mirror of
https://github.com/fnproject/fn.git
synced 2022-10-28 21:29:17 +03:00
support runner TLS certificates with specified certificate Common Names (#900)
* support runner TLS certificates with specified certificate Common Names * removes duplicate constant * run in insecure mode by default but expose ability to create tls-secured runner pools programmatically * fixes runner tests to use new tls interfaces
This commit is contained in:
Gerardo Viedma
committed by
jan grant
jan grant
parent
966890ac8f
commit
348bbaf36b
@@ -26,14 +26,14 @@ type mockRunner struct {
|
||||
|
||||
type mockRunnerPool struct {
|
||||
runners []pool.Runner
|
||||
generator insecureRunnerFactory
|
||||
generator pool.MTLSRunnerFactory
|
||||
pki *pool.PKIData
|
||||
}
|
||||
|
||||
func newMockRunnerPool(rf insecureRunnerFactory, runnerAddrs []string) *mockRunnerPool {
|
||||
func newMockRunnerPool(rf pool.MTLSRunnerFactory, runnerAddrs []string) *mockRunnerPool {
|
||||
var runners []pool.Runner
|
||||
for _, addr := range runnerAddrs {
|
||||
r, err := rf(addr)
|
||||
r, err := rf(addr, "", nil)
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
@@ -55,8 +55,8 @@ func (rp *mockRunnerPool) Shutdown(context.Context) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func NewMockRunnerFactory(sleep time.Duration, maxCalls int32) insecureRunnerFactory {
|
||||
return func(addr string) (pool.Runner, error) {
|
||||
func NewMockRunnerFactory(sleep time.Duration, maxCalls int32) pool.MTLSRunnerFactory {
|
||||
return func(addr, cn string, pki *pool.PKIData) (pool.Runner, error) {
|
||||
return &mockRunner{
|
||||
sleep: sleep,
|
||||
maxCalls: maxCalls,
|
||||
@@ -65,8 +65,8 @@ func NewMockRunnerFactory(sleep time.Duration, maxCalls int32) insecureRunnerFac
|
||||
}
|
||||
}
|
||||
|
||||
func FaultyRunnerFactory() insecureRunnerFactory {
|
||||
return func(addr string) (pool.Runner, error) {
|
||||
func FaultyRunnerFactory() pool.MTLSRunnerFactory {
|
||||
return func(addr, cn string, pki *pool.PKIData) (pool.Runner, error) {
|
||||
return &mockRunner{
|
||||
addr: addr,
|
||||
}, errors.New("Creation of new runner failed")
|
||||
|
||||
@@ -24,8 +24,8 @@ type gRPCRunner struct {
|
||||
client pb.RunnerProtocolClient
|
||||
}
|
||||
|
||||
func SecureGRPCRunnerFactory(addr string, pki *pool.PKIData) (pool.Runner, error) {
|
||||
conn, client, err := runnerConnection(addr, pki)
|
||||
func SecureGRPCRunnerFactory(addr, runnerCertCN string, pki *pool.PKIData) (pool.Runner, error) {
|
||||
conn, client, err := runnerConnection(addr, runnerCertCN, pki)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -55,13 +55,13 @@ func (r *gRPCRunner) Close(ctx context.Context) error {
|
||||
}
|
||||
}
|
||||
|
||||
func runnerConnection(address string, pki *pool.PKIData) (*grpc.ClientConn, pb.RunnerProtocolClient, error) {
|
||||
func runnerConnection(address, runnerCertCN string, pki *pool.PKIData) (*grpc.ClientConn, pb.RunnerProtocolClient, error) {
|
||||
ctx := context.Background()
|
||||
|
||||
var creds credentials.TransportCredentials
|
||||
if pki != nil {
|
||||
var err error
|
||||
creds, err = grpcutil.CreateCredentials(pki.Cert, pki.Key, pki.Ca)
|
||||
creds, err = grpcutil.CreateCredentials(pki.Cert, pki.Key, pki.Ca, runnerCertCN)
|
||||
if err != nil {
|
||||
logrus.WithError(err).Error("Unable to create credentials to connect to runner node")
|
||||
return nil, nil, err
|
||||
|
||||
@@ -13,39 +13,24 @@ const (
|
||||
staticPoolShutdownTimeout = 5 * time.Second
|
||||
)
|
||||
|
||||
// allow factory to be overridden in tests
|
||||
type insecureRunnerFactory func(addr string) (pool.Runner, error)
|
||||
|
||||
func insecureGRPCRunnerFactory(addr string) (pool.Runner, error) {
|
||||
conn, client, err := runnerConnection(addr, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &gRPCRunner{
|
||||
address: addr,
|
||||
conn: conn,
|
||||
client: client,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// manages a single set of runners ignoring lb groups
|
||||
type staticRunnerPool struct {
|
||||
generator insecureRunnerFactory
|
||||
generator pool.MTLSRunnerFactory
|
||||
pki *pool.PKIData // can be nil when running in insecure mode
|
||||
runnerCN string
|
||||
rMtx *sync.RWMutex
|
||||
runners []pool.Runner
|
||||
}
|
||||
|
||||
// DefaultStaticRunnerPool returns a RunnerPool consisting of a static set of runners
|
||||
func DefaultStaticRunnerPool(runnerAddresses []string) pool.RunnerPool {
|
||||
return newStaticRunnerPool(runnerAddresses, insecureGRPCRunnerFactory)
|
||||
return NewStaticRunnerPool(runnerAddresses, nil, "", SecureGRPCRunnerFactory)
|
||||
}
|
||||
|
||||
func newStaticRunnerPool(runnerAddresses []string, runnerFactory insecureRunnerFactory) pool.RunnerPool {
|
||||
func NewStaticRunnerPool(runnerAddresses []string, pki *pool.PKIData, runnerCN string, runnerFactory pool.MTLSRunnerFactory) pool.RunnerPool {
|
||||
logrus.WithField("runners", runnerAddresses).Info("Starting static runner pool")
|
||||
var runners []pool.Runner
|
||||
for _, addr := range runnerAddresses {
|
||||
r, err := runnerFactory(addr)
|
||||
r, err := runnerFactory(addr, runnerCN, pki)
|
||||
if err != nil {
|
||||
logrus.WithField("runner_addr", addr).Warn("Invalid runner")
|
||||
continue
|
||||
@@ -56,6 +41,8 @@ func newStaticRunnerPool(runnerAddresses []string, runnerFactory insecureRunnerF
|
||||
return &staticRunnerPool{
|
||||
rMtx: &sync.RWMutex{},
|
||||
runners: runners,
|
||||
pki: pki,
|
||||
runnerCN: runnerCN,
|
||||
generator: runnerFactory,
|
||||
}
|
||||
}
|
||||
@@ -73,7 +60,7 @@ func (rp *staticRunnerPool) AddRunner(address string) error {
|
||||
rp.rMtx.Lock()
|
||||
defer rp.rMtx.Unlock()
|
||||
|
||||
r, err := rp.generator(address)
|
||||
r, err := rp.generator(address, rp.runnerCN, rp.pki)
|
||||
if err != nil {
|
||||
logrus.WithField("runner_addr", address).Warn("Failed to add runner")
|
||||
return err
|
||||
|
||||
@@ -8,7 +8,7 @@ import (
|
||||
)
|
||||
|
||||
func setupStaticPool(runners []string) pool.RunnerPool {
|
||||
return newStaticRunnerPool(runners, mockRunnerFactory)
|
||||
return NewStaticRunnerPool(runners, nil, "", mockRunnerFactory)
|
||||
}
|
||||
|
||||
type mockStaticRunner struct {
|
||||
@@ -27,7 +27,7 @@ func (r *mockStaticRunner) Address() string {
|
||||
return r.address
|
||||
}
|
||||
|
||||
func mockRunnerFactory(addr string) (pool.Runner, error) {
|
||||
func mockRunnerFactory(addr, cn string, pki *pool.PKIData) (pool.Runner, error) {
|
||||
return &mockStaticRunner{address: addr}, nil
|
||||
}
|
||||
|
||||
|
||||
@@ -21,6 +21,7 @@ type RunnerPool interface {
|
||||
Shutdown(context.Context) error
|
||||
}
|
||||
|
||||
// PKIData encapsulates TLS certificate data
|
||||
type PKIData struct {
|
||||
Ca string
|
||||
Key string
|
||||
@@ -28,7 +29,7 @@ type PKIData struct {
|
||||
}
|
||||
|
||||
// MTLSRunnerFactory represents a factory method for constructing runners using mTLS
|
||||
type MTLSRunnerFactory func(addr string, pki *PKIData) (Runner, error)
|
||||
type MTLSRunnerFactory func(addr, certCommonName string, pki *PKIData) (Runner, error)
|
||||
|
||||
// Runner is the interface to invoke the execution of a function call on a specific runner
|
||||
type Runner interface {
|
||||
|
||||
Reference in New Issue
Block a user