*: support auto tls on client side

This commit is contained in:
Xiang Li 2016-05-02 16:17:49 -07:00
parent a8139e2b0e
commit 973ad5aa7c
3 changed files with 28 additions and 2 deletions


@ -201,6 +201,11 @@ The security flags help to [build a secure etcd cluster][security].
+ default: none + default: none
+ env variable: ETCD_TRUSTED_CA_FILE + env variable: ETCD_TRUSTED_CA_FILE
### --auto-tls
+ Client TLS using generated certificates
+ default: false
+ env variable: ETCD_AUTO_TLS
### --peer-ca-file [DEPRECATED] ### --peer-ca-file [DEPRECATED]
+ Path to the peer server TLS CA file. `--peer-ca-file ca.crt` could be replaced by `--peer-trusted-ca-file ca.crt --peer-client-cert-auth` and etcd will perform the same. + Path to the peer server TLS CA file. `--peer-ca-file ca.crt` could be replaced by `--peer-trusted-ca-file ca.crt --peer-client-cert-auth` and etcd will perform the same.
+ default: none + default: none
@ -226,6 +231,11 @@ The security flags help to [build a secure etcd cluster][security].
+ default: none + default: none
+ env variable: ETCD_PEER_TRUSTED_CA_FILE + env variable: ETCD_PEER_TRUSTED_CA_FILE
### --peer-auto-tls
+ Peer TLS using generated certificates
+ default: false
+ env variable: ETCD_PEER_AUTO_TLS
## Logging Flags ## Logging Flags
### --debug ### --debug


@ -112,7 +112,7 @@ type config struct {
// security // security
clientTLSInfo, peerTLSInfo transport.TLSInfo clientTLSInfo, peerTLSInfo transport.TLSInfo
peerAutoTLS bool clientAutoTLS, peerAutoTLS bool
// logging // logging
debug bool debug bool
@ -207,6 +207,7 @@ func NewConfig() *config {
fs.StringVar(&cfg.clientTLSInfo.KeyFile, "key-file", "", "Path to the client server TLS key file.") fs.StringVar(&cfg.clientTLSInfo.KeyFile, "key-file", "", "Path to the client server TLS key file.")
fs.BoolVar(&cfg.clientTLSInfo.ClientCertAuth, "client-cert-auth", false, "Enable client cert authentication.") fs.BoolVar(&cfg.clientTLSInfo.ClientCertAuth, "client-cert-auth", false, "Enable client cert authentication.")
fs.StringVar(&cfg.clientTLSInfo.TrustedCAFile, "trusted-ca-file", "", "Path to the client server TLS trusted CA key file.") fs.StringVar(&cfg.clientTLSInfo.TrustedCAFile, "trusted-ca-file", "", "Path to the client server TLS trusted CA key file.")
fs.BoolVar(&cfg.clientAutoTLS, "auto-tls", false, "Client TLS using generated certificates")
fs.StringVar(&cfg.peerTLSInfo.CAFile, "peer-ca-file", "", "DEPRECATED: Path to the peer server TLS CA file.") fs.StringVar(&cfg.peerTLSInfo.CAFile, "peer-ca-file", "", "DEPRECATED: Path to the peer server TLS CA file.")
fs.StringVar(&cfg.peerTLSInfo.CertFile, "peer-cert-file", "", "Path to the peer server TLS cert file.") fs.StringVar(&cfg.peerTLSInfo.CertFile, "peer-cert-file", "", "Path to the peer server TLS cert file.")
fs.StringVar(&cfg.peerTLSInfo.KeyFile, "peer-key-file", "", "Path to the peer server TLS key file.") fs.StringVar(&cfg.peerTLSInfo.KeyFile, "peer-key-file", "", "Path to the peer server TLS key file.")
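Review bot: The help string for the new `auto-tls` flag does not tell an operator what "generated certificates" means for their clients or where the material ends up, which matters because this flag decides whether client connections get a verifiable server identity. Since the flag is wired to `transport.SelfCert` elsewhere in this commit, the certificate is presumably self-signed; a help string along the lines of `"Client TLS using self-signed generated certificates (written under the data dir); clients cannot verify the server unless given the generated CA"` would make the trade-off visible at `--help` time. NewConfig continues outside this hunk.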


@ -207,7 +207,7 @@ func startEtcd(cfg *config) (<-chan struct{}, error) {
for _, u := range cfg.lpurls { for _, u := range cfg.lpurls {
phosts = append(phosts, u.Host) phosts = append(phosts, u.Host)
} }
cfg.peerTLSInfo, err = transport.SelfCert(cfg.dir, phosts) cfg.peerTLSInfo, err = transport.SelfCert(path.Join(cfg.dir, "fixtures/peer"), phosts)
if err != nil { if err != nil {
plog.Fatalf("could not get certs (%v)", err) plog.Fatalf("could not get certs (%v)", err)
} }
@ -218,6 +218,7 @@ func startEtcd(cfg *config) (<-chan struct{}, error) {
if !cfg.peerTLSInfo.Empty() { if !cfg.peerTLSInfo.Empty() {
plog.Infof("peerTLS: %s", cfg.peerTLSInfo) plog.Infof("peerTLS: %s", cfg.peerTLSInfo)
} }
var plns []net.Listener var plns []net.Listener
for _, u := range cfg.lpurls { for _, u := range cfg.lpurls {
if u.Scheme == "http" { if u.Scheme == "http" {
@ -256,6 +257,19 @@ func startEtcd(cfg *config) (<-chan struct{}, error) {
plns = append(plns, l) plns = append(plns, l)
} }
if cfg.clientAutoTLS && cfg.clientTLSInfo.Empty() {
var chosts []string
for _, u := range cfg.lcurls {
chosts = append(chosts, u.Host)
}
cfg.clientTLSInfo, err = transport.SelfCert(path.Join(cfg.dir, "fixtures/client"), chosts)
if err != nil {
plog.Fatalf("could not get certs (%v)", err)
}
} else if cfg.clientAutoTLS {
plog.Warningf("ignoring client auto TLS since certs given")
}
var ctlscfg *tls.Config var ctlscfg *tls.Config
if !cfg.clientTLSInfo.Empty() { if !cfg.clientTLSInfo.Empty() {
plog.Infof("clientTLS: %s", cfg.clientTLSInfo) plog.Infof("clientTLS: %s", cfg.clientTLSInfo)
@ -264,6 +278,7 @@ func startEtcd(cfg *config) (<-chan struct{}, error) {
return nil, err return nil, err
} }
} }
sctxs := make(map[string]*serveCtx) sctxs := make(map[string]*serveCtx)
for _, u := range cfg.lcurls { for _, u := range cfg.lcurls {
if u.Scheme == "http" { if u.Scheme == "http" {
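Review bot: The new client auto-TLS branch exits with `plog.Fatalf("could not get certs (%v)", err)` after the `transport.SelfCert` call, while startEtcd otherwise hands errors back to its caller (`return nil, err` in the last hunk); returning `nil, err` here would keep that contract, although the mirrored peer branch already used Fatalf before this change. Both `SelfCert` calls build an on-disk location with `path.Join`, which is meant for slash-separated paths; `filepath.Join(cfg.dir, "fixtures", "client")` (and likewise for `peer`) is the OS-correct form for a data-directory path. Because the generated client certificate is presumably self-signed (inferred from the SelfCert name), clients have nothing to verify it against unless they are given the generated CA or disable verification, so it would be worth logging that at warning rather than info level when `clientAutoTLS` is set, e.g. `plog.Warningf("client auto TLS enabled: generated certificate will not be trusted by clients unless configured")`. startEtcd begins and ends outside these hunks.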