You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The meaning of AutoIssueCert is as follows, but when CACert is not empty, tls is still used for peer to connect to the manager
type GlobalSecurityOption struct {
// AutoIssueCert indicates to issue client certificates for all grpc call
// if AutoIssueCert is false, any other option in Security will be ignored
AutoIssueCert bool mapstructure:"autoIssueCert" yaml:"autoIssueCert"
// CACert is the root CA certificate for all grpc tls handshake, it can be path or PEM format string
CACert types.PEMContent mapstructure:"caCert" yaml:"caCert"
// TLSVerify indicates to verify client certificates.
TLSVerify bool mapstructure:"tlsVerify" yaml:"tlsVerify"
// TLSPolicy controls the grpc shandshake behaviors:
// force: both ClientHandshake and ServerHandshake are only support tls
// prefer: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support tls
// default: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support insecure (non-tls)
TLSPolicy string mapstructure:"tlsPolicy" yaml:"tlsPolicy"
// CertSpec is the desired state of certificate.
CertSpec *CertSpec mapstructure:"certSpec" yaml:"certSpec"
}
Expected behavior:
when AutoIssueCert=false and CACert="a ca cert", dfdaemon still use non-tls to connect the manager
How to reproduce it:
set AutoIssueCert=false and CACert="a ca cert" in dfdaemon's global security config
The text was updated successfully, but these errors were encountered:
Bug report:
https://github.com/dragonflyoss/Dragonfly2/blob/505d53b83c3000eff62cfda00a062c11b2b77bae/client/daemon/daemon.go#L154
The meaning of AutoIssueCert is as follows, but when CACert is not empty, tls is still used for peer to connect to the manager
type GlobalSecurityOption struct {
// AutoIssueCert indicates to issue client certificates for all grpc call
// if AutoIssueCert is false, any other option in Security will be ignored
AutoIssueCert bool
mapstructure:"autoIssueCert" yaml:"autoIssueCert"
// CACert is the root CA certificate for all grpc tls handshake, it can be path or PEM format string
CACert types.PEMContent
mapstructure:"caCert" yaml:"caCert"
// TLSVerify indicates to verify client certificates.
TLSVerify bool
mapstructure:"tlsVerify" yaml:"tlsVerify"
// TLSPolicy controls the grpc shandshake behaviors:
// force: both ClientHandshake and ServerHandshake are only support tls
// prefer: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support tls
// default: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support insecure (non-tls)
TLSPolicy string
mapstructure:"tlsPolicy" yaml:"tlsPolicy"
// CertSpec is the desired state of certificate.
CertSpec *CertSpec
mapstructure:"certSpec" yaml:"certSpec"
}
Expected behavior:
when AutoIssueCert=false and CACert="a ca cert", dfdaemon still use non-tls to connect the manager
How to reproduce it:
set AutoIssueCert=false and CACert="a ca cert" in dfdaemon's global security config
The text was updated successfully, but these errors were encountered: