diff --git a/dialout/dialout_client/dialout_client.go b/dialout/dialout_client/dialout_client.go
index 451a4c10c..08bbb6f57 100644
--- a/dialout/dialout_client/dialout_client.go
+++ b/dialout/dialout_client/dialout_client.go
@@ -5,18 +5,20 @@ import (
 "crypto/tls"
 "errors"
 "fmt"
+ "net"
+
 spb "github.com/Azure/sonic-telemetry/proto"
 sdc "github.com/Azure/sonic-telemetry/sonic_data_client"
 sdcfg "github.com/Azure/sonic-telemetry/sonic_db_config"
+ "github.com/Workiva/go-datastructures/queue"
 "github.com/go-redis/redis"
 log "github.com/golang/glog"
 gpb "github.com/openconfig/gnmi/proto/gnmi"
 "github.com/openconfig/ygot/ygot"
- "github.com/Workiva/go-datastructures/queue"
 "golang.org/x/net/context"
 "google.golang.org/grpc"
 "google.golang.org/grpc/credentials"
- "net"
+
 //"reflect"
 "strconv"
 "strings"
@@ -264,9 +266,14 @@ func newClient(ctx context.Context, dest Destination) (*Client, error) {
 opts := []grpc.DialOption{
 grpc.WithBlock(),
 }
+
 if clientCfg.TLS != nil {
 opts = append(opts, grpc.WithTransportCredentials(credentials.NewTLS(clientCfg.TLS)))
+ } else {
+ opts = append(opts, grpc.WithInsecure())
+ log.V(2).Infof("gRPC without TLS")
 }
+
 conn, err := grpc.DialContext(ctx, dest.Addrs, opts...)
 if err != nil {
 return nil, fmt.Errorf("Dial to (%s, timeout %v): %v", dest, timeout, err)
diff --git a/dialout/dialout_client_cli/dialout_client_cli.go b/dialout/dialout_client_cli/dialout_client_cli.go
index d8d9014da..f0cd93aa1 100644
--- a/dialout/dialout_client_cli/dialout_client_cli.go
+++ b/dialout/dialout_client_cli/dialout_client_cli.go
@@ -4,13 +4,14 @@ package main
 import (
 "crypto/tls"
 "flag"
+ "os"
+ "os/signal"
+ "time"
+
 dc "github.com/Azure/sonic-telemetry/dialout/dialout_client"
 log "github.com/golang/glog"
 gpb "github.com/openconfig/gnmi/proto/gnmi"
 "golang.org/x/net/context"
- "os"
- "os/signal"
- "time"
 )
 
 var (
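Review bot: The `else` branch added to newClient fails open: any caller that leaves `clientCfg.TLS` nil — by omission as much as by intent — now dials with `grpc.WithInsecure()` and sends telemetry in cleartext, with only a V(2) log line to show for it. A nil TLS config should be rejected at this library layer and plaintext made an explicit opt-in (a dedicated field on the client config that the CLI's `-tls_disable` flag sets), and the downgrade should be visible at default verbosity, e.g. `log.Warningf("dialing %s without TLS (cleartext)", dest.Addrs)`. Newer grpc-go versions deprecate `grpc.WithInsecure` in favour of `insecure.NewCredentials()`; whether that applies depends on the vendored version, which this diff does not show. newClient's body continues outside the hunk.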
@@ -19,13 +20,15 @@ var (
 RetryInterval: 30 * time.Second,
 Encoding: gpb.Encoding_JSON_IETF,
 Unidirectional: true,
- TLS: &tls.Config{},
 }
+ tlsCfg = tls.Config{}
+ tlsDisable bool
 )
 
 func init() {
- flag.StringVar(&clientCfg.TLS.ServerName, "server_name", "", "When set, use this hostname to verify server certificate during TLS handshake.")
- flag.BoolVar(&clientCfg.TLS.InsecureSkipVerify, "insecure", false, "When set, client will not verify the server certificate during TLS handshake.")
+ flag.StringVar(&tlsCfg.ServerName, "server_name", "", "When set, use this hostname to verify server certificate during TLS handshake.")
+ flag.BoolVar(&tlsCfg.InsecureSkipVerify, "insecure", false, "When set, client will not verify the server certificate during TLS handshake.")
+ flag.BoolVar(&tlsDisable, "tls_disable", false, "Without TLS, only for testing")
 flag.DurationVar(&clientCfg.RetryInterval, "retry_interval", 30*time.Second, "Interval at which client tries to reconnect to destination servers")
 flag.BoolVar(&clientCfg.Unidirectional, "unidirectional", true, "No repesponse from server is expected")
 }
@@ -41,6 +44,12 @@ func main() {
 cancel()
 }()
 log.V(1).Infof("Starting telemetry publish client")
+
+ if !tlsDisable {
+ clientCfg.TLS = &tlsCfg
+ log.V(1).Infof("TLS enable")
+ }
+
 err := dc.DialOutRun(ctx, &clientCfg)
 log.V(1).Infof("Exiting telemetry publish client: %v", err)
 log.Flush()
diff --git a/dialout/dialout_server_cli/dialout_server_cli.go b/dialout/dialout_server_cli/dialout_server_cli.go
index 02b9cee06..6b4c343d2 100644
--- a/dialout/dialout_server_cli/dialout_server_cli.go
+++ b/dialout/dialout_server_cli/dialout_server_cli.go
@@ -11,7 +11,6 @@ import (
 "google.golang.org/grpc/credentials"
 
 ds "github.com/Azure/sonic-telemetry/dialout/dialout_server"
- testcert "github.com/Azure/sonic-telemetry/testdata/tls"
 )
 
 var (
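Review bot: The new `if !tlsDisable` block in main logs only the secure case, so a process started with `-tls_disable` leaves no trace in its logs that telemetry is leaving in cleartext, and `-insecure`/`-server_name` are then silently ignored rather than rejected. Add an else branch that says so at default verbosity, `} else { log.Warningf("TLS disabled by -tls_disable; telemetry is sent in cleartext") }`, and consider `log.Exit` when `-tls_disable` is combined with `-insecure` or `-server_name`, since the operator has asked for two contradictory things. The positive-case message should read `"TLS enabled"`. main starts before the hunk and continues after it.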
@@ -21,6 +20,7 @@ var (
 serverCert = flag.String("server_crt", "", "TLS server certificate")
 serverKey = flag.String("server_key", "", "TLS server private key")
 insecure = flag.Bool("insecure", false, "Skip providing TLS cert and key, for testing only!")
+ tls_disable = flag.Bool("tls_disable", false, "Without TLS, for testing only!")
 allowNoClientCert = flag.Bool("allow_no_client_auth", false, "When set, telemetry server will request but not require a client certificate.")
 )
 
@@ -35,12 +35,8 @@ func main() {
 var certificate tls.Certificate
 var err error
 
- if *insecure {
- certificate, err = testcert.NewCert()
- if err != nil {
- log.Exitf("could not load server key pair: %s", err)
- }
- } else {
+ var opts []grpc.ServerOption
+ if !*insecure {
 switch {
 case *serverCert == "":
 log.Errorf("serverCert must be set.")
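Review bot: The new variable `tls_disable` uses an underscore, which Go naming avoids; the client CLI in the same change spells it `tlsDisable`, so `tlsDisable = flag.Bool("tls_disable", false, ...)` keeps the flag name and fixes the identifier. Its help text should also say what the flag actually does to traffic, e.g. `"Serve gRPC without TLS (cleartext), for testing only!"`, so an operator reading `-help` sees the consequence rather than just the mechanism.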
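Review bot: The rewritten `if !*insecure` branch changes what `-insecure` means without changing its help text: before, it loaded a generated test certificate and still served TLS; now it leaves `opts` nil, so the server comes up as plaintext gRPC, while the flag still advertises itself as "Skip providing TLS cert and key". Meanwhile the freshly added `tls_disable` flag is not referenced anywhere in the visible hunks, which suggests the branch was meant to read `if !*tls_disable {` (or the two flags were meant to be merged); if it is used elsewhere in the file, the help text of `-insecure` should at least be updated to say the server runs in cleartext. Either way the plaintext path deserves a `log.Warningf` at default verbosity so it cannot be enabled silently. main continues outside the hunk.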
@@ -53,32 +49,33 @@ func main() {
 if err != nil {
 log.Exitf("could not load server key pair: %s", err)
 }
- }
 
- tlsCfg := &tls.Config{
- ClientAuth: tls.RequireAndVerifyClientCert,
- Certificates: []tls.Certificate{certificate},
- }
- if *allowNoClientCert {
- // RequestClientCert will ask client for a certificate but won't
- // require it to proceed. If certificate is provided, it will be
- // verified.
- tlsCfg.ClientAuth = tls.RequestClientCert
- }
+ tlsCfg := &tls.Config{
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ Certificates: []tls.Certificate{certificate},
+ }
 
- if *caCert != "" {
- ca, err := ioutil.ReadFile(*caCert)
- if err != nil {
- log.Exitf("could not read CA certificate: %s", err)
+ if *allowNoClientCert {
+ // RequestClientCert will ask client for a certificate but won't
+ // require it to proceed. If certificate is provided, it will be
+ // verified.
+ tlsCfg.ClientAuth = tls.RequestClientCert
 }
- certPool := x509.NewCertPool()
- if ok := certPool.AppendCertsFromPEM(ca); !ok {
- log.Exit("failed to append CA certificate")
+
+ if *caCert != "" {
+ ca, err := ioutil.ReadFile(*caCert)
+ if err != nil {
+ log.Exitf("could not read CA certificate: %s", err)
+ }
+ certPool := x509.NewCertPool()
+ if ok := certPool.AppendCertsFromPEM(ca); !ok {
+ log.Exit("failed to append CA certificate")
+ }
+ tlsCfg.ClientCAs = certPool
 }
- tlsCfg.ClientCAs = certPool
+ opts = []grpc.ServerOption{grpc.Creds(credentials.NewTLS(tlsCfg))}
 }
- opts := []grpc.ServerOption{grpc.Creds(credentials.NewTLS(tlsCfg))}
 
 cfg := &ds.Config{}
 cfg.Port = int64(*port)
 s, err := ds.NewServer(cfg, opts)
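Review bot: The comment carried over onto the new `if *allowNoClientCert` block promises that a client certificate, if presented, "will be verified", but `tls.RequestClientCert` does not verify anything — Go's crypto/tls only checks a voluntarily supplied certificate under `tls.VerifyClientCertIfGiven`, so a peer can offer garbage and still be admitted. The one-line fix is `tlsCfg.ClientAuth = tls.VerifyClientCertIfGiven`, with the comment reworded to match ("request but do not require a client certificate; one that is sent must chain to ClientCAs"). Note also that when `-insecure` is set this whole block is skipped and `opts` reaches `ds.NewServer` nil, i.e. a cleartext listener, which is worth a `log.Warningf` at default verbosity. main starts before the hunk and continues after it.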