rework tls configuration in healthcheck

orange-cloudfoundry · Sep 7, 2023 · f31b753 · f31b753
1 parent 86f37d2
commit f31b753
Show file tree

Hide file tree

Showing 10 changed files with 58 additions and 50 deletions.
diff --git a/app/app.go b/app/app.go
@@ -2,8 +2,6 @@ package app
 
 import (
 	"context"
-	"crypto/tls"
-	"crypto/x509"
 	"fmt"
 	consul "github.com/hashicorp/consul/api"
 	"github.com/orange-cloudfoundry/gsloc/config"
@@ -152,17 +150,7 @@ func (a *App) loadGSLBHandler() error {
 }
 
 func (a *App) loadHcHandler() error {
-	var caCertPool *x509.CertPool
-
-	if a.cnf.HealthCheckConfig.CA != "" {
-		caCertPool = x509.NewCertPool()
-		caCertPool.AppendCertsFromPEM([]byte(a.cnf.HealthCheckConfig.CA))
-	}
-	tlsConf := &tls.Config{
-		InsecureSkipVerify: a.cnf.HealthCheckConfig.InsecureSkipVerify,
-		RootCAs:            caCertPool,
-	}
-	a.hcHandler = healthchecks.NewHcHandler(tlsConf)
+	a.hcHandler = healthchecks.NewHcHandler()
 	return nil
 }
 

diff --git a/config/hc.go b/config/hc.go
@@ -1,8 +1,6 @@
 package config
 
 type HealthCheckConfig struct {
-	InsecureSkipVerify bool   `yaml:"insecure_skip_verify"`
-	CA                 string `yaml:"ca"`
 	HealthcheckAddress string `yaml:"healthcheck_address"`
 }
 

diff --git a/go.mod b/go.mod
@@ -12,15 +12,15 @@ require (
 	github.com/miekg/dns v1.1.55
 	github.com/onsi/ginkgo/v2 v2.12.0
 	github.com/onsi/gomega v1.27.10
-	github.com/orange-cloudfoundry/gsloc-go-sdk v0.1.0
+	github.com/orange-cloudfoundry/gsloc-go-sdk v0.3.0
 	github.com/oschwald/geoip2-golang v1.9.0
 	github.com/prometheus/client_golang v1.16.0
 	github.com/quic-go/quic-go v0.38.1
 	github.com/samber/lo v1.38.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/sourcegraph/conc v0.3.0
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.43.0
-	google.golang.org/grpc v1.57.0
+	google.golang.org/grpc v1.58.0
 	google.golang.org/protobuf v1.31.0
 	gopkg.in/yaml.v2 v2.4.0
 )
@@ -68,8 +68,8 @@ require (
 	golang.org/x/sys v0.11.0 // indirect
 	golang.org/x/text v0.12.0 // indirect
 	golang.org/x/tools v0.12.0 // indirect
-	google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130 // indirect
+	google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20230726155614-23370e0ffb3e // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230706204954-ccb25ca9f130 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -1,5 +1,5 @@
 cloud.google.com/go v0.110.4 h1:1JYyxKMN9hd5dR2MYTPWkGUgcoxVVhg0LKNKEo0qvmk=
-cloud.google.com/go/compute v1.20.1 h1:6aKEtlUiwEpJzM001l0yFkpXmUVXaN8W+fbkb2AZNbg=
+cloud.google.com/go/compute v1.21.0 h1:JNBsyXVoOoNJtTQcnEY5uYpZIbeCTYIeDe0Xh1bySMk=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 github.com/ArthurHlt/emitter v1.1.0 h1:DeD1o+EriC1jUAkrimMgGue5+erUqoy4SLoJ0wN5nEc=
 github.com/ArthurHlt/emitter v1.1.0/go.mod h1:iWgeciGVKYVJ/QcnrRqfxVA5SJ0lLbFKyrNpGkv393c=
@@ -166,8 +166,8 @@ github.com/onsi/ginkgo/v2 v2.12.0 h1:UIVDowFPwpg6yMUpPjGkYvf06K3RAiJXUhCxEwQVHRI
 github.com/onsi/ginkgo/v2 v2.12.0/go.mod h1:ZNEzXISYlqpb8S36iN71ifqLi3vVD1rVJGvWRCJOUpQ=
 github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
 github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
-github.com/orange-cloudfoundry/gsloc-go-sdk v0.1.0 h1:n6sQG52Edv60s/9Kmh+8M6q9z8M6X2Ur88L+FOkkmgA=
-github.com/orange-cloudfoundry/gsloc-go-sdk v0.1.0/go.mod h1:ONrFUgtg6m6Zc6OK+cCSy7hyYG/IGcJNPPWC6koAYHQ=
+github.com/orange-cloudfoundry/gsloc-go-sdk v0.3.0 h1:NgYINWEci7ckQ4qyVEXTXjtqtpQ/5pPXdk4m/QraRpI=
+github.com/orange-cloudfoundry/gsloc-go-sdk v0.3.0/go.mod h1:VdojO3XZ/TArQAXbbcCoOk2q6RTNbAo2X4Eit1vF6jg=
 github.com/oschwald/geoip2-golang v1.9.0 h1:uvD3O6fXAXs+usU+UGExshpdP13GAqp4GBrzN7IgKZc=
 github.com/oschwald/geoip2-golang v1.9.0/go.mod h1:BHK6TvDyATVQhKNbQBdrj9eAvuwOMi2zSFXizL3K81Y=
 github.com/oschwald/maxminddb-golang v1.11.0 h1:aSXMqYR/EPNjGE8epgqwDay+P30hCBZIveY0WZbAWh0=
@@ -264,7 +264,7 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
 golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
 golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
-golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g=
+golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -315,14 +315,14 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
-google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130 h1:Au6te5hbKUV8pIYWHqOUZ1pva5qK/rwbIhoXEUB9Lu8=
-google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:O9kGHb51iE/nOGvQaDUuadVYqovW56s5emA88lQnj6Y=
+google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98 h1:Z0hjGZePRE0ZBWotvtrwxFNrNE9CUAGtplaDK5NNI/g=
+google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98/go.mod h1:S7mY02OqCJTD0E1OiQy1F72PWFB4bZJ87cAtLPYgDR0=
 google.golang.org/genproto/googleapis/api v0.0.0-20230726155614-23370e0ffb3e h1:z3vDksarJxsAKM5dmEGv0GHwE2hKJ096wZra71Vs4sw=
 google.golang.org/genproto/googleapis/api v0.0.0-20230726155614-23370e0ffb3e/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230706204954-ccb25ca9f130 h1:2FZP5XuJY9zQyGM5N0rtovnoXjiMUEIUMvw0m9wlpLc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:8mL13HKkDa+IuJ8yruA3ci0q+0vsUz4m//+ottjwS5o=
-google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw=
-google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 h1:bVf09lpb+OJbByTj913DRJioFFAjf/ZGxEz7MajTp2U=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM=
+google.golang.org/grpc v1.58.0 h1:32JY8YpPMSR45K+c3o6b8VL73V+rR8k+DeMIr4vRH8o=
+google.golang.org/grpc v1.58.0/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=

diff --git a/gslb/entry.go b/gslb/entry.go
@@ -32,7 +32,7 @@ func (s *Server) SetEntry(ctx context.Context, request *gslbsvc.SetEntryRequest)
 		return nil, status.Errorf(codes.InvalidArgument, "invalid request: %v", err)
 	}
 
-	request.Entry.Fqdn = dns.Fqdn(request.GetEntry().GetFqdn())
+	request.Entry.Fqdn = dns.CanonicalName(request.GetEntry().GetFqdn())
 
 	signedEntry := &entries.SignedEntry{
 		Entry:       request.GetEntry(),
@@ -46,7 +46,7 @@ func (s *Server) SetEntry(ctx context.Context, request *gslbsvc.SetEntryRequest)
 }
 
 func (s *Server) GetEntryStatus(ctx context.Context, req *gslbsvc.GetEntryStatusRequest) (*gslbsvc.GetEntryStatusResponse, error) {
-	fqdn := dns.Fqdn(req.GetFqdn())
+	fqdn := dns.CanonicalName(req.GetFqdn())
 	pair, _, err := s.consulClient.KV().Get(config.ConsulKVEntriesPrefix+fqdn, nil)
 	if err != nil {
 		if strings.Contains(err.Error(), "not found") {
@@ -168,7 +168,7 @@ func (s *Server) DeleteEntry(ctx context.Context, request *gslbsvc.DeleteEntryRe
 		return nil, status.Errorf(codes.InvalidArgument, "invalid request: %v", err)
 	}
 
-	fqdn := dns.Fqdn(request.GetFqdn())
+	fqdn := dns.CanonicalName(request.GetFqdn())
 	_, err = s.consulClient.KV().Delete(config.ConsulKVEntriesPrefix+fqdn, nil)
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to delete entry: %v", err)
@@ -182,7 +182,7 @@ func (s *Server) GetEntry(ctx context.Context, request *gslbsvc.GetEntryRequest)
 		return nil, status.Errorf(codes.InvalidArgument, "invalid request: %v", err)
 	}
 
-	fqdn := dns.Fqdn(request.GetFqdn())
+	fqdn := dns.CanonicalName(request.GetFqdn())
 	pair, _, err := s.consulClient.KV().Get(config.ConsulKVEntriesPrefix+fqdn, nil)
 	if err != nil {
 		if strings.Contains(err.Error(), "not found") {
@@ -207,7 +207,7 @@ func (s *Server) GetEntryWithStatus(ctx context.Context, request *gslbsvc.GetEnt
 		return nil, status.Errorf(codes.InvalidArgument, "invalid request: %v", err)
 	}
 
-	fqdn := dns.Fqdn(request.GetFqdn())
+	fqdn := dns.CanonicalName(request.GetFqdn())
 	pair, _, err := s.consulClient.KV().Get(config.ConsulKVEntriesPrefix+fqdn, nil)
 	if err != nil {
 		if strings.Contains(err.Error(), "not found") {

diff --git a/gslb/healthcheck.go b/gslb/healthcheck.go
@@ -15,7 +15,7 @@ func (s *Server) SetHealthCheck(ctx context.Context, request *gslbsvc.SetHealthC
 		return nil, status.Errorf(codes.InvalidArgument, "invalid request: %v", err)
 	}
 
-	fqdn := dns.Fqdn(request.GetFqdn())
+	fqdn := dns.CanonicalName(request.GetFqdn())
 	signedEntry, err := s.retrieveSignedEntry(fqdn)
 	if err != nil {
 		return nil, err
@@ -34,7 +34,7 @@ func (s *Server) GetHealthCheck(ctx context.Context, request *gslbsvc.GetHealthC
 	if err != nil {
 		return nil, status.Errorf(codes.InvalidArgument, "invalid request: %v", err)
 	}
-	fqdn := dns.Fqdn(request.GetFqdn())
+	fqdn := dns.CanonicalName(request.GetFqdn())
 
 	signedEntry, err := s.retrieveSignedEntry(fqdn)
 	if err != nil {

diff --git a/gslb/member.go b/gslb/member.go
@@ -31,7 +31,7 @@ func (s *Server) SetMember(ctx context.Context, request *gslbsvc.SetMemberReques
 		return nil, status.Errorf(codes.InvalidArgument, "invalid dc: %s", request.GetMember().GetDc())
 	}
 
-	fqdn := dns.Fqdn(request.GetFqdn())
+	fqdn := dns.CanonicalName(request.GetFqdn())
 
 	signedEntry, err := s.retrieveSignedEntry(fqdn)
 	if err != nil {
@@ -66,7 +66,7 @@ func (s *Server) DeleteMember(ctx context.Context, request *gslbsvc.DeleteMember
 		return nil, status.Errorf(codes.InvalidArgument, "invalid request: %v", err)
 	}
 
-	fqdn := dns.Fqdn(request.GetFqdn())
+	fqdn := dns.CanonicalName(request.GetFqdn())
 
 	signedEntry, err := s.retrieveSignedEntry(fqdn)
 	if err != nil {
@@ -193,7 +193,7 @@ func (s *Server) GetMember(ctx context.Context, request *gslbsvc.GetMemberReques
 		return nil, status.Errorf(codes.InvalidArgument, "invalid request: %v", err)
 	}
 
-	fqdn := dns.Fqdn(request.GetFqdn())
+	fqdn := dns.CanonicalName(request.GetFqdn())
 
 	signedEntry, err := s.retrieveSignedEntry(fqdn)
 	if err != nil {
@@ -220,7 +220,7 @@ func (s *Server) ListMembers(ctx context.Context, request *gslbsvc.ListMembersRe
 		return nil, status.Errorf(codes.InvalidArgument, "invalid request: %v", err)
 	}
 
-	fqdn := dns.Fqdn(request.GetFqdn())
+	fqdn := dns.CanonicalName(request.GetFqdn())
 
 	signedEntry, err := s.retrieveSignedEntry(fqdn)
 	if err != nil {

diff --git a/healthchecks/handler.go b/healthchecks/handler.go
@@ -1,7 +1,6 @@
 package healthchecks
 
 import (
-	"crypto/tls"
 	"fmt"
 	"github.com/gorilla/mux"
 	hcconf "github.com/orange-cloudfoundry/gsloc-go-sdk/gsloc/api/config/healthchecks/v1"
@@ -13,13 +12,11 @@ import (
 )
 
 type HcHandler struct {
-	tlsConf       *tls.Config
 	disabledEntIp *sync.Map
 }
 
-func NewHcHandler(tlsConf *tls.Config) *HcHandler {
+func NewHcHandler() *HcHandler {
 	return &HcHandler{
-		tlsConf:       tlsConf,
 		disabledEntIp: &sync.Map{},
 	}
 }
@@ -65,7 +62,7 @@ func (h *HcHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		return
 	}
 
-	hcker := MakeHealthCheck(hcDef, h.tlsConf)
+	hcker := MakeHealthCheck(hcDef, fqdn)
 	host := fmt.Sprintf("%s:%d", ip, hcDef.GetPort())
 	err = hcker.Check(host)
 	if err != nil {

diff --git a/healthchecks/interfaces.go b/healthchecks/interfaces.go
@@ -2,6 +2,7 @@ package healthchecks
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	hcconf "github.com/orange-cloudfoundry/gsloc-go-sdk/gsloc/api/config/healthchecks/v1"
 )
 
@@ -11,32 +12,56 @@ type HealthChecker interface {
 	Check(host string) error
 }
 
-func MakeHealthCheck(hcDef *hcconf.HealthCheck, tlsConf *tls.Config) HealthChecker {
+func MakeHealthCheck(hcDef *hcconf.HealthCheck, fqdn string) HealthChecker {
 	var hchecker HealthChecker
+	tlsEnable := hcDef.GetTlsConfig().GetEnable()
+	tlsConf := makeTlsConfig(hcDef.GetTlsConfig(), fqdn)
 	switch hcDef.GetHealthChecker().(type) {
 	case *hcconf.HealthCheck_GrpcHealthCheck:
 		hchecker = NewGrpcHealthCheck(
 			hcDef.GetGrpcHealthCheck(),
 			hcDef.GetTimeout().AsDuration(),
-			hcDef.GetEnableTls(),
+			tlsEnable,
 			tlsConf,
 		)
 	case *hcconf.HealthCheck_HttpHealthCheck:
 		hchecker = NewHttpHealthCheck(
 			hcDef.GetHttpHealthCheck(),
 			hcDef.GetTimeout().AsDuration(),
-			hcDef.GetEnableTls(),
+			tlsEnable,
 			tlsConf,
 		)
 	case *hcconf.HealthCheck_TcpHealthCheck:
 		hchecker = NewTcpHealthCheck(
 			hcDef.GetTcpHealthCheck(),
 			hcDef.GetTimeout().AsDuration(),
-			hcDef.GetEnableTls(),
+			tlsEnable,
 			tlsConf,
 		)
 	case *hcconf.HealthCheck_NoHealthCheck:
 		hchecker = NewNoHealthCheck()
 	}
 	return hchecker
 }
+
+func makeTlsConfig(tlsConf *hcconf.TlsConfig, fqdn string) *tls.Config {
+	if tlsConf == nil || !tlsConf.Enable {
+		return nil
+	}
+	if fqdn[len(fqdn)-1] == '.' {
+		fqdn = fqdn[:len(fqdn)-1]
+	}
+	serverName := fqdn
+	if tlsConf.GetServerName() != "" {
+		serverName = tlsConf.GetServerName()
+	}
+	var caCertPool *x509.CertPool
+	if tlsConf.GetCa() != "" {
+		caCertPool = x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM([]byte(tlsConf.GetCa()))
+	}
+	return &tls.Config{
+		RootCAs:    caCertPool,
+		ServerName: serverName,
+	}
+}
diff --git a/rets/retriever.go b/rets/retriever.go
@@ -114,7 +114,7 @@ func (r *Retriever) pollKV() error {
 	p := pool.New().WithMaxGoroutines(r.nbWorkers)
 	for _, kvPair := range kvPairs {
 		kvPair := kvPair
-		fqdn := dns.Fqdn(kvPair.Key[len(config.ConsulKVEntriesPrefix):])
+		fqdn := dns.CanonicalName(kvPair.Key[len(config.ConsulKVEntriesPrefix):])
 		delete(toRemove, fqdn)
 		p.Go(func() {
 			signedEntry := &entries.SignedEntry{}