karlhjm
commented
3 months ago Why is it necessary to hard code "withTLS" to disable TLS for peerListener? Shouldn't withTLS be configured through TLSVerify or TLSPolicy?
Open karlhjm opened 3 months ago
karlhjm
commented
3 months ago Why is it necessary to hard code "withTLS" to disable TLS for peerListener? Shouldn't withTLS be configured through TLSVerify or TLSPolicy?
Bug report:
https://github.com/dragonflyoss/Dragonfly2/blob/505d53b83c3000eff62cfda00a062c11b2b77bae/client/daemon/daemon.go#L154
The meaning of AutoIssueCert is as follows, but when CACert is not empty, tls is still used for peer to connect to the manager
type GlobalSecurityOption struct { // AutoIssueCert indicates to issue client certificates for all grpc call // if AutoIssueCert is false, any other option in Security will be ignored AutoIssueCert bool
mapstructure:"autoIssueCert" yaml:"autoIssueCert"// CACert is the root CA certificate for all grpc tls handshake, it can be path or PEM format string CACert types.PEMContentmapstructure:"caCert" yaml:"caCert"// TLSVerify indicates to verify client certificates. TLSVerify boolmapstructure:"tlsVerify" yaml:"tlsVerify"// TLSPolicy controls the grpc shandshake behaviors: // force: both ClientHandshake and ServerHandshake are only support tls // prefer: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support tls // default: ServerHandshake supports tls and insecure (non-tls), ClientHandshake will only support insecure (non-tls) TLSPolicy stringmapstructure:"tlsPolicy" yaml:"tlsPolicy"// CertSpec is the desired state of certificate. CertSpec *CertSpecmapstructure:"certSpec" yaml:"certSpec"}Expected behavior:
when AutoIssueCert=false and CACert="a ca cert", dfdaemon still use non-tls to connect the manager
How to reproduce it:
set AutoIssueCert=false and CACert="a ca cert" in dfdaemon's global security config