feat(dgraph): enabling TLS config in http zero #6691
Conversation
aman-bansal
force-pushed
the
aman/enable_http_tls_zero
branch
from
4945380 to
5bc0812
Compare
![codelingo[bot]](https://avatars.githubusercontent.com/in/14339?s=60&v=4){kind=small}
aman-bansal
requested review from
manishrjain and
vvbalaji-dgraph
as code owners
aman-bansal
force-pushed
the
aman/enable_http_tls_zero
branch
from
31437dc to
080704a
Compare
There was a problem hiding this comment.
Reviewable status: 0 of 10 files reviewed, 2 unresolved discussions (waiting on @aman-bansal, @manishrjain, and @vvbalaji-dgraph)
dgraph/cmd/zero/http.go, line 246 at r1 (raw file):
} func (st *state) serveHTTP(l net.Listener) {
should be renamed as it serves both HTTP and HTTPS
dgraph/cmd/zero/http.go, line 278 at r1 (raw file):
func startServers(m cmux.CMux) { // if tls enabled http rule will check that the requested route should not be part of tls_enabled_routes
The naming needs to be fixed here.
|
-all tests for the combination of tls config (on/off) and enabled routes (0 , all, some).
|
aman-bansal
force-pushed
the
aman/enable_http_tls_zero
branch
from
1544682 to
8e467c3
Compare
|
Both bulk live or other clients connect with GRPC port of zero. This change doesn't affect any of those. We already have tests running to check those features. For ratel, I have tested this locally. But couldn't find anything that tests end to end integration of zero, alpha, ratel. |
aman-bansal
force-pushed
the
aman/enable_http_tls_zero
branch
from
8e467c3 to
93b2fd3
Compare
aman-bansal
force-pushed
the
aman/enable_http_tls_zero
branch
from
93b2fd3 to
a3398f4
Compare
|
I changed the enable flag to disable because there are many endpoints like /debug which isn't initiated directly. We can introduce some side effects with negation logic. Also this align more with manish comment |
aman-bansal
force-pushed
the
aman/enable_http_tls_zero
branch
from
5c3348d to
a228342
Compare
There was a problem hiding this comment.
Reviewed 4 of 10 files at r1, 4 of 6 files at r2, 2 of 2 files at r3.
Reviewable status: all files reviewed, 4 unresolved discussions (waiting on @aman-bansal, @manishrjain, and @vvbalaji-dgraph)
dgraph/cmd/zero/run.go, line 97 at r3 (raw file):
flag.Bool("tls_use_system_ca", true, "Include System CA into CA Certs.") flag.String("tls_client_auth", "VERIFYIFGIVEN", "Enable TLS client authentication") flag.String("tls_disabled_route", "", "comma separated zero endpoint which will disabled from TLS encryption."+
which will be ....
tlstest/zero_https/no_tls/no_tls_test.go, line 58 at r3 (raw file):
defer func() { _ = do.Body.Close() }() body, err := ioutil.ReadAll(do.Body) if err != nil {
require.NoError(t, err)
* enabling TLS config in http zero * making zero https configured * changing behaviour of cmux + adding test cases * fixing zero address in test * fixing docker files * adding alpha in docker compose * fixing test generate cert pool * renaming functions based on review * making zero https more vigilant with more checks * changing the enabled to disabled flag * fixing test case * fixing zero cmd flag desc and refactoring test cases
Enabling TLS based encryption in Dgraph zero.
Fixes https://dgraph.atlassian.net/browse/DGRAPH-1366. Based on discussion here https://discuss.dgraph.io/t/enabling-tls-configuration-for-internal-ports-making-dgraph-more-secure/10860/2
The same variables are used which needs to be defined for alpha tls configuration
Things to consider:
This change is
Docs Preview: