diff --git a/Documentation/op-guide/configuration.md b/Documentation/op-guide/configuration.md index 7c56fc037..6506e8424 100644 --- a/Documentation/op-guide/configuration.md +++ b/Documentation/op-guide/configuration.md @@ -201,6 +201,11 @@ The security flags help to [build a secure etcd cluster][security]. + default: none + env variable: ETCD_TRUSTED_CA_FILE +### --auto-tls ++ Client TLS using generated certificates ++ default: false ++ env variable: ETCD_AUTO_TLS + ### --peer-ca-file [DEPRECATED] + Path to the peer server TLS CA file. `--peer-ca-file ca.crt` could be replaced by `--peer-trusted-ca-file ca.crt --peer-client-cert-auth` and etcd will perform the same. + default: none @@ -226,6 +231,11 @@ The security flags help to [build a secure etcd cluster][security]. + default: none + env variable: ETCD_PEER_TRUSTED_CA_FILE +### --peer-auto-tls ++ Peer TLS using generated certificates ++ default: false ++ env variable: ETCD_PEER_AUTO_TLS + ## Logging Flags ### --debug diff --git a/etcdmain/config.go b/etcdmain/config.go index e5fdd6ea1..975e35f0f 100644 --- a/etcdmain/config.go +++ b/etcdmain/config.go @@ -112,7 +112,7 @@ type config struct { // security clientTLSInfo, peerTLSInfo transport.TLSInfo - peerAutoTLS bool + clientAutoTLS, peerAutoTLS bool // logging debug bool 
@@ -207,6 +207,7 @@ func NewConfig() *config { fs.StringVar(&cfg.clientTLSInfo.KeyFile, "key-file", "", "Path to the client server TLS key file.") fs.BoolVar(&cfg.clientTLSInfo.ClientCertAuth, "client-cert-auth", false, "Enable client cert authentication.") fs.StringVar(&cfg.clientTLSInfo.TrustedCAFile, "trusted-ca-file", "", "Path to the client server TLS trusted CA key file.") + fs.BoolVar(&cfg.clientAutoTLS, "auto-tls", false, "Client TLS using generated certificates") fs.StringVar(&cfg.peerTLSInfo.CAFile, "peer-ca-file", "", "DEPRECATED: Path to the peer server TLS CA file.") fs.StringVar(&cfg.peerTLSInfo.CertFile, "peer-cert-file", "", "Path to the peer server TLS cert file.") fs.StringVar(&cfg.peerTLSInfo.KeyFile, "peer-key-file", "", "Path to the peer server TLS key file.") diff --git a/etcdmain/etcd.go b/etcdmain/etcd.go index e8d1516b5..5f0eb1211 100644 --- a/etcdmain/etcd.go +++ b/etcdmain/etcd.go @@ -207,7 +207,7 @@ func startEtcd(cfg *config) (<-chan struct{}, error) { for _, u := range cfg.lpurls { phosts = append(phosts, u.Host) } - cfg.peerTLSInfo, err = transport.SelfCert(cfg.dir, phosts) + cfg.peerTLSInfo, err = transport.SelfCert(path.Join(cfg.dir, "fixtures/peer"), phosts) if err != nil { plog.Fatalf("could not get certs (%v)", err) } @@ -218,6 +218,7 @@ func startEtcd(cfg *config) (<-chan struct{}, error) { if !cfg.peerTLSInfo.Empty() { plog.Infof("peerTLS: %s", cfg.peerTLSInfo) } + var plns []net.Listener for _, u := range cfg.lpurls { if u.Scheme == "http" { 
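Review bot: The help text for the new flag, `"Client TLS using generated certificates"`, does not tell an operator what a generated certificate does and does not give them, and it also drops the trailing period that every neighbouring flag description in this hunk carries. Since `transport.SelfCert` presumably produces a self-signed certificate, clients get transport encryption but cannot authenticate the server against a CA they already trust, and the etcd.go hunk at +257 shows the flag is ignored (with only a warning) when explicit client certificates are configured; both facts belong in the help string. I would change the line to `fs.BoolVar(&cfg.clientAutoTLS, "auto-tls", false, "Client TLS using generated certificates (no CA-backed server authentication); ignored when client certificates are configured.")` and mirror that wording in configuration.md for `--auto-tls` and `--peer-auto-tls`. NewConfig continues outside the hunk.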
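Review bot: `path.Join(cfg.dir, "fixtures/peer")` builds a filesystem location with the slash-only `path` package; `cfg.dir` is the on-disk data directory (the removed line passed it straight to SelfCert), so this should be `filepath.Join(cfg.dir, "fixtures", "peer")`, and the same applies to the client branch at +257, `filepath.Join(cfg.dir, "fixtures", "client")` (the file's import block is outside the hunk, so `path/filepath` may need adding). Moving the output from `cfg.dir` to a `fixtures/peer` subdirectory also means a node whose peer certificate was generated by the previous code will, if SelfCert reuses files it finds, be issued a fresh certificate on upgrade, which is worth stating in the commit message if intended. Because that subdirectory now holds the generated private key, it is worth confirming that SelfCert creates it with owner-only permissions rather than inheriting a permissive umask. startEtcd's body continues outside the hunk.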
@@ -256,6 +257,19 @@ func startEtcd(cfg *config) (<-chan struct{}, error) { plns = append(plns, l) } + if cfg.clientAutoTLS && cfg.clientTLSInfo.Empty() { + var chosts []string + for _, u := range cfg.lcurls { + chosts = append(chosts, u.Host) + } + cfg.clientTLSInfo, err = transport.SelfCert(path.Join(cfg.dir, "fixtures/client"), chosts) + if err != nil { + plog.Fatalf("could not get certs (%v)", err) + } + } else if cfg.clientAutoTLS { + plog.Warningf("ignoring client auto TLS since certs given") + } + var ctlscfg *tls.Config if !cfg.clientTLSInfo.Empty() { plog.Infof("clientTLS: %s", cfg.clientTLSInfo) @@ -264,6 +278,7 @@ func startEtcd(cfg *config) (<-chan struct{}, error) { return nil, err } } + sctxs := make(map[string]*serveCtx) for _, u := range cfg.lcurls { if u.Scheme == "http" {
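Review bot: The fatal message in the new client branch, `plog.Fatalf("could not get certs (%v)", err)`, is byte-identical to the one in the peer branch at +210, so a log line from a failed start cannot tell the operator which certificate generation failed; I would write `plog.Fatalf("could not get client certs (%v)", err)` here and name `peer` in the other. The collect-hosts-then-SelfCert sequence now appears twice (peer at +207, client here) and would read better as one small helper taking the URL list and the target directory and returning the TLSInfo and error, which would also make it natural to return the error from startEtcd the way the ctlscfg code just below does with `return nil, err`. The `else if` branch is only reached when certificates were supplied, so a warning is the right level, but it would help to name the flag being ignored: `plog.Warningf("ignoring --auto-tls since client certs given")`. startEtcd's body continues outside the hunk.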