Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-11-01 10:43:17 -04:00
Code Issues Packages Projects Releases Wiki Activity

Use common TLS parsing routine for etcd (#476)

Browse Source 
* Use common TLS parsing routine for etcd

Change to use the new common routine, and update the docs to reflect
the different options for passing TLS configuration.

* Move middleware/tls to middleware/pkg/tls

This was put in the wrong place originally.
This commit is contained in:
John Belamaric
2017-01-12 03:14:24 -05:00
committed by Miek Gieben
parent 94c59da577
commit 2e366459c5
5 changed files with 26 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
middleware/etcd/setup.go
View File

@@ -2,8 +2,6 @@ package etcd
import (
"crypto/tls"
"crypto/x509"
"io/ioutil"
"net"
"net/http"
"time"
@@ -12,6 +10,7 @@ import (
"github.com/miekg/coredns/middleware"
"github.com/miekg/coredns/middleware/pkg/dnsutil"
"github.com/miekg/coredns/middleware/pkg/singleflight"
mwtls "github.com/miekg/coredns/middleware/pkg/tls"
"github.com/miekg/coredns/middleware/proxy"
etcdc "github.com/coreos/etcd/client"
@@ -57,11 +56,10 @@ func etcdParse(c *caddy.Controller) (*Etcd, bool, error) {
Stubmap: &stub,
}
var (
tlsCertFile = ""
tlsKeyFile = ""
tlsCAcertFile = ""
endpoints = []string{defaultEndpoint}
stubzones = false
tlsConfig *tls.Config
err error
endpoints = []string{defaultEndpoint}
stubzones = false
)
for c.Next() {
if c.Val() == "etcd" {
@@ -101,10 +99,10 @@ func etcdParse(c *caddy.Controller) (*Etcd, bool, error) {
etc.Proxy = proxy.New(ups)
case "tls": // cert key cacertfile
args := c.RemainingArgs()
if len(args) != 3 {
return &Etcd{}, false, c.ArgErr()
tlsConfig, err = mwtls.NewTLSConfigFromArgs(args...)
if err != nil {
return &Etcd{}, false, err
}
tlsCertFile, tlsKeyFile, tlsCAcertFile = args[0], args[1], args[2]
default:
if c.Val() != "}" {
return &Etcd{}, false, c.Errf("unknown property '%s'", c.Val())
@@ -139,10 +137,10 @@ func etcdParse(c *caddy.Controller) (*Etcd, bool, error) {
etc.Proxy = proxy.New(ups)
case "tls": // cert key cacertfile
args := c.RemainingArgs()
if len(args) != 3 {
return &Etcd{}, false, c.ArgErr()
tlsConfig, err = mwtls.NewTLSConfigFromArgs(args...)
if err != nil {
return &Etcd{}, false, err
}
tlsCertFile, tlsKeyFile, tlsCAcertFile = args[0], args[1], args[2]
default:
if c.Val() != "}" { // TODO(miek): this feels like I'm doing it completely wrong.
return &Etcd{}, false, c.Errf("unknown property '%s'", c.Val())
@@ -151,7 +149,7 @@ func etcdParse(c *caddy.Controller) (*Etcd, bool, error) {
}
}
client, err := newEtcdClient(endpoints, tlsCertFile, tlsKeyFile, tlsCAcertFile)
client, err := newEtcdClient(endpoints, tlsConfig)
if err != nil {
return &Etcd{}, false, err
}
@@ -164,10 +162,10 @@ func etcdParse(c *caddy.Controller) (*Etcd, bool, error) {
return &Etcd{}, false, nil
}
func newEtcdClient(endpoints []string, tlsCert, tlsKey, tlsCACert string) (etcdc.KeysAPI, error) {
func newEtcdClient(endpoints []string, cc *tls.Config) (etcdc.KeysAPI, error) {
etcdCfg := etcdc.Config{
Endpoints: endpoints,
Transport: newHTTPSTransport(tlsCert, tlsKey, tlsCACert),
Transport: newHTTPSTransport(cc),
}
cli, err := etcdc.New(etcdCfg)
if err != nil {
@@ -176,25 +174,10 @@ func newEtcdClient(endpoints []string, tlsCert, tlsKey, tlsCACert string) (etcdc
return etcdc.NewKeysAPI(cli), nil
}
func newHTTPSTransport(tlsCertFile, tlsKeyFile, tlsCACertFile string) etcdc.CancelableTransport {
var cc *tls.Config
if tlsCertFile != "" && tlsKeyFile != "" {
var rpool *x509.CertPool
if tlsCACertFile != "" {
if pemBytes, err := ioutil.ReadFile(tlsCACertFile); err == nil {
rpool = x509.NewCertPool()
rpool.AppendCertsFromPEM(pemBytes)
}
}
if tlsCert, err := tls.LoadX509KeyPair(tlsCertFile, tlsKeyFile); err == nil {
cc = &tls.Config{
RootCAs: rpool,
Certificates: []tls.Certificate{tlsCert},
InsecureSkipVerify: true,
}
}
func newHTTPSTransport(cc *tls.Config) etcdc.CancelableTransport {
// this seems like a bad idea but was here in the previous version
if cc != nil {
cc.InsecureSkipVerify = true
}
tr := &http.Transport{