Mirroristas/etcd
2
0
Fork 0
mirror of https://github.com/etcd-io/etcd.git synced 2024-09-27 06:25:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

etcdmain: support --auto-tls and --insecure-skip-verify in grpcproxy

Browse Source
This commit is contained in:
Anthony Romano 2017-07-18 14:09:32 -07:00
parent 1365f87d40
commit efbee9d8c7
1 changed files with 28 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
etcdmain/grpc_proxy.go
View File

@ -22,6 +22,7 @@ import (
"net/http" "net/http"
"net/url" "net/url"
"os" "os"
"path/filepath"
"time" "time"
"github.com/coreos/etcd/clientv3" "github.com/coreos/etcd/clientv3"
@ -46,18 +47,21 @@ var (
grpcProxyEndpoints []string grpcProxyEndpoints []string
grpcProxyDNSCluster string grpcProxyDNSCluster string
grpcProxyInsecureDiscovery bool grpcProxyInsecureDiscovery bool
grpcProxyDataDir string
// tls for connecting to etcd // tls for connecting to etcd
grpcProxyCA string grpcProxyCA string
grpcProxyCert string grpcProxyCert string
grpcProxyKey string grpcProxyKey string
grpcProxyInsecureSkipTLSVerify bool
// tls for clients connecting to proxy // tls for clients connecting to proxy
grpcProxyListenCA string grpcProxyListenCA string
grpcProxyListenCert string grpcProxyListenCert string
grpcProxyListenKey string grpcProxyListenKey string
grpcProxyListenAutoTLS bool
grpcProxyAdvertiseClientURL string grpcProxyAdvertiseClientURL string
grpcProxyResolverPrefix string grpcProxyResolverPrefix string
@ -100,16 +104,19 @@ func newGRPCProxyStartCommand() *cobra.Command {
cmd.Flags().IntVar(&grpcProxyResolverTTL, "resolver-ttl", 0, "specify TTL, in seconds, when registering proxy endpoints") cmd.Flags().IntVar(&grpcProxyResolverTTL, "resolver-ttl", 0, "specify TTL, in seconds, when registering proxy endpoints")
cmd.Flags().StringVar(&grpcProxyNamespace, "namespace", "", "string to prefix to all keys for namespacing requests") cmd.Flags().StringVar(&grpcProxyNamespace, "namespace", "", "string to prefix to all keys for namespacing requests")
cmd.Flags().BoolVar(&grpcProxyEnablePprof, "enable-pprof", false, `Enable runtime profiling data via HTTP server. Address is at client URL + "/debug/pprof/"`) cmd.Flags().BoolVar(&grpcProxyEnablePprof, "enable-pprof", false, `Enable runtime profiling data via HTTP server. Address is at client URL + "/debug/pprof/"`)
cmd.Flags().StringVar(&grpcProxyDataDir, "data-dir", "default.proxy", "Data directory for persistent data")
// client TLS for connecting to server // client TLS for connecting to server
cmd.Flags().StringVar(&grpcProxyCert, "cert", "", "identify secure connections with etcd servers using this TLS certificate file") cmd.Flags().StringVar(&grpcProxyCert, "cert", "", "identify secure connections with etcd servers using this TLS certificate file")
cmd.Flags().StringVar(&grpcProxyKey, "key", "", "identify secure connections with etcd servers using this TLS key file") cmd.Flags().StringVar(&grpcProxyKey, "key", "", "identify secure connections with etcd servers using this TLS key file")
cmd.Flags().StringVar(&grpcProxyCA, "cacert", "", "verify certificates of TLS-enabled secure etcd servers using this CA bundle") cmd.Flags().StringVar(&grpcProxyCA, "cacert", "", "verify certificates of TLS-enabled secure etcd servers using this CA bundle")
cmd.Flags().BoolVar(&grpcProxyInsecureSkipTLSVerify, "insecure-skip-tls-verify", false, "skip authentication of etcd server TLS certificates")
// client TLS for connecting to proxy // client TLS for connecting to proxy
cmd.Flags().StringVar(&grpcProxyListenCert, "cert-file", "", "identify secure connections to the proxy using this TLS certificate file") cmd.Flags().StringVar(&grpcProxyListenCert, "cert-file", "", "identify secure connections to the proxy using this TLS certificate file")
cmd.Flags().StringVar(&grpcProxyListenKey, "key-file", "", "identify secure connections to the proxy using this TLS key file") cmd.Flags().StringVar(&grpcProxyListenKey, "key-file", "", "identify secure connections to the proxy using this TLS key file")
cmd.Flags().StringVar(&grpcProxyListenCA, "trusted-ca-file", "", "verify certificates of TLS-enabled secure proxy using this CA bundle") cmd.Flags().StringVar(&grpcProxyListenCA, "trusted-ca-file", "", "verify certificates of TLS-enabled secure proxy using this CA bundle")
cmd.Flags().BoolVar(&grpcProxyListenAutoTLS, "auto-tls", false, "proxy TLS using generated certificates")
return &cmd return &cmd
} }
@ -118,6 +125,15 @@ func startGRPCProxy(cmd *cobra.Command, args []string) {
checkArgs() checkArgs()
tlsinfo := newTLS(grpcProxyListenCA, grpcProxyListenCert, grpcProxyListenKey) tlsinfo := newTLS(grpcProxyListenCA, grpcProxyListenCert, grpcProxyListenKey)
if tlsinfo == nil && grpcProxyListenAutoTLS {
host := []string{"https://" + grpcProxyListenAddr}
dir := filepath.Join(grpcProxyDataDir, "fixtures", "proxy")
autoTLS, err := transport.SelfCert(dir, host)
if err != nil {
plog.Fatal(err)
}
tlsinfo = &autoTLS
}
if tlsinfo != nil { if tlsinfo != nil {
plog.Infof("ServerTLS: %s", tlsinfo) plog.Infof("ServerTLS: %s", tlsinfo)
} }
@ -192,15 +208,19 @@ func newClientCfg(eps []string) (*clientv3.Config, error) {
Endpoints: eps, Endpoints: eps,
DialTimeout: 5 * time.Second, DialTimeout: 5 * time.Second,
} }
if tls := newTLS(grpcProxyCA, grpcProxyCert, grpcProxyKey); tls != nil { tls := newTLS(grpcProxyCA, grpcProxyCert, grpcProxyKey)
if tls == nil && grpcProxyInsecureSkipTLSVerify {
tls = &transport.TLSInfo{}
}
if tls != nil {
clientTLS, err := tls.ClientConfig() clientTLS, err := tls.ClientConfig()
if err != nil { if err != nil {
return nil, err return nil, err
} }
clientTLS.InsecureSkipVerify = grpcProxyInsecureSkipTLSVerify
cfg.TLS = clientTLS cfg.TLS = clientTLS
plog.Infof("ClientTLS: %s", tls) plog.Infof("ClientTLS: %s", tls)
} }
// TODO: support insecure tls
return &cfg, nil return &cfg, nil
} }