mirrors/etcd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

*: added client-{client,key}-file parameters for supporting separate client and server certs when communicating between peers

Browse Source 
In some environments, the CA is not able to sign certificates with both
'client auth' and 'server auth' extended usage parameters and so an operator
needs to be able to set a seperate client certificate to use when making
requests which is different to the certificate used for accepting requests.
This applies to both proxy and etcd member mode and is available as both a CLI
 flag and config file field for peer TLS.

Signed-off-by: Ben Meier <ben.meier@oracle.com>
This commit is contained in:
Ben Meier
2021-02-28 10:56:52 +00:00
parent d06d93d5b1
commit 3d44f5bf80
32 changed files with 556 additions and 374 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
tests/integration/cluster_test.go
View File

@ -59,6 +59,16 @@ func TestTLSClusterOf3(t *testing.T) {
clusterMustProgress(t, c.Members)
}
// Test that a cluster can progress when using separate client and server certs when peering. This supports certificate
// authorities that don't issue dual-usage certificates.
func TestTLSClusterOf3WithSpecificUsage(t *testing.T) {
defer testutil.AfterTest(t)
c := NewClusterByConfig(t, &ClusterConfig{Size: 3, PeerTLS: &testTLSInfoWithSpecificUsage})
c.Launch(t)
defer c.Terminate(t)
clusterMustProgress(t, c.Members)
}
func TestClusterOf1UsingDiscovery(t *testing.T) { testClusterUsingDiscovery(t, 1) }
func TestClusterOf3UsingDiscovery(t *testing.T) { testClusterUsingDiscovery(t, 3) }