support runner TLS certificates with specified certificate Common Names (#900)

* support runner TLS certificates with specified certificate Common Names

* removes duplicate constant

* run in insecure mode by default but expose ability to create tls-secured runner pools programmatically

* fixes runner tests to use new tls interfaces

api/agent/lb_agent_test.go

@@ -26,14 +26,14 @@ type mockRunner struct {
 
 type mockRunnerPool struct {
 	runners   []pool.Runner
-	generator insecureRunnerFactory
+	generator pool.MTLSRunnerFactory
 	pki       *pool.PKIData
 }
 
-func newMockRunnerPool(rf insecureRunnerFactory, runnerAddrs []string) *mockRunnerPool {
+func newMockRunnerPool(rf pool.MTLSRunnerFactory, runnerAddrs []string) *mockRunnerPool {
 	var runners []pool.Runner
 	for _, addr := range runnerAddrs {
-		r, err := rf(addr)
+		r, err := rf(addr, "", nil)
 		if err != nil {
 			continue
 		}
@@ -55,8 +55,8 @@ func (rp *mockRunnerPool) Shutdown(context.Context) error {
 	return nil
 }
 
-func NewMockRunnerFactory(sleep time.Duration, maxCalls int32) insecureRunnerFactory {
-	return func(addr string) (pool.Runner, error) {
+func NewMockRunnerFactory(sleep time.Duration, maxCalls int32) pool.MTLSRunnerFactory {
+	return func(addr, cn string, pki *pool.PKIData) (pool.Runner, error) {
 		return &mockRunner{
 			sleep:    sleep,
 			maxCalls: maxCalls,
@@ -65,8 +65,8 @@ func NewMockRunnerFactory(sleep time.Duration, maxCalls int32) insecureRunnerFac
 	}
 }
 
-func FaultyRunnerFactory() insecureRunnerFactory {
-	return func(addr string) (pool.Runner, error) {
+func FaultyRunnerFactory() pool.MTLSRunnerFactory {
+	return func(addr, cn string, pki *pool.PKIData) (pool.Runner, error) {
 		return &mockRunner{
 			addr: addr,
 		}, errors.New("Creation of new runner failed")

api/agent/runner_client.go

@@ -24,8 +24,8 @@ type gRPCRunner struct {
 	client  pb.RunnerProtocolClient
 }
 
-func SecureGRPCRunnerFactory(addr string, pki *pool.PKIData) (pool.Runner, error) {
-	conn, client, err := runnerConnection(addr, pki)
+func SecureGRPCRunnerFactory(addr, runnerCertCN string, pki *pool.PKIData) (pool.Runner, error) {
+	conn, client, err := runnerConnection(addr, runnerCertCN, pki)
 	if err != nil {
 		return nil, err
 	}
@@ -55,13 +55,13 @@ func (r *gRPCRunner) Close(ctx context.Context) error {
 	}
 }
 
-func runnerConnection(address string, pki *pool.PKIData) (*grpc.ClientConn, pb.RunnerProtocolClient, error) {
+func runnerConnection(address, runnerCertCN string, pki *pool.PKIData) (*grpc.ClientConn, pb.RunnerProtocolClient, error) {
 	ctx := context.Background()
 
 	var creds credentials.TransportCredentials
 	if pki != nil {
 		var err error
-		creds, err = grpcutil.CreateCredentials(pki.Cert, pki.Key, pki.Ca)
+		creds, err = grpcutil.CreateCredentials(pki.Cert, pki.Key, pki.Ca, runnerCertCN)
 		if err != nil {
 			logrus.WithError(err).Error("Unable to create credentials to connect to runner node")
 			return nil, nil, err

api/agent/static_pool.go

@@ -13,39 +13,24 @@ const (
 	staticPoolShutdownTimeout = 5 * time.Second
 )
 
-// allow factory to be overridden in tests
-type insecureRunnerFactory func(addr string) (pool.Runner, error)
-
-func insecureGRPCRunnerFactory(addr string) (pool.Runner, error) {
-	conn, client, err := runnerConnection(addr, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	return &gRPCRunner{
-		address: addr,
-		conn:    conn,
-		client:  client,
-	}, nil
-}
-
 // manages a single set of runners ignoring lb groups
 type staticRunnerPool struct {
-	generator insecureRunnerFactory
+	generator pool.MTLSRunnerFactory
+	pki       *pool.PKIData // can be nil when running in insecure mode
+	runnerCN  string
 	rMtx      *sync.RWMutex
 	runners   []pool.Runner
 }
 
-// DefaultStaticRunnerPool returns a RunnerPool consisting of a static set of runners
 func DefaultStaticRunnerPool(runnerAddresses []string) pool.RunnerPool {
-	return newStaticRunnerPool(runnerAddresses, insecureGRPCRunnerFactory)
+	return NewStaticRunnerPool(runnerAddresses, nil, "", SecureGRPCRunnerFactory)
 }
 
-func newStaticRunnerPool(runnerAddresses []string, runnerFactory insecureRunnerFactory) pool.RunnerPool {
+func NewStaticRunnerPool(runnerAddresses []string, pki *pool.PKIData, runnerCN string, runnerFactory pool.MTLSRunnerFactory) pool.RunnerPool {
 	logrus.WithField("runners", runnerAddresses).Info("Starting static runner pool")
 	var runners []pool.Runner
 	for _, addr := range runnerAddresses {
-		r, err := runnerFactory(addr)
+		r, err := runnerFactory(addr, runnerCN, pki)
 		if err != nil {
 			logrus.WithField("runner_addr", addr).Warn("Invalid runner")
 			continue
@@ -56,6 +41,8 @@ func newStaticRunnerPool(runnerAddresses []string, runnerFactory insecureRunnerF
 	return &staticRunnerPool{
 		rMtx:      &sync.RWMutex{},
 		runners:   runners,
+		pki:       pki,
+		runnerCN:  runnerCN,
 		generator: runnerFactory,
 	}
 }
@@ -73,7 +60,7 @@ func (rp *staticRunnerPool) AddRunner(address string) error {
 	rp.rMtx.Lock()
 	defer rp.rMtx.Unlock()
 
-	r, err := rp.generator(address)
+	r, err := rp.generator(address, rp.runnerCN, rp.pki)
 	if err != nil {
 		logrus.WithField("runner_addr", address).Warn("Failed to add runner")
 		return err

api/agent/static_pool_test.go

@@ -8,7 +8,7 @@ import (
 )
 
 func setupStaticPool(runners []string) pool.RunnerPool {
-	return newStaticRunnerPool(runners, mockRunnerFactory)
+	return NewStaticRunnerPool(runners, nil, "", mockRunnerFactory)
 }
 
 type mockStaticRunner struct {
@@ -27,7 +27,7 @@ func (r *mockStaticRunner) Address() string {
 	return r.address
 }
 
-func mockRunnerFactory(addr string) (pool.Runner, error) {
+func mockRunnerFactory(addr, cn string, pki *pool.PKIData) (pool.Runner, error) {
 	return &mockStaticRunner{address: addr}, nil
 }