rpc: *almost* use tenant client certs (on tenants)

As of this commit, tenants would use their proper tenant client certs if it weren't for a manual override that was added. This override exists because the KV layer can not yet authenticate tenant client certs (this will change soon, in a follow-up to cockroachdb#50503). However, uncommenting both the override and the hack in `pkg/security/securitytest/test_certs/regenerate.sh` to make the tenant client certs match those used by the KV nodes gives early validation that this "will work" once the KV side plays ball. Touches cockroachdb#47898. Release note: None
tbg · Aug 4, 2020 · 98866a4 · 98866a4
1 parent 2566163
commit 98866a4
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 4 deletions.
diff --git a/pkg/rpc/context.go b/pkg/rpc/context.go
@@ -717,13 +717,15 @@ func (ctx *Context) grpcDialOptions(
 	if ctx.Config.Insecure {
 		dialOpts = append(dialOpts, grpc.WithInsecure())
 	} else {
-		// TODO(tbg): complete this logic to use tenant client certs if ctx.tenID is
-		// not the system tenant.
-		const tenant = false
 		var err error
 		var tlsConfig *tls.Config
-		if !tenant {
+		// TODO(tbg): remove this override when the KV layer can authenticate tenant
+		// client certs.
+		const override = true
+		if override || ctx.tenID == roachpb.SystemTenantID {
 			tlsConfig, err = ctx.GetClientTLSConfig()
+		} else {
+			tlsConfig, err = ctx.GetTenantClientTLSConfig()
 		}
 
 		if err != nil {

diff --git a/pkg/rpc/tls.go b/pkg/rpc/tls.go
@@ -146,6 +146,30 @@ func (ctx *SecurityContext) GetClientTLSConfig() (*tls.Config, error) {
 	return tlsCfg, nil
 }
 
+// GetTenantClientTLSConfig returns the client TLS config for the tenant, provided
+// the SecurityContext operates on behalf of a secondary tenant (i.e. not the
+// system tenant).
+//
+// If Insecure is true, return a nil config, otherwise retrieves the client
+// certificate for the configured tenant from the cert manager.
+func (ctx *SecurityContext) GetTenantClientTLSConfig() (*tls.Config, error) {
+	// Early out.
+	if ctx.config.Insecure {
+		return nil, nil
+	}
+
+	cm, err := ctx.GetCertificateManager()
+	if err != nil {
+		return nil, wrapError(err)
+	}
+
+	tlsCfg, err := cm.GetTenantClientTLSConfig()
+	if err != nil {
+		return nil, wrapError(err)
+	}
+	return tlsCfg, nil
+}
+
 // getUIClientTLSConfig returns the client TLS config for Admin UI clients, initializing it if needed.
 // If Insecure is true, return a nil config, otherwise ask the certificate
 // manager for a TLS config configured to talk to the Admin UI.