Improve TLS support #54
Conversation
|
@mreiferson thoughts on this approach? |
|
It's interesting. But in this case, for these options, it's not actually necessary to use the plumbing, right? |
|
We can choose not to export this stuff; I didn't like the code structure of dumping everything in |
|
Validated this works. Thoughts on exposing this api for doing future translations for reader options, or do you want to land this w/o exporting that api? |
|
I agree that the super-long When we had been discussing config hooks a few weeks ago, I really meant it as a notification mechanism, not necessarily as a refactoring of how the |
|
There isn't actually any intimate knowledge of the |
|
Ok, it isn't "intimate". I'm just not sure how this is actually an improvement for this use case. Don't get me wrong, I like the idea of some sort of "notification" when values are changed, but we ended up going in a different direction. Just feels like overkill. More importantly, it's inconsistent with how all the other values are set. If we were to go in this direction they should all follow suit. However, I anticipate that the end result wouldn't really be any cleaner or easier to understand. |
|
per offline conversation. the interface for config handlers was unexported and will be re-exported in a later change that moves struct tag handling to use that interface. 🍔 |
We need to make a few changes to improve go-nsq support for TLS.
The default validation for TLS connections should be set to ServerName, and that should validate the broadcast_address used from lookupd, or the hostname of a direct nsqd connection against the certificate.
We also need to expose options for setting InsecureSkipVerify and the CA root so that they can be accessed via the config
Set(key, value)interface.cc: @mreiferson