This is an automated email from the ASF dual-hosted git repository.
liuhan pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/skywalking-rover.git
The following commit(s) were added to refs/heads/main by this push:
new a5281ba Support for connecting to the backend server over TLS without
requiring `ca.pem` (#164)
a5281ba is described below
commit a5281babf7e70126c3a8997438ab98acc4d585eb
Author: mrproliu <[email protected]>
AuthorDate: Mon Dec 9 11:17:30 2024 +0900
Support for connecting to the backend server over TLS without requiring
`ca.pem` (#164)
---
CHANGES.md | 1 +
configs/rover_configs.yaml | 6 +++---
pkg/core/backend/client.go | 18 ++++++++++--------
3 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index db16ffa..5c27ece 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -11,6 +11,7 @@ Release Notes.
* Improve the build of skywalking-rover by adding some options.
* Decode the BPF data by self instant `binary.Read` to reduce CPU usage.
* Fix the unaligned memory accesses for `upload_socket_data_buf`.
+* Support for connecting to the backend server over TLS without requiring
`ca.pem`.
#### Bug Fixes
* Fix the base image cannot run in the arm64.
diff --git a/configs/rover_configs.yaml b/configs/rover_configs.yaml
index 54811fa..f86ef0a 100644
--- a/configs/rover_configs.yaml
+++ b/configs/rover_configs.yaml
@@ -28,13 +28,13 @@ core:
# The TLS switch
enable_TLS: ${ROVER_BACKEND_ENABLE_TLS:false}
# The file path of client.pem. The config only works when opening the TLS
switch.
- client_pem_path: ${ROVER_BACKEND_PEM_PATH:"client.pem"}
+ client_pem_path: ${ROVER_BACKEND_PEM_PATH:""}
# The file path of client.key. The config only works when opening the TLS
switch.
- client_key_path: ${ROVER_BACKEND_KEY_PATH:"client.key"}
+ client_key_path: ${ROVER_BACKEND_KEY_PATH:""}
# InsecureSkipVerify controls whether a client verifies the server's
certificate chain and host name.
insecure_skip_verify: ${ROVER_BACKEND_INSECURE_SKIP_VERIFY:false}
# The file path oca.pem. The config only works when opening the TLS switch.
- ca_pem_path: ${ROVER_BACKEND_CA_PEM_PATH:"ca.pem"}
+ ca_pem_path: ${ROVER_BACKEND_CA_PEM_PATH:""}
# How frequently to check the connection(second)
check_period: ${ROVER_BACKEND_CHECK_PERIOD:5}
# The auth value when send request
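Review bot: The three defaults changed to `""` in this hunk are not explained by the comments around them, so an operator reading this file cannot tell what an empty `client_pem_path`, `client_key_path` or `ca_pem_path` does, nor that a client certificate is only presented when both of its paths are set (the `client.go` hunk in this commit gates on `conf.ClientKeyPath != "" && conf.ClientPemPath != ""`, so setting just one is silently ignored). With `ca_pem_path` empty the client now leaves `tlsConfig.RootCAs` nil, which in Go means the server certificate is verified against the host's system root store — a weaker, environment-dependent trust anchor than a pinned `ca.pem`, and worth stating explicitly. I would reword the comments to `# The file path of client.pem; leave empty to connect without a client certificate (both client_pem_path and client_key_path must be set for one to be sent).` and `# The file path of ca.pem; leave empty to verify the server against the host's system root store instead of a pinned CA.`, and fix the `oca.pem` typo in the existing `ca_pem_path` comment while touching it. The `insecure_skip_verify` comment could likewise warn that it disables verification entirely and is intended for testing only.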
diff --git a/pkg/core/backend/client.go b/pkg/core/backend/client.go
index ab4d74a..10284d7 100644
--- a/pkg/core/backend/client.go
+++ b/pkg/core/backend/client.go
@@ -124,15 +124,17 @@ func configTLS(conf *Config) (tc *tls.Config, tlsErr
error) {
tlsConfig := new(tls.Config)
tlsConfig.Renegotiation = tls.RenegotiateNever
tlsConfig.InsecureSkipVerify = conf.InsecureSkipVerify
- caPem, err := os.ReadFile(conf.CaPemPath)
- if err != nil {
- return nil, err
- }
- certPool := x509.NewCertPool()
- if !certPool.AppendCertsFromPEM(caPem) {
- return nil, fmt.Errorf("failed to append certificates")
+ if conf.CaPemPath != "" {
+ caPem, err := os.ReadFile(conf.CaPemPath)
+ if err != nil {
+ return nil, err
+ }
+ certPool := x509.NewCertPool()
+ if !certPool.AppendCertsFromPEM(caPem) {
+ return nil, fmt.Errorf("failed to append certificates")
+ }
+ tlsConfig.RootCAs = certPool
}
- tlsConfig.RootCAs = certPool
if conf.ClientKeyPath != "" && conf.ClientPemPath != "" {
if err := checkTLSFile(conf.ClientKeyPath); err != nil {