Allow proxy agent to connect to non local server.

cheftako · cheftako · commit 1e5f50285248 · 2019-05-15T14:17:31.000-07:00
Added configuration for where the proxy server is.
Also improvend cert related errors for easier debug.
diff --git a/Makefile b/Makefile
@@ -63,8 +63,10 @@ cfssljson:
 	chmod +x cfssljson
 
 certs: easy-rsa-master cfssl cfssljson
+	# set up easy-rsa
 	cp -rf easy-rsa-master/easyrsa3 easy-rsa-master/master
 	cp -rf easy-rsa-master/easyrsa3 easy-rsa-master/agent
+	# create the client <-> server-proxy connection certs
 	cd easy-rsa-master/master; \
 	./easyrsa init-pki; \
 	./easyrsa --batch "--req-cn=127.0.0.1@$(date +%s)" build-ca nopass; \
@@ -76,6 +78,7 @@ certs: easy-rsa-master cfssl cfssljson
 	cp -r easy-rsa-master/master/pki/private certs/master
 	cp -r easy-rsa-master/master/pki/issued certs/master
 	cp easy-rsa-master/master/pki/ca.crt certs/master/issued
+	# create the agent <-> server-proxy connection certs
 	cd easy-rsa-master/agent; \
 	./easyrsa init-pki; \
 	./easyrsa --batch "--req-cn=127.0.0.1@$(date +%s)" build-ca nopass; \
diff --git a/cmd/agent/main.go b/cmd/agent/main.go
@@ -55,47 +55,59 @@ func main() {
 }
 
 type GrpcProxyAgentOptions struct {
+	// Configuration for authenticating with the proxy-server
 	agentCert string
 	agentKey  string
 	caCert    string
+
+	// Configuration for connecting to the proxy-server
+	proxyServerHost string
+	proxyServerPort int
 }
 
 func (o *GrpcProxyAgentOptions) Flags() *pflag.FlagSet {
 	flags := pflag.NewFlagSet("proxy-agent", pflag.ContinueOnError)
 	flags.StringVar(&o.agentCert, "agentCert", o.agentCert, "If non-empty secure communication with this cert.")
 	flags.StringVar(&o.agentKey, "agentKey", o.agentKey, "If non-empty secure communication with this key.")
 	flags.StringVar(&o.caCert, "caCert", o.caCert, "If non-empty the CAs we use to validate clients.")
+	flags.StringVar(&o.proxyServerHost, "proxyServerHost", o.proxyServerHost, "The hostname to use to connect to the proxy-server.")
+	flags.IntVar(&o.proxyServerPort, "proxyServerPort", o.proxyServerPort, "The port the proxy server is listening on.")
 	return flags
 }
 
 func (o *GrpcProxyAgentOptions) Print() {
 	klog.Warningf("AgentCert set to \"%s\".\n", o.agentCert)
 	klog.Warningf("AgentKey set to \"%s\".\n", o.agentKey)
 	klog.Warningf("CACert set to \"%s\".\n", o.caCert)
+	klog.Warningf("ProxyServerHost set to \"%s\".\n", o.proxyServerHost)
+	klog.Warningf("ProxyServerPort set to %d.\n", o.proxyServerPort)
 }
 
 func (o *GrpcProxyAgentOptions) Validate() error {
 	if o.agentKey != "" {
 		if _, err := os.Stat(o.agentKey); os.IsNotExist(err) {
-			return err
+			return fmt.Errorf("error checking agent key %s, got %v", o.agentKey, err)
 		}
 		if o.agentCert == "" {
 			return fmt.Errorf("cannot have agent cert empty when agent key is set to \"%s\"", o.agentKey)
 		}
 	}
 	if o.agentCert != "" {
 		if _, err := os.Stat(o.agentCert); os.IsNotExist(err) {
-			return err
+			return fmt.Errorf("error checking agent cert %s, got %v", o.agentCert, err)
 		}
 		if o.agentKey == "" {
 			return fmt.Errorf("cannot have agent key empty when agent cert is set to \"%s\"", o.agentCert)
 		}
 	}
 	if o.caCert != "" {
 		if _, err := os.Stat(o.caCert); os.IsNotExist(err) {
-			return err
+			return fmt.Errorf("error checking agent CA cert %s, got %v", o.caCert, err)
 		}
 	}
+	if o.proxyServerPort <= 0 {
+		return fmt.Errorf("proxy server port %d must be greater than 0", o.proxyServerPort)
+	}
 	return nil
 }
 
@@ -104,6 +116,8 @@ func newGrpcProxyAgentOptions() *GrpcProxyAgentOptions {
 		agentCert: "",
 		agentKey:  "",
 		caCert:    "",
+		proxyServerHost: "127.0.0.1",
+		proxyServerPort: 8091,
 	}
 	return &o
 }
@@ -126,15 +140,15 @@ type Agent struct {
 func (a *Agent) run(o *GrpcProxyAgentOptions) error {
 	o.Print()
 	if err := o.Validate(); err != nil {
-		return err
+		return fmt.Errorf("failed to validate agent options with %v", err)
 	}
 
 	if err := a.runProxyConnection(o); err != nil {
-		return err
+		return fmt.Errorf("failed to run proxy connection with %v", err)
 	}
 
 	if err := a.runAdminServer(o); err != nil {
-		return err
+		return fmt.Errorf("failed to run admin server with %v", err)
 	}
 
 	stopCh := make(chan struct{})
@@ -146,28 +160,28 @@ func (a *Agent) run(o *GrpcProxyAgentOptions) error {
 func (p *Agent) runProxyConnection(o *GrpcProxyAgentOptions) error {
 	agentCert, err := tls.LoadX509KeyPair(o.agentCert, o.agentKey)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to load X509 key pair %s and %s: %v", o.agentCert, o.agentKey, err)
 	}
 	certPool := x509.NewCertPool()
 	caCert, err := ioutil.ReadFile(o.caCert)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to read agent CA cert %s: %v", o.caCert, err)
 	}
 	ok := certPool.AppendCertsFromPEM(caCert)
 	if !ok {
 		return fmt.Errorf("failed to append CA cert to the cert pool")
 	}
 
 	transportCreds := credentials.NewTLS(&tls.Config{
-		ServerName:   "127.0.0.1",
+		ServerName:   o.proxyServerHost,
 		Certificates: []tls.Certificate{agentCert},
 		RootCAs:      certPool,
 	})
 	dialOption := grpc.WithTransportCredentials(transportCreds)
-	client := agentclient.NewAgentClient("localhost:8091")
+	client := agentclient.NewAgentClient(fmt.Sprintf("%s:%d", o.proxyServerHost, o.proxyServerPort))
 
 	if err := client.Connect(dialOption); err != nil {
-		return err
+		return fmt.Errorf("failed to connect to proxy-server: %v", err)
 	}
 
 	stopCh := make(chan struct{})
diff --git a/cmd/proxy/main.go b/cmd/proxy/main.go
@@ -107,44 +107,44 @@ func (o *ProxyRunOptions) Print() {
 func (o *ProxyRunOptions) Validate() error {
 	if o.serverKey != "" {
 		if _, err := os.Stat(o.serverKey); os.IsNotExist(err) {
-			return err
+			return fmt.Errorf("error checking server key %s, got %v", o.serverKey, err)
 		}
 		if o.serverCert == "" {
 			return fmt.Errorf("cannot have server cert empty when server key is set to %q", o.serverKey)
 		}
 	}
 	if o.serverCert != "" {
 		if _, err := os.Stat(o.serverCert); os.IsNotExist(err) {
-			return err
+			return fmt.Errorf("error checking server cert %s, got %v", o.serverCert, err)
 		}
 		if o.serverKey == "" {
 			return fmt.Errorf("cannot have server key empty when server cert is set to %q", o.serverCert)
 		}
 	}
 	if o.serverCaCert != "" {
 		if _, err := os.Stat(o.serverCaCert); os.IsNotExist(err) {
-			return err
+			return fmt.Errorf("error checking server CA cert %s, got %v", o.serverCaCert, err)
 		}
 	}
 	if o.clusterKey != "" {
 		if _, err := os.Stat(o.clusterKey); os.IsNotExist(err) {
-			return err
+			return fmt.Errorf("error checking cluster key %s, got %v", o.clusterKey, err)
 		}
 		if o.clusterCert == "" {
 			return fmt.Errorf("cannot have cluster cert empty when cluster key is set to %q", o.clusterKey)
 		}
 	}
 	if o.clusterCert != "" {
 		if _, err := os.Stat(o.clusterCert); os.IsNotExist(err) {
-			return err
+			return fmt.Errorf("error checking cluster cert %s, got %v", o.clusterCert, err)
 		}
 		if o.clusterKey == "" {
 			return fmt.Errorf("cannot have cluster key empty when cluster cert is set to %q", o.clusterCert)
 		}
 	}
 	if o.clusterCaCert != "" {
 		if _, err := os.Stat(o.clusterCaCert); os.IsNotExist(err) {
-			return err
+			return fmt.Errorf("error checking cluster CA cert %s, got %v", o.clusterCaCert, err)
 		}
 	}
 	if o.mode != "grpc" && o.mode != "http-connect" {
@@ -205,26 +205,26 @@ type Proxy struct {
 func (p *Proxy) run(o *ProxyRunOptions) error {
 	o.Print()
 	if err := o.Validate(); err != nil {
-		return err
+		return fmt.Errorf("failed to validate server options with %v", err)
 	}
 	server := agentserver.NewProxyServer()
 
 	klog.Info("Starting master server for client connections.")
 	err := p.runMasterServer(o, server)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to run the master server: %v", err)
 	}
 
 	klog.Info("Starting agent server for tunnel connections.")
 	err = p.runAgentServer(o, server)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to run the agent server: %v", err)
 	}
 
 	klog.Info("Starting admin server for debug connections.")
 	err = p.runAdminServer(o, server)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to run the admin server: %v", err)
 	}
 
 	stopCh := make(chan struct{})
@@ -236,12 +236,12 @@ func (p *Proxy) run(o *ProxyRunOptions) error {
 func (p *Proxy) runMasterServer(o *ProxyRunOptions, server *agentserver.ProxyServer) error {
 	proxyCert, err := tls.LoadX509KeyPair(o.serverCert, o.serverKey)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to load X509 key pair %s and %s: %v", o.serverCert, o.serverKey, err)
 	}
 	certPool := x509.NewCertPool()
 	caCert, err := ioutil.ReadFile(o.serverCaCert)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to read server CA cert %s: %v", o.serverCaCert, err)
 	}
 	ok := certPool.AppendCertsFromPEM(caCert)
 	if !ok {
@@ -261,7 +261,7 @@ func (p *Proxy) runMasterServer(o *ProxyRunOptions, server *agentserver.ProxySer
 		agent.RegisterProxyServiceServer(grpcServer, server)
 		lis, err := net.Listen("tcp", addr)
 		if err != nil {
-			return err
+			return fmt.Errorf("failed to listen on %s: %v", addr, err)
 		}
 		go grpcServer.Serve(lis)
 	} else {
@@ -288,12 +288,12 @@ func (p *Proxy) runMasterServer(o *ProxyRunOptions, server *agentserver.ProxySer
 func (p *Proxy) runAgentServer(o *ProxyRunOptions, server *agentserver.ProxyServer) error {
 	clusterCert, err := tls.LoadX509KeyPair(o.clusterCert, o.clusterKey)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to load X509 key pair %s and %s: %v", o.clusterCert, o.clusterKey, err)
 	}
 	certPool := x509.NewCertPool()
 	caCert, err := ioutil.ReadFile(o.clusterCaCert)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to read cluster CA cert %s: %v", o.clusterCaCert, err)
 	}
 	ok := certPool.AppendCertsFromPEM(caCert)
 	if !ok {
@@ -311,7 +311,7 @@ func (p *Proxy) runAgentServer(o *ProxyRunOptions, server *agentserver.ProxyServ
 	agent.RegisterAgentServiceServer(grpcServer, server)
 	lis, err := net.Listen("tcp", addr)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to listen on %s: %v", addr, err)
 	}
 	go grpcServer.Serve(lis)
 

Original file line number	Diff line number	Diff line change
`@@ -55,47 +55,59 @@ func main() {`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`type GrpcProxyAgentOptions struct {`
	`58`	`+ // Configuration for authenticating with the proxy-server`
`58`	`59`	`agentCert string`
`59`	`60`	`agentKey string`
`60`	`61`	`caCert string`
	`62`	`+`
	`63`	`+ // Configuration for connecting to the proxy-server`
	`64`	`+ proxyServerHost string`
	`65`	`+ proxyServerPort int`
`61`	`66`	`}`
`62`	`67`
`63`	`68`	`func (o GrpcProxyAgentOptions) Flags() pflag.FlagSet {`
`64`	`69`	`flags := pflag.NewFlagSet("proxy-agent", pflag.ContinueOnError)`
`65`	`70`	`flags.StringVar(&o.agentCert, "agentCert", o.agentCert, "If non-empty secure communication with this cert.")`
`66`	`71`	`flags.StringVar(&o.agentKey, "agentKey", o.agentKey, "If non-empty secure communication with this key.")`
`67`	`72`	`flags.StringVar(&o.caCert, "caCert", o.caCert, "If non-empty the CAs we use to validate clients.")`
	`73`	`+ flags.StringVar(&o.proxyServerHost, "proxyServerHost", o.proxyServerHost, "The hostname to use to connect to the proxy-server.")`
	`74`	`+ flags.IntVar(&o.proxyServerPort, "proxyServerPort", o.proxyServerPort, "The port the proxy server is listening on.")`
`68`	`75`	`return flags`
`69`	`76`	`}`
`70`	`77`
`71`	`78`	`func (o *GrpcProxyAgentOptions) Print() {`
`72`	`79`	`klog.Warningf("AgentCert set to \"%s\".\n", o.agentCert)`
`73`	`80`	`klog.Warningf("AgentKey set to \"%s\".\n", o.agentKey)`
`74`	`81`	`klog.Warningf("CACert set to \"%s\".\n", o.caCert)`
	`82`	`+ klog.Warningf("ProxyServerHost set to \"%s\".\n", o.proxyServerHost)`
	`83`	`+ klog.Warningf("ProxyServerPort set to %d.\n", o.proxyServerPort)`
`75`	`84`	`}`
`76`	`85`
`77`	`86`	`func (o *GrpcProxyAgentOptions) Validate() error {`
`78`	`87`	`if o.agentKey != "" {`
`79`	`88`	`if _, err := os.Stat(o.agentKey); os.IsNotExist(err) {`
`80`		`- return err`
	`89`	`+ return fmt.Errorf("error checking agent key %s, got %v", o.agentKey, err)`
`81`	`90`	`}`
`82`	`91`	`if o.agentCert == "" {`
`83`	`92`	`return fmt.Errorf("cannot have agent cert empty when agent key is set to \"%s\"", o.agentKey)`
`84`	`93`	`}`
`85`	`94`	`}`
`86`	`95`	`if o.agentCert != "" {`
`87`	`96`	`if _, err := os.Stat(o.agentCert); os.IsNotExist(err) {`
`88`		`- return err`
	`97`	`+ return fmt.Errorf("error checking agent cert %s, got %v", o.agentCert, err)`
`89`	`98`	`}`
`90`	`99`	`if o.agentKey == "" {`
`91`	`100`	`return fmt.Errorf("cannot have agent key empty when agent cert is set to \"%s\"", o.agentCert)`
`92`	`101`	`}`
`93`	`102`	`}`
`94`	`103`	`if o.caCert != "" {`
`95`	`104`	`if _, err := os.Stat(o.caCert); os.IsNotExist(err) {`
`96`		`- return err`
	`105`	`+ return fmt.Errorf("error checking agent CA cert %s, got %v", o.caCert, err)`
`97`	`106`	`}`
`98`	`107`	`}`
	`108`	`+ if o.proxyServerPort <= 0 {`
	`109`	`+ return fmt.Errorf("proxy server port %d must be greater than 0", o.proxyServerPort)`
	`110`	`+ }`
`99`	`111`	`return nil`
`100`	`112`	`}`
`101`	`113`
`@@ -104,6 +116,8 @@ func newGrpcProxyAgentOptions() *GrpcProxyAgentOptions {`
`104`	`116`	`agentCert: "",`
`105`	`117`	`agentKey: "",`
`106`	`118`	`caCert: "",`
	`119`	`+ proxyServerHost: "127.0.0.1",`
	`120`	`+ proxyServerPort: 8091,`
`107`	`121`	`}`
`108`	`122`	`return &o`
`109`	`123`	`}`
`@@ -126,15 +140,15 @@ type Agent struct {`
`126`	`140`	`func (a Agent) run(o GrpcProxyAgentOptions) error {`
`127`	`141`	`o.Print()`
`128`	`142`	`if err := o.Validate(); err != nil {`
`129`		`- return err`
	`143`	`+ return fmt.Errorf("failed to validate agent options with %v", err)`
`130`	`144`	`}`
`131`	`145`
`132`	`146`	`if err := a.runProxyConnection(o); err != nil {`
`133`		`- return err`
	`147`	`+ return fmt.Errorf("failed to run proxy connection with %v", err)`
`134`	`148`	`}`
`135`	`149`
`136`	`150`	`if err := a.runAdminServer(o); err != nil {`
`137`		`- return err`
	`151`	`+ return fmt.Errorf("failed to run admin server with %v", err)`
`138`	`152`	`}`
`139`	`153`
`140`	`154`	`stopCh := make(chan struct{})`
`@@ -146,28 +160,28 @@ func (a Agent) run(o GrpcProxyAgentOptions) error {`
`146`	`160`	`func (p Agent) runProxyConnection(o GrpcProxyAgentOptions) error {`
`147`	`161`	`agentCert, err := tls.LoadX509KeyPair(o.agentCert, o.agentKey)`
`148`	`162`	`if err != nil {`
`149`		`- return err`
	`163`	`+ return fmt.Errorf("failed to load X509 key pair %s and %s: %v", o.agentCert, o.agentKey, err)`
`150`	`164`	`}`
`151`	`165`	`certPool := x509.NewCertPool()`
`152`	`166`	`caCert, err := ioutil.ReadFile(o.caCert)`
`153`	`167`	`if err != nil {`
`154`		`- return err`
	`168`	`+ return fmt.Errorf("failed to read agent CA cert %s: %v", o.caCert, err)`
`155`	`169`	`}`
`156`	`170`	`ok := certPool.AppendCertsFromPEM(caCert)`
`157`	`171`	`if !ok {`
`158`	`172`	`return fmt.Errorf("failed to append CA cert to the cert pool")`
`159`	`173`	`}`
`160`	`174`
`161`	`175`	`transportCreds := credentials.NewTLS(&tls.Config{`
`162`		`- ServerName: "127.0.0.1",`
	`176`	`+ ServerName: o.proxyServerHost,`
`163`	`177`	`Certificates: []tls.Certificate{agentCert},`
`164`	`178`	`RootCAs: certPool,`
`165`	`179`	`})`
`166`	`180`	`dialOption := grpc.WithTransportCredentials(transportCreds)`
`167`		`- client := agentclient.NewAgentClient("localhost:8091")`
	`181`	`+ client := agentclient.NewAgentClient(fmt.Sprintf("%s:%d", o.proxyServerHost, o.proxyServerPort))`
`168`	`182`
`169`	`183`	`if err := client.Connect(dialOption); err != nil {`
`170`		`- return err`
	`184`	`+ return fmt.Errorf("failed to connect to proxy-server: %v", err)`
`171`	`185`	`}`
`172`	`186`
`173`	`187`	`stopCh := make(chan struct{})`
Original file line number	Diff line number	Diff line change
`@@ -107,44 +107,44 @@ func (o *ProxyRunOptions) Print() {`
`107`	`107`	`func (o *ProxyRunOptions) Validate() error {`
`108`	`108`	`if o.serverKey != "" {`
`109`	`109`	`if _, err := os.Stat(o.serverKey); os.IsNotExist(err) {`
`110`		`- return err`
	`110`	`+ return fmt.Errorf("error checking server key %s, got %v", o.serverKey, err)`
`111`	`111`	`}`
`112`	`112`	`if o.serverCert == "" {`
`113`	`113`	`return fmt.Errorf("cannot have server cert empty when server key is set to %q", o.serverKey)`
`114`	`114`	`}`
`115`	`115`	`}`
`116`	`116`	`if o.serverCert != "" {`
`117`	`117`	`if _, err := os.Stat(o.serverCert); os.IsNotExist(err) {`
`118`		`- return err`
	`118`	`+ return fmt.Errorf("error checking server cert %s, got %v", o.serverCert, err)`
`119`	`119`	`}`
`120`	`120`	`if o.serverKey == "" {`
`121`	`121`	`return fmt.Errorf("cannot have server key empty when server cert is set to %q", o.serverCert)`
`122`	`122`	`}`
`123`	`123`	`}`
`124`	`124`	`if o.serverCaCert != "" {`
`125`	`125`	`if _, err := os.Stat(o.serverCaCert); os.IsNotExist(err) {`
`126`		`- return err`
	`126`	`+ return fmt.Errorf("error checking server CA cert %s, got %v", o.serverCaCert, err)`
`127`	`127`	`}`
`128`	`128`	`}`
`129`	`129`	`if o.clusterKey != "" {`
`130`	`130`	`if _, err := os.Stat(o.clusterKey); os.IsNotExist(err) {`
`131`		`- return err`
	`131`	`+ return fmt.Errorf("error checking cluster key %s, got %v", o.clusterKey, err)`
`132`	`132`	`}`
`133`	`133`	`if o.clusterCert == "" {`
`134`	`134`	`return fmt.Errorf("cannot have cluster cert empty when cluster key is set to %q", o.clusterKey)`
`135`	`135`	`}`
`136`	`136`	`}`
`137`	`137`	`if o.clusterCert != "" {`
`138`	`138`	`if _, err := os.Stat(o.clusterCert); os.IsNotExist(err) {`
`139`		`- return err`
	`139`	`+ return fmt.Errorf("error checking cluster cert %s, got %v", o.clusterCert, err)`
`140`	`140`	`}`
`141`	`141`	`if o.clusterKey == "" {`
`142`	`142`	`return fmt.Errorf("cannot have cluster key empty when cluster cert is set to %q", o.clusterCert)`
`143`	`143`	`}`
`144`	`144`	`}`
`145`	`145`	`if o.clusterCaCert != "" {`
`146`	`146`	`if _, err := os.Stat(o.clusterCaCert); os.IsNotExist(err) {`
`147`		`- return err`
	`147`	`+ return fmt.Errorf("error checking cluster CA cert %s, got %v", o.clusterCaCert, err)`
`148`	`148`	`}`
`149`	`149`	`}`
`150`	`150`	`if o.mode != "grpc" && o.mode != "http-connect" {`
`@@ -205,26 +205,26 @@ type Proxy struct {`
`205`	`205`	`func (p Proxy) run(o ProxyRunOptions) error {`
`206`	`206`	`o.Print()`
`207`	`207`	`if err := o.Validate(); err != nil {`
`208`		`- return err`
	`208`	`+ return fmt.Errorf("failed to validate server options with %v", err)`
`209`	`209`	`}`
`210`	`210`	`server := agentserver.NewProxyServer()`
`211`	`211`
`212`	`212`	`klog.Info("Starting master server for client connections.")`
`213`	`213`	`err := p.runMasterServer(o, server)`
`214`	`214`	`if err != nil {`
`215`		`- return err`
	`215`	`+ return fmt.Errorf("failed to run the master server: %v", err)`
`216`	`216`	`}`
`217`	`217`
`218`	`218`	`klog.Info("Starting agent server for tunnel connections.")`
`219`	`219`	`err = p.runAgentServer(o, server)`
`220`	`220`	`if err != nil {`
`221`		`- return err`
	`221`	`+ return fmt.Errorf("failed to run the agent server: %v", err)`
`222`	`222`	`}`
`223`	`223`
`224`	`224`	`klog.Info("Starting admin server for debug connections.")`
`225`	`225`	`err = p.runAdminServer(o, server)`
`226`	`226`	`if err != nil {`
`227`		`- return err`
	`227`	`+ return fmt.Errorf("failed to run the admin server: %v", err)`
`228`	`228`	`}`
`229`	`229`
`230`	`230`	`stopCh := make(chan struct{})`
`@@ -236,12 +236,12 @@ func (p Proxy) run(o ProxyRunOptions) error {`
`236`	`236`	`func (p Proxy) runMasterServer(o ProxyRunOptions, server *agentserver.ProxyServer) error {`
`237`	`237`	`proxyCert, err := tls.LoadX509KeyPair(o.serverCert, o.serverKey)`
`238`	`238`	`if err != nil {`
`239`		`- return err`
	`239`	`+ return fmt.Errorf("failed to load X509 key pair %s and %s: %v", o.serverCert, o.serverKey, err)`
`240`	`240`	`}`
`241`	`241`	`certPool := x509.NewCertPool()`
`242`	`242`	`caCert, err := ioutil.ReadFile(o.serverCaCert)`
`243`	`243`	`if err != nil {`
`244`		`- return err`
	`244`	`+ return fmt.Errorf("failed to read server CA cert %s: %v", o.serverCaCert, err)`
`245`	`245`	`}`
`246`	`246`	`ok := certPool.AppendCertsFromPEM(caCert)`
`247`	`247`	`if !ok {`
`@@ -261,7 +261,7 @@ func (p Proxy) runMasterServer(o ProxyRunOptions, server *agentserver.ProxySer`
`261`	`261`	`agent.RegisterProxyServiceServer(grpcServer, server)`
`262`	`262`	`lis, err := net.Listen("tcp", addr)`
`263`	`263`	`if err != nil {`
`264`		`- return err`
	`264`	`+ return fmt.Errorf("failed to listen on %s: %v", addr, err)`
`265`	`265`	`}`
`266`	`266`	`go grpcServer.Serve(lis)`
`267`	`267`	`} else {`
`@@ -288,12 +288,12 @@ func (p Proxy) runMasterServer(o ProxyRunOptions, server *agentserver.ProxySer`
`288`	`288`	`func (p Proxy) runAgentServer(o ProxyRunOptions, server *agentserver.ProxyServer) error {`
`289`	`289`	`clusterCert, err := tls.LoadX509KeyPair(o.clusterCert, o.clusterKey)`
`290`	`290`	`if err != nil {`
`291`		`- return err`
	`291`	`+ return fmt.Errorf("failed to load X509 key pair %s and %s: %v", o.clusterCert, o.clusterKey, err)`
`292`	`292`	`}`
`293`	`293`	`certPool := x509.NewCertPool()`
`294`	`294`	`caCert, err := ioutil.ReadFile(o.clusterCaCert)`
`295`	`295`	`if err != nil {`
`296`		`- return err`
	`296`	`+ return fmt.Errorf("failed to read cluster CA cert %s: %v", o.clusterCaCert, err)`
`297`	`297`	`}`
`298`	`298`	`ok := certPool.AppendCertsFromPEM(caCert)`
`299`	`299`	`if !ok {`
`@@ -311,7 +311,7 @@ func (p Proxy) runAgentServer(o ProxyRunOptions, server *agentserver.ProxyServ`
`311`	`311`	`agent.RegisterAgentServiceServer(grpcServer, server)`
`312`	`312`	`lis, err := net.Listen("tcp", addr)`
`313`	`313`	`if err != nil {`
`314`		`- return err`
	`314`	`+ return fmt.Errorf("failed to listen on %s: %v", addr, err)`
`315`	`315`	`}`
`316`	`316`	`go grpcServer.Serve(lis)`
`317`	`317`