Add TLS client config option to disable it (linkerd#1856)

TLS is enabled if the TLS param is set at all. In the case of a per-client config, this means that if any matching config for a client enables TLS, it is impossible for a later client config to override this with a value that disables TLS. We add an `enabled` property to the TLS client config which defaults to true, but can be set to false to disable client TLS. Example config excerpt: ``` client: kind: io.l5d.static configs: # enables TLS for all "inet" clients - prefix: "/$/inet/{service}" tls: commonName: "{service}" # override the above to disable TLS for localhost - prefix: /$/inet/localhost tls: enabled: false ``` Fixes linkerd#1845 Signed-off-by: Alex Leong <[email protected]>
wendellxoo · Mar 26, 2018 · 019608d · 019608d
1 parent c1c1e29
commit 019608d
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 3 deletions.
diff --git a/finagle/buoyant/src/main/scala/com/twitter/finagle/buoyant/TlsClientConfig.scala b/finagle/buoyant/src/main/scala/com/twitter/finagle/buoyant/TlsClientConfig.scala
@@ -10,21 +10,24 @@ import java.io._
 import scala.util.control.NoStackTrace
 
 case class TlsClientConfig(
+  enabled: Option[Boolean],
   disableValidation: Option[Boolean],
   commonName: Option[String],
   trustCerts: Option[Seq[String]] = None,
   clientAuth: Option[ClientAuth] = None
 ) {
   def params: Stack.Params = this match {
-    case TlsClientConfig(Some(true), _, _, clientAuth) =>
+    case TlsClientConfig(Some(false), _, _, _, _) =>
+      Stack.Params.empty + Transport.ClientSsl(None)
+    case TlsClientConfig(_, Some(true), _, _, clientAuth) =>
       val tlsConfig = SslClientConfiguration(
         trustCredentials = TrustCredentials.Insecure,
         keyCredentials = keyCredentials(clientAuth)
       )
       Stack.Params.empty + Transport.ClientSsl(Some(tlsConfig)) +
         SslClientEngineFactory.Param(Netty4ClientEngineFactory())
 
-    case TlsClientConfig(_, Some(cn), certs, clientAuth) =>
+    case TlsClientConfig(_, _, Some(cn), certs, clientAuth) =>
       // map over the optional certs parameter - we want to pass
       // `TrustCredentials.CertCollection` if we were given a list of certs,
       // but `TrustCredentials.Unspecified` (rather than an empty cert
@@ -60,7 +63,7 @@ case class TlsClientConfig(
       Stack.Params.empty + Transport.ClientSsl(Some(tlsConfig)) +
         SslClientEngineFactory.Param(Netty4ClientEngineFactory())
 
-    case TlsClientConfig(Some(false) | None, None, _, _) =>
+    case TlsClientConfig(_, Some(false) | None, None, _, _) =>
       val msg = "tls is configured with validation but `commonName` is not set"
       throw new IllegalArgumentException(msg) with NoStackTrace
   }

diff --git a/interpreter/namerd/src/main/scala/io/buoyant/namerd/iface/NamerdInterpreterInitializer.scala b/interpreter/namerd/src/main/scala/io/buoyant/namerd/iface/NamerdInterpreterInitializer.scala
@@ -42,6 +42,7 @@ case class Retry(
 case class ClientTlsConfig(commonName: String, caCert: Option[String]) {
   def params: Stack.Params = {
     TlsClientConfig(
+      enabled = Some(true),
       disableValidation = Some(false),
       commonName = Some(commonName),
       trustCerts = caCert.map(Seq(_)),

diff --git a/linkerd/core/src/main/scala/io/buoyant/linkerd/ClientConfig.scala b/linkerd/core/src/main/scala/io/buoyant/linkerd/ClientConfig.scala
@@ -36,6 +36,7 @@ trait ClientConfig {
 }
 
 case class TlsClientConfig(
+  enabled: Option[Boolean],
   disableValidation: Option[Boolean],
   commonName: Option[String],
   trustCerts: Option[Seq[String]] = None,
@@ -47,6 +48,7 @@ case class TlsClientConfig(
   )
   def params(vars: Map[String, String]): Stack.Params =
     FTlsClientConfig(
+      enabled,
       disableValidation,
       commonName.map(PathMatcher.substitute(vars, _)),
       trustCerts,

diff --git a/linkerd/docs/client_tls.md b/linkerd/docs/client_tls.md
@@ -20,6 +20,7 @@ the server.
 
 Key | Default Value | Description
 --- | ------------- | -----------
+enabled | true | Enable TLS on outgoing connections.
 certPath | _required_ | File path to the TLS certificate file.
 keyPath | _required_ | File path to the TLS key file.
 requireClientAuth | false | If true, only accept requests with valid client certificates.

diff --git a/linkerd/examples/disable-tls.yaml b/linkerd/examples/disable-tls.yaml
@@ -0,0 +1,20 @@
+namers: []
+
+routers:
+- protocol: http
+  dtab: |
+    /svc/foo => /$/inet/www.google.com/443 ;
+    /svc/bar => /$/inet/localhost/7777
+
+  servers:
+  - port: 4140
+
+  client:
+    kind: io.l5d.static
+    configs:
+    - prefix: "/$/inet/{service}"
+      tls:
+        commonName: "{service}"
+    - prefix: /$/inet/localhost
+      tls:
+        enabled: false