From 6491dfbbd68e4eeb3bd0c6a7f58033441b83404c Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Thu, 1 Nov 2018 21:41:11 -0700
Subject: [PATCH] Fix etcd TLS handling (#6748)

etcd fails to connect if TLS config is set, make TLS conditional to input arguments instead
---
 cmd/common-main.go | 55 +++++++++++++++++++++++++++++++---------------
 docs/sts/README.md | 2 +-
 docs/sts/etcd.md | 2 +-
 docs/sts/sts.env | 2 +-
 4 files changed, 40 insertions(+), 21 deletions(-)

diff --git a/cmd/common-main.go b/cmd/common-main.go
index 0eb677248..98ce4b6d9 100644
--- a/cmd/common-main.go
+++ b/cmd/common-main.go
@@ -34,6 +34,7 @@ import (
 "github.com/minio/minio/cmd/logger"
 "github.com/minio/minio/pkg/auth"
 "github.com/minio/minio/pkg/dns"
+ xnet "github.com/minio/minio/pkg/net"
 )
 // Check for updates and print a notification message
@@ -159,27 +160,45 @@ func handleCommonEnvVars() {
 if ok {
 etcdEndpoints := strings.Split(etcdEndpointsEnv, ",")
- // This is only to support client side certificate authentication
- // https://coreos.com/etcd/docs/latest/op-guide/security.html
- etcdClientCertFile, ok1 := os.LookupEnv("MINIO_ETCD_CLIENT_CERT")
- etcdClientCertKey, ok2 := os.LookupEnv("MINIO_ETCD_CLIENT_CERT_KEY")
- var getClientCertificate func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
- if ok1 && ok2 {
- getClientCertificate = func(unused *tls.CertificateRequestInfo) (*tls.Certificate, error) {
- cert, err := tls.LoadX509KeyPair(etcdClientCertFile, etcdClientCertKey)
- return &cert, err
+ var etcdSecure bool
+ for _, endpoint := range etcdEndpoints {
+ u, err := xnet.ParseURL(endpoint)
+ if err != nil {
+ logger.FatalIf(err, "Unable to initialize etcd with %s", etcdEndpoints)
 }
+ // If one of the endpoint is https, we will use https directly.
+ etcdSecure = etcdSecure || u.Scheme == "https"
 }
 var err error
- globalEtcdClient, err = etcd.New(etcd.Config{
- Endpoints: etcdEndpoints,
- DialTimeout: defaultDialTimeout,
- DialKeepAliveTime: defaultDialKeepAlive,
- TLS: &tls.Config{
- RootCAs: globalRootCAs,
- GetClientCertificate: getClientCertificate,
- },
- })
+ if etcdSecure {
+ // This is only to support client side certificate authentication
+ // https://coreos.com/etcd/docs/latest/op-guide/security.html
+ etcdClientCertFile, ok1 := os.LookupEnv("MINIO_ETCD_CLIENT_CERT")
+ etcdClientCertKey, ok2 := os.LookupEnv("MINIO_ETCD_CLIENT_CERT_KEY")
+ var getClientCertificate func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
+ if ok1 && ok2 {
+ getClientCertificate = func(unused *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+ cert, terr := tls.LoadX509KeyPair(etcdClientCertFile, etcdClientCertKey)
+ return &cert, terr
+ }
+ }
+ globalEtcdClient, err = etcd.New(etcd.Config{
+ Endpoints: etcdEndpoints,
+ DialTimeout: defaultDialTimeout,
+ DialKeepAliveTime: defaultDialKeepAlive,
+ TLS: &tls.Config{
+ RootCAs: globalRootCAs,
+ GetClientCertificate: getClientCertificate,
+ },
+ })
+ } else {
+ globalEtcdClient, err = etcd.New(etcd.Config{
+ Endpoints: etcdEndpoints,
+ DialTimeout: defaultDialTimeout,
+ DialKeepAliveTime: defaultDialKeepAlive,
+ })
+ }
 logger.FatalIf(err, "Unable to initialize etcd with %s", etcdEndpoints)
 }
diff --git a/docs/sts/README.md b/docs/sts/README.md
index b42df6b6d..f37e5e12f 100644
--- a/docs/sts/README.md
+++ b/docs/sts/README.md
@@ -42,7 +42,7 @@ export MINIO_ACCESS_KEY=aws_access_key
 export MINIO_SECRET_KEY=aws_secret_key
 export MINIO_IAM_JWKS_URL=https://localhost:9443/oauth2/jwks
 export MINIO_IAM_OPA_URL=http://localhost:8181/v1/data/httpapi/authz
-export MINIO_ETCD_ENDPOINTS=localhost:2379
+export MINIO_ETCD_ENDPOINTS=http://localhost:2379
 minio gateway s3
 ```
diff --git a/docs/sts/etcd.md b/docs/sts/etcd.md
index aa52971ed..c95cc1974 100644
--- a/docs/sts/etcd.md
+++ b/docs/sts/etcd.md
@@ -34,7 +34,7 @@ You may also setup etcd with TLS following this documentation [here](https://cor
 ### 3. Setup Minio with etcd
 Minio server expects environment variable for etcd as `MINIO_ETCD_ENDPOINTS`, this environment variable takes many comma separated entries.
 ```
-export MINIO_ETCD_ENDPOINTS=localhost:2379
+export MINIO_ETCD_ENDPOINTS=http://localhost:2379
 minio server /data
 ```
diff --git a/docs/sts/sts.env b/docs/sts/sts.env
index 793f578f1..7e72ad1dd 100644
--- a/docs/sts/sts.env
+++ b/docs/sts/sts.env
@@ -2,4 +2,4 @@ export MINIO_ACCESS_KEY=minio
 export MINIO_SECRET_KEY=minio123
 export MINIO_IAM_JWKS_URL=http://localhost:9763/oauth2/jwks
 export MINIO_IAM_OPA_URL=http://localhost:8181/v1/data/httpapi/authz
-export MINIO_ETCD_ENDPOINTS=localhost:2379
+export MINIO_ETCD_ENDPOINTS=http://localhost:2379
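Review bot: The new endpoint loop sets `etcdSecure` from any single `https` entry, so a list that mixes `http://` and `https://` endpoints is accepted and the one `TLS` field of `etcd.Config` is applied to all of them, which at best reproduces for the plaintext entries the dial failure this commit is fixing and at worst (inferred, not visible in the hunk) leaves one endpoint talking in the clear while the operator believes TLS is on. Rejecting a mixed list at startup turns that silent misconfiguration into a clear fatal error, and the `logger.FatalIf` inside the loop should name the failing `endpoint` rather than format the whole `etcdEndpoints` slice. `handleCommonEnvVars` starts before the hunk (only its signature appears in the `@@` header) and continues after it; the rewrite below uses `errors.New`, which needs that package in scope if the file does not already import it.

```go
		var etcdSecure, etcdPlain bool
		for _, endpoint := range etcdEndpoints {
			u, err := xnet.ParseURL(endpoint)
			if err != nil {
				logger.FatalIf(err, "Unable to initialize etcd with %s", endpoint)
			}
			// One TLS config is applied to the whole client, so all endpoints must use the same scheme.
			etcdSecure = etcdSecure || u.Scheme == "https"
			etcdPlain = etcdPlain || u.Scheme != "https"
		}
		if etcdSecure && etcdPlain {
			logger.FatalIf(errors.New("mixed http and https etcd endpoints are not supported"), "Unable to initialize etcd with %s", etcdEndpoints)
		}
		// … unchanged: client construction for the secure / plain cases …
```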