You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
212 lines
5.5 KiB
212 lines
5.5 KiB
/*
|
|
* MinIO Cloud Storage, (C) 2019 MinIO, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package etcd
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/coreos/etcd/clientv3"
|
|
"github.com/minio/minio/cmd/config"
|
|
"github.com/minio/minio/pkg/env"
|
|
xnet "github.com/minio/minio/pkg/net"
|
|
)
|
|
|
|
const (
|
|
// Default values used while communicating with etcd.
|
|
defaultDialTimeout = 5 * time.Second
|
|
defaultDialKeepAlive = 30 * time.Second
|
|
)
|
|
|
|
// etcd environment values
|
|
const (
|
|
Endpoints = "endpoints"
|
|
CoreDNSPath = "coredns_path"
|
|
ClientCert = "client_cert"
|
|
ClientCertKey = "client_cert_key"
|
|
|
|
EnvEtcdState = "MINIO_ETCD_STATE"
|
|
EnvEtcdEndpoints = "MINIO_ETCD_ENDPOINTS"
|
|
EnvEtcdCoreDNSPath = "MINIO_ETCD_COREDNS_PATH"
|
|
EnvEtcdClientCert = "MINIO_ETCD_CLIENT_CERT"
|
|
EnvEtcdClientCertKey = "MINIO_ETCD_CLIENT_CERT_KEY"
|
|
)
|
|
|
|
// DefaultKVS - default KV settings for etcd.
|
|
var (
|
|
DefaultKVS = config.KVS{
|
|
config.KV{
|
|
Key: config.State,
|
|
Value: config.StateOff,
|
|
},
|
|
config.KV{
|
|
Key: Endpoints,
|
|
Value: "",
|
|
},
|
|
config.KV{
|
|
Key: CoreDNSPath,
|
|
Value: "/skydns",
|
|
},
|
|
config.KV{
|
|
Key: ClientCert,
|
|
Value: "",
|
|
},
|
|
config.KV{
|
|
Key: ClientCertKey,
|
|
Value: "",
|
|
},
|
|
}
|
|
)
|
|
|
|
// Config - server etcd config.
|
|
type Config struct {
|
|
Enabled bool `json:"enabled"`
|
|
CoreDNSPath string `json:"coreDNSPath"`
|
|
clientv3.Config
|
|
}
|
|
|
|
// New - initialize new etcd client.
|
|
func New(cfg Config) (*clientv3.Client, error) {
|
|
if !cfg.Enabled {
|
|
return nil, nil
|
|
}
|
|
return clientv3.New(cfg.Config)
|
|
}
|
|
|
|
func parseEndpoints(endpoints string) ([]string, bool, error) {
|
|
etcdEndpoints := strings.Split(endpoints, config.ValueSeparator)
|
|
|
|
var etcdSecure bool
|
|
for _, endpoint := range etcdEndpoints {
|
|
u, err := xnet.ParseHTTPURL(endpoint)
|
|
if err != nil {
|
|
return nil, false, err
|
|
}
|
|
if etcdSecure && u.Scheme == "http" {
|
|
return nil, false, fmt.Errorf("all endpoints should be https or http: %s", endpoint)
|
|
}
|
|
// If one of the endpoint is https, we will use https directly.
|
|
etcdSecure = etcdSecure || u.Scheme == "https"
|
|
}
|
|
|
|
return etcdEndpoints, etcdSecure, nil
|
|
}
|
|
|
|
func lookupLegacyConfig(rootCAs *x509.CertPool) (Config, error) {
|
|
cfg := Config{}
|
|
endpoints := env.Get(EnvEtcdEndpoints, "")
|
|
if endpoints == "" {
|
|
return cfg, nil
|
|
}
|
|
etcdEndpoints, etcdSecure, err := parseEndpoints(endpoints)
|
|
if err != nil {
|
|
return cfg, err
|
|
}
|
|
cfg.Enabled = true
|
|
cfg.DialTimeout = defaultDialTimeout
|
|
cfg.DialKeepAliveTime = defaultDialKeepAlive
|
|
cfg.Endpoints = etcdEndpoints
|
|
cfg.CoreDNSPath = "/skydns"
|
|
if etcdSecure {
|
|
cfg.TLS = &tls.Config{
|
|
RootCAs: rootCAs,
|
|
}
|
|
// This is only to support client side certificate authentication
|
|
// https://coreos.com/etcd/docs/latest/op-guide/security.html
|
|
etcdClientCertFile := env.Get(EnvEtcdClientCert, "")
|
|
etcdClientCertKey := env.Get(EnvEtcdClientCertKey, "")
|
|
if etcdClientCertFile != "" && etcdClientCertKey != "" {
|
|
cfg.TLS.GetClientCertificate = func(unused *tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
|
cert, err := tls.LoadX509KeyPair(etcdClientCertFile, etcdClientCertKey)
|
|
return &cert, err
|
|
}
|
|
}
|
|
}
|
|
return cfg, nil
|
|
}
|
|
|
|
// LookupConfig - Initialize new etcd config.
|
|
func LookupConfig(kvs config.KVS, rootCAs *x509.CertPool) (Config, error) {
|
|
cfg := Config{}
|
|
if err := config.CheckValidKeys(config.EtcdSubSys, kvs, DefaultKVS); err != nil {
|
|
return cfg, err
|
|
}
|
|
|
|
stateBool, err := config.ParseBool(env.Get(EnvEtcdState, config.StateOn))
|
|
if err != nil {
|
|
return cfg, err
|
|
}
|
|
|
|
if stateBool {
|
|
// By default state is 'on' to honor legacy config.
|
|
cfg, err = lookupLegacyConfig(rootCAs)
|
|
if err != nil {
|
|
return cfg, err
|
|
}
|
|
// If old legacy config is enabled honor it.
|
|
if cfg.Enabled {
|
|
return cfg, nil
|
|
}
|
|
}
|
|
|
|
stateBool, err = config.ParseBool(env.Get(EnvEtcdState, kvs.Get(config.State)))
|
|
if err != nil {
|
|
if kvs.Empty() {
|
|
return cfg, nil
|
|
}
|
|
return cfg, err
|
|
}
|
|
|
|
if !stateBool {
|
|
return cfg, nil
|
|
}
|
|
|
|
endpoints := env.Get(EnvEtcdEndpoints, kvs.Get(Endpoints))
|
|
if endpoints == "" {
|
|
return cfg, config.Error("'endpoints' key cannot be empty to enable etcd")
|
|
}
|
|
|
|
etcdEndpoints, etcdSecure, err := parseEndpoints(endpoints)
|
|
if err != nil {
|
|
return cfg, err
|
|
}
|
|
|
|
cfg.Enabled = true
|
|
cfg.DialTimeout = defaultDialTimeout
|
|
cfg.DialKeepAliveTime = defaultDialKeepAlive
|
|
cfg.Endpoints = etcdEndpoints
|
|
cfg.CoreDNSPath = env.Get(EnvEtcdCoreDNSPath, kvs.Get(CoreDNSPath))
|
|
if etcdSecure {
|
|
cfg.TLS = &tls.Config{
|
|
RootCAs: rootCAs,
|
|
}
|
|
// This is only to support client side certificate authentication
|
|
// https://coreos.com/etcd/docs/latest/op-guide/security.html
|
|
etcdClientCertFile := env.Get(EnvEtcdClientCert, kvs.Get(ClientCert))
|
|
etcdClientCertKey := env.Get(EnvEtcdClientCertKey, kvs.Get(ClientCertKey))
|
|
if etcdClientCertFile != "" && etcdClientCertKey != "" {
|
|
cfg.TLS.GetClientCertificate = func(unused *tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
|
cert, err := tls.LoadX509KeyPair(etcdClientCertFile, etcdClientCertKey)
|
|
return &cert, err
|
|
}
|
|
}
|
|
}
|
|
return cfg, nil
|
|
}
|
|
|