tarantool / tarantool / 19548746781

20 Nov 2025 07:21PM UTC coverage: 87.649% (+0.02%) from 87.63%
19548746781

push

github

sergepetrenko
config: introduce an `iproto.ssl` section

This patch introduces a new `iproto.ssl` configuration section that can
be used to configure SSL. Previously, SSL might be configured by
providing `params` section in URIs as mentioned in the documentation
[^1]. The problem is that these URIs have been straightforwardly taken
from the configuration and instances tried to use other instances' SSL
private keys to connect to them for replication and when using some of
the builtin modules such as `experimental.connpool`. The details are
available within #12030.

This fix aims to fix this problem. It introduces a new section `ssl`
that basically contains all the information the instance will use to
auth to other instances when using SSL. It uses the schema that
resembles existing `config.etcd.ssl`. Using this SSL works as intended.
Example of the new config:

```yaml
storage-1:
  iproto:
    listen:
      - uri: localhost:3301
        params:
          transport: 'ssl'
    ssl:
      ca_file: './certs/rootCA.pem'
      ssl_cert: './certs/storage-1-crt.pem'
      ssl_key: './certs/storage-1-key.pem'
storage-2:
  iproto:
    listen:
      - uri: localhost:3302
        params:
          transport: 'ssl'
    ssl:
      ca_file: './certs/rootCA.pem'
      ssl_cert: './certs/storage-2-crt.pem'
      ssl_key: './certs/storage-2-key.pem'
```

This configuration makes `storage-1` use the `storage-1` key/cert to set
the IProto socket up and to connect to `storage-2`. And `storage-2` uses
the `storage-2` key/cert to set its socket and to connect to `storage-1`
as it is expected.

Note that the old `param` section is still available. It will overwrite
less explicit behavior of the `ssl` section in favor of the backward
compatibility. Also, the parameters are not supplied to the connections
not using `ssl` as transport.

Unfortunately, using old `param` section is not alerted yet since using
configuration alert system will be introduced later since it requires
some non-trivial ... (continued)

70145 of 118117 branches covered (59.39%)

105316 of 120157 relevant lines covered (87.65%)

1359078.1 hits per line

Source File

97.28
/src/box/lua/net_box.c

