예제 #1
0
파일: etcd3.go 프로젝트: vmware/kubernetes
func newETCD3Storage(c storagebackend.Config) (storage.Interface, error) {
	tlsInfo := transport.TLSInfo{
		CertFile: c.CertFile,
		KeyFile:  c.KeyFile,
		CAFile:   c.CAFile,
	}
	tlsConfig, err := tlsInfo.ClientConfig()
	if err != nil {
		return nil, err
	}
	// NOTE: Client relies on nil tlsConfig
	// for non-secure connections, update the implicit variable
	if len(c.CertFile) == 0 && len(c.KeyFile) == 0 && len(c.CAFile) == 0 {
		tlsConfig = nil
	}
	cfg := clientv3.Config{
		Endpoints: c.ServerList,
		TLS:       tlsConfig,
	}
	client, err := clientv3.New(cfg)
	if err != nil {
		return nil, err
	}
	etcd3.StartCompactor(context.Background(), client)
	return etcd3.New(client, c.Codec, c.Prefix), nil
}
예제 #2
0
func ExampleConfig_withTLS() {
	tlsInfo := transport.TLSInfo{
		CertFile:      "/tmp/test-certs/test-name-1.pem",
		KeyFile:       "/tmp/test-certs/test-name-1-key.pem",
		TrustedCAFile: "/tmp/test-certs/trusted-ca.pem",
	}
	tlsConfig, err := tlsInfo.ClientConfig()
	if err != nil {
		log.Fatal(err)
	}
	cli, err := clientv3.New(clientv3.Config{
		Endpoints:   endpoints,
		DialTimeout: dialTimeout,
		TLS:         tlsConfig,
	})
	if err != nil {
		log.Fatal(err)
	}
	defer cli.Close() // make sure to close the client

	_, err = cli.Put(context.TODO(), "foo", "bar")
	if err != nil {
		log.Fatal(err)
	}
}
예제 #3
0
파일: global.go 프로젝트: vsayer/etcd
func mustClient(endpoint, cert, key, cacert string) *clientv3.Client {
	// set tls if any one tls option set
	var cfgtls *transport.TLSInfo
	tls := transport.TLSInfo{}
	var file string
	if cert != "" {
		tls.CertFile = cert
		cfgtls = &tls
	}

	if key != "" {
		tls.KeyFile = key
		cfgtls = &tls
	}

	if cacert != "" {
		tls.CAFile = file
		cfgtls = &tls
	}

	cfg := clientv3.Config{
		Endpoints:   []string{endpoint},
		TLS:         cfgtls,
		DialTimeout: 20 * time.Second,
	}

	client, err := clientv3.New(cfg)
	if err != nil {
		ExitWithError(ExitBadConnection, err)
	}

	return client
}
예제 #4
0
파일: etcd_helper.go 프로젝트: 30x/shipyard
func (c *EtcdConfig) newHttpTransport() (*http.Transport, error) {
	info := transport.TLSInfo{
		CertFile: c.CertFile,
		KeyFile:  c.KeyFile,
		CAFile:   c.CAFile,
	}
	cfg, err := info.ClientConfig()
	if err != nil {
		return nil, err
	}

	// Copied from etcd.DefaultTransport declaration.
	// TODO: Determine if transport needs optimization
	tr := &http.Transport{
		Proxy: http.ProxyFromEnvironment,
		Dial: (&net.Dialer{
			Timeout:   30 * time.Second,
			KeepAlive: 30 * time.Second,
		}).Dial,
		TLSHandshakeTimeout: 10 * time.Second,
		MaxIdleConnsPerHost: 500,
		TLSClientConfig:     cfg,
	}

	return tr, nil
}
예제 #5
0
func newETCD3Storage(c storagebackend.Config) (storage.Interface, DestroyFunc, error) {
	tlsInfo := transport.TLSInfo{
		CertFile: c.CertFile,
		KeyFile:  c.KeyFile,
		CAFile:   c.CAFile,
	}
	tlsConfig, err := tlsInfo.ClientConfig()
	if err != nil {
		return nil, nil, err
	}
	// NOTE: Client relies on nil tlsConfig
	// for non-secure connections, update the implicit variable
	if len(c.CertFile) == 0 && len(c.KeyFile) == 0 && len(c.CAFile) == 0 {
		tlsConfig = nil
	}
	cfg := clientv3.Config{
		Endpoints: c.ServerList,
		TLS:       tlsConfig,
	}
	client, err := clientv3.New(cfg)
	if err != nil {
		return nil, nil, err
	}
	ctx, cancel := context.WithCancel(context.Background())
	etcd3.StartCompactor(ctx, client)
	destroyFunc := func() {
		cancel()
		client.Close()
	}
	if c.Quorum {
		return etcd3.New(client, c.Codec, c.Prefix), destroyFunc, nil
	}
	return etcd3.NewWithNoQuorumRead(client, c.Codec, c.Prefix), destroyFunc, nil
}
예제 #6
0
func newEtcdClient(theEndpoints, certFile, keyFile, caFile string) (*clientv3.Client, error) {
	// Log the etcd endpoint for debugging purposes
	logger.Infof("ETCD Endpoints: %s", theEndpoints)

	// ETCD config
	etcdConfig := clientv3.Config{
		Endpoints:   strings.Split(theEndpoints, ","),
		DialTimeout: dialTimeout,
	}

	// Optionally, configure TLS transport
	if certFile != "" && keyFile != "" && caFile != "" {
		// Load client cert
		tlsInfo := transport.TLSInfo{
			CertFile:      certFile,
			KeyFile:       keyFile,
			TrustedCAFile: caFile,
		}

		// Setup HTTPS client
		tlsConfig, err := tlsInfo.ClientConfig()
		if err != nil {
			return nil, err
		}
		// Add TLS config
		etcdConfig.TLS = tlsConfig
	}

	// ETCD client
	return clientv3.New(etcdConfig)
}
예제 #7
0
func urlsFromStrings(input string, tlsInfo transport.TLSInfo) ([]url.URL, error) {
	urls := []url.URL{}
	for _, addr := range strings.Split(input, ",") {
		addrURL := url.URL{Scheme: "http", Host: addr}
		if !tlsInfo.Empty() {
			addrURL.Scheme = "https"
		}
		urls = append(urls, addrURL)
	}
	return urls, nil
}
예제 #8
0
파일: grpc_proxy.go 프로젝트: ringtail/etcd
func newClientCfg() (*clientv3.Config, error) {
	// set tls if any one tls option set
	var cfgtls *transport.TLSInfo
	tlsinfo := transport.TLSInfo{}
	if grpcProxyCert != "" {
		tlsinfo.CertFile = grpcProxyCert
		cfgtls = &tlsinfo
	}

	if grpcProxyKey != "" {
		tlsinfo.KeyFile = grpcProxyKey
		cfgtls = &tlsinfo
	}

	if grpcProxyCA != "" {
		tlsinfo.CAFile = grpcProxyCA
		cfgtls = &tlsinfo
	}

	cfg := clientv3.Config{
		Endpoints:   grpcProxyEndpoints,
		DialTimeout: 5 * time.Second,
	}
	if cfgtls != nil {
		clientTLS, err := cfgtls.ClientConfig()
		if err != nil {
			return nil, err
		}
		cfg.TLS = clientTLS
	}

	// TODO: support insecure tls

	return &cfg, nil
}
예제 #9
0
파일: client.go 프로젝트: luxas/flannel
func NewTransport(info transport.TLSInfo) (*Transport, error) {
	cfg, err := info.ClientConfig()
	if err != nil {
		return nil, err
	}

	t := &Transport{
		// timeouts taken from http.DefaultTransport
		Dial: (&net.Dialer{
			Timeout:   30 * time.Second,
			KeepAlive: 30 * time.Second,
		}).Dial,
		TLSHandshakeTimeout: 10 * time.Second,
		TLSClientConfig:     cfg,
	}

	return t, nil
}
예제 #10
0
파일: global.go 프로젝트: salatamartin/etcd
func mustClient(cmd *cobra.Command) *clientv3.Client {
	endpoint, err := cmd.Flags().GetString("endpoint")
	if err != nil {
		ExitWithError(ExitError, err)
	}

	// set tls if any one tls option set
	var cfgtls *transport.TLSInfo
	tls := transport.TLSInfo{}
	var file string
	if file, err = cmd.Flags().GetString("cert"); err == nil && file != "" {
		tls.CertFile = file
		cfgtls = &tls
	} else if cmd.Flags().Changed("cert") {
		ExitWithError(ExitBadArgs, errors.New("empty string is passed to --cert option"))
	}

	if file, err = cmd.Flags().GetString("key"); err == nil && file != "" {
		tls.KeyFile = file
		cfgtls = &tls
	} else if cmd.Flags().Changed("key") {
		ExitWithError(ExitBadArgs, errors.New("empty string is passed to --key option"))
	}

	if file, err = cmd.Flags().GetString("cacert"); err == nil && file != "" {
		tls.CAFile = file
		cfgtls = &tls
	} else if cmd.Flags().Changed("cacert") {
		ExitWithError(ExitBadArgs, errors.New("empty string is passed to --cacert option"))
	}

	cfg := clientv3.Config{
		Endpoints:   []string{endpoint},
		TLS:         cfgtls,
		DialTimeout: 20 * time.Second,
	}

	client, err := clientv3.New(cfg)
	if err != nil {
		ExitWithError(ExitBadConnection, err)
	}
	return client
}
예제 #11
0
파일: server.go 프로젝트: luxas/flannel
func listener(addr, cafile, certfile, keyfile string) (net.Listener, error) {
	rex := regexp.MustCompile("(?:([a-z]+)://)?(.*)")
	groups := rex.FindStringSubmatch(addr)

	var l net.Listener
	var err error

	switch {
	case groups == nil:
		return nil, fmt.Errorf("bad listener address")

	case groups[1] == "", groups[1] == "tcp":
		if l, err = net.Listen("tcp", groups[2]); err != nil {
			return nil, err
		}

	case groups[1] == "fd":
		if l, err = fdListener(groups[2]); err != nil {
			return nil, err
		}

	default:
		return nil, fmt.Errorf("bad listener scheme")
	}

	tlsinfo := transport.TLSInfo{
		CAFile:   cafile,
		CertFile: certfile,
		KeyFile:  keyfile,
	}

	if !tlsinfo.Empty() {
		cfg, err := tlsinfo.ServerConfig()
		if err != nil {
			return nil, err
		}

		l = tls.NewListener(l, cfg)
	}

	return l, nil
}
예제 #12
0
// newSecuredLocalListener opens a port localhost using any port
// with SSL enable
func newSecuredLocalListener(t *testing.T, certFile, keyFile, caFile string) net.Listener {
	var l net.Listener
	l, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		t.Fatal(err)
	}
	tlsInfo := transport.TLSInfo{
		CertFile: certFile,
		KeyFile:  keyFile,
		CAFile:   caFile,
	}
	tlscfg, err := tlsInfo.ServerConfig()
	if err != nil {
		t.Fatalf("unexpected serverConfig error: %v", err)
	}
	l, err = transport.NewKeepAliveListener(l, "https", tlscfg)
	if err != nil {
		t.Fatal(err)
	}
	return l
}
예제 #13
0
func newETCD3Storage(c storagebackend.Config) (storage.Interface, error) {
	tlsInfo := transport.TLSInfo{
		CertFile: c.CertFile,
		KeyFile:  c.KeyFile,
		CAFile:   c.CAFile,
	}
	tlsConfig, err := tlsInfo.ClientConfig()
	if err != nil {
		return nil, err
	}

	cfg := clientv3.Config{
		Endpoints: c.ServerList,
		TLS:       tlsConfig,
	}
	client, err := clientv3.New(cfg)
	if err != nil {
		return nil, err
	}
	etcd3.StartCompactor(context.Background(), client)
	return etcd3.New(client, c.Codec, c.Prefix), nil
}
예제 #14
0
파일: main.go 프로젝트: CMGS/skydns
func newHTTPSTransport(certFile, keyFile, caFile string) (*http.Transport, error) {
	info := transport.TLSInfo{
		CertFile: certFile,
		KeyFile:  keyFile,
		CAFile:   caFile,
	}
	cfg, err := info.ClientConfig()
	if err != nil {
		return nil, err
	}

	tr := &http.Transport{
		Proxy: http.ProxyFromEnvironment,
		Dial: (&net.Dialer{
			Timeout:   30 * time.Second,
			KeepAlive: 30 * time.Second,
		}).Dial,
		TLSHandshakeTimeout: 10 * time.Second,
		TLSClientConfig:     cfg,
	}

	return tr, nil
}
예제 #15
0
func newTransportForETCD2(certFile, keyFile, caFile string) (*http.Transport, error) {
	info := transport.TLSInfo{
		CertFile: certFile,
		KeyFile:  keyFile,
		CAFile:   caFile,
	}
	cfg, err := info.ClientConfig()
	if err != nil {
		return nil, err
	}
	// Copied from etcd.DefaultTransport declaration.
	// TODO: Determine if transport needs optimization
	tr := utilnet.SetTransportDefaults(&http.Transport{
		Proxy: http.ProxyFromEnvironment,
		Dial: (&net.Dialer{
			Timeout:   30 * time.Second,
			KeepAlive: 30 * time.Second,
		}).Dial,
		TLSHandshakeTimeout: 10 * time.Second,
		MaxIdleConnsPerHost: 500,
		TLSClientConfig:     cfg,
	})
	return tr, nil
}
예제 #16
0
파일: flag.go 프로젝트: johnchengliu/etcd
// URLsFromFlags decides what URLs should be using two different flags
// as datasources. The first flag's Value must be of type URLs, while
// the second must be of type IPAddressPort. If both of these flags
// are set, an error will be returned. If only the first flag is set,
// the underlying url.URL objects will be returned unmodified. If the
// second flag happens to be set, the underlying IPAddressPort will be
// converted to a url.URL and returned. The Scheme of the returned
// url.URL will be http unless the provided TLSInfo object is non-empty.
// If neither of the flags have been explicitly set, the default value
// of the first flag will be returned unmodified.
func URLsFromFlags(fs *flag.FlagSet, urlsFlagName string, addrFlagName string, tlsInfo transport.TLSInfo) ([]url.URL, error) {
	visited := make(map[string]struct{})
	fs.Visit(func(f *flag.Flag) {
		visited[f.Name] = struct{}{}
	})

	_, urlsFlagIsSet := visited[urlsFlagName]
	_, addrFlagIsSet := visited[addrFlagName]

	if addrFlagIsSet {
		if urlsFlagIsSet {
			return nil, fmt.Errorf("Set only one of flags -%s and -%s", urlsFlagName, addrFlagName)
		}

		addr := *fs.Lookup(addrFlagName).Value.(*IPAddressPort)
		addrURL := url.URL{Scheme: "http", Host: addr.String()}
		if !tlsInfo.Empty() {
			addrURL.Scheme = "https"
		}
		return []url.URL{addrURL}, nil
	}

	return []url.URL(*fs.Lookup(urlsFlagName).Value.(*URLsValue)), nil
}
예제 #17
0
파일: client.go 프로젝트: luxas/flannel
func NewRemoteManager(listenAddr, cafile, certfile, keyfile string) (subnet.Manager, error) {
	tls := transport.TLSInfo{
		CAFile:   cafile,
		CertFile: certfile,
		KeyFile:  keyfile,
	}

	t, err := NewTransport(tls)
	if err != nil {
		return nil, err
	}

	var scheme string
	if tls.Empty() && tls.CAFile == "" {
		scheme = "http://"
	} else {
		scheme = "https://"
	}

	return &RemoteManager{
		base:      scheme + listenAddr + "/v1",
		transport: t,
	}, nil
}
예제 #18
0
파일: global.go 프로젝트: ringtail/etcd
func newClientCfg(endpoints []string, dialTimeout time.Duration, scfg *secureCfg, acfg *authCfg) (*clientv3.Config, error) {
	// set tls if any one tls option set
	var cfgtls *transport.TLSInfo
	tlsinfo := transport.TLSInfo{}
	if scfg.cert != "" {
		tlsinfo.CertFile = scfg.cert
		cfgtls = &tlsinfo
	}

	if scfg.key != "" {
		tlsinfo.KeyFile = scfg.key
		cfgtls = &tlsinfo
	}

	if scfg.cacert != "" {
		tlsinfo.CAFile = scfg.cacert
		cfgtls = &tlsinfo
	}

	cfg := &clientv3.Config{
		Endpoints:   endpoints,
		DialTimeout: dialTimeout,
	}
	if cfgtls != nil {
		clientTLS, err := cfgtls.ClientConfig()
		if err != nil {
			return nil, err
		}
		cfg.TLS = clientTLS
	}
	// if key/cert is not given but user wants secure connection, we
	// should still setup an empty tls configuration for gRPC to setup
	// secure connection.
	if cfg.TLS == nil && !scfg.insecureTransport {
		cfg.TLS = &tls.Config{}
	}

	// If the user wants to skip TLS verification then we should set
	// the InsecureSkipVerify flag in tls configuration.
	if scfg.insecureSkipVerify && cfg.TLS != nil {
		cfg.TLS.InsecureSkipVerify = true
	}

	if acfg != nil {
		cfg.Username = acfg.username
		cfg.Password = acfg.password
	}

	return cfg, nil
}