-
Notifications
You must be signed in to change notification settings - Fork 127
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor tls configs #564
Refactor tls configs #564
Conversation
extend namers with group part for ocsp/crl back previous names for ocsp/crl flags
network/ocsp.go
Outdated
if val == nil { | ||
checkOnlyLeafCert = false | ||
} else { | ||
if !ok { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, is it even possible when the getter returns not-nil
value but the ok
will be false?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hm. you are right. actually is not. but if we will leave:
val, _ := getter.Get().(*bool)
if val == nil {
checkOnlyLeafCert = false
} else {
checkOnlyLeafCert = *val
}
as for me, it will not be so obvious after several month why it did so. And I will need spend a time to understand that it is legal)
network/crl.go
Outdated
crlCacheSize = val | ||
} | ||
if f := flags.Lookup(namerFunc(name, "cache_time", "crl")); f != nil { | ||
getter, ok := f.Value.(flag.Getter) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't you think to use just some Parse
methods for flag parsing?
crlCacheSize, err = strconv.ParseUint(f.Value.String(), 10, 0)
if err != nil {
log.WithField("value", getter.Get()).Fatalf("Can't cast %s to integer value", namerFunc(name, "cache_time", "crl"))
}
It will reduce the amount of code plus we can avoid these runtime interface castings.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you are right. will do
network/tls_wrapper.go
Outdated
// incorrect -tls_database_ocsp_url: | ||
|
||
// NamerFunc func compile final parameter name for specified service name | ||
type NamerFunc func(serviceName, parameterName, groupName string) string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like too generic name for me. Maybe we can rename it to something like CLIParamNameConstructorFunc
or something that says that this function constructs the final name for CLI parameters for a specific service. What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agree, will rename
CHANGELOG_DEV.md
Outdated
@@ -1,3 +1,9 @@ | |||
# 0.94.0 - 2022-08-18 | |||
- Removed deprecated `--tls_db_sni` flag. Now is available only `--tls_database_sni`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Removed deprecated `--tls_db_sni` flag. Now is available only `--tls_database_sni`. | |
- Removed deprecated `--tls_db_sni` flag. Now only `--tls_database_sni` is available. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agree, will do it in next batch of commits to run CI once
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
applied your suggestions, @Zhaars , @iamnotacake
network/ocsp.go
Outdated
if val == nil { | ||
checkOnlyLeafCert = false | ||
} else { | ||
if !ok { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hm. you are right. actually is not. but if we will leave:
val, _ := getter.Get().(*bool)
if val == nil {
checkOnlyLeafCert = false
} else {
checkOnlyLeafCert = *val
}
as for me, it will not be so obvious after several month why it did so. And I will need spend a time to understand that it is legal)
network/crl.go
Outdated
crlCacheSize = val | ||
} | ||
if f := flags.Lookup(namerFunc(name, "cache_time", "crl")); f != nil { | ||
getter, ok := f.Value.(flag.Getter) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you are right. will do
network/tls_wrapper.go
Outdated
// incorrect -tls_database_ocsp_url: | ||
|
||
// NamerFunc func compile final parameter name for specified service name | ||
type NamerFunc func(serviceName, parameterName, groupName string) string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agree, will rename
CHANGELOG_DEV.md
Outdated
@@ -1,3 +1,9 @@ | |||
# 0.94.0 - 2022-08-18 | |||
- Removed deprecated `--tls_db_sni` flag. Now is available only `--tls_database_sni`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agree, will do it in next batch of commits to run CI once
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
Here is added function for registering flags for tls configs and final construction tls.Config structs. First candidate for use is Redis. This update will help easily register similar flags to generate config with ocsp/crl usage, same wording and naming. Additionally, it allows generate flags for components that works as client or database which represented in naming (as we do now) and extra flags (like SNI for clients).
Why clients may need separate configuration for different components? For example, if they have several cloud solutions with TLS support, with own CA and server's certificates. For example, if service deployed on AWS, uses AWS's database, uses Elastic cloud for search features and cloud managed Hashicorp Vault.
There are left base common flags (
tls_key/tls_cert/tls_auth/tls_ca
) that works as one-place configuration for all configs that allows to specify only them in the simplest cases.Also, remove the previously deprecated
tls_db_sni
parameter that breaks general design of TLS configuration. And much easier to remove it instead of supporting edge-case.Additionally such configuration extended current
client
/database
parameter separation with separate ocsp/crl parameters.P.S. it is re-created PR from local to repo branch.
Checklist
with new changes