From e9b2bd751d8e79b0908ae3ee4d55ee04aa15d9f2 Mon Sep 17 00:00:00 2001
From: Anthony Romano
Date: Tue, 9 Feb 2016 12:56:13 -0800
Subject: [PATCH] etcdmain: add --peer-auto-tls option

Lets the peer generate its own (unsigned) certs.
---
 etcdmain/config.go | 2 ++
 etcdmain/etcd.go | 14 ++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/etcdmain/config.go b/etcdmain/config.go
index 5fbc69fe2..6c468462c 100644
--- a/etcdmain/config.go
+++ b/etcdmain/config.go
@@ -111,6 +111,7 @@ type config struct {
 // security
 clientTLSInfo, peerTLSInfo transport.TLSInfo
+ peerAutoTLS bool
 // logging
 debug bool
@@ -211,6 +212,7 @@ func NewConfig() *config {
 fs.StringVar(&cfg.peerTLSInfo.KeyFile, "peer-key-file", "", "Path to the peer server TLS key file.")
 fs.BoolVar(&cfg.peerTLSInfo.ClientCertAuth, "peer-client-cert-auth", false, "Enable peer client cert authentication.")
 fs.StringVar(&cfg.peerTLSInfo.TrustedCAFile, "peer-trusted-ca-file", "", "Path to the peer server TLS trusted CA file.")
+ fs.BoolVar(&cfg.peerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates")
 // logging
 fs.BoolVar(&cfg.debug, "debug", false, "Enable debug-level logging for etcd.")
diff --git a/etcdmain/etcd.go b/etcdmain/etcd.go
index e6cdf649d..d19557bca 100644
--- a/etcdmain/etcd.go
+++ b/etcdmain/etcd.go
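Review bot: The help text for `peer-auto-tls` in the second config.go hunk does not tell the operator what they are opting into, and it is the only flag in this group whose description lacks a terminating period. The commit message says the generated certificates are unsigned, so no trust anchor exists for verifying the other side; a description such as `"Peer TLS using self-signed generated certificates (encrypts peer traffic; does not verify peer identity)."` would surface that trade-off directly in `--help`. The struct field added in the first hunk needs no change.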
@@ -203,9 +203,23 @@ func startEtcd(cfg *config) (<-chan struct{}, error) {
 return nil, fmt.Errorf("error setting up initial cluster: %v", err)
 }
+ if cfg.peerAutoTLS && cfg.peerTLSInfo.Empty() {
+ phosts := make([]string, 0)
+ for _, u := range cfg.lpurls {
+ phosts = append(phosts, u.Host)
+ }
+ cfg.peerTLSInfo, err = transport.SelfCert(cfg.dir, phosts)
+ if err != nil {
+ plog.Fatalf("could not get certs (%v)", err)
+ }
+ } else if cfg.peerAutoTLS {
+ plog.Warningf("ignoring peer auto TLS since certs given")
+ }
+
 if !cfg.peerTLSInfo.Empty() {
 plog.Infof("peerTLS: %s", cfg.peerTLSInfo)
 }
+
 plns := make([]net.Listener, 0)
 for _, u := range cfg.lpurls {
 if u.Scheme == "http" && !cfg.peerTLSInfo.Empty() {
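Review bot: The new auto-TLS block terminates the process with `plog.Fatalf` when `transport.SelfCert` fails, while the rest of `startEtcd` reports failures through its error return (the context line just above returns `fmt.Errorf("error setting up initial cluster: %v", err)`); replacing the Fatalf with `return nil, fmt.Errorf("generating self-signed peer certs: %v", err)` keeps the caller in control and matches the function's existing style. The host list is built from `u.Host`, which for a `url.URL` still carries the port when one was given; if SelfCert does not strip it before filling the certificate names, the generated SANs will not match the bare host — worth confirming against the helper, which is not shown here. Because these certificates are self-signed and no trusted CA is involved, this mode appears to encrypt peer traffic without establishing peer identity; a short comment above the `if cfg.peerAutoTLS` line stating that limitation would keep future readers from assuming it is equivalent to a CA-issued setup. `startEtcd` begins and continues outside this hunk.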