Skip to content

Commit

Permalink
Merge pull request #18063 from ArkaSaha30/backport-config-support
Browse files Browse the repository at this point in the history
[3.5] config: support AllowedCN and AllowedHostname through config file
  • Loading branch information
ahrtr authored May 23, 2024
2 parents 3afe949 + 8bc3271 commit 47c5fb8
Show file tree
Hide file tree
Showing 3 changed files with 25 additions and 9 deletions.
6 changes: 6 additions & 0 deletions etcd.conf.yml.sample
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,12 @@ peer-transport-security:
# Peer TLS using generated certificates.
auto-tls: false

# Allowed CN for inter peer authentication.
allowed-cn:

# Allowed TLS hostname for inter peer authentication.
allowed-hostname:

# The validity period of the self-signed certificate, the unit is year.
self-signed-cert-validity: 1

Expand Down
18 changes: 11 additions & 7 deletions server/embed/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -443,13 +443,15 @@ type configJSON struct {
}

type securityConfig struct {
CertFile string `json:"cert-file"`
KeyFile string `json:"key-file"`
ClientCertFile string `json:"client-cert-file"`
ClientKeyFile string `json:"client-key-file"`
CertAuth bool `json:"client-cert-auth"`
TrustedCAFile string `json:"trusted-ca-file"`
AutoTLS bool `json:"auto-tls"`
CertFile string `json:"cert-file"`
KeyFile string `json:"key-file"`
ClientCertFile string `json:"client-cert-file"`
ClientKeyFile string `json:"client-key-file"`
CertAuth bool `json:"client-cert-auth"`
TrustedCAFile string `json:"trusted-ca-file"`
AutoTLS bool `json:"auto-tls"`
AllowedCN string `json:"allowed-cn"`
AllowedHostname string `json:"allowed-hostname"`
}

// NewConfig creates a new Config populated with default values.
Expand Down Expand Up @@ -629,6 +631,8 @@ func (cfg *configYAML) configFromFile(path string) error {
tls.ClientKeyFile = ysc.ClientKeyFile
tls.ClientCertAuth = ysc.CertAuth
tls.TrustedCAFile = ysc.TrustedCAFile
tls.AllowedCN = ysc.AllowedCN
tls.AllowedHostname = ysc.AllowedHostname
}
copySecurityDetails(&cfg.ClientTLSInfo, &cfg.ClientSecurityJSON)
copySecurityDetails(&cfg.PeerTLSInfo, &cfg.PeerSecurityJSON)
Expand Down
10 changes: 8 additions & 2 deletions server/embed/config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,8 @@ func notFoundErr(service, domain string) error {

func TestConfigFileOtherFields(t *testing.T) {
ctls := securityConfig{TrustedCAFile: "cca", CertFile: "ccert", KeyFile: "ckey"}
ptls := securityConfig{TrustedCAFile: "pca", CertFile: "pcert", KeyFile: "pkey"}
// Note AllowedCN and AllowedHostname are mutually exclusive, this test is just to verify the fields can be correctly marshalled & unmarshalled.
ptls := securityConfig{TrustedCAFile: "pca", CertFile: "pcert", KeyFile: "pkey", AllowedCN: "etcd", AllowedHostname: "whatever.example.com"}
yc := struct {
ClientSecurityCfgFile securityConfig `json:"client-transport-security"`
PeerSecurityCfgFile securityConfig `json:"peer-transport-security"`
Expand Down Expand Up @@ -155,7 +156,12 @@ func TestUpdateDefaultClusterFromNameOverwrite(t *testing.T) {
func (s *securityConfig) equals(t *transport.TLSInfo) bool {
return s.CertFile == t.CertFile &&
s.CertAuth == t.ClientCertAuth &&
s.TrustedCAFile == t.TrustedCAFile
s.TrustedCAFile == t.TrustedCAFile &&
s.ClientCertFile == t.ClientCertFile &&
s.ClientKeyFile == t.ClientKeyFile &&
s.KeyFile == t.KeyFile &&
s.AllowedCN == t.AllowedCN &&
s.AllowedHostname == t.AllowedHostname
}

func mustCreateCfgFile(t *testing.T, b []byte) *os.File {
Expand Down

0 comments on commit 47c5fb8

Please sign in to comment.