parent 08a75db commit d7f1885
Show file tree
Hide file tree
Showing 27 changed files with 557 additions and 484 deletions.
3 changes: 2 additions & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -45,10 +45,11 @@ cmd_%:
go build $(BUILDFLAGS) -o $(OUTPUT) $(SOURCE)

test: ./bin/gocovmerge
rm -f .cover.*
go test -coverprofile=.cover.pkg ./...
cd lib && go test -coverprofile=../.cover.lib ./...
./bin/gocovmerge .cover.* > .cover
rm .cover.*
rm -f .cover.*
go tool cover -html=.cover -o .cover.html

./bin/gocovmerge:
Expand Down
30 changes: 30 additions & 0 deletions conf/weirproxy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,36 @@ log:
max-backups: 1
security:
rsa-key-size: 4096
# tls object is either of type server, client, or peer
# xxxx:
# ca: ca.pem
# cert: c.pem
# key: k.pem
# auto-certs: true
# skip-ca: trure
# client object:
# 1. requires: ca or skip-ca(skip verify server certs)
# 2. optionally: cert/key will be used if server asks
# 3. useless/forbid: auto-certs
# server object:
# 1. requires: cert/key or auto-certs(generate a temporary cert, mostly for testing)
# 2. optionally: ca will enable server-side client verification.
# 3. useless/forbid: skip-ca
# peer object:
# 1. requires: cert/key/ca or auto-certs
# 2. useless/forbid: skip-ca
cluster-tls: # client object
# access to other components like TiDB or PD, will use this
skip-ca: true
sql-tls: # client object
# access to TiDB sql port, it has a standalone TLS configuration
skip-ca: true
server-tls: # server object
# proxy SQL or HTTP port will use this
auto-certs: true
peer-tls: # peer object
# internal communication between proxies
auto-certs: true
advance:
# ignore-wrong-namespace: true
# peer-port: "3081"
Expand Down
2 changes: 1 addition & 1 deletion docker/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,6 @@ RUN sh ./proxy/apk-fastest-mirror.sh
RUN apk add --no-cache --progress git make go
ARG BUILDFLAGS
ARG GOPROXY
RUN export BUILDFLAGS=${BUILDFLAGS} && export GOPROXY=${GOPROXY} && cd proxy && ls -al && cat Makefile && make cmd && cp bin/* /bin/ && cp -a conf /etc/proxy && cd .. && rm -rf proxy
RUN export BUILDFLAGS=${BUILDFLAGS} && export GOPROXY=${GOPROXY} && cd proxy && make cmd && cp bin/* /bin/ && cp -a conf /etc/proxy && cd .. && rm -rf proxy
RUN rm -rf $(go env GOMODCACHE GOCACHE) && apk del git make go
ENTRYPOINT ["/bin/weirproxy", "-conf", "/etc/proxy/weirproxy.yaml"]
8 changes: 4 additions & 4 deletions lib/config/namespace.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,11 +22,11 @@ type Namespace struct {
}

type FrontendNamespace struct {
Security TLSCert `yaml:"security" json:"security" toml:"security"`
Security TLSConfig `yaml:"security" json:"security" toml:"security"`
}

type BackendNamespace struct {
Instances []string `yaml:"instances" json:"instances" toml:"instances"`
SelectorType string `yaml:"selector-type" json:"selector-type" toml:"selector-type"`
Security TLSCert `yaml:"security" json:"security" toml:"security"`
Instances []string `yaml:"instances" json:"instances" toml:"instances"`
SelectorType string `yaml:"selector-type" json:"selector-type" toml:"selector-type"`
Security TLSConfig `yaml:"security" json:"security" toml:"security"`
}
18 changes: 10 additions & 8 deletions lib/config/namespace_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,19 +24,21 @@ import (
var testNamespaceConfig = Namespace{
Namespace: "test_ns",
Frontend: FrontendNamespace{
Security: TLSCert{
CA: "t",
Cert: "t",
Key: "t",
Security: TLSConfig{
CA: "t",
Cert: "t",
Key: "t",
AutoCerts: true,
},
},
Backend: BackendNamespace{
Instances: []string{"127.0.0.1:4000", "127.0.0.1:4001"},
SelectorType: "random",
Security: TLSCert{
CA: "t",
Cert: "t",
Key: "t",
Security: TLSConfig{
CA: "t",
Cert: "t",
Key: "t",
SkipCA: true,
},
},
}
Expand Down
22 changes: 13 additions & 9 deletions lib/config/proxy.go
Original file line number Diff line number Diff line change
Expand Up @@ -75,24 +75,28 @@ type LogFile struct {
MaxBackups int `yaml:"max-backups,omitempty" toml:"max-backups,omitempty" json:"max-backups,omitempty"`
}

type TLSCert struct {
CA string `yaml:"ca,omitempty" toml:"ca,omitempty" json:"ca,omitempty"`
Cert string `yaml:"cert,omitempty" toml:"cert,omitempty" json:"cert,omitempty"`
Key string `yaml:"key,omitempty" toml:"key,omitempty" json:"key,omitempty"`
type TLSConfig struct {
Cert string `yaml:"cert,omitempty" toml:"cert,omitempty" json:"cert,omitempty"`
Key string `yaml:"key,omitempty" toml:"key,omitempty" json:"key,omitempty"`
AutoCerts bool `yaml:"auto-certs,omitempty" toml:"auto-certs,omitempty" json:"auto-certs,omitempty"`
CA string `yaml:"ca,omitempty" toml:"ca,omitempty" json:"ca,omitempty"`
SkipCA bool `yaml:"skip-ca,omitempty" toml:"skip-ca,omitempty" json:"skip-ca,omitempty"`
}

func (c TLSCert) HasCert() bool {
func (c TLSConfig) HasCert() bool {
return !(c.Cert == "" && c.Key == "")
}

func (c TLSCert) HasCA() bool {
func (c TLSConfig) HasCA() bool {
return c.CA != ""
}

type Security struct {
RSAKeySize int `yaml:"rsa-key-size,omitempty" toml:"rsa-key-size,omitempty" json:"rsa-key-size,omitempty"`
Server TLSCert `yaml:"server,omitempty" toml:"server,omitempty" json:"server,omitempty"`
Cluster TLSCert `yaml:"cluster,omitempty" toml:"cluster,omitempty" json:"cluster,omitempty"`
RSAKeySize int `yaml:"rsa-key-size,omitempty" toml:"rsa-key-size,omitempty" json:"rsa-key-size,omitempty"`
ServerTLS TLSConfig `yaml:"server-tls,omitempty" toml:"server-tls,omitempty" json:"server-tls,omitempty"`
PeerTLS TLSConfig `yaml:"peer-tls,omitempty" toml:"peer-tls,omitempty" json:"peer-tls,omitempty"`
ClusterTLS TLSConfig `yaml:"cluster-tls,omitempty" toml:"cluster-tls,omitempty" json:"cluster-tls,omitempty"`
SQLTLS TLSConfig `yaml:"sql-tls,omitempty" toml:"sql-tls,omitempty" json:"sql-tls,omitempty"`
}

func NewConfig(data []byte) (*Config, error) {
Expand Down
30 changes: 22 additions & 8 deletions lib/config/proxy_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -57,15 +57,29 @@ var testProxyConfig = Config{
},
Security: Security{
RSAKeySize: 64,
Server: TLSCert{
CA: "a",
Cert: "b",
Key: "c",
ServerTLS: TLSConfig{
CA: "a",
Cert: "b",
Key: "c",
AutoCerts: true,
},
Cluster: TLSCert{
CA: "a",
Cert: "b",
Key: "c",
PeerTLS: TLSConfig{
CA: "a",
Cert: "b",
Key: "c",
AutoCerts: true,
},
ClusterTLS: TLSConfig{
CA: "a",
SkipCA: true,
Cert: "b",
Key: "c",
},
SQLTLS: TLSConfig{
CA: "a",
SkipCA: true,
Cert: "b",
Key: "c",
},
},
}
Expand Down
5 changes: 4 additions & 1 deletion lib/go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,10 @@ module github.com/pingcap/TiProxy/lib
go 1.19

require (
github.com/pingcap/errors v0.11.4
github.com/pingcap/log v1.1.0
github.com/spf13/cobra v1.5.0
github.com/stretchr/testify v1.8.0
go.etcd.io/etcd/client/pkg/v3 v3.5.4
go.uber.org/atomic v1.9.0
go.uber.org/zap v1.23.0
gopkg.in/yaml.v3 v3.0.1
Expand All @@ -17,9 +17,12 @@ require (
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/inconshreveable/mousetrap v1.0.0 // indirect
github.com/kr/text v0.2.0 // indirect
github.com/pingcap/errors v0.11.4 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
go.uber.org/multierr v1.7.0 // indirect
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
)
11 changes: 10 additions & 1 deletion lib/go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,13 @@ github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
Expand All @@ -21,8 +23,9 @@ github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4
github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
github.com/pingcap/log v1.1.0 h1:ELiPxACz7vdo1qAvvaWJg1NrYFoY6gqAh/+Uo6aXdD8=
github.com/pingcap/log v1.1.0/go.mod h1:DWQW5jICDR7UJh4HtxXSM20Churx4CQL0fwL/SoOSA4=
github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
Expand All @@ -38,6 +41,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
go.etcd.io/etcd/client/pkg/v3 v3.5.4 h1:lrneYvz923dvC14R54XcA7FXoZ3mlGZAgmwhfm7HqOg=
go.etcd.io/etcd/client/pkg/v3 v3.5.4/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
Expand All @@ -46,6 +51,7 @@ go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI=
go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
go.uber.org/multierr v1.7.0 h1:zaiO/rmgFjbmCXdSYJWQcdvOCsthmdaHfr3Gm2Kx4Ec=
go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
go.uber.org/zap v1.23.0 h1:OjGQ5KQDEUawVHxNwQgPpiypGHOxo2mNZsOqTak4fFY=
go.uber.org/zap v1.23.0/go.mod h1:D+nX8jyLsMHMYrln8A0rJjFt/T/9/bGgIhAqxv5URuY=
Expand All @@ -55,6 +61,9 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
Expand Down
Loading

0 comments on commit d7f1885

Please sign in to comment.