Skip to content
Open
Show file tree
Hide file tree
Changes from 14 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 15 additions & 2 deletions client/v2/client.go
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,18 @@ type HTTPConfig struct {
// DialContext specifies the dial function for creating unencrypted TCP connections.
// If DialContext is nil then the transport dials using package net.
DialContext func(ctx context.Context, network, addr string) (net.Conn, error)

// DialTLSContext specifies the dial function for creating TLS connections for
// non-proxied HTTPS requests. The returned connection is assumed to have
// already completed its TLS handshake. It allows the TLS configuration to be
// resolved per connection instead of being fixed when the client is created.
//
// When DialTLSContext is set, TLSConfig is only used for proxied requests,
// which tunnel through the proxy and so do not use this function. Set both to
// keep proxied requests working.
//
// If DialTLSContext is nil then DialContext and TLSConfig are used.
DialTLSContext func(ctx context.Context, network, addr string) (net.Conn, error)
}

// BatchPointsConfig is the config data needed to create an instance of the BatchPoints struct.
Expand Down Expand Up @@ -125,8 +137,9 @@ func NewHTTPClient(conf HTTPConfig) (HTTPClient, error) {
TLSClientConfig: &tls.Config{
InsecureSkipVerify: conf.InsecureSkipVerify,
},
Proxy: conf.Proxy,
DialContext: conf.DialContext,
Proxy: conf.Proxy,
DialContext: conf.DialContext,
DialTLSContext: conf.DialTLSContext,
}
if conf.TLSConfig != nil {
// A supplied TLSConfig is used as-is, including its own
Expand Down
36 changes: 26 additions & 10 deletions cmd/influxd/run/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ import (
"github.com/influxdata/influxdb/logger"
"github.com/influxdata/influxdb/models"
"github.com/influxdata/influxdb/monitor"
"github.com/influxdata/influxdb/pkg/tlsconfig"
prometheus2 "github.com/influxdata/influxdb/prometheus"
"github.com/influxdata/influxdb/query"
"github.com/influxdata/influxdb/query/control"
Expand Down Expand Up @@ -80,6 +81,10 @@ type Server struct {
err chan error
closing chan struct{}

// certMonitor is the TLS certificate monitor all TLSConfigManager objects
// in influxd should use.
certMonitor *tlsconfig.TLSCertMonitor

BindAddress string
Listener net.Listener

Expand Down Expand Up @@ -197,6 +202,8 @@ func NewServer(c *Config, buildInfo *BuildInfo) (*Server, error) {

reportingDisabled: c.ReportingDisabled,

certMonitor: tlsconfig.NewTLSCertMonitor(),

httpAPIAddr: c.HTTPD.BindAddress,
httpUseTLS: c.HTTPD.HTTPSEnabled,

Expand All @@ -217,7 +224,7 @@ func NewServer(c *Config, buildInfo *BuildInfo) (*Server, error) {
s.TSDBStore.EngineOptions.IndexVersion = c.Data.Index

// Create the Subscriber service
s.Subscriber = subscriber.NewService(c.Subscriber)
s.Subscriber = subscriber.NewService(c.Subscriber, s.certMonitor)

// Initialize points writer.
s.PointsWriter = coordinator.NewPointsWriter()
Expand Down Expand Up @@ -308,11 +315,11 @@ func (s *Server) appendRetentionPolicyService(c retention.Config) {
s.Services = append(s.Services, srv)
}

func (s *Server) appendHTTPDService(c httpd.Config) error {
func (s *Server) appendHTTPDService(c httpd.Config, certMonitor *tlsconfig.TLSCertMonitor) error {
if !c.Enabled {
return nil
}
srv := httpd.NewService(c)
srv := httpd.NewService(c, certMonitor)
srv.Handler.MetaClient = s.MetaClient
authorizer := meta.NewQueryAuthorizer(s.MetaClient)
srv.Handler.QueryAuthorizer = authorizer
Expand Down Expand Up @@ -361,11 +368,11 @@ func (s *Server) appendCollectdService(c collectd.Config) {
s.Services = append(s.Services, srv)
}

func (s *Server) appendOpenTSDBService(c opentsdb.Config) error {
func (s *Server) appendOpenTSDBService(c opentsdb.Config, certMonitor *tlsconfig.TLSCertMonitor) error {
if !c.Enabled {
return nil
}
srv, err := opentsdb.NewService(c)
srv, err := opentsdb.NewService(c, certMonitor)
if err != nil {
return err
}
Expand Down Expand Up @@ -437,6 +444,13 @@ func (s *Server) Open() error {
return err
}

// Configure and start certificate monitor. Do this early so we don't block
// on any of its channels.
s.certMonitor.SetLogger(s.Logger)
if err := s.certMonitor.Open(); err != nil {
return fmt.Errorf("error starting TLS certificate monitor: %w", err)
}

// Open shared TCP connection.
ln, err := net.Listen("tcp", s.BindAddress)
if err != nil {
Expand All @@ -453,7 +467,7 @@ func (s *Server) Open() error {
s.appendPrecreatorService(s.config.Precreator)
s.appendSnapshotterService()
s.appendContinuousQueryService(s.config.ContinuousQuery)
if err := s.appendHTTPDService(s.config.HTTPD); err != nil {
if err := s.appendHTTPDService(s.config.HTTPD, s.certMonitor); err != nil {
return err
}
s.appendRetentionPolicyService(s.config.Retention)
Expand All @@ -466,7 +480,7 @@ func (s *Server) Open() error {
s.appendCollectdService(i)
}
for _, i := range s.config.OpenTSDBInputs {
if err := s.appendOpenTSDBService(i); err != nil {
if err := s.appendOpenTSDBService(i, s.certMonitor); err != nil {
return err
}
}
Expand Down Expand Up @@ -542,6 +556,9 @@ func (s *Server) Open() error {
func (s *Server) Close() error {
s.stopProfile()

// Close the TLS certificate monitor.
s.certMonitor.Close()

// Close the listener first to stop any new connections
if s.Listener != nil {
s.Listener.Close()
Expand Down Expand Up @@ -613,10 +630,9 @@ func (s *Server) ApplyReloadedConfig(config *Config, log *zap.Logger) error {
}
}

// Reload the subscriber's client TLS certificate at its currently
// configured path so rotated certificates are picked up.
// Reload the subscriber's TLS configuration, including certificates, CAs, and other TLS settings.
if s.Subscriber != nil {
if af, err := s.Subscriber.PrepareReloadTLSCertificates(); err == nil {
if af, err := s.Subscriber.PrepareReloadTLSCertificates(config.Subscriber); err == nil {
applyFuncs = append(applyFuncs, af)
} else {
log.Error("error reloading subscriber service TLS certificate, no new configuration applied", zap.Error(err))
Expand Down
15 changes: 15 additions & 0 deletions etc/config.sample.toml
Original file line number Diff line number Diff line change
Expand Up @@ -389,6 +389,11 @@
# Allows insecure file permissions for https-certificate and https-private-key when enabled.
# https-insecure-certificate = false

# Loads https-certificate even when it fails the checks for whether a server can use it,
# such as the certificate not permitting server authentication. The failed checks are
# logged instead. A missing or unparseable certificate is still an error.
# https-ignore-sanity-checks = false

# The type of client certificate authentication (mutual TLS) to require. One of
# NoClientCert, RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, or
# RequireAndVerifyClientCert. Unset leaves client authentication disabled (NoClientCert).
Expand Down Expand Up @@ -492,6 +497,11 @@
# Allows insecure file permissions on certificate and private-key when enabled.
# insecure-certificate = false

# Loads certificate even when it fails the checks for whether a server can use it, such as
# the certificate not permitting server authentication. The failed checks are logged
# instead. A missing or unparseable certificate is still an error.
# ignore-cert-sanity-checks = false

# The number of writer goroutines processing the write channel.
# write-concurrency = 40

Expand Down Expand Up @@ -612,6 +622,11 @@
# Allows insecure file permissions on certificate and private-key when enabled.
# insecure-certificate = false

# Loads certificate even when it fails the checks for whether a server can use it, such as
# the certificate not permitting server authentication. The failed checks are logged
# instead. A missing or unparseable certificate is still an error.
# ignore-cert-sanity-checks = false

# The type of client certificate authentication (mutual TLS) to require. One of
# NoClientCert, RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, or
# RequireAndVerifyClientCert. Unset leaves client authentication disabled (NoClientCert).
Expand Down
1 change: 1 addition & 0 deletions pkg/testing/helper/helpers.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ import (
// can be replaced by:
// defer CheckedClose(t, c)()
func CheckedClose(t require.TestingT, c io.Closer) func() {
require.NotNil(t, c, "CheckedClose cannot be used with a nil io.Closer")

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice 👍

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You'll never guess why I added it 😅

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel seen

return func() {
if h, ok := t.(interface{ Helper() }); ok {
h.Helper()
Expand Down
26 changes: 25 additions & 1 deletion pkg/testing/selfsigned/selfsigned.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,14 @@ type CertOptions struct {

// CACommonName sets the CA certificate's Subject.CommonName field
CACommonName string

// ExtKeyUsage replaces the leaf certificate's extended key usages. It is
// only consulted when ExtKeyUsageSet is true, so that an empty value can
// omit the extension entirely rather than mean "unset".
ExtKeyUsage []x509.ExtKeyUsage

// ExtKeyUsageSet indicates ExtKeyUsage was configured with WithExtKeyUsage.
ExtKeyUsageSet bool
}

type CertOpt func(*CertOptions)
Expand Down Expand Up @@ -88,6 +96,16 @@ func WithCombinedFile() CertOpt {
}
}

// WithExtKeyUsage replaces the leaf certificate's extended key usages, which
// default to server and client authentication. Passing no usages omits the
// extension entirely, leaving the certificate unrestricted.
func WithExtKeyUsage(eku ...x509.ExtKeyUsage) CertOpt {
return func(o *CertOptions) {
o.ExtKeyUsage = eku
o.ExtKeyUsageSet = true
}
}

func WithCASubject(organization, commonName string) CertOpt {
return func(o *CertOptions) {
o.CAOrganization = organization
Expand Down Expand Up @@ -172,14 +190,20 @@ func NewSelfSignedCert(t *testing.T, opts ...CertOpt) *Cert {

serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
require.NoError(t, err)

extKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
if options.ExtKeyUsageSet {
extKeyUsage = options.ExtKeyUsage
}

// Basically the same as the CA template, but its own serial, and with ip addresses and dns names.
template := x509.Certificate{
SerialNumber: serial,
NotBefore: options.NotBefore,
NotAfter: options.NotAfter,

KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
ExtKeyUsage: extKeyUsage,

BasicConstraintsValid: true,

Expand Down
Loading
Loading