
[PATCH] improve client insecure mode #881

Open mapperr opened 1 year ago

mapperr commented 1 year ago

Hi everyone,

this is a patch that re-applies the now-missing parts of https://github.com/kelseyhightower/confd/pull/718 from @PascalChardon on master and covers the etcd --auto-tls use case (more in the commit message).

Sorry to send it to you instead of pull-requesting, I'm currently too lazy to fork/clone/patch/gotogithubagain/pullrequest.

From 0d6bd81079d04cb8e3c099bbc1c7397cc5eb7ffa Mon Sep 17 00:00:00 2001
From: mapperr <mapperr@sdf.ee>
Date: Mon, 25 Sep 2023 20:11:36 +0200
Subject: [PATCH] improve client insecure mode

Cover the case of --auto-tls,
when you want transport security,
but not client authentication with certificates.
---
 backends/client.go        |  4 ++--
 backends/config.go        | 44 +++++++++++++++++++--------------------
 backends/etcd/client.go   |  6 +++++-
 backends/etcdv3/client.go |  8 +++++--
 4 files changed, 35 insertions(+), 27 deletions(-)

diff --git a/backends/client.go b/backends/client.go
index 2c34d4c..74a7012 100644
--- a/backends/client.go
+++ b/backends/client.go
@@ -49,9 +49,9 @@ func New(config Config) (StoreClient, error) {
        )
    case "etcd":
        // etcd v2 has been deprecated and etcdv3 is now the client for both the etcd and etcdv3 backends.
-       return etcdv3.NewEtcdClient(backendNodes, config.ClientCert, config.ClientKey, config.ClientCaKeys, config.BasicAuth, config.Username, config.Password)
+       return etcdv3.NewEtcdClient(backendNodes, config.ClientCert, config.ClientKey, config.ClientCaKeys, config.ClientInsecure, config.BasicAuth, config.Username, config.Password)
    case "etcdv3":
-       return etcdv3.NewEtcdClient(backendNodes, config.ClientCert, config.ClientKey, config.ClientCaKeys, config.BasicAuth, config.Username, config.Password)
+       return etcdv3.NewEtcdClient(backendNodes, config.ClientCert, config.ClientKey, config.ClientCaKeys, config.ClientInsecure, config.BasicAuth, config.Username, config.Password)
    case "zookeeper":
        return zookeeper.NewZookeeperClient(backendNodes)
    case "rancher":
diff --git a/backends/config.go b/backends/config.go
index 9f58127..a080d18 100644
--- a/backends/config.go
+++ b/backends/config.go
@@ -5,26 +5,26 @@ import (
 )

 type Config struct {
-   AuthToken    string     `toml:"auth_token"`
-   AuthType     string     `toml:"auth_type"`
-   Backend      string     `toml:"backend"`
-   BasicAuth    bool       `toml:"basic_auth"`
-   ClientCaKeys string     `toml:"client_cakeys"`
-   ClientCert   string     `toml:"client_cert"`
-   ClientKey    string     `toml:"client_key"`
-        ClientInsecure bool     `toml:"client_insecure"`
-   BackendNodes util.Nodes `toml:"nodes"`
-   Password     string     `toml:"password"`
-   Scheme       string     `toml:"scheme"`
-   Table        string     `toml:"table"`
-   Separator    string     `toml:"separator"`
-   Username     string     `toml:"username"`
-   AppID        string     `toml:"app_id"`
-   UserID       string     `toml:"user_id"`
-   RoleID       string     `toml:"role_id"`
-   SecretID     string     `toml:"secret_id"`
-   YAMLFile     util.Nodes `toml:"file"`
-   Filter       string     `toml:"filter"`
-   Path         string     `toml:"path"`
-   Role         string
+   AuthToken      string     `toml:"auth_token"`
+   AuthType       string     `toml:"auth_type"`
+   Backend        string     `toml:"backend"`
+   BasicAuth      bool       `toml:"basic_auth"`
+   ClientCaKeys   string     `toml:"client_cakeys"`
+   ClientCert     string     `toml:"client_cert"`
+   ClientKey      string     `toml:"client_key"`
+   ClientInsecure bool       `toml:"client_insecure"`
+   BackendNodes   util.Nodes `toml:"nodes"`
+   Password       string     `toml:"password"`
+   Scheme         string     `toml:"scheme"`
+   Table          string     `toml:"table"`
+   Separator      string     `toml:"separator"`
+   Username       string     `toml:"username"`
+   AppID          string     `toml:"app_id"`
+   UserID         string     `toml:"user_id"`
+   RoleID         string     `toml:"role_id"`
+   SecretID       string     `toml:"secret_id"`
+   YAMLFile       util.Nodes `toml:"file"`
+   Filter         string     `toml:"filter"`
+   Path           string     `toml:"path"`
+   Role           string
 }
diff --git a/backends/etcd/client.go b/backends/etcd/client.go
index 2e3d3a6..daa5255 100644
--- a/backends/etcd/client.go
+++ b/backends/etcd/client.go
@@ -119,7 +119,11 @@ func NewEtcdClient(machines []string, cert, key, caCert string, basicAuth bool,

    tlsEnabled := false
    tlsConfig := &tls.Config{
-       InsecureSkipVerify: false,
+       InsecureSkipVerify: true,
+   }
+
+   if clientInsecure {
+       tlsEnabled = true
    }

    if caCert != "" {
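Review bot: In backends/etcd/client.go the hunk hard-codes `InsecureSkipVerify: true` for every connection, whereas the parallel etcdv3 hunk ties it to the flag; as written, server certificate verification is disabled for this client even when client_insecure is not set and a CA is configured. The line should read `InsecureSkipVerify: clientInsecure,` so the two backends behave the same way. The hunk header still shows this file's signature as `caCert string, basicAuth bool, ...` with no `clientInsecure` parameter, so unless an earlier change already added it, the new `if clientInsecure` block will not compile; the function's signature and the rest of its body are outside the hunk, so I cannot confirm either way. Since backends/client.go routes the "etcd" backend to etcdv3, this code may be unreachable from New(), but it is still exported and should not default to skipping verification.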
diff --git a/backends/etcdv3/client.go b/backends/etcdv3/client.go
index a3dc0a0..f1a3b1a 100644
--- a/backends/etcdv3/client.go
+++ b/backends/etcdv3/client.go
@@ -104,7 +104,7 @@ type Client struct {
 }

 // NewEtcdClient returns an *etcdv3.Client with a connection to named machines.
-func NewEtcdClient(machines []string, cert, key, caCert string, basicAuth bool, username string, password string) (*Client, error) {
+func NewEtcdClient(machines []string, cert, key, caCert string, clientInsecure bool, basicAuth bool, username string, password string) (*Client, error) {
    cfg := clientv3.Config{
        Endpoints:            machines,
        DialTimeout:          5 * time.Second,
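Review bot: The doc comment on NewEtcdClient is not updated for the new clientInsecure parameter, and because it sits directly before basicAuth the signature now has two adjacent positional bools that are easy to transpose at a call site without any compile error. I would extend the comment with a sentence such as `// clientInsecure enables TLS without verifying the server certificate (e.g. for etcd started with --auto-tls); it must not be used where the CA can be distributed instead.` The call sites in backends/client.go pass the arguments in the right order, but a named options struct would remove the risk for future callers; that is a larger change than this patch needs. The function body continues past the end of this hunk.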
@@ -119,7 +119,11 @@ func NewEtcdClient(machines []string, cert, key, caCert string, basicAuth bool,

    tlsEnabled := false
    tlsConfig := &tls.Config{
-       InsecureSkipVerify: false,
+       InsecureSkipVerify: clientInsecure,
+   }
+
+   if clientInsecure {
+       tlsEnabled = true
    }

    if caCert != "" {
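Review bot: With `InsecureSkipVerify: clientInsecure` set unconditionally, a CA supplied via caCert is presumably loaded by the `if caCert != ""` branch that follows but is then ignored by the handshake, so the combination silently gives weaker security than the operator configured. I would either make verification win when a CA is present, `InsecureSkipVerify: clientInsecure && caCert == "",`, or reject the contradictory configuration with an error before building the client; in either case the `tlsEnabled = true` assignment on the new lines can stay. The code that consumes tlsConfig and tlsEnabled is outside this hunk, so I am inferring that they feed the same TLS setup as the caCert branch. The same contradiction applies to the backends/etcd/client.go hunk.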
-- 
2.42.0