Add tls support for etcd cert storage backend

pull/593/head
Erik Wilson 5 years ago
parent 9ccf3cbc9d
commit 8d979d675e

@ -2,6 +2,8 @@ package control
import ( import (
"context" "context"
"crypto/tls"
"crypto/x509"
"encoding/json" "encoding/json"
"io/ioutil" "io/ioutil"
"os" "os"
@ -34,11 +36,16 @@ func setHAData(cfg *config.Control) error {
if cfg.StorageBackend != "etcd3" || cfg.CertStorageBackend != "etcd3" { if cfg.StorageBackend != "etcd3" || cfg.CertStorageBackend != "etcd3" {
return nil return nil
} }
tlsConfig, err := genTLSConfig(cfg)
if err != nil {
return err
}
endpoints := strings.Split(cfg.StorageEndpoint, ",") endpoints := strings.Split(cfg.StorageEndpoint, ",")
cli, err := clientv3.New(clientv3.Config{ cli, err := clientv3.New(clientv3.Config{
Endpoints: endpoints, Endpoints: endpoints,
DialTimeout: etcdDialTimeout, DialTimeout: etcdDialTimeout,
TLS: tlsConfig,
}) })
if err != nil { if err != nil {
return err return err
@ -71,10 +78,16 @@ func getHAData(cfg *config.Control) error {
if cfg.StorageBackend != "etcd3" || cfg.CertStorageBackend != "etcd3" { if cfg.StorageBackend != "etcd3" || cfg.CertStorageBackend != "etcd3" {
return nil return nil
} }
tlsConfig, err := genTLSConfig(cfg)
if err != nil {
return err
}
endpoints := strings.Split(cfg.StorageEndpoint, ",") endpoints := strings.Split(cfg.StorageEndpoint, ",")
cli, err := clientv3.New(clientv3.Config{ cli, err := clientv3.New(clientv3.Config{
Endpoints: endpoints, Endpoints: endpoints,
DialTimeout: etcdDialTimeout, DialTimeout: etcdDialTimeout,
TLS: tlsConfig,
}) })
if err != nil { if err != nil {
return err return err
@ -99,6 +112,35 @@ func getHAData(cfg *config.Control) error {
return writeRuntimeCertData(cfg.Runtime, serverRuntime) return writeRuntimeCertData(cfg.Runtime, serverRuntime)
} }
func genTLSConfig(cfg *config.Control) (*tls.Config, error) {
tlsConfig := &tls.Config{}
if cfg.StorageCertFile != "" && cfg.StorageKeyFile != "" {
certPem, err := ioutil.ReadFile(cfg.StorageCertFile)
if err != nil {
return nil, err
}
keyPem, err := ioutil.ReadFile(cfg.StorageKeyFile)
if err != nil {
return nil, err
}
tlsCert, err := tls.X509KeyPair(certPem, keyPem)
if err != nil {
return nil, err
}
tlsConfig.Certificates = []tls.Certificate{tlsCert}
}
if cfg.StorageCAFile != "" {
caData, err := ioutil.ReadFile(cfg.StorageCAFile)
if err != nil {
return nil, err
}
certPool := x509.NewCertPool()
certPool.AppendCertsFromPEM(caData)
tlsConfig.RootCAs = certPool
}
return tlsConfig, nil
}
func readRuntimeCertData(runtime *config.ControlRuntime) ([]byte, error) { func readRuntimeCertData(runtime *config.ControlRuntime) ([]byte, error) {
serverHACerts := map[string]string{ serverHACerts := map[string]string{
runtime.ServerCA: "", runtime.ServerCA: "",
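Review bot: In genTLSConfig the boolean returned by `certPool.AppendCertsFromPEM(caData)` is discarded, so a CA file that contains no parsable PEM certificate produces an empty RootCAs pool and every later etcd dial fails with an opaque verification error instead of pointing at cfg.StorageCAFile; check it, e.g. `if !certPool.AppendCertsFromPEM(caData) { return nil, fmt.Errorf("no certificates parsed from %q", cfg.StorageCAFile) }` (assuming fmt is imported, the import block is only partly visible). The cert/key branch has the same silent-misconfiguration shape: setting only one of StorageCertFile and StorageKeyFile skips the client certificate without any error, which is worth rejecting explicitly rather than ignoring. Note also that the function returns a non-nil but empty `*tls.Config` when none of the three fields is set; whether clientv3 then forces TLS on scheme-less endpoints depends on the client version, so either confirm that or return nil in that case. The last hunk is cut off in the page: readRuntimeCertData continues past the end of the section.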
