Add ability to disable mTLS #181
@@ -71,5 +71,8 @@ func startServer(config *config.Config, airbrakeNotifier *gobrake.Notifier, logg | |
if server.TLSConfig, err = config.ExtractServiceTLSConfig(logger); err != nil { | ||
return err | ||
} | ||
if config.DisableTLS { | ||
Move this up, no point in extracting
||
return server.ListenAndServe() | ||
} | ||
return server.ListenAndServeTLS(config.TLS.ServerCert, config.TLS.ServerKey) | ||
} |
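Review bot: When `DisableTLS` is set the new branch calls `server.ListenAndServe()` with no log line, so an operator cannot tell from startup output that the telemetry server is now accepting plaintext connections with no client-certificate check. Emit a clear warning before that call, e.g. `logger.Warn("TLS disabled: serving plaintext, client authentication must be enforced by the reverse proxy")`, so a misconfigured deployment shows up in logs and monitoring rather than only in traffic captures. startServer begins outside the hunk.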
@@ -47,6 +47,10 @@ type Config struct { | |
// TLS contains certificates & CA info for the webserver | ||
TLS *TLS `json:"tls,omitempty"` | ||
|
||
// DisableTLS disables mTLS | ||
// Only set to true if there's a reverse proxy in front taking care of mTLS handling | ||
DisableTLS bool `json:"disable_tls,omitempty"` | ||
|
||
// UseDefaultEngCA overrides default CA to eng | ||
UseDefaultEngCA bool `json:"use_default_eng_ca"` | ||
|
||
|
@@ -183,10 +187,14 @@ func (c *Config) AirbrakeTlsConfig() (*tls.Config, error) { | |
|
||
// ExtractServiceTLSConfig return the TLS config needed for stating the mTLS Server | ||
func (c *Config) ExtractServiceTLSConfig(logger *logrus.Logger) (*tls.Config, error) { | ||
if c.TLS == nil { | ||
if c.TLS == nil && !c.DisableTLS { | ||
return nil, errors.New("tls config is empty - telemetry server is mTLS only, make sure to provide certificates in the config") | ||
} | ||
|
||
if c.DisableTLS { | ||
Don't enter this code path at all if TLS disabled?
||
return nil, nil | ||
} | ||
|
||
var caFileBytes []byte | ||
var caEnv string | ||
if c.UseDefaultEngCA { | ||
|
@@ -0,0 +1,30 @@ | ||
{ | ||
imo no need for this example file since
||
"host": "0.0.0.0", | ||
"port": 80, | ||
"log_level": "info", | ||
"json_log_enable": true, | ||
"namespace": "tesla_telemetry", | ||
"reliable_ack": false, | ||
"monitoring": { | ||
"prometheus_metrics_port": 9090, | ||
"profiler_port": 4269, | ||
"profiling_path": "/tmp/trace.out" | ||
}, | ||
"rate_limit": { | ||
"enabled": true, | ||
"message_interval_time": 30, | ||
"message_limit": 1000 | ||
}, | ||
"records": { | ||
"alerts": [ | ||
"logger" | ||
], | ||
"errors": [ | ||
"logger" | ||
], | ||
"V": [ | ||
"logger" | ||
] | ||
}, | ||
"disable_tls": true | ||
} |
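Review bot: The example pairs `"disable_tls": true` with `"host": "0.0.0.0"` and `"port": 80`, so anyone who copies it gets a plaintext listener on every interface with no client authentication. JSON cannot carry a comment, so the constraint stated on the config field (only behind a reverse proxy that terminates mTLS) is lost in this file; either give the file a name that makes the proxy requirement obvious or state it in the README next to the example. A loopback `host` in the example would also make an accidentally exposed deployment less likely.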
@@ -72,7 +72,7 @@ func InitServer(c *config.Config, airbrakeHandler *airbrake.AirbrakeHandler, pro | |
|
||
mux := http.NewServeMux() | ||
mux.HandleFunc("/", socketServer.ServeBinaryWs(c)) | ||
mux.Handle("/status", socketServer.airbrakeHandler.WithReporting(http.HandlerFunc(socketServer.Status()))) | ||
mux.Handle("/status", socketServer.airbrakeHandler.WithReporting(http.HandlerFunc(socketServer.Status(c)))) | ||
|
||
server := &http.Server{Addr: fmt.Sprintf("%v:%v", c.Host, c.Port), Handler: serveHTTPWithLogs(mux, logger)} | ||
go socketServer.handleAcks() | ||
|
@@ -111,9 +111,13 @@ func serveHTTPWithLogs(h http.Handler, logger *logrus.Logger) http.Handler { | |
} | ||
|
||
// Status API shows server with mtls config is up | ||
comment incorrect now
||
func (s *Server) Status() func(w http.ResponseWriter, r *http.Request) { | ||
func (s *Server) Status(config *config.Config) func(w http.ResponseWriter, r *http.Request) { | ||
return func(w http.ResponseWriter, r *http.Request) { | ||
fmt.Fprint(w, "mtls ok") | ||
if config.DisableTLS { | ||
fmt.Fprint(w, "ok") | ||
} else { | ||
fmt.Fprint(w, "mtls ok") | ||
} | ||
} | ||
} | ||
|
||
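Review bot: In the second hunk the new parameter `config *config.Config` shadows the imported `config` package inside `Status`, which compiles but is easy to misread; `cfg *config.Config`, or simply the value it reads (`disableTLS bool`), is clearer. The handler also switches the response body by mode, so any external monitor that matches on `"mtls ok"` would break once TLS is turned off — if that string is consumed anywhere, consider returning a constant `ok` and logging the mode at startup instead. Note too that with TLS disabled `/status` is reachable without client authentication, so its body now tells any caller which mode the server is in; likely acceptable for a health probe, but it should be a deliberate choice.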
|
which takes care of mTLS handling
=>which handles mTLS