*: added client-{client,key}-file parameters for supporting separate client and server certs when communicating between peers

In some environments, the CA is not able to sign certificates with both 'client auth' and 'server auth' extended usage parameters and so an operator needs to be able to set a seperate client certificate to use when making requests which is different to the certificate used for accepting requests. This applies to both proxy and etcd member mode and is available as both a CLI flag and config file field for peer TLS. Signed-off-by: Ben Meier <ben.meier@oracle.com>
2021-02-28 10:56:52 +00:00
parent d06d93d5b1
commit 3d44f5bf80
32 changed files with 556 additions and 374 deletions
--- a/tests/integration/cluster.go
+++ b/tests/integration/cluster.go
@ -87,6 +87,15 @@ var (
 		ClientCertAuth: true,
 	}

+	testTLSInfoWithSpecificUsage = transport.TLSInfo{
+		KeyFile:        "../fixtures/server-serverusage.key.insecure",
+		CertFile:       "../fixtures/server-serverusage.crt",
+		ClientKeyFile:  "../fixtures/client-clientusage.key.insecure",
+		ClientCertFile: "../fixtures/client-clientusage.crt",
+		TrustedCAFile:  "../fixtures/ca.crt",
+		ClientCertAuth: true,
+	}
+
 	testTLSInfoIP = transport.TLSInfo{
 		KeyFile:        "../fixtures/server-ip.key.insecure",
 		CertFile:       "../fixtures/server-ip.crt",