AutoIssueCert loses control when opt.Security.CACert is not empty #3422

Open
karlhjm opened this issue Aug 8, 2024 · 1 comment
karlhjm commented Aug 8, 2024

Bug report:

https://github.com/dragonflyoss/Dragonfly2/blob/505d53b83c3000eff62cfda00a062c11b2b77bae/client/daemon/daemon.go#L154

The meaning of AutoIssueCert is as follows, but when CACert is not empty, TLS is still used for the peer to connect to the manager:

```go
type GlobalSecurityOption struct {
	// AutoIssueCert indicates to issue client certificates for all grpc call
	// if AutoIssueCert is false, any other option in Security will be ignored
	AutoIssueCert bool `mapstructure:"autoIssueCert" yaml:"autoIssueCert"`
	// CACert is the root CA certificate for all grpc tls handshake, it can be path or PEM format string
	CACert types.PEMContent `mapstructure:"caCert" yaml:"caCert"`
	// TLSVerify indicates to verify client certificates.
	TLSVerify bool `mapstructure:"tlsVerify" yaml:"tlsVerify"`
	// TLSPolicy controls the grpc handshake behaviors:
	// force: both ClientHandshake and ServerHandshake only support tls
	// prefer: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support tls
	// default: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support insecure (non-tls)
	TLSPolicy string `mapstructure:"tlsPolicy" yaml:"tlsPolicy"`
	// CertSpec is the desired state of certificate.
	CertSpec *CertSpec `mapstructure:"certSpec" yaml:"certSpec"`
}
```

Expected behavior:

When AutoIssueCert=false and CACert="a ca cert", dfdaemon still uses non-TLS to connect to the manager.

How to reproduce it:

Set AutoIssueCert=false and CACert="a ca cert" in dfdaemon's global security config.

@karlhjm karlhjm added the bug label Aug 8, 2024
karlhjm commented Aug 8, 2024

Why is it necessary to hard-code "withTLS" to disable TLS for peerListener? Shouldn't withTLS be configured through TLSVerify or TLSPolicy?

https://github.com/dragonflyoss/Dragonfly2/blob/505d53b83c3000eff62cfda00a062c11b2b77bae/client/daemon/daemon.go#L512

https://github.com/dragonflyoss/Dragonfly2/blob/505d53b83c3000eff62cfda00a062c11b2b77bae/client/daemon/daemon.go#L608
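As an added illustration of both points above (not code from the issue or from Dragonfly2), the helper below applies the semantics written in the struct comments: the AutoIssueCert gate is checked first, and the client and server handshake modes are derived from TLSPolicy rather than from whether CACert is set or from a hard-coded flag. The struct is a simplified copy (CACert as a plain string), `tlsModes`, `HandshakeMode` and `managerUsesTLSByCACert` are hypothetical names, and the reproduction input is constructed.

```go
package main

import "fmt"

// GlobalSecurityOption mirrors the fields quoted in the issue; CACert is a
// plain string here instead of the project's types.PEMContent.
type GlobalSecurityOption struct {
	AutoIssueCert bool
	CACert        string
	TLSVerify     bool
	TLSPolicy     string
}

// HandshakeMode (hypothetical) records what one side of a gRPC connection accepts.
type HandshakeMode struct {
	TLS      bool // TLS handshake allowed
	Insecure bool // plaintext (non-TLS) handshake allowed
}

// tlsModes (hypothetical) derives client and server handshake modes from the
// documented semantics. The AutoIssueCert gate comes first: when it is false
// every other Security option is ignored, so CACert alone never enables TLS.
func tlsModes(opt GlobalSecurityOption) (client, server HandshakeMode, err error) {
	if !opt.AutoIssueCert {
		return HandshakeMode{Insecure: true}, HandshakeMode{Insecure: true}, nil
	}
	switch opt.TLSPolicy {
	case "force":
		return HandshakeMode{TLS: true}, HandshakeMode{TLS: true}, nil
	case "prefer":
		return HandshakeMode{TLS: true}, HandshakeMode{TLS: true, Insecure: true}, nil
	case "default":
		return HandshakeMode{Insecure: true}, HandshakeMode{TLS: true, Insecure: true}, nil
	}
	return client, server, fmt.Errorf("unknown tlsPolicy %q", opt.TLSPolicy)
}

// managerUsesTLSByCACert (hypothetical) mirrors the behaviour the issue
// reports: keying the manager connection on CACert bypasses the gate.
func managerUsesTLSByCACert(opt GlobalSecurityOption) bool {
	return opt.CACert != ""
}

func main() {
	// Constructed input matching the reproduction steps: AutoIssueCert=false, CACert set.
	opt := GlobalSecurityOption{AutoIssueCert: false, CACert: "constructed CA PEM", TLSPolicy: "force"}
	client, server, _ := tlsModes(opt)
	fmt.Printf("documented semantics: client=%+v server=%+v\n", client, server)
	fmt.Printf("reported behaviour: manager TLS=%v\n", managerUsesTLSByCACert(opt))
}
```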
