diff --git a/dgraph/cmd/alpha/run.go b/dgraph/cmd/alpha/run.go
index 1b0d5fce7a2..842514735ea 100644
--- a/dgraph/cmd/alpha/run.go
+++ b/dgraph/cmd/alpha/run.go
@@ -197,7 +197,7 @@ they form a Raft group and provide synchronous replication.
 `Cache percentages summing up to 100 for various caches (FORMAT: PostingListCache,PstoreBlockCache,PstoreIndexCache,WAL).`)
- x.RegisterClusterTLSFlags(flag)
+ x.RegisterNodeTLSFlags(flag)
 }
 func setupCustomTokenizers() {
@@ -653,7 +653,7 @@ func run() {
 abortDur, err := time.ParseDuration(Alpha.Conf.GetString("abort_older_than"))
 x.Check(err)
- tlsConf, err := x.LoadClusterTLSClientHelperConfig(Alpha.Conf)
+ tlsConf, err := x.LoadNodeTLSClientHelperConfig(Alpha.Conf)
 if err != nil {
 glog.Error("unable to read tls config for internal communication ", err)
 return
@@ -674,7 +674,7 @@ func run() {
 LudicrousMode: Alpha.Conf.GetBool("ludicrous_mode"),
 LudicrousConcurrency: Alpha.Conf.GetInt("ludicrous_concurrency"),
 TLSClientConfig: tlsConf,
- TLSDir: Alpha.Conf.GetString("cluster_tls_dir"),
+ TLSDir: Alpha.Conf.GetString("node_tls_dir"),
 }
 x.WorkerConfig.Parse(Alpha.Conf)
diff --git a/dgraph/cmd/bulk/loader.go b/dgraph/cmd/bulk/loader.go
index 4ada9db0be2..a309c107f51 100644
--- a/dgraph/cmd/bulk/loader.go
+++ b/dgraph/cmd/bulk/loader.go
@@ -115,7 +115,7 @@ func newLoader(opt *options) *loader {
 ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 defer cancel()
- config, err := x.LoadClusterTLSClientHelperConfig(Bulk.Conf)
+ config, err := x.LoadNodeTLSClientHelperConfig(Bulk.Conf)
 x.Check(err)
 tlsConf, err := x.GenerateClientTLSConfig(config)
 x.Check(err)
diff --git a/dgraph/cmd/bulk/run.go b/dgraph/cmd/bulk/run.go
index 3e0b75922db..f572b210faa 100644
--- a/dgraph/cmd/bulk/run.go
+++ b/dgraph/cmd/bulk/run.go
@@ -117,7 +117,7 @@ func init() {
 "Cache percentages summing up to 100 for various caches"+
 " (FORMAT: BlockCacheSize, IndexCacheSize).")
- x.RegisterClusterTLSFlags(flag)
+ x.RegisterNodeTLSFlags(flag)
 // Encryption and Vault options
 enc.RegisterFlags(flag)
diff --git a/dgraph/cmd/live/run.go b/dgraph/cmd/live/run.go
index e986deef4e7..5f06853c8ad 100644
--- a/dgraph/cmd/live/run.go
+++ b/dgraph/cmd/live/run.go
@@ -166,7 +166,7 @@ func init() {
 enc.RegisterFlags(flag)
 // TLS configuration
 x.RegisterClientTLSFlags(flag)
- x.RegisterClusterTLSFlags(flag)
+ x.RegisterNodeTLSFlags(flag)
 }
 func getSchema(ctx context.Context, dgraphClient *dgo.Dgraph) (*schema, error) {
@@ -544,7 +544,7 @@ func setup(opts batchMutationOptions, dc *dgo.Dgraph, conf *viper.Viper) *loader
 tlsConfig, tlsErr = x.SlashTLSConfig(conf.GetString("slash_grpc_endpoint"))
 x.Checkf(tlsErr, "Unable to generate TLS Cert Pool")
 } else {
- helperConfig, err := x.LoadClusterTLSClientHelperConfig(conf)
+ helperConfig, err := x.LoadNodeTLSClientHelperConfig(conf)
 x.Checkf(err, "Unable to generate helper TLS config")
 tlsConfig, err = x.GenerateClientTLSConfig(helperConfig)
 x.Checkf(err, "Unable to generate TLS Cert Pool")
diff --git a/dgraph/cmd/zero/run.go b/dgraph/cmd/zero/run.go
index 28c25facd22..b3ddef8c11d 100644
--- a/dgraph/cmd/zero/run.go
+++ b/dgraph/cmd/zero/run.go
@@ -95,7 +95,7 @@ instances to achieve high-availability.
 flag.Duration("rebalance_interval", 8*time.Minute, "Interval for trying a predicate move.")
 flag.String("enterprise_license", "", "Path to the enterprise license file.")
- x.RegisterClusterTLSFlags(flag)
+ x.RegisterNodeTLSFlags(flag)
 }
 func setupListener(addr string, port int, kind string) (listener net.Listener, err error) {
@@ -119,7 +119,7 @@ func (st *state) serveGRPC(l net.Listener, store *raftwal.DiskStorage) {
 grpc.StatsHandler(&ocgrpc.ServerHandler{}),
 }
- cnf := x.LoadClusterTLSServerHelperConfig(Zero.Conf.GetString("cluster_tls_dir"))
+ cnf := x.LoadNodeTLSServerHelperConfig(Zero.Conf.GetString("node_tls_dir"))
 tlsConf, err := x.GenerateServerTLSConfig(cnf)
 x.Check(err)
@@ -182,7 +182,7 @@ func run() {
 tlsDisRoutes = strings.Split(Zero.Conf.GetString("tls_disabled_route"), ",")
 }
- tlsConf, err := x.LoadClusterTLSClientHelperConfig(Zero.Conf)
+ tlsConf, err := x.LoadNodeTLSClientHelperConfig(Zero.Conf)
 if err != nil {
 glog.Error("unable to load tls config for internal communication ", err)
 return
diff --git a/ee/backup/run.go b/ee/backup/run.go
index 1d0453eb33a..b28dd5f7b71 100644
--- a/ee/backup/run.go
+++ b/ee/backup/run.go
@@ -122,7 +122,7 @@ $ dgraph restore -p . -l /var/backups/dgraph -z localhost:5080
 "update the timestamp and max uid when you start the cluster. The correct values are "+
 "printed near the end of this command's output.")
 enc.RegisterFlags(flag)
- x.RegisterClusterTLSFlags(flag)
+ x.RegisterNodeTLSFlags(flag)
 _ = Restore.Cmd.MarkFlagRequired("postings")
 _ = Restore.Cmd.MarkFlagRequired("location")
 }
@@ -198,7 +198,7 @@ func runRestoreCmd() error {
 ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 defer cancel()
- helperConfig, err := x.LoadClusterTLSClientHelperConfig(Restore.Conf)
+ helperConfig, err := x.LoadNodeTLSClientHelperConfig(Restore.Conf)
 x.Checkf(err, "Unable to generate helper TLS config")
 tlsConfig, err := x.GenerateClientTLSConfig(helperConfig)
 x.Checkf(err, "Unable to generate TLS Cert Pool")
diff --git a/tlstest/mtls_internal/acl/docker-compose.yml b/tlstest/mtls_internal/acl/docker-compose.yml
index e4ea9d5248f..a2cd1ffffcd 100644
--- a/tlstest/mtls_internal/acl/docker-compose.yml
+++ b/tlstest/mtls_internal/acl/docker-compose.yml
@@ -23,7 +23,7 @@ services:
 target: /dgraph-tls
 read_only: true
 command: /gobin/dgraph alpha -o 100 --my=alpha1:7180 --zero=zero1:5180
- --logtostderr -v=2 --cluster_tls_dir /dgraph-tls --cluster_tls_server_name alpha1 --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --tls_dir /dgraph-tls
+ --logtostderr -v=2 --node_tls_dir /dgraph-tls --node_tls_server_name alpha1 --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --tls_dir /dgraph-tls
 --tls_client_auth VERIFYIFGIVEN --acl_secret_file /dgraph-acl/hmac-secret
 zero1:
 image: dgraph/dgraph:latest
@@ -43,6 +43,6 @@ services:
 source: ../tls/zero1
 target: /dgraph-tls
 read_only: true
- command: /gobin/dgraph zero -o 100 --idx=1 --my=zero1:5180 --logtostderr --cluster_tls_dir /dgraph-tls --cluster_tls_server_name zero1
+ command: /gobin/dgraph zero -o 100 --idx=1 --my=zero1:5180 --logtostderr --node_tls_dir /dgraph-tls --node_tls_server_name zero1
 -v=2 --bindall
 volumes: {}
diff --git a/tlstest/mtls_internal/ha_6_node/docker-compose.yml b/tlstest/mtls_internal/ha_6_node/docker-compose.yml
index b59446859fa..a75da79e3fb 100644
--- a/tlstest/mtls_internal/ha_6_node/docker-compose.yml
+++ b/tlstest/mtls_internal/ha_6_node/docker-compose.yml
@@ -19,7 +19,7 @@ services:
 target: /dgraph-tls
 read_only: true
 command: /gobin/dgraph alpha -o 100 --my=alpha1:7180 --zero=zero1:5180
- --logtostderr -v=2 --cluster_tls_dir /dgraph-tls --cluster_tls_server_name alpha1
+ --logtostderr -v=2 --node_tls_dir /dgraph-tls --node_tls_server_name alpha1
 --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 alpha2:
 image: dgraph/dgraph:latest
@@ -40,7 +40,7 @@ services:
 target: /dgraph-tls
 read_only: true
 command: /gobin/dgraph alpha -o 200 --my=alpha2:7280 --zero=zero1:5180
- --logtostderr -v=2 --cluster_tls_dir /dgraph-tls --cluster_tls_server_name alpha2
+ --logtostderr -v=2 --node_tls_dir /dgraph-tls --node_tls_server_name alpha2
 --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 alpha3:
 image: dgraph/dgraph:latest
@@ -61,7 +61,7 @@ services:
 target: /dgraph-tls
 read_only: true
 command: /gobin/dgraph alpha -o 300 --my=alpha3:7380 --zero=zero1:5180
- --logtostderr -v=2 --cluster_tls_dir /dgraph-tls --cluster_tls_server_name alpha3
+ --logtostderr -v=2 --node_tls_dir /dgraph-tls --node_tls_server_name alpha3
 --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 zero1:
 image: dgraph/dgraph:latest
@@ -81,7 +81,7 @@ services:
 source: ../tls/zero1
 target: /dgraph-tls
 read_only: true
- command: /gobin/dgraph zero -o 100 --idx=1 --replicas 3 --my=zero1:5180 --logtostderr --cluster_tls_dir /dgraph-tls --cluster_tls_server_name zero1
+ command: /gobin/dgraph zero -o 100 --idx=1 --replicas 3 --my=zero1:5180 --logtostderr --node_tls_dir /dgraph-tls --node_tls_server_name zero1
 -v=2 --bindall
 zero2:
 image: dgraph/dgraph:latest
@@ -101,7 +101,7 @@ services:
 source: ../tls/zero2
 target: /dgraph-tls
 read_only: true
- command: /gobin/dgraph zero -o 200 --idx=2 --replicas 3 --my=zero2:5280 --logtostderr --peer zero1:5180 --cluster_tls_dir /dgraph-tls --cluster_tls_server_name zero2
+ command: /gobin/dgraph zero -o 200 --idx=2 --replicas 3 --my=zero2:5280 --logtostderr --peer zero1:5180 --node_tls_dir /dgraph-tls --node_tls_server_name zero2
 -v=2 --bindall
 zero3:
 image: dgraph/dgraph:latest
@@ -121,6 +121,6 @@ services:
 source: ../tls/zero3
 target: /dgraph-tls
 read_only: true
- command: /gobin/dgraph zero -o 300 --idx=3 --replicas 3 --my=zero3:5380 --logtostderr --peer zero1:5180 --cluster_tls_dir /dgraph-tls --cluster_tls_server_name zero3
+ command: /gobin/dgraph zero -o 300 --idx=3 --replicas 3 --my=zero3:5380 --logtostderr --peer zero1:5180 --node_tls_dir /dgraph-tls --node_tls_server_name zero3
 -v=2 --bindall
 volumes: {}
diff --git a/tlstest/mtls_internal/multi_group/docker-compose.yml b/tlstest/mtls_internal/multi_group/docker-compose.yml
index 2b970822480..da51e3f7782 100644
--- a/tlstest/mtls_internal/multi_group/docker-compose.yml
+++ b/tlstest/mtls_internal/multi_group/docker-compose.yml
@@ -19,7 +19,7 @@ services:
 target: /dgraph-tls
 read_only: true
 command: /gobin/dgraph alpha -o 100 --my=alpha1:7180 --zero=zero1:5180
- --logtostderr -v=2 --cluster_tls_dir /dgraph-tls --cluster_tls_server_name alpha1
+ --logtostderr -v=2 --node_tls_dir /dgraph-tls --node_tls_server_name alpha1
 --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 alpha2:
 image: dgraph/dgraph:latest
@@ -40,7 +40,7 @@ services:
 target: /dgraph-tls
 read_only: true
 command: /gobin/dgraph alpha -o 200 --my=alpha2:7280 --zero=zero1:5180
- --logtostderr -v=2 --cluster_tls_dir /dgraph-tls --cluster_tls_server_name alpha2
+ --logtostderr -v=2 --node_tls_dir /dgraph-tls --node_tls_server_name alpha2
 --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 alpha3:
 image: dgraph/dgraph:latest
@@ -61,7 +61,7 @@ services:
 target: /dgraph-tls
 read_only: true
 command: /gobin/dgraph alpha -o 300 --my=alpha3:7380 --zero=zero1:5180
- --logtostderr -v=2 --cluster_tls_dir /dgraph-tls --cluster_tls_server_name alpha3
+ --logtostderr -v=2 --node_tls_dir /dgraph-tls --node_tls_server_name alpha3
 --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 zero1:
 image: dgraph/dgraph:latest
@@ -81,6 +81,6 @@ services:
 source: ../tls/zero1
 target: /dgraph-tls
 read_only: true
- command: /gobin/dgraph zero -o 100 --idx=1 --my=zero1:5180 --logtostderr --cluster_tls_dir /dgraph-tls --cluster_tls_server_name zero1
+ command: /gobin/dgraph zero -o 100 --idx=1 --my=zero1:5180 --logtostderr --node_tls_dir /dgraph-tls --node_tls_server_name zero1
 -v=2 --bindall
 volumes: {}
diff --git a/tlstest/mtls_internal/online-restore/docker-compose.yml b/tlstest/mtls_internal/online-restore/docker-compose.yml
index 6c8989c3d04..d7f8f193593 100644
--- a/tlstest/mtls_internal/online-restore/docker-compose.yml
+++ b/tlstest/mtls_internal/online-restore/docker-compose.yml
@@ -27,7 +27,7 @@ services:
 target: /dgraph-tls
 read_only: true
 command: /gobin/dgraph alpha -o 100 --my=alpha1:7180 --zero=zero1:5180
- --logtostderr -v=2 --cluster_tls_dir /dgraph-tls --cluster_tls_server_name alpha1 --idx=1 --encryption_key_file /data/keys/enc_key
+ --logtostderr -v=2 --node_tls_dir /dgraph-tls --node_tls_server_name alpha1 --idx=1 --encryption_key_file /data/keys/enc_key
 --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 alpha2:
 image: dgraph/dgraph:latest
@@ -58,7 +58,7 @@ services:
 target: /dgraph-tls
 read_only: true
 command: /gobin/dgraph alpha -o 102 --my=alpha2:7182 --zero=zero1:5180
- --logtostderr -v=2 --cluster_tls_dir /dgraph-tls --cluster_tls_server_name alpha2 --idx=2 --encryption_key_file /data/keys/enc_key
+ --logtostderr -v=2 --node_tls_dir /dgraph-tls --node_tls_server_name alpha2 --idx=2 --encryption_key_file /data/keys/enc_key
 --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 alpha3:
 image: dgraph/dgraph:latest
@@ -89,7 +89,7 @@ services:
 target: /dgraph-tls
 read_only: true
 command: /gobin/dgraph alpha -o 103 --my=alpha3:7183 --zero=zero1:5180
- --logtostderr -v=2 --cluster_tls_dir /dgraph-tls --cluster_tls_server_name alpha3 --idx=3 --encryption_key_file /data/keys/enc_key
+ --logtostderr -v=2 --node_tls_dir /dgraph-tls --node_tls_server_name alpha3 --idx=3 --encryption_key_file /data/keys/enc_key
 --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 alpha4:
 image: dgraph/dgraph:latest
@@ -120,7 +120,7 @@ services:
 target: /dgraph-tls
 read_only: true
 command: /gobin/dgraph alpha -o 104 --my=alpha4:7184 --zero=zero1:5180
- --logtostderr -v=2 --cluster_tls_dir /dgraph-tls --cluster_tls_server_name alpha4 --idx=4 --encryption_key_file /data/keys/enc_key
+ --logtostderr -v=2 --node_tls_dir /dgraph-tls --node_tls_server_name alpha4 --idx=4 --encryption_key_file /data/keys/enc_key
 --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 alpha5:
 image: dgraph/dgraph:latest
@@ -151,7 +151,7 @@ services:
 target: /dgraph-tls
 read_only: true
 command: /gobin/dgraph alpha -o 105 --my=alpha5:7185 --zero=zero1:5180
- --logtostderr -v=2 --cluster_tls_dir /dgraph-tls --cluster_tls_server_name alpha5 --idx=5 --encryption_key_file /data/keys/enc_key
+ --logtostderr -v=2 --node_tls_dir /dgraph-tls --node_tls_server_name alpha5 --idx=5 --encryption_key_file /data/keys/enc_key
 --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 alpha6:
 image: dgraph/dgraph:latest
@@ -182,7 +182,7 @@ services:
 target: /dgraph-tls
 read_only: true
 command: /gobin/dgraph alpha -o 106 --my=alpha6:7186 --zero=zero1:5180
- --logtostderr -v=2 --cluster_tls_dir /dgraph-tls --cluster_tls_server_name alpha6 --idx=6 --encryption_key_file /data/keys/enc_key
+ --logtostderr -v=2 --node_tls_dir /dgraph-tls --node_tls_server_name alpha6 --idx=6 --encryption_key_file /data/keys/enc_key
 --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 ratel:
 image: dgraph/dgraph:latest
@@ -208,6 +208,6 @@ services:
 source: ../tls/zero1
 target: /dgraph-tls
 read_only: true
- command: /gobin/dgraph zero -o 100 --idx=1 --my=zero1:5180 --replicas=3 --cluster_tls_dir /dgraph-tls --cluster_tls_server_name zero1 --logtostderr
+ command: /gobin/dgraph zero -o 100 --idx=1 --my=zero1:5180 --replicas=3 --node_tls_dir /dgraph-tls --node_tls_server_name zero1 --logtostderr
 -v=2 --bindall
 volumes: {}
diff --git a/tlstest/mtls_internal/single_node/docker-compose.yml b/tlstest/mtls_internal/single_node/docker-compose.yml
index dfe7ee3481f..8110bbfb53c 100644
--- a/tlstest/mtls_internal/single_node/docker-compose.yml
+++ b/tlstest/mtls_internal/single_node/docker-compose.yml
@@ -19,7 +19,7 @@ services:
 target: /dgraph-tls
 read_only: true
 command: /gobin/dgraph alpha -o 100 --my=alpha1:7180 --zero=zero1:5180
- --logtostderr -v=2 --cluster_tls_dir /dgraph-tls --cluster_tls_server_name alpha1
+ --logtostderr -v=2 --node_tls_dir /dgraph-tls --node_tls_server_name alpha1
 --whitelist=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 zero1:
 image: dgraph/dgraph:latest
@@ -39,6 +39,6 @@ services:
 source: ../tls/zero1
 target: /dgraph-tls
 read_only: true
- command: /gobin/dgraph zero -o 100 --idx=1 --my=zero1:5180 --logtostderr --cluster_tls_dir /dgraph-tls --cluster_tls_server_name zero1
+ command: /gobin/dgraph zero -o 100 --idx=1 --my=zero1:5180 --logtostderr --node_tls_dir /dgraph-tls --node_tls_server_name zero1
 -v=2 --bindall
 volumes: {}
diff --git a/worker/worker.go b/worker/worker.go
index 7b6567cda7d..0665bacaaf6 100644
--- a/worker/worker.go
+++ b/worker/worker.go
@@ -71,7 +71,7 @@ func Init(ps *badger.DB) {
 grpc.StatsHandler(&ocgrpc.ServerHandler{}),
 }
- cnf := x.LoadClusterTLSServerHelperConfig(x.WorkerConfig.TLSDir)
+ cnf := x.LoadNodeTLSServerHelperConfig(x.WorkerConfig.TLSDir)
 tlsConf, err := x.GenerateServerTLSConfig(cnf)
 x.Check(err)
diff --git a/x/tls_helper.go b/x/tls_helper.go
index ab7a4216b22..9a8fecd5aec 100644
--- a/x/tls_helper.go
+++ b/x/tls_helper.go
@@ -55,14 +55,14 @@ func RegisterClientTLSFlags(flag *pflag.FlagSet) {
 "provided by the client to the server.")
 }
-func RegisterClusterTLSFlags(flag *pflag.FlagSet) {
- flag.String("cluster_tls_dir", "",
+func RegisterNodeTLSFlags(flag *pflag.FlagSet) {
+ flag.String("node_tls_dir", "",
 "Path to directory that has mTLS certificates and keys for dgraph internal communication")
- flag.String("cluster_tls_server_name", "",
+ flag.String("node_tls_server_name", "",
 "server name to be used for mTLS for dgraph internal communication")
 }
-func LoadClusterTLSServerHelperConfig(certDir string) *TLSHelperConfig {
+func LoadNodeTLSServerHelperConfig(certDir string) *TLSHelperConfig {
 if certDir == "" {
 return nil
 }
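Review bot: Renaming the flags to `node_tls_dir`/`node_tls_server_name` without keeping the old `cluster_tls_*` names as deprecated aliases turns an unchanged operator config into a silent mTLS downgrade path: a config file or environment that still sets `cluster_tls_dir` is no longer consulted, `LoadNodeTLSClientHelperConfig` (next hunk) then returns `nil, nil` and the server helper above returns `nil` for an empty dir, so internal traffic would presumably come up without TLS and without any error (on the command line cobra/pflag should reject the unknown flag, so this concerns file- and env-sourced settings). Keeping both names for a release, e.g. `flag.String("cluster_tls_dir", "", "Deprecated: use --node_tls_dir.")` followed by `_ = flag.MarkDeprecated("cluster_tls_dir", "use --node_tls_dir instead")`, with the loaders reading whichever is set, avoids the downgrade. The following hunk also drops `conf.ClientAuth = "REQUIREANDVERIFY"` from the client helper config, which goes beyond a rename; if the field is unused when generating a client-side config the commit message should say so, otherwise the line needs to stay. None of the three renamed exported functions has a doc comment; a line such as `// RegisterNodeTLSFlags registers the flags for mTLS between dgraph nodes.` on each would satisfy golint.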
@@ -78,22 +78,21 @@ func LoadClusterTLSServerHelperConfig(certDir string) *TLSHelperConfig {
 return conf
 }
-func LoadClusterTLSClientHelperConfig(v *viper.Viper) (*TLSHelperConfig, error) {
+func LoadNodeTLSClientHelperConfig(v *viper.Viper) (*TLSHelperConfig, error) {
 conf := &TLSHelperConfig{}
 conf.UseSystemCACerts = true
- conf.CertDir = v.GetString("cluster_tls_dir")
+ conf.CertDir = v.GetString("node_tls_dir")
 if conf.CertDir != "" {
 conf.CertRequired = true
 conf.RootCACert = path.Join(conf.CertDir, tlsRootCert)
- conf.Cert = path.Join(conf.CertDir, "client." + v.GetString("cluster_tls_server_name") + ".crt")
- conf.Key = path.Join(conf.CertDir, "client." + v.GetString("cluster_tls_server_name") + ".key")
- conf.ClientAuth = "REQUIREANDVERIFY"
- conf.ServerName= v.GetString("cluster_tls_server_name")
+ conf.Cert = path.Join(conf.CertDir, "client." + v.GetString("node_tls_server_name") + ".crt")
+ conf.Key = path.Join(conf.CertDir, "client." + v.GetString("node_tls_server_name") + ".key")
+ conf.ServerName= v.GetString("node_tls_server_name")
 return conf, nil
 }
- if v.GetString("cluster_tls_server_name") != "" {
- return nil, errors.Errorf("--cluster_tls_dir is required for enabling TLS")
+ if v.GetString("node_tls_server_name") != "" {
+ return nil, errors.Errorf("--node_tls_dir is required for enabling TLS")
 }
 return nil, nil