
[PATCH] improve client insecure mode #881

mapperr opened this issue Sep 25, 2023 · 0 comments


mapperr commented Sep 25, 2023

Hi everyone,

this is a patch that re-applies the now-missing parts of #718 from @PascalChardon on master and covers the etcd --auto-tls use case (more in the commit message).

Sorry to send it to you instead of pull-requesting, I'm currently too lazy to fork/clone/patch/gotogithubagain/pullrequest.

From 0d6bd81079d04cb8e3c099bbc1c7397cc5eb7ffa Mon Sep 17 00:00:00 2001
From: mapperr <[email protected]>
Date: Mon, 25 Sep 2023 20:11:36 +0200
Subject: [PATCH] improve client insecure mode

Cover the case of --auto-tls,
when you want transport security,
but not client authentication with certificates.
---
 backends/client.go        |  4 ++--
 backends/config.go        | 44 +++++++++++++++++++--------------------
 backends/etcd/client.go   |  6 +++++-
 backends/etcdv3/client.go |  8 +++++--
 4 files changed, 35 insertions(+), 27 deletions(-)

diff --git a/backends/client.go b/backends/client.go
index 2c34d4c..74a7012 100644
--- a/backends/client.go
+++ b/backends/client.go
@@ -49,9 +49,9 @@ func New(config Config) (StoreClient, error) {
 		)
 	case "etcd":
 		// etcd v2 has been deprecated and etcdv3 is now the client for both the etcd and etcdv3 backends.
-		return etcdv3.NewEtcdClient(backendNodes, config.ClientCert, config.ClientKey, config.ClientCaKeys, config.BasicAuth, config.Username, config.Password)
+		return etcdv3.NewEtcdClient(backendNodes, config.ClientCert, config.ClientKey, config.ClientCaKeys, config.ClientInsecure, config.BasicAuth, config.Username, config.Password)
 	case "etcdv3":
-		return etcdv3.NewEtcdClient(backendNodes, config.ClientCert, config.ClientKey, config.ClientCaKeys, config.BasicAuth, config.Username, config.Password)
+		return etcdv3.NewEtcdClient(backendNodes, config.ClientCert, config.ClientKey, config.ClientCaKeys, config.ClientInsecure, config.BasicAuth, config.Username, config.Password)
 	case "zookeeper":
 		return zookeeper.NewZookeeperClient(backendNodes)
 	case "rancher":
diff --git a/backends/config.go b/backends/config.go
index 9f58127..a080d18 100644
--- a/backends/config.go
+++ b/backends/config.go
@@ -5,26 +5,26 @@ import (
 )
 
 type Config struct {
-	AuthToken    string     `toml:"auth_token"`
-	AuthType     string     `toml:"auth_type"`
-	Backend      string     `toml:"backend"`
-	BasicAuth    bool       `toml:"basic_auth"`
-	ClientCaKeys string     `toml:"client_cakeys"`
-	ClientCert   string     `toml:"client_cert"`
-	ClientKey    string     `toml:"client_key"`
-        ClientInsecure bool     `toml:"client_insecure"`
-	BackendNodes util.Nodes `toml:"nodes"`
-	Password     string     `toml:"password"`
-	Scheme       string     `toml:"scheme"`
-	Table        string     `toml:"table"`
-	Separator    string     `toml:"separator"`
-	Username     string     `toml:"username"`
-	AppID        string     `toml:"app_id"`
-	UserID       string     `toml:"user_id"`
-	RoleID       string     `toml:"role_id"`
-	SecretID     string     `toml:"secret_id"`
-	YAMLFile     util.Nodes `toml:"file"`
-	Filter       string     `toml:"filter"`
-	Path         string     `toml:"path"`
-	Role         string
+	AuthToken      string     `toml:"auth_token"`
+	AuthType       string     `toml:"auth_type"`
+	Backend        string     `toml:"backend"`
+	BasicAuth      bool       `toml:"basic_auth"`
+	ClientCaKeys   string     `toml:"client_cakeys"`
+	ClientCert     string     `toml:"client_cert"`
+	ClientKey      string     `toml:"client_key"`
+	ClientInsecure bool       `toml:"client_insecure"`
+	BackendNodes   util.Nodes `toml:"nodes"`
+	Password       string     `toml:"password"`
+	Scheme         string     `toml:"scheme"`
+	Table          string     `toml:"table"`
+	Separator      string     `toml:"separator"`
+	Username       string     `toml:"username"`
+	AppID          string     `toml:"app_id"`
+	UserID         string     `toml:"user_id"`
+	RoleID         string     `toml:"role_id"`
+	SecretID       string     `toml:"secret_id"`
+	YAMLFile       util.Nodes `toml:"file"`
+	Filter         string     `toml:"filter"`
+	Path           string     `toml:"path"`
+	Role           string
 }
diff --git a/backends/etcd/client.go b/backends/etcd/client.go
index 2e3d3a6..daa5255 100644
--- a/backends/etcd/client.go
+++ b/backends/etcd/client.go
@@ -119,7 +119,11 @@ func NewEtcdClient(machines []string, cert, key, caCert string, basicAuth bool,
 
 	tlsEnabled := false
 	tlsConfig := &tls.Config{
-		InsecureSkipVerify: false,
+		InsecureSkipVerify: true,
+	}
+
+	if clientInsecure {
+		tlsEnabled = true
 	}
 
 	if caCert != "" {
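Review bot: `InsecureSkipVerify: true` on the new side is unconditional, so every etcd v2 connection skips server certificate verification whether or not `client_insecure` is set — the `if clientInsecure` block below it only flips `tlsEnabled` and never turns verification back on, and a CA supplied through `caCert` cannot re-enable it either. The etcdv3 hunk in this same patch does it correctly with `InsecureSkipVerify: clientInsecure,`; the v2 hunk should use the same line. The hunk header shows the v2 signature as `NewEtcdClient(machines []string, cert, key, caCert string, basicAuth bool, ...)` with no clientInsecure parameter and this patch does not change it, so `clientInsecure` looks undeclared here unless it is defined elsewhere in the file — worth a compile check even though backends/client.go no longer calls this package. NewEtcdClient starts and ends outside the hunk.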
diff --git a/backends/etcdv3/client.go b/backends/etcdv3/client.go
index a3dc0a0..f1a3b1a 100644
--- a/backends/etcdv3/client.go
+++ b/backends/etcdv3/client.go
@@ -104,7 +104,7 @@ type Client struct {
 }
 
 // NewEtcdClient returns an *etcdv3.Client with a connection to named machines.
-func NewEtcdClient(machines []string, cert, key, caCert string, basicAuth bool, username string, password string) (*Client, error) {
+func NewEtcdClient(machines []string, cert, key, caCert string, clientInsecure bool, basicAuth bool, username string, password string) (*Client, error) {
 	cfg := clientv3.Config{
 		Endpoints:            machines,
 		DialTimeout:          5 * time.Second,
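Review bot: The doc comment kept at the top of this hunk, `// NewEtcdClient returns an *etcdv3.Client with a connection to named machines.`, says nothing about the new clientInsecure parameter, and a flag that switches off certificate verification deserves a sentence. I would extend it to `// NewEtcdClient returns an *etcdv3.Client with a connection to named machines. When clientInsecure is true the etcd server certificate is not verified (tls.Config.InsecureSkipVerify), which is meant for servers started with --auto-tls; it does not affect client-certificate authentication.` The parameter is also inserted in the middle of the list, ahead of basicAuth, so any caller other than the two updated in backends/client.go would need to be checked. The function body continues past the end of the hunk.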
@@ -119,7 +119,11 @@ func NewEtcdClient(machines []string, cert, key, caCert string, basicAuth bool,
 
 	tlsEnabled := false
 	tlsConfig := &tls.Config{
-		InsecureSkipVerify: false,
+		InsecureSkipVerify: clientInsecure,
+	}
+
+	if clientInsecure {
+		tlsEnabled = true
 	}
 
 	if caCert != "" {
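Review bot: `InsecureSkipVerify: clientInsecure` disables server certificate verification entirely, which is broader than the commit message's goal of skipping client-certificate authentication — the client already presents no certificate when cert/key are empty, so `--auto-tls` only needs the server's self-signed certificate to be accepted, not every peer. With verification off any host terminating the TLS connection is accepted, and the basicAuth username and password this function also receives would be sent to it. The option should at least not silently override an explicitly supplied CA and should be visible at runtime, e.g. `InsecureSkipVerify: clientInsecure && caCert == "",` plus a warning through whatever logger this file already uses when the flag is set; rejecting a config that sets both `client_insecure` and `client_cakeys` would be clearer still. The function continues past the hunk, so whether the later `if caCert != ""` branch populates RootCAs cannot be seen from here.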
-- 
2.42.0
