From ab4ac828f319e681d019c800508dd4f7f3c8be0b Mon Sep 17 00:00:00 2001
From: Anthony Romano
Date: Tue, 2 Aug 2016 16:52:05 -0700
Subject: [PATCH] etcdmain: check TLS on gateway SRV records

---
 etcdmain/gateway.go | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/etcdmain/gateway.go b/etcdmain/gateway.go
index 86187c4df..b348fb14b 100644
--- a/etcdmain/gateway.go
+++ b/etcdmain/gateway.go
@@ -21,15 +21,18 @@ import (
 	"time"
 
 	"github.com/coreos/etcd/client"
+	"github.com/coreos/etcd/pkg/transport"
 	"github.com/coreos/etcd/proxy/tcpproxy"
 	"github.com/spf13/cobra"
 )
 
 var (
-	gatewayListenAddr string
-	gatewayEndpoints  []string
-	gatewayDNSCluster string
-	getewayRetryDelay time.Duration
+	gatewayListenAddr        string
+	gatewayEndpoints         []string
+	gatewayDNSCluster        string
+	gatewayInsecureDiscovery bool
+	getewayRetryDelay        time.Duration
+	gatewayCA                string
 )
 
 var (
@@ -64,6 +67,8 @@ func newGatewayStartCommand() *cobra.Command {
 	cmd.Flags().StringVar(&gatewayListenAddr, "listen-addr", "127.0.0.1:23790", "listen address")
 	cmd.Flags().StringVar(&gatewayDNSCluster, "discovery-srv", "", "DNS domain used to bootstrap initial cluster")
+	cmd.Flags().BoolVar(&gatewayInsecureDiscovery, "insecure-discovery", false, "accept insecure SRV records")
+	cmd.Flags().StringVar(&gatewayCA, "trusted-ca-file", "", "path to the client server TLS CA file.")
 	cmd.Flags().StringSliceVar(&gatewayEndpoints, "endpoints", []string{"127.0.0.1:2379"}, "comma separated etcd cluster endpoints")
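Review bot: The realigned var block keeps the pre-existing misspelling `getewayRetryDelay` right next to the new `gatewayInsecureDiscovery` and `gatewayCA`; since every line of the block is rewritten in this hunk anyway, renaming it to `gatewayRetryDelay` (together with its uses elsewhere in the file) would cost nothing extra. The two new package-level variables also carry no comment saying what they control, and their names alone do not say that one of them turns off a security check. A line such as `// gatewayInsecureDiscovery skips TLS validation of endpoints discovered via SRV records.` above the bool and `// gatewayCA is the trusted CA file used when validating discovered endpoints.` above the string would let a reader of the var block see the trade-off without opening startGateway.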
@@ -81,6 +86,23 @@ func startGateway(cmd *cobra.Command, args []string) {
 			os.Exit(1)
 		}
 		plog.Infof("discovered the cluster %s from %s", eps, gatewayDNSCluster)
+		// confirm TLS connections are good
+		if !gatewayInsecureDiscovery {
+			tlsInfo := transport.TLSInfo{
+				TrustedCAFile: gatewayCA,
+				ServerName:    gatewayDNSCluster,
+			}
+			plog.Infof("validating discovered endpoints %v", eps)
+			endpoints, err = transport.ValidateSecureEndpoints(tlsInfo, eps)
+			if err != nil {
+				plog.Warningf("%v", err)
+			}
+			plog.Infof("using discovered endpoints %v", endpoints)
+		}
+	}
+
+	if len(endpoints) == 0 {
+		plog.Fatalf("no endpoints found")
 	}
 
 	l, err := net.Listen("tcp", gatewayListenAddr)
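Review bot: When `--insecure-discovery` is set, nothing in the new `if !gatewayInsecureDiscovery` block or the surrounding context lines copies the discovered `eps` into `endpoints`, so unless that assignment already happens earlier in startGateway (the function begins outside this hunk), the gateway logs the discovered cluster and then quietly proxies to whatever `--endpoints` holds instead. An `} else { endpoints = eps }` branch on the validation block would make the insecure path actually use what SRV discovery returned. Separately, a non-nil error from `transport.ValidateSecureEndpoints` is only logged with `plog.Warningf("%v", err)` and execution continues with whatever that call returned, with the `len(endpoints) == 0` fatal below as the only backstop; a comment such as `// endpoints that fail TLS validation are dropped with a warning; an empty result is fatal below` would make that deliberate degradation visible to the reader and to operators reading the log.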