feat: support tls for etcd client (#1390)

* feat: support tls for etcd client * chore: fix typo * refactor: rename TrustedCAFile to CACertFile * docs: add comments * fix: missing tls registration * feat: add InsecureSkipVerify config for testing
2022-01-02 20:23:50 +08:00
parent a8e7fafebf
commit a7aeb8ac0e
8 changed files with 100 additions and 16 deletions
--- a/core/discov/internal/accountmanager.go
+++ b/core/discov/internal/accountmanager.go
@@ -1,10 +1,16 @@
 package internal

-import "sync"
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
+	"sync"
+)

 var (
-	accounts = make(map[string]Account)
-	lock     sync.RWMutex
+	accounts   = make(map[string]Account)
+	tlsConfigs = make(map[string]*tls.Config)
+	lock       sync.RWMutex
 )

 // Account holds the username/password for an etcd cluster.
@@ -24,6 +30,32 @@ func AddAccount(endpoints []string, user, pass string) {
 	}
 }

+// AddTLS adds the tls cert files for the given etcd cluster.
+func AddTLS(endpoints []string, certFile, certKeyFile, caFile string, insecureSkipVerify bool) error {
+	cert, err := tls.LoadX509KeyPair(certFile, certKeyFile)
+	if err != nil {
+		return err
+	}
+
+	caData, err := ioutil.ReadFile(caFile)
+	if err != nil {
+		return err
+	}
+
+	pool := x509.NewCertPool()
+	pool.AppendCertsFromPEM(caData)
+
+	lock.Lock()
+	defer lock.Unlock()
+	tlsConfigs[getClusterKey(endpoints)] = &tls.Config{
+		Certificates:       []tls.Certificate{cert},
+		RootCAs:            pool,
+		InsecureSkipVerify: insecureSkipVerify,
+	}
+
+	return nil
+}
+
 // GetAccount gets the username/password for the given etcd cluster.
 func GetAccount(endpoints []string) (Account, bool) {
 	lock.RLock()
@@ -32,3 +64,12 @@ func GetAccount(endpoints []string) (Account, bool) {
 	account, ok := accounts[getClusterKey(endpoints)]
 	return account, ok
 }
+
+// GetTLS gets the tls config for the given etcd cluster.
+func GetTLS(endpoints []string) (*tls.Config, bool) {
+	lock.RLock()
+	defer lock.RUnlock()
+
+	cfg, ok := tlsConfigs[getClusterKey(endpoints)]
+	return cfg, ok
+}
--- a/core/discov/internal/registry.go
+++ b/core/discov/internal/registry.go
@@ -337,6 +337,9 @@ func DialClient(endpoints []string) (EtcdClient, error) {
 		cfg.Username = account.User
 		cfg.Password = account.Pass
 	}
+	if tlsCfg, ok := GetTLS(endpoints); ok {
+		cfg.TLS = tlsCfg
+	}

 	return clientv3.New(cfg)
 }