
feature: enable setup common name whitelist for tls checking #1036

Merged: 1 commit, Apr 11, 2018

Conversation

@yyb196 (Collaborator) commented Apr 2, 2018

Signed-off-by: Frank Yang yyb196@gmail.com

Ⅰ. Describe what this PR did

Enable setting up a common name whitelist for TLS checking: not all certificates recognized by pouchd can connect to pouchd; if --manager-whitelist is specified, only certificates whose common name is in the whitelist will be accepted by pouchd.

Ⅱ. Does this pull request fix one issue?

close #802

Ⅲ. Describe how you did it

Ⅳ. Describe how to verify it

Ⅴ. Special notes for reviews
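As an added illustration of the behaviour this PR describes (not code from the PR or from pouch itself), here is how a CA-signed client certificate is additionally filtered by its common name on the server side with Go's crypto/tls; the names `commonNameVerifier` and `serverTLSConfig` and the sample CNs are assumptions:

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// commonNameVerifier returns a VerifyPeerCertificate callback that accepts a
// client only if its leaf CN is whitelisted; an empty list allows any CA-signed cert.
func commonNameVerifier(whitelist []string) func([][]byte, [][]*x509.Certificate) error {
	allowed := make(map[string]struct{}, len(whitelist))
	for _, cn := range whitelist {
		allowed[cn] = struct{}{}
	}
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		if len(allowed) == 0 {
			return nil
		}
		// verifiedChains is empty unless ClientAuth demanded and verified a client cert.
		if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
			return errors.New("no CA-verified client certificate presented")
		}
		cn := verifiedChains[0][0].Subject.CommonName
		if _, ok := allowed[cn]; !ok {
			return fmt.Errorf("client CN %q is not in the manager whitelist", cn)
		}
		return nil
	}
}

// serverTLSConfig: the CA pool validates the chain, then the callback enforces the CN list.
func serverTLSConfig(cert tls.Certificate, ca *x509.CertPool, whitelist []string) *tls.Config {
	return &tls.Config{
		Certificates:          []tls.Certificate{cert},
		ClientAuth:            tls.RequireAndVerifyClientCert,
		ClientCAs:             ca,
		VerifyPeerCertificate: commonNameVerifier(whitelist),
	}
}

func main() {
	verify := commonNameVerifier([]string{"manager-a"})
	for _, cn := range []string{"manager-a", "stranger"} { // constructed sample CNs, not real certs
		chain := [][]*x509.Certificate{{{Subject: pkix.Name{CommonName: cn}}}}
		fmt.Printf("%s: %v\n", cn, verify(nil, chain))
	}
}
```

The callback runs only after the CA chain check has passed, so a certificate from an untrusted issuer is rejected before the whitelist is consulted.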

main.go Outdated
@@ -82,7 +82,8 @@ func setupFlags(cmd *cobra.Command) {
flagSet.StringVar(&cfg.TLS.Key, "tlskey", "", "Specify key file of TLS")
flagSet.StringVar(&cfg.TLS.Cert, "tlscert", "", "Specify cert file of TLS")
flagSet.StringVar(&cfg.TLS.CA, "tlscacert", "", "Specify CA file of TLS")
flagSet.BoolVar(&cfg.TLS.VerifyRemote, "tlsverify", false, "Use TLS and verify remote")
flagSet.BoolVar(&cfg.TLS.VerifyRemote, "tlsverify", false, "Use TLS and verify re")
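Review bot: the added line at the end of the hunk registers `tlsverify` on `cfg.TLS.VerifyRemote` a second time, with the description truncated to "Use TLS and verify re"; pflag panics on a redefined flag name, and the `--manager-whitelist` flag this PR describes is not registered anywhere in the hunk. Suggest replacing that line with the whitelist registration (a `StringSliceVar` on the TLS config, with a complete description) and leaving the existing `tlsverify` line as it was.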
A Contributor commented on this hunk:

%s/re/remote :)

@codecov-io commented Apr 2, 2018

Codecov Report

Merging #1036 into master will decrease coverage by 0.25%.
The diff coverage is 0%.


@@            Coverage Diff             @@
##           master    #1036      +/-   ##
==========================================
- Coverage   15.96%   15.71%   -0.26%     
==========================================
  Files         161      139      -22     
  Lines        8856     8484     -372     
==========================================
- Hits         1414     1333      -81     
+ Misses       7339     7050     -289     
+ Partials      103      101       -2
Impacted Files Coverage Δ
client/client.go 15.78% <0%> (-12.79%) ⬇️
pkg/kernel/kernel.go 72.72% <0%> (-7.28%) ⬇️
daemon/mgr/image.go 32.12% <0%> (-0.34%) ⬇️
ctrd/snapshot.go 0% <0%> (ø) ⬆️
cli/network.go 0% <0%> (ø) ⬆️
daemon/mgr/spec_volume.go 0% <0%> (ø) ⬆️
ctrd/watch.go 0% <0%> (ø) ⬆️
daemon/mgr/cri_stream.go 0% <0%> (ø) ⬆️
daemon/mgr/container_types.go 15.38% <0%> (ø) ⬆️
... and 42 more


Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6678f07...23578fe.

@pouchrobot pouchrobot added size/XL and removed size/L labels Apr 2, 2018
@allencloud allencloud changed the title from "[feature] enable setup common name whitelist for tls checking" to "feature: enable setup common name whitelist for tls checking" Apr 3, 2018
@allencloud (Collaborator) commented:

Could you help review this PR for @yyb196? @Ace-Tang
Thanks a lot.

@Ace-Tang (Contributor) commented:

LGTM

@pouchrobot pouchrobot added LGTM (one maintainer or community participant agrees to merge the pull request) and conflict/needs-rebase, and removed LGTM (one maintainer or community participant agrees to merge the pull request) and conflict/needs-rebase labels Apr 10, 2018
@pouchrobot pouchrobot removed the size/S label Apr 10, 2018
@allencloud (Collaborator) commented:

I reran the CI and submitted issue #1095 to record this flaky test.

s.addRoute(r, http.MethodGet, "/containers/{name:.*}/json", s.getContainer)
s.addRoute(r, http.MethodDelete, "/containers/{name:.*}", s.removeContainers)
s.addRoute(r, http.MethodPost, "/containers/{name:.*}/exec", s.createContainerExec)
s.addRoute(r, http.MethodPost, "/exec/{name:.*}/start", s.startContainerExec)
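Review bot: between the `/containers/{name:.*}/exec` and `/exec/{name:.*}/start` registrations, the `GET /exec/{name:.*}/json` route served by `s.getExecInfo` is missing, so the exec-inspect endpoint is unreachable after the rebase and the CI failure is expected; restore `s.addRoute(r, http.MethodGet, "/exec/{name:.*}/json", s.getExecInfo)` here.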
A Collaborator commented on this hunk:

I think it is your missing line of code, addRoute(r, http.MethodGet, "/exec/{name:.*}/json", s.getExecInfo), that leads to the CI failure.

Signed-off-by: Frank Yang <yyb196@gmail.com>
@allencloud (Collaborator) commented:

LGTM

@pouchrobot pouchrobot added the LGTM (one maintainer or community participant agrees to merge the pull request) label Apr 11, 2018
@allencloud (Collaborator) commented:

I am wondering if we should add more documentation in https://github.com/alibaba/pouch/blob/master/docs/features/pouch_with_tls.md to tell people how to use this feature. Thanks. @yyb196

@allencloud allencloud merged commit 34c5a06 into AliyunContainerService:master Apr 11, 2018
Labels: kind/feature, LGTM (one maintainer or community participant agrees to merge the pull request), size/L

Linked issue closed by this pull request: [feature request] need ability to set tls name whitelist for client who can connect to pouch daemon