github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Add tls support for etcd cert storage backend

pull/593/head
Erik Wilson 5 years ago
parent
9ccf3cbc9d
commit
8d979d675e
1 changed files with 42 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 42
      pkg/daemons/control/ha.go

42
pkg/daemons/control/ha.go
Unescape View File

@ -2,6 +2,8 @@ package control
import (
"context"
"crypto/tls"
"crypto/x509"
"encoding/json"
"io/ioutil"
"os"
@ -34,11 +36,16 @@ func setHAData(cfg *config.Control) error {
if cfg.StorageBackend != "etcd3" || cfg.CertStorageBackend != "etcd3" {
return nil
}
tlsConfig, err := genTLSConfig(cfg)
if err != nil {
return err
}
endpoints := strings.Split(cfg.StorageEndpoint, ",")
cli, err := clientv3.New(clientv3.Config{
Endpoints: endpoints,
DialTimeout: etcdDialTimeout,
TLS: tlsConfig,
})
if err != nil {
return err
@ -71,10 +78,16 @@ func getHAData(cfg *config.Control) error {
if cfg.StorageBackend != "etcd3" || cfg.CertStorageBackend != "etcd3" {
return nil
}
tlsConfig, err := genTLSConfig(cfg)
if err != nil {
return err
}
endpoints := strings.Split(cfg.StorageEndpoint, ",")
cli, err := clientv3.New(clientv3.Config{
Endpoints: endpoints,
DialTimeout: etcdDialTimeout,
TLS: tlsConfig,
})
if err != nil {
return err
@ -99,6 +112,35 @@ func getHAData(cfg *config.Control) error {
return writeRuntimeCertData(cfg.Runtime, serverRuntime)
}
func genTLSConfig(cfg *config.Control) (*tls.Config, error) {
tlsConfig := &tls.Config{}
if cfg.StorageCertFile != "" && cfg.StorageKeyFile != "" {
certPem, err := ioutil.ReadFile(cfg.StorageCertFile)
if err != nil {
return nil, err
}
keyPem, err := ioutil.ReadFile(cfg.StorageKeyFile)
if err != nil {
return nil, err
}
tlsCert, err := tls.X509KeyPair(certPem, keyPem)
if err != nil {
return nil, err
}
tlsConfig.Certificates = []tls.Certificate{tlsCert}
}
if cfg.StorageCAFile != "" {
caData, err := ioutil.ReadFile(cfg.StorageCAFile)
if err != nil {
return nil, err
}
certPool := x509.NewCertPool()
certPool.AppendCertsFromPEM(caData)
tlsConfig.RootCAs = certPool
}
return tlsConfig, nil
}
func readRuntimeCertData(runtime *config.ControlRuntime) ([]byte, error) {
serverHACerts := map[string]string{
runtime.ServerCA: "",

Write Preview
Loading…
Cancel
Save