This commit adds the option to configure TLS or mTLS on the server. There is also a script to generate certs for testing, which can be found at `hack/scripts/gen_local_certs.sh`. To manually test I did the following:

```
./hack/scripts/gen_local_certs.sh all --host localhost --cfssl $(which cfssl) --cfssljson $(which cfssljson)
make build
sudo ./bin/flintlockd run \
  --containerd-socket=/run/containerd-dev/containerd.sock \
  --parent-iface="${NET_DEVICE}" \
  --grpc-endpoint=localhost:9091 \
  --tls-cert localhost/localhost.pem \
  --tls-key localhost/localhost-key.pem \
  --tls-client-ca localhost/intermediate-ca.pem \
  --tls-client-validate
```

I added `localhost/liquidmetalclient1.pem` and the CA to `hammertime`, and verified that the request failed without the certs.

On start, flintlockd will log whether TLS is enabled or disabled:

```
...
INFO[0000] flintlockd, version=undefined, built_on=undefined, commit=undefined
INFO[0000] flintlockd grpc api server starting
WARN[0000] basic authentication is DISABLED
INFO[0000] TLS is enabled
INFO[0000] starting microvm controller
INFO[0000] starting microvm controller with 1 workers  controller=microvm
...
```

There are unit tests for the validation, but to test that the certs have been wired in to the server properly, I will need to add some e2e layer testing. I am going to tackle that in another ticket.

Co-authored-by: Richard Case <richard@weave.works>
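The server-side wiring that the `--tls-cert`, `--tls-key`, `--tls-client-ca` and `--tls-client-validate` flags describe, as an added example in Go that is not flintlock's code (the `TLSOptions`, `Validate`, `ServerConfig`, `Handshake` and `IssueCert` names are this example's own assumptions). It validates the flag combinations, builds the `tls.Config` that turns client validation into `RequireAndVerifyClientCert`, and mints a throwaway CA plus leaf certificates so a loopback handshake can show what the manual `hammertime` test observed: with validation on, a client without a certificate (or with one from a different CA) is turned away, while plain TLS still accepts an anonymous client. One practitioner caveat it encodes: under TLS 1.3 the client's `Dial` succeeds before the server has checked the client certificate, so the rejection only shows up on the first read.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net"
	"time"
)

// TLSOptions mirrors the commit message's flags; all names here are the example's own, not flintlock's.
type TLSOptions struct {
	CertFile, KeyFile, ClientCAFile string
	ClientValidate                  bool
}

// Validate rejects inconsistent flag combinations before any file is read.
func (o TLSOptions) Validate() error {
	switch {
	case o.CertFile == "" && o.KeyFile == "" && !o.ClientValidate:
		return nil // TLS disabled
	case o.CertFile == "" || o.KeyFile == "":
		return errors.New("tls: both --tls-cert and --tls-key are required")
	case o.ClientValidate && o.ClientCAFile == "":
		return errors.New("tls: --tls-client-validate requires --tls-client-ca")
	}
	return nil
}

// ServerConfig builds the server-side tls.Config from PEM bytes. With validate
// set, the server demands a client certificate chaining to caPEM (mTLS).
func ServerConfig(certPEM, keyPEM, caPEM []byte, validate bool) (*tls.Config, error) {
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	if validate {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("tls: client CA bundle holds no certificates")
		}
		cfg.ClientCAs, cfg.ClientAuth = pool, tls.RequireAndVerifyClientCert
	}
	return cfg, nil
}

// Handshake dials a loopback server and returns nil only if the server accepted the
// client. Under TLS 1.3 a client-cert rejection surfaces on the first Read, not on Dial.
func Handshake(server, client *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.Write([]byte("ok")) // runs the server handshake; nothing is sent if it fails
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = conn.Read(make([]byte, 2))
	return err
}

// IssueCert mints a cert for this example's constructed PKI: a self-signed CA if isCA, else a leaf signed by parent.
func IssueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (certPEM, keyPEM []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) {
	key, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	signer, signKey := parent, parentKey
	if isCA { // self-signed: sign with its own key and allow it to issue certs
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, signKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	cert, _ = x509.ParseCertificate(der)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return
}
```

`ServerConfig` deliberately sets `ClientAuth` only when validation is requested: with `--tls-cert`/`--tls-key` alone the server authenticates itself but accepts anonymous clients, which is the "TLS is enabled" case without mTLS. The Go client also only offers a certificate whose issuer appears in the server's acceptable-CA list, so a certificate from a foreign CA is refused either by the client declining to send it or by the server failing to verify it; both end in the same rejected handshake.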