*: new tls configuration for operator

Makefile

@@ -45,10 +45,11 @@ cmd_%:
 	go build $(BUILDFLAGS) -o $(OUTPUT) $(SOURCE)
 
 test: ./bin/gocovmerge
+	rm -f .cover.*
 	go test -coverprofile=.cover.pkg ./...
 	cd lib && go test -coverprofile=../.cover.lib ./...
 	./bin/gocovmerge .cover.* > .cover
-	rm .cover.*
+	rm -f .cover.*
 	go tool cover -html=.cover -o .cover.html
 
 ./bin/gocovmerge:

conf/weirproxy.yaml

@@ -20,6 +20,36 @@ log:
     max-backups: 1
 security:
   rsa-key-size: 4096
+  # tls object is either of type server, client, or peer
+  # xxxx:
+  #   ca: ca.pem
+  #   cert: c.pem
+  #   key: k.pem
+  #   auto-certs: true
+  #   skip-ca: trure
+  # client object:
+  #   1. requires: ca or skip-ca(skip verify server certs)
+  #   2. optionally: cert/key will be used if server asks
+  #   3. useless/forbid: auto-certs
+  # server object:
+  #   1. requires: cert/key or auto-certs(generate a temporary cert, mostly for testing)
+  #   2. optionally: ca will enable server-side client verification.
+  #   3. useless/forbid: skip-ca
+  # peer object:
+  #   1. requires: cert/key/ca or auto-certs
+  #   2. useless/forbid: skip-ca
+  cluster-tls: # client object
+    # access to other components like TiDB or PD, will use this
+    skip-ca: true
+  sql-tls: # client object
+    # access to TiDB sql port, it has a standalone TLS configuration
+    skip-ca: true
+  server-tls: # server object
+    # proxy SQL or HTTP port will use this
+    auto-certs: true
+  peer-tls: # peer object
+    # internal communication between proxies
+    auto-certs: true
 advance:
   # ignore-wrong-namespace: true
   # peer-port: "3081"

docker/Dockerfile

@@ -13,6 +13,6 @@ RUN sh ./proxy/apk-fastest-mirror.sh
 RUN apk add --no-cache --progress git make go
 ARG BUILDFLAGS
 ARG GOPROXY
-RUN export BUILDFLAGS=${BUILDFLAGS} && export GOPROXY=${GOPROXY} && cd proxy && ls -al && cat Makefile && make cmd && cp bin/* /bin/ && cp -a conf /etc/proxy && cd .. && rm -rf proxy
+RUN export BUILDFLAGS=${BUILDFLAGS} && export GOPROXY=${GOPROXY} && cd proxy && make cmd && cp bin/* /bin/ && cp -a conf /etc/proxy && cd .. && rm -rf proxy
 RUN rm -rf $(go env GOMODCACHE GOCACHE) && apk del git make go
 ENTRYPOINT ["/bin/weirproxy", "-conf", "/etc/proxy/weirproxy.yaml"]

lib/config/namespace.go

@@ -22,11 +22,11 @@ type Namespace struct {
 }
 
 type FrontendNamespace struct {
-	Security TLSCert `yaml:"security" json:"security" toml:"security"`
+	Security TLSConfig `yaml:"security" json:"security" toml:"security"`
 }
 
 type BackendNamespace struct {
-	Instances    []string `yaml:"instances" json:"instances" toml:"instances"`
-	SelectorType string   `yaml:"selector-type" json:"selector-type" toml:"selector-type"`
-	Security     TLSCert  `yaml:"security" json:"security" toml:"security"`
+	Instances    []string  `yaml:"instances" json:"instances" toml:"instances"`
+	SelectorType string    `yaml:"selector-type" json:"selector-type" toml:"selector-type"`
+	Security     TLSConfig `yaml:"security" json:"security" toml:"security"`
 }

lib/config/namespace_test.go

@@ -24,19 +24,21 @@ import (
 var testNamespaceConfig = Namespace{
 	Namespace: "test_ns",
 	Frontend: FrontendNamespace{
-		Security: TLSCert{
-			CA:   "t",
-			Cert: "t",
-			Key:  "t",
+		Security: TLSConfig{
+			CA:        "t",
+			Cert:      "t",
+			Key:       "t",
+			AutoCerts: true,
 		},
 	},
 	Backend: BackendNamespace{
 		Instances:    []string{"127.0.0.1:4000", "127.0.0.1:4001"},
 		SelectorType: "random",
-		Security: TLSCert{
-			CA:   "t",
-			Cert: "t",
-			Key:  "t",
+		Security: TLSConfig{
+			CA:     "t",
+			Cert:   "t",
+			Key:    "t",
+			SkipCA: true,
 		},
 	},
 }

lib/config/proxy.go

@@ -75,24 +75,28 @@ type LogFile struct {
 	MaxBackups int    `yaml:"max-backups,omitempty" toml:"max-backups,omitempty" json:"max-backups,omitempty"`
 }
 
-type TLSCert struct {
-	CA   string `yaml:"ca,omitempty" toml:"ca,omitempty" json:"ca,omitempty"`
-	Cert string `yaml:"cert,omitempty" toml:"cert,omitempty" json:"cert,omitempty"`
-	Key  string `yaml:"key,omitempty" toml:"key,omitempty" json:"key,omitempty"`
+type TLSConfig struct {
+	Cert      string `yaml:"cert,omitempty" toml:"cert,omitempty" json:"cert,omitempty"`
+	Key       string `yaml:"key,omitempty" toml:"key,omitempty" json:"key,omitempty"`
+	AutoCerts bool   `yaml:"auto-certs,omitempty" toml:"auto-certs,omitempty" json:"auto-certs,omitempty"`
+	CA        string `yaml:"ca,omitempty" toml:"ca,omitempty" json:"ca,omitempty"`
+	SkipCA    bool   `yaml:"skip-ca,omitempty" toml:"skip-ca,omitempty" json:"skip-ca,omitempty"`
 }
 
-func (c TLSCert) HasCert() bool {
+func (c TLSConfig) HasCert() bool {
 	return !(c.Cert == "" && c.Key == "")
 }
 
-func (c TLSCert) HasCA() bool {
+func (c TLSConfig) HasCA() bool {
 	return c.CA != ""
 }
 
 type Security struct {
-	RSAKeySize int     `yaml:"rsa-key-size,omitempty" toml:"rsa-key-size,omitempty" json:"rsa-key-size,omitempty"`
-	Server     TLSCert `yaml:"server,omitempty" toml:"server,omitempty" json:"server,omitempty"`
-	Cluster    TLSCert `yaml:"cluster,omitempty" toml:"cluster,omitempty" json:"cluster,omitempty"`
+	RSAKeySize int       `yaml:"rsa-key-size,omitempty" toml:"rsa-key-size,omitempty" json:"rsa-key-size,omitempty"`
+	ServerTLS  TLSConfig `yaml:"server-tls,omitempty" toml:"server-tls,omitempty" json:"server-tls,omitempty"`
+	PeerTLS    TLSConfig `yaml:"peer-tls,omitempty" toml:"peer-tls,omitempty" json:"peer-tls,omitempty"`
+	ClusterTLS TLSConfig `yaml:"cluster-tls,omitempty" toml:"cluster-tls,omitempty" json:"cluster-tls,omitempty"`
+	SQLTLS     TLSConfig `yaml:"sql-tls,omitempty" toml:"sql-tls,omitempty" json:"sql-tls,omitempty"`
 }
 
 func NewConfig(data []byte) (*Config, error) {

lib/config/proxy_test.go

@@ -57,15 +57,29 @@ var testProxyConfig = Config{
 	},
 	Security: Security{
 		RSAKeySize: 64,
-		Server: TLSCert{
-			CA:   "a",
-			Cert: "b",
-			Key:  "c",
+		ServerTLS: TLSConfig{
+			CA:        "a",
+			Cert:      "b",
+			Key:       "c",
+			AutoCerts: true,
 		},
-		Cluster: TLSCert{
-			CA:   "a",
-			Cert: "b",
-			Key:  "c",
+		PeerTLS: TLSConfig{
+			CA:        "a",
+			Cert:      "b",
+			Key:       "c",
+			AutoCerts: true,
+		},
+		ClusterTLS: TLSConfig{
+			CA:     "a",
+			SkipCA: true,
+			Cert:   "b",
+			Key:    "c",
+		},
+		SQLTLS: TLSConfig{
+			CA:     "a",
+			SkipCA: true,
+			Cert:   "b",
+			Key:    "c",
 		},
 	},
 }

lib/go.mod

@@ -3,10 +3,10 @@ module github.com/pingcap/TiProxy/lib
 go 1.19
 
 require (
-	github.com/pingcap/errors v0.11.4
 	github.com/pingcap/log v1.1.0
 	github.com/spf13/cobra v1.5.0
 	github.com/stretchr/testify v1.8.0
+	go.etcd.io/etcd/client/pkg/v3 v3.5.4
 	go.uber.org/atomic v1.9.0
 	go.uber.org/zap v1.23.0
 	gopkg.in/yaml.v3 v3.0.1
@@ -17,9 +17,12 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
+	github.com/pingcap/errors v0.11.4 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
+	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 )

lib/go.sum

@@ -2,11 +2,13 @@ github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
+github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -21,8 +23,9 @@ github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4
 github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
 github.com/pingcap/log v1.1.0 h1:ELiPxACz7vdo1qAvvaWJg1NrYFoY6gqAh/+Uo6aXdD8=
 github.com/pingcap/log v1.1.0/go.mod h1:DWQW5jICDR7UJh4HtxXSM20Churx4CQL0fwL/SoOSA4=
-github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -38,6 +41,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+go.etcd.io/etcd/client/pkg/v3 v3.5.4 h1:lrneYvz923dvC14R54XcA7FXoZ3mlGZAgmwhfm7HqOg=
+go.etcd.io/etcd/client/pkg/v3 v3.5.4/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
@@ -46,6 +51,7 @@ go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/multierr v1.7.0 h1:zaiO/rmgFjbmCXdSYJWQcdvOCsthmdaHfr3Gm2Kx4Ec=
 go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
+go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
 go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 go.uber.org/zap v1.23.0 h1:OjGQ5KQDEUawVHxNwQgPpiypGHOxo2mNZsOqTak4fFY=
 go.uber.org/zap v1.23.0/go.mod h1:D+nX8jyLsMHMYrln8A0rJjFt/T/9/bGgIhAqxv5URuY=
@@ -55,6 +61,9 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=