Implement mutual TLS authentication

Add a pair of flags tls_client_certificate / tls_client_key to specify a
certificate and corresponding key, which allow Bazel to authenticate itself
over TLS to a remote cache or remote executor.

Before this change, Bazel only supported Google Cloud authentication, which
requires an open network connection to Google Cloud on the client as well as
on the server.

I have heard from one user that they are tunneling their traffic over a VPN
and then performing no client authentication in their remote caching system. I
heard from another user that they have locally patched Bazel to enable mTLS
(but have not upstreamed the patch). Finally, there is also a pending
feature request.

Compared to other authentication mechanisms, mTLS is already supported by
gRPC out of the box.

I added test coverage by also adding a --tls_ca_certificate to the local
remote worker, and updating the existing TLS test to also run with an mTLS
configuration.

I had to generate a new CA cert/key pair in order to sign a new client
certificate (and also re-generate the server cert/key pair); these are
checked in as testdata. Note that the generator script given there already
supports generating both server and client cert/key pairs, so no change to
the documentation was necessary.

Fixes #10735.

Change-Id: I8c9fdab11d172a4cc8a2b80de43faa48086cc893

Closes #11030.

Change-Id: I8c9fdab11d172a4cc8a2b80de43faa48086cc893
NOKEYCHECK=True
PiperOrigin-RevId: 304041337
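The mutual authentication this change enables, as an added Go example that is not part of the change or of Bazel: an in-memory CA issues one server certificate and one client certificate; the server requires a client chain to that CA (the role the remote worker's --tls_ca_certificate plays); and three connections are attempted, one with the CA-signed client certificate (the pair Bazel would be given as --tls_client_certificate / --tls_client_key), one with no client certificate, and one with a certificate from an unrelated CA. The handshake runs over Go's crypto/tls on a loopback socket rather than over gRPC, and the names example-ca, cache.example, bazel-client, unrelated-ca and rogue-client, as well as the functions newIdentity, connect and RunScenarios, are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

// newIdentity returns a certificate with its private key, the pair a user hands
// to Bazel as --tls_client_certificate / --tls_client_key or installs on the
// server. A zero issuer yields a self-signed CA, otherwise a leaf for name signed
// by issuer and limited to eku. Generated in memory for this example only.
func newIdentity(name string, issuer tls.Certificate, eku x509.ExtKeyUsage) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // error ignored: crypto/rand does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	parent, signer := tmpl, any(key) // self-signed unless an issuer is given
	if issuer.Leaf == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku} // server-only or client-only leaf
		tmpl.DNSNames = []string{name}
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// connect runs one handshake over loopback TCP and reads one message; nil means both sides accepted each other.
func connect(serverCfg, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			srv := tls.Server(raw, serverCfg)
			if err = srv.Handshake(); err == nil { // fails on a missing or untrusted client cert
				_, err = srv.Write([]byte("ok"))
			}
		}
		srvErr <- err
	}()
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second)) // never hang the example
	if _, err := io.ReadFull(tls.Client(raw, clientCfg), make([]byte, 2)); err != nil { // Read runs the handshake
		return err
	}
	return <-srvErr
}

// RunScenarios returns each scenario's connection result (nil means accepted).
func RunScenarios() map[string]error {
	ca := newIdentity("example-ca", tls.Certificate{}, 0)
	server := newIdentity("cache.example", ca, x509.ExtKeyUsageServerAuth)
	client := newIdentity("bazel-client", ca, x509.ExtKeyUsageClientAuth)
	rogue := newIdentity("rogue-client", newIdentity("unrelated-ca", tls.Certificate{}, 0), x509.ExtKeyUsageClientAuth)
	trusted := x509.NewCertPool() // the worker's --tls_ca_certificate, held in memory
	trusted.AddCert(ca.Leaf)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // a chain to trusted is mandatory
		ClientCAs:    trusted,
	}
	clientCfg := func(certs ...tls.Certificate) *tls.Config { // certs: what Bazel would present
		return &tls.Config{RootCAs: trusted, ServerName: "cache.example", Certificates: certs}
	}
	return map[string]error{
		"client cert signed by trusted CA": connect(serverCfg, clientCfg(client)),
		"no client cert":                   connect(serverCfg, clientCfg()),
		"client cert from unrelated CA":    connect(serverCfg, clientCfg(rogue)),
	}
}
```

Only the first connection is accepted; the other two fail during the handshake, although the exact error text depends on which side notices first (with the unrelated CA, Go's client does not even offer its certificate, because the server's acceptable-CA list does not match the issuer, so the server sees an empty certificate message). The same trusted pool serves as RootCAs on the client side, so the client in turn rejects a cache whose certificate does not chain to that CA.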
11 files changed
tree: 0859fd7922f3e446bbc1588ddd165b53577d8055
README.md

Bazel

{Fast, Correct} - Choose two

Build and test software of any size, quickly and reliably.

  • Speed up your builds and tests: Bazel rebuilds only what is necessary. With advanced local and distributed caching, optimized dependency analysis and parallel execution, you get fast and incremental builds.

  • One tool, multiple languages: Build and test Java, C++, Android, iOS, Go, and a wide variety of other language platforms. Bazel runs on Windows, macOS, and Linux.

  • Scalable: Bazel helps you scale your organization, codebase, and continuous integration solution. It handles codebases of any size, in multiple repositories or a huge monorepo.

  • Extensible to your needs: Easily add support for new languages and platforms with Bazel's familiar extension language. Share and re-use language rules written by the growing Bazel community.

Getting Started

Documentation

Contributing to Bazel

See CONTRIBUTING.md
