github/dynamiclistener
1
0
Fork 1
mirror of https://github.com/rancher/dynamiclistener.git synced 2025-05-28 09:44:17 +00:00
Code Issues Projects Releases Wiki Activity
143 Commits 23 Branches 40 Tags 2.4 MiB
release/v0.4
Commit Graph

143 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Nick Gerace
f147aa4166 Fix defaultNewSignedCertExpirationDays const 
This a quick fix for 2644a6ed16
 2021-11-19 12:31:47 -05:00
Kinara Shah
63157c59ce
Merge pull request #46 from nickgerace/days 
Allow for default expiration days to be loaded from env
 2021-11-19 08:59:57 -08:00
Nick Gerace
2644a6ed16 Allow for default expiration days to be loaded from env 2021-11-18 12:38:35 -05:00
Brian Downs
27f4642299
Add ability to force cert regeneration (#43) 
* add ability to force cert regeneration
 2021-11-15 13:50:26 -07:00
Caleb Bron
cd5d71f2fe
Merge pull request #44 from cmurphy/fix-type 
Fix net.Conn type assertion
 2021-11-04 13:09:48 -07:00
Colleen Murphy
fb66484384 Fix net.Conn type assertion 
Don't assert that all connections are wrapped, as they won't be if
the CloseConnOnCertChange setting is false. Only run the assertion
within a conditional for wrapped connections, where it is safe. This
prevents a panic from happening when CloseConnOnCertChange is not used.
 2021-10-29 11:03:02 -07:00
Darren Shepherd
6b37dc1212
Merge pull request #42 from cmurphy/fix-close-conn 
Skip closing an initializing connection
 2021-10-27 08:35:21 -07:00
Colleen Murphy
c7dd355394 Skip closing an initializing connection 
Without this change, if a cert is updated (e.g. to add CNs) while the
listener is in the middle of Accept()ing a new connection, the
connection gets dropped, we'll see a message like this in the server
logs:

  http: TLS handshake error from 127.0.0.1:51232: write tcp 127.0.7.1:8443->127.0.0.1:51232: use of closed network connection

and the client (like a browser) won't necessarily reconnect. This change
modifies the GetCertificate routine in the listener's tls.Config to
keep track of the state of the incoming connections and only close
connections that have completed GetCertificate and therefore are
finished with their TLS handshake, so that only old established
connections are closed.
 2021-10-25 13:17:24 -07:00
Darren Shepherd
94e22490cf
Merge pull request #41 from weihanglo/nil-defer-storage-tls 
Merge TLS only if TLS factory is set
 2021-08-03 10:23:59 -07:00
Weihang Lo
b45d8a455e
Merge TLS only if TLS factory is set 
Since `storage.tls` is optional, we should check it existence before
calling its methods.
 2021-07-12 18:25:01 +08:00
Darren Shepherd
9865ae859c Don't reset connections on the first load of the certs 2021-06-16 01:00:09 -07:00
Darren Shepherd
db883ae66a Don't reset connections on the first load of the certs 2021-06-16 00:23:14 -07:00
Darren Shepherd
9dfd7df057 Pass context to http server as BaseContext 2021-06-15 22:42:42 -07:00
Darren Shepherd
ff22834bde Avoid panic when secret is nil 2021-06-15 22:42:42 -07:00
Sjoerd Simons
dc7452dbb8 Accept IPv6 address as CN names 
Expand the cnRegexp to also accept ipv6 addresses such as:
  * ::1
  * 2a00:1450:400e:80e::
  * 2a00:1450:400e:80e::200e

Fixes: #37

Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>
 2021-06-14 11:07:13 -07:00
Dan Ramich
86af265dcd
Merge pull request #35 from dramich/panic 
Update IsStatic to check for nil annotations
 2021-04-26 09:21:45 -06:00
Dan Ramich
f373fc1c7c Update IsStatic to check for nil annotations 2021-04-23 14:56:14 -06:00
Darren Shepherd
e7b1adba70 Update to wrangler v0.8.0 and merge v0.2.x to master 2021-04-12 15:09:30 -07:00
Darren Shepherd
a60200ab9e Merge tag 'v0.2.3' 2021-04-12 15:00:05 -07:00
Hussein Galal
fc8cf5f3ea
Merge pull request #33 from galal-hussein/fix_load_certs 
Fixing loading certs to work with etcd only nodes
 2021-03-05 22:54:49 +02:00
galal-hussein
3878ff2a1f Fixing loading certs 2021-03-05 22:39:13 +02:00
Hussein Galal
1b2460c151
Merge pull request #32 from galal-hussein/fix_resversion 
Add check to update dynamic listener cert in etcd only nodes
 2021-03-01 21:58:18 +02:00
galal-hussein
e34610a1ae Add check to update dynamic listener cert in etcd only nodes 2021-03-01 21:52:45 +02:00
Darren Shepherd
9b1b7d3132 Add filter helper method 2020-11-09 21:52:17 -07:00
Darren Shepherd
85f32491cb Add dumb hook to set the organization in the client cert 2020-09-10 13:32:14 -07:00
Brad Davidson
7c224dcdfb
Merge pull request #29 from brandond/force_reissue_0.2 
Allow forcing cert reissuance (v0.2 backport)
 2020-08-11 12:58:42 -07:00
Brad Davidson
53f6b38760 Allow forcing cert reissuance (#28) 
Refreshing the cert should force renewal as opposed to returning
early if the SANs aren't changing. This is currently breaking refresh
of expired certs as per:
https://github.com/rancher/k3s/issues/1621#issuecomment-669464318

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2020-08-10 17:12:39 -07:00
Darren Shepherd
479ab335d6 Add LoadOrGenClient to handle client cert generation 2020-08-10 17:12:39 -07:00
Darren Shepherd
2bfb7bd0cb Fix error masking issue 
Also don't do an extra lookup of TLS secret after update.
 2020-08-10 17:12:39 -07:00
Darren Shepherd
ebebb82b9b Add LoadOrGenClient to handle client cert generation 2020-08-01 23:37:51 -07:00
Darren Shepherd
bafb051656
Merge pull request #27 from ibuildthecloud/master 
Fix error masking issue
 2020-07-27 22:48:58 -07:00
Darren Shepherd
3b42c52bec Fix error masking issue 
Also don't do an extra lookup of TLS secret after update.
 2020-07-27 22:48:13 -07:00
Darren Shepherd
207e8a5c14
Merge pull request #23 from KnicKnic/fix_certpath_windows 
fix certpath generation for windows
 2020-07-27 22:48:06 -07:00
Darren Shepherd
9c1939da3a
Merge pull request #25 from ibuildthecloud/master 
Stop using wrangler-api project
 2020-07-14 13:10:33 -07:00
Darren Shepherd
5529139fbe Update vendor 2020-07-14 13:09:07 -07:00
Darren Shepherd
bcbb612b24 Stop using wrangler-api project 2020-07-14 13:09:07 -07:00
Knic Knic
94e23c7edb fix certpath generation for windows 2020-04-25 22:59:52 -07:00
Darren Shepherd
52ede5ec92
Merge pull request #22 from ibuildthecloud/master 
Always allow configured SANs regardless of the FilterCN
 2020-04-17 19:33:42 -07:00
Darren Shepherd
5c222d5753 Don't parse x509 cert on each request 2020-04-17 19:31:42 -07:00
Darren Shepherd
74a61a850d Always allow configured SANs regardless of the FilterCN 2020-04-17 19:31:31 -07:00
Darren Shepherd
4436fc6b48
Merge pull request #21 from ibuildthecloud/master 
Add ability to confirm adding new CNs
 2020-04-02 22:10:05 -07:00
Darren Shepherd
4bac3f291f Add ability to confirm adding new CNs 2020-04-02 22:08:36 -07:00
Darren Shepherd
c992ce309c Reject bad CNs that will prevent the secret from being saved. 2020-04-02 22:07:45 -07:00
Darren Shepherd
763229ddcd
Merge pull request #20 from ibuildthecloud/master 
Add ability to limit the maximum number of SANs
 2020-03-18 23:17:31 -07:00
Darren Shepherd
171fcf6b79 If connection closing is enabled then don't support HTTP/2 2020-03-18 23:16:38 -07:00
Darren Shepherd
05d7922a86 Add ability to limit the maximum number of SANs 2020-03-18 23:16:38 -07:00
Darren Shepherd
1e67d402dc
Merge pull request #19 from ibuildthecloud/master 
For web browser based requests do not consider IPs in host headers
 2020-03-14 10:17:03 -07:00
Darren Shepherd
7e3fc0c594 For web browser based requests do not consider IPs in host headers 2020-03-14 10:16:11 -07:00
Darren Shepherd
111c5b43e9
Merge pull request #18 from ibuildthecloud/dropconn 
Wrong lock used to protect conn map
 2020-02-13 09:53:08 -07:00
Darren Shepherd
bd73d0d4bc Wrong lock used to protect conn map 2020-02-13 09:52:45 -07:00