diff --git a/client/client.go b/client/client.go
index 40801a4a0..acb1bffd3 100644
--- a/client/client.go
+++ b/client/client.go
@@ -167,8 +167,8 @@ var (
 func NewClient(cfg *config.Config, consulSyncer *consul.Syncer, logger *log.Logger) (*Client, error) {
 	//Create the tls wrapper
 	var tlsWrap tlsutil.Wrapper
-	if cfg.RpcTLS {
-		tw, err := cfg.TLSConfig().OutgoingTLSWrapper()
+	if cfg.TLSConfig.EnableRPC {
+		tw, err := cfg.TLSConfiguration().OutgoingTLSWrapper()
 		if err != nil {
 			return nil, err
 		}
diff --git a/client/config/config.go b/client/config/config.go
index 14a689030..2cf6d8de4 100644
--- a/client/config/config.go
+++ b/client/config/config.go
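Review bot: `cfg.TLSConfig.EnableRPC` dereferences the new `*config.TLSConfig` pointer field with no nil check, where the old `cfg.RpcTLS` was a plain bool, so any client Config built without that field set (the agent's DefaultConfig() does set `&config.TLSConfig{}`, but other constructors and tests may not) now panics in NewClient instead of simply running without TLS. The same unguarded dereference appears in TLSConfiguration() in client/config/config.go, in tlsConfig() in nomad/config.go and in NewServer in nomad/server.go. Either document on both Config types that TLSConfig must be non-nil, or guard the entry points, e.g. `if cfg.TLSConfig != nil && cfg.TLSConfig.EnableRPC {`. NewClient's body continues outside the hunk.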
@@ -134,31 +134,8 @@ type Config struct {
 	// allocation metrics to remote Telemetry sinks
 	PublishAllocationMetrics bool
 
-	// HttpTLS enables TLS for the HTTP endpoints on the clients.
-	HttpTLS bool
-
-	// RpcTLS enables TLS for the outgoing TLS connections to the Nomad servers.
-	RpcTLS bool
-
-	// VerifyServerHostname is used to enable hostname verification of servers. This
-	// ensures that the certificate presented is valid for server...
-	// This prevents a compromised client from being restarted as a server, and then
-	// intercepting request traffic as well as being added as a raft peer. This should be
-	// enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
-	// existing clients.
-	VerifyServerHostname bool
-
-	// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
-	// or VerifyOutgoing to verify the TLS connection.
-	CAFile string
-
-	// CertFile is used to provide a TLS certificate that is used for serving TLS connections.
-	// Must be provided to serve TLS connections.
-	CertFile string
-
-	// KeyFile is used to provide a TLS key that is used for serving TLS connections.
-	// Must be provided to serve TLS connections.
-	KeyFile string
+	// TLSConfig holds various TLS related configurations
+	TLSConfig *config.TLSConfig
 }
 
 func (c *Config) Copy() *Config {
@@ -255,14 +232,14 @@ func (c *Config) ReadStringListToMapDefault(key, defaultValue string) map[string
 }
 
 // TLSConfig returns a TLSUtil Config based on the client configuration
-func (c *Config) TLSConfig() *tlsutil.Config {
+func (c *Config) TLSConfiguration() *tlsutil.Config {
 	tlsConf := &tlsutil.Config{
 		VerifyIncoming: true,
 		VerifyOutgoing: true,
-		VerifyServerHostname: c.VerifyServerHostname,
-		CAFile: c.CAFile,
-		CertFile: c.CertFile,
-		KeyFile: c.KeyFile,
+		VerifyServerHostname: c.TLSConfig.VerifyServerHostname,
+		CAFile: c.TLSConfig.CAFile,
+		CertFile: c.TLSConfig.CertFile,
+		KeyFile: c.TLSConfig.KeyFile,
 		ServerName: c.Node.Name,
 	}
 	return tlsConf
diff --git a/command/agent/agent.go b/command/agent/agent.go
index 62f38d2ef..8a110119d 100644
--- a/command/agent/agent.go
+++ b/command/agent/agent.go
@@ -244,13 +244,8 @@ func (a *Agent) serverConfig() (*nomad.Config, error) {
 	conf.ConsulConfig = a.config.Consul
 	conf.VaultConfig = a.config.Vault
 
-	// Set the TLS related configs
-	conf.RpcTLS = a.config.TLSConfig.EnableRPC
-	conf.RequireTLS = conf.RpcTLS
-	conf.VerifyServerHostname = a.config.TLSConfig.VerifyServerHostname
-	conf.CAFile = a.config.TLSConfig.CAFile
-	conf.CertFile = a.config.TLSConfig.CertFile
-	conf.KeyFile = a.config.TLSConfig.KeyFile
+	// Set the TLS config
+	conf.TLSConfig = a.config.TLSConfig
 
 	return conf, nil
 }
@@ -367,12 +362,7 @@ func (a *Agent) clientConfig() (*clientconfig.Config, error) {
 	conf.PublishAllocationMetrics = a.config.Telemetry.PublishAllocationMetrics
 
 	// Set the TLS related configs
-	conf.HttpTLS = a.config.TLSConfig.EnableHTTP
-	conf.RpcTLS = a.config.TLSConfig.EnableRPC
-	conf.VerifyServerHostname = a.config.TLSConfig.VerifyServerHostname
-	conf.CAFile = a.config.TLSConfig.CAFile
-	conf.CertFile = a.config.TLSConfig.CertFile
-	conf.KeyFile = a.config.TLSConfig.KeyFile
+	conf.TLSConfig = a.config.TLSConfig
 
 	return conf, nil
 }
diff --git a/command/agent/config.go b/command/agent/config.go
index 19dd5995b..91e7f2018 100644
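Review bot: In the serverConfig() hunk of command/agent/agent.go the removed block also set `conf.RequireTLS = conf.RpcTLS`, and the replacement `conf.TLSConfig = a.config.TLSConfig` assigns nothing to RequireTLS. Unless RequireTLS was removed from nomad.Config elsewhere in this change (the nomad/config.go hunks here do not touch it), the field now keeps its zero value, so a server with RPC TLS enabled no longer requires TLS on incoming connections — a silent downgrade from the previous behaviour. Keep the assignment, e.g. `conf.RequireTLS = a.config.TLSConfig.EnableRPC`, or have the server derive it from `conf.TLSConfig.EnableRPC` at the point where RequireTLS is consumed, and add a short comment saying which of the two is authoritative.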
--- a/command/agent/config.go
+++ b/command/agent/config.go
@@ -114,7 +114,7 @@ type Config struct {
 
 	// TLSConfig provides TLS related configuration for the Nomad server and
 	// client
-	TLSConfig *TLSConfig `mapstructure:"tls"`
+	TLSConfig *config.TLSConfig `mapstructure:"tls"`
 
 	// HTTPAPIResponseHeaders allows users to configure the Nomad http agent to
 	// set arbritrary headers on API responses
@@ -139,36 +139,6 @@ type AtlasConfig struct {
 	Endpoint string `mapstructure:"endpoint"`
 }
 
-// TLSConfig provides TLS related configuration
-type TLSConfig struct {
-
-	// EnableHTTP enabled TLS for http traffic to the Nomad server and clients
-	EnableHTTP bool `mapstructure:"http"`
-
-	// EnableRPC enables TLS for RPC and Raft traffic to the Nomad servers
-	EnableRPC bool `mapstructure:"rpc"`
-
-	// VerifyServerHostname is used to enable hostname verification of servers. This
-	// ensures that the certificate presented is valid for server...
-	// This prevents a compromised client from being restarted as a server, and then
-	// intercepting request traffic as well as being added as a raft peer. This should be
-	// enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
-	// existing clients.
-	VerifyServerHostname bool `mapstructure:"verify_server_hostname"`
-
-	// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
-	// or VerifyOutgoing to verify the TLS connection.
-	CAFile string `mapstructure:"ca_file"`
-
-	// CertFile is used to provide a TLS certificate that is used for serving TLS connections.
-	// Must be provided to serve TLS connections.
-	CertFile string `mapstructure:"cert_file"`
-
-	// KeyFile is used to provide a TLS key that is used for serving TLS connections.
-	// Must be provided to serve TLS connections.
-	KeyFile string `mapstructure:"key_file"`
-}
-
 // ClientConfig is configuration specific to the client mode
 type ClientConfig struct {
 	// Enabled controls if we are a client
@@ -520,7 +490,7 @@ func DefaultConfig() *Config {
 			CollectionInterval: "1s",
 			collectionInterval: 1 * time.Second,
 		},
-		TLSConfig: &TLSConfig{},
+		TLSConfig: &config.TLSConfig{},
 	}
 }
 
@@ -807,32 +777,6 @@ func (a *ClientConfig) Merge(b *ClientConfig) *ClientConfig {
 	return &result
 }
 
-// Merge is used to merge two TLS configs together
-func (t *TLSConfig) Merge(b *TLSConfig) *TLSConfig {
-	result := *t
-
-	if b.EnableHTTP {
-		result.EnableHTTP = true
-	}
-	if b.EnableRPC {
-		result.EnableRPC = true
-	}
-	if b.VerifyServerHostname {
-		result.VerifyServerHostname = true
-	}
-	if b.CAFile != "" {
-		result.CAFile = b.CAFile
-	}
-	if b.CertFile != "" {
-		result.CertFile = b.CertFile
-	}
-	if b.KeyFile != "" {
-		result.KeyFile = b.KeyFile
-	}
-
-	return &result
-}
-
 // Merge is used to merge two telemetry configs together
 func (a *Telemetry) Merge(b *Telemetry) *Telemetry {
 	result := *a
diff --git a/command/agent/config_parse.go b/command/agent/config_parse.go
index 2f12c216e..b0f2ced7b 100644
--- a/command/agent/config_parse.go
+++ b/command/agent/config_parse.go
@@ -652,7 +652,7 @@ func parseConsulConfig(result **config.ConsulConfig, list *ast.ObjectList) error
 	return nil
 }
 
-func parseTLSConfig(result **TLSConfig, list *ast.ObjectList) error {
+func parseTLSConfig(result **config.TLSConfig, list *ast.ObjectList) error {
 	list = list.Elem()
 	if len(list.Items) > 1 {
 		return fmt.Errorf("only one 'tls' block allowed")
@@ -679,7 +679,7 @@ func parseTLSConfig(result **TLSConfig, list *ast.ObjectList) error {
 		return err
 	}
 
-	var tlsConfig TLSConfig
+	var tlsConfig config.TLSConfig
 	if err := mapstructure.WeakDecode(m, &tlsConfig); err != nil {
 		return err
 	}
diff --git a/nomad/config.go b/nomad/config.go
index 212a1262f..37d57bc43 100644
--- a/nomad/config.go
+++ b/nomad/config.go
@@ -193,28 +193,8 @@ type Config struct {
 	// place, and a small jitter is applied to avoid a thundering herd.
 	RPCHoldTimeout time.Duration
 
-	// Enable TLS for incoming RPC calls from Nomad clients
-	RpcTLS bool
-
-	// VerifyServerHostname is used to enable hostname verification of servers. This
-	// ensures that the certificate presented is valid for server...
-	// This prevents a compromised client from being restarted as a server, and then
-	// intercepting request traffic as well as being added as a raft peer. This should be
-	// enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
-	// existing clients.
-	VerifyServerHostname bool
-
-	// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
-	// or VerifyOutgoing to verify the TLS connection.
-	CAFile string
-
-	// CertFile is used to provide a TLS certificate that is used for serving TLS connections.
-	// Must be provided to serve TLS connections.
-	CertFile string
-
-	// KeyFile is used to provide a TLS key that is used for serving TLS connections.
-	// Must be provided to serve TLS connections.
-	KeyFile string
+	// TLSConfig holds various TLS related configurations
+	TLSConfig *config.TLSConfig
 }
 
 // CheckVersion is used to check if the ProtocolVersion is valid
@@ -293,10 +273,10 @@ func (c *Config) tlsConfig() *tlsutil.Config {
 	tlsConf := &tlsutil.Config{
 		VerifyIncoming: true,
 		VerifyOutgoing: true,
-		VerifyServerHostname: c.VerifyServerHostname,
-		CAFile: c.CAFile,
-		CertFile: c.CertFile,
-		KeyFile: c.KeyFile,
+		VerifyServerHostname: c.TLSConfig.VerifyServerHostname,
+		CAFile: c.TLSConfig.CAFile,
+		CertFile: c.TLSConfig.CertFile,
+		KeyFile: c.TLSConfig.KeyFile,
 		ServerName: c.NodeName,
 	}
 	return tlsConf
diff --git a/nomad/server.go b/nomad/server.go
index 68c02355a..9617ebfc8 100644
--- a/nomad/server.go
+++ b/nomad/server.go
@@ -190,7 +190,7 @@ func NewServer(config *Config, consulSyncer *consul.Syncer, logger *log.Logger)
 	// Configure TLS
 	var tlsWrap tlsutil.Wrapper
 	var incomingTLS *tls.Config
-	if config.RpcTLS {
+	if config.TLSConfig.EnableRPC {
 		tlsConf := config.tlsConfig()
 		tw, err := tlsConf.OutgoingTLSWrapper()
 		if err != nil {
diff --git a/nomad/structs/config/tls.go b/nomad/structs/config/tls.go
new file mode 100644
index 000000000..1d1ff290c
--- /dev/null
+++ b/nomad/structs/config/tls.go
@@ -0,0 +1,57 @@
+package config
+
+// TLSConfig provides TLS related configuration
+type TLSConfig struct {
+
+	// EnableHTTP enabled TLS for http traffic to the Nomad server and clients
+	EnableHTTP bool `mapstructure:"http"`
+
+	// EnableRPC enables TLS for RPC and Raft traffic to the Nomad servers
+	EnableRPC bool `mapstructure:"rpc"`
+
+	// VerifyServerHostname is used to enable hostname verification of servers. This
+	// ensures that the certificate presented is valid for server...
+	// This prevents a compromised client from being restarted as a server, and then
+	// intercepting request traffic as well as being added as a raft peer. This should be
+	// enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
+	// existing clients.
+	VerifyServerHostname bool `mapstructure:"verify_server_hostname"`
+
+	// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
+	// or VerifyOutgoing to verify the TLS connection.
+	CAFile string `mapstructure:"ca_file"`
+
+	// CertFile is used to provide a TLS certificate that is used for serving TLS connections.
+	// Must be provided to serve TLS connections.
+	CertFile string `mapstructure:"cert_file"`
+
+	// KeyFile is used to provide a TLS key that is used for serving TLS connections.
+	// Must be provided to serve TLS connections.
+	KeyFile string `mapstructure:"key_file"`
+}
+
+// Merge is used to merge two TLS configs together
+func (t *TLSConfig) Merge(b *TLSConfig) *TLSConfig {
+	result := *t
+
+	if b.EnableHTTP {
+		result.EnableHTTP = true
+	}
+	if b.EnableRPC {
+		result.EnableRPC = true
+	}
+	if b.VerifyServerHostname {
+		result.VerifyServerHostname = true
+	}
+	if b.CAFile != "" {
+		result.CAFile = b.CAFile
+	}
+	if b.CertFile != "" {
+		result.CertFile = b.CertFile
+	}
+	if b.KeyFile != "" {
+		result.KeyFile = b.KeyFile
+	}
+
+	return &result
+}
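Review bot: `Merge` copies `*t` and then reads `b.EnableHTTP` without a nil check on either operand, and now that both the agent and client configs hold `TLSConfig` as a pointer, a nil operand is plausible whenever one side has no `tls` block. The sibling Merge methods in command/agent/config.go follow the same shape, so the caller may already guard this, but a one-line `if b == nil { return &result }` after `result := *t` would make the moved code safe to call directly. The struct doc should also say that the boolean merge is one-way — a true `EnableHTTP`, `EnableRPC` or `VerifyServerHostname` in either config wins, so an override file cannot switch TLS or hostname verification off — and the first field comment has a typo: `// EnableHTTP enables TLS for http traffic to the Nomad server and clients`.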