Merge pull request #527 from galal-hussein/add_storage_flag

Add storage flags

pkg/cli/cmds/server.go

@@ -23,7 +23,11 @@ type Server struct {
 	ExtraSchedulerArgs  cli.StringSlice
 	ExtraControllerArgs cli.StringSlice
 	Rootless            bool
+	StorageBackend      string
 	StorageEndpoint     string
+	StorageCAFile       string
+	StorageCertFile     string
+	StorageKeyFile      string
 }
 
 var ServerConfig Server
@@ -138,12 +142,36 @@ func NewServerCommand(action func(*cli.Context) error) cli.Command {
 				Usage:       "(experimental) Run rootless",
 				Destination: &ServerConfig.Rootless,
 			},
+			cli.StringFlag{
+				Name:        "storage-backend",
+				Usage:       "Specify storage type etcd3 or kvsql",
+				Destination: &ServerConfig.StorageBackend,
+				EnvVar:      "K3S_STORAGE_BACKEND",
+			},
 			cli.StringFlag{
 				Name:        "storage-endpoint",
-				Usage:       "Specify Mysql, Postgres, or Sqlite (default) data source name",
+				Usage:       "Specify etcd, Mysql, Postgres, or Sqlite (default) data source name",
 				Destination: &ServerConfig.StorageEndpoint,
 				EnvVar:      "K3S_STORAGE_ENDPOINT",
 			},
+			cli.StringFlag{
+				Name:        "storage-cafile",
+				Usage:       "SSL Certificate Authority file used to secure storage backend communication",
+				Destination: &ServerConfig.StorageCAFile,
+				EnvVar:      "K3S_STORAGE_CAFILE",
+			},
+			cli.StringFlag{
+				Name:        "storage-certfile",
+				Usage:       "SSL certification file used to secure storage backend communication",
+				Destination: &ServerConfig.StorageCertFile,
+				EnvVar:      "K3S_STORAGE_CERTFILE",
+			},
+			cli.StringFlag{
+				Name:        "storage-keyfile",
+				Usage:       "SSL key file used to secure storage backend communication",
+				Destination: &ServerConfig.StorageKeyFile,
+				EnvVar:      "K3S_STORAGE_KEYFILE",
+			},
 			NodeIPFlag,
 			NodeNameFlag,
 			DockerFlag,

pkg/cli/server/server.go

@@ -109,6 +109,10 @@ func run(app *cli.Context, cfg *cmds.Server) error {
 	serverConfig.ControlConfig.ExtraSchedulerAPIArgs = cfg.ExtraSchedulerArgs
 	serverConfig.ControlConfig.ClusterDomain = cfg.ClusterDomain
 	serverConfig.ControlConfig.StorageEndpoint = cfg.StorageEndpoint
+	serverConfig.ControlConfig.StorageBackend = cfg.StorageBackend
+	serverConfig.ControlConfig.StorageCAFile = cfg.StorageCAFile
+	serverConfig.ControlConfig.StorageCertFile = cfg.StorageCertFile
+	serverConfig.ControlConfig.StorageKeyFile = cfg.StorageKeyFile
 
 	_, serverConfig.ControlConfig.ClusterIPRange, err = net2.ParseCIDR(cfg.ClusterCIDR)
 	if err != nil {

pkg/daemons/config/types.go

@@ -72,7 +72,11 @@ type Control struct {
 	KubeConfigMode        string
 	DataDir               string
 	Skips                 []string
+	StorageBackend        string
 	StorageEndpoint       string
+	StorageCAFile         string
+	StorageCertFile       string
+	StorageKeyFile        string
 	NoScheduler           bool
 	ExtraAPIArgs          []string
 	ExtraControllerArgs   []string

pkg/daemons/control/server.go

@@ -146,6 +146,8 @@ func scheduler(cfg *config.Control, runtime *config.ControlRuntime) {
 
 func apiServer(ctx context.Context, cfg *config.Control, runtime *config.ControlRuntime) (authenticator.Request, http.Handler, error) {
 	argsMap := make(map[string]string)
+
+	setupStorageBackend(argsMap, cfg)
 	if len(cfg.StorageEndpoint) > 0 {
 		argsMap["etcd-servers"] = cfg.StorageEndpoint
 	}
@@ -599,3 +601,24 @@ func kubeConfig(dest, url, cert, user, password string) error {
 
 	return kubeconfigTemplate.Execute(output, &data)
 }
+
+func setupStorageBackend(argsMap map[string]string, cfg *config.Control) {
+	// setup the storage backend
+	if len(cfg.StorageBackend) > 0 {
+		argsMap["storage-backend"] = cfg.StorageBackend
+	}
+	// specify the endpoints
+	if len(cfg.StorageEndpoint) > 0 {
+		argsMap["etcd-servers"] = cfg.StorageEndpoint
+	}
+	// storage backend tls configuration
+	if len(cfg.StorageCAFile) > 0 {
+		argsMap["etcd-cafile"] = cfg.StorageCAFile
+	}
+	if len(cfg.StorageCertFile) > 0 {
+		argsMap["etcd-certfile"] = cfg.StorageCertFile
+	}
+	if len(cfg.StorageKeyFile) > 0 {
+		argsMap["etcd-keyfile"] = cfg.StorageKeyFile
+	}
+}

vendor.conf

@@ -123,7 +123,7 @@ golang.org/x/time f51c12702a4d776e4c1fa9b0fabab841babae631
 gopkg.in/inf.v0 3887ee99ecf07df5b447e9b00d9c0b2adaa9f3e4
 gopkg.in/yaml.v2 v2.2.1
 #github.com/ibuildthecloud/kvsql 788464096f5af361d166858efccf26c12dc5b427
-github.com/ibuildthecloud/kvsql d37dd2b0829b44a4964e48c9396e14b0536fefb6 https://github.com/erikwilson/rancher-kvsql.git
+github.com/ibuildthecloud/kvsql 1afc2d8ad7d7e263c1971b05cb37e83aa5562561 https://github.com/erikwilson/rancher-kvsql.git
 
 # rootless
 github.com/rootless-containers/rootlesskit  893c1c3de71f54c301fdb85a7c0dd15c1933c159

vendor/github.com/ibuildthecloud/kvsql/clientv3/driver/mysql/mysql.go

@@ -1,6 +1,7 @@
 package mysql
 
 import (
+	"crypto/tls"
 	"database/sql"
 	"strings"
 
@@ -64,7 +65,7 @@ func NewMySQL() *driver.Generic {
 	}
 }
 
-func Open(dataSourceName string) (*sql.DB, error) {
+func Open(dataSourceName string, tlsConfig *tls.Config) (*sql.DB, error) {
 	if dataSourceName == "" {
 		dataSourceName = "root@unix(/var/run/mysqld/mysqld.sock)/"
 	}
@@ -77,6 +78,17 @@ func Open(dataSourceName string) (*sql.DB, error) {
 		}
 		dataSourceName = dataSourceName + "kubernetes"
 	}
+
+	// setting up tlsConfig
+	if tlsConfig != nil {
+		mysql.RegisterTLSConfig("custom", tlsConfig)
+		if strings.Contains(dataSourceName, "?") {
+			dataSourceName = dataSourceName + ",tls=custom"
+		} else {
+			dataSourceName = dataSourceName + "?tls=custom"
+		}
+	}
+
 	db, err := sql.Open("mysql", dataSourceName)
 	if err != nil {
 		return nil, err

vendor/github.com/ibuildthecloud/kvsql/clientv3/driver/pgsql/pgsql.go

@@ -68,6 +68,8 @@ func NewPGSQL() *driver.Generic {
 func Open(dataSourceName string) (*sql.DB, error) {
 	if dataSourceName == "" {
 		dataSourceName = "postgres://postgres:postgres@localhost/"
+	} else {
+		dataSourceName = "postgres://" + dataSourceName
 	}
 	// get database name
 	dsList := strings.Split(dataSourceName, "/")

vendor/github.com/ibuildthecloud/kvsql/clientv3/kv.go

@@ -115,7 +115,7 @@ func newKV(cfg Config) (*kv, error) {
 		}
 		driver = sqlite.NewSQLite()
 	case "mysql":
-		if db, err = mysql.Open(parts[1]); err != nil {
+		if db, err = mysql.Open(parts[1], cfg.TLS); err != nil {
 			return nil, err
 		}
 		driver = mysql.NewMySQL()

vendor/github.com/ibuildthecloud/kvsql/factory.go

@@ -18,12 +18,14 @@ package factory
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"sync/atomic"
 	"time"
 
+	"github.com/coreos/etcd/pkg/transport"
 	"github.com/ibuildthecloud/kvsql/clientv3"
-	"github.com/ibuildthecloud/kvsql/storage"
+	etcd3 "github.com/ibuildthecloud/kvsql/storage"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/storage"
 	"k8s.io/apiserver/pkg/storage/storagebackend"
@@ -65,8 +67,22 @@ func NewKVSQLHealthCheck(c storagebackend.Config) (func() error, error) {
 }
 
 func newETCD3Client(c storagebackend.Config) (*clientv3.Client, error) {
+	tlsInfo := transport.TLSInfo{
+		CertFile: c.Transport.CertFile,
+		KeyFile:  c.Transport.KeyFile,
+		CAFile:   c.Transport.CAFile,
+	}
+	tlsConfig, err := tlsInfo.ClientConfig()
+	if err != nil {
+		return nil, err
+	}
+	tlsConfig.MinVersion = tls.VersionTLS11
+	if len(c.Transport.CertFile) == 0 && len(c.Transport.KeyFile) == 0 && len(c.Transport.CAFile) == 0 {
+		tlsConfig = nil
+	}
 	cfg := clientv3.Config{
 		Endpoints: c.Transport.ServerList,
+		TLS:       tlsConfig,
 	}
 
 	if len(cfg.Endpoints) == 0 {