Support etcd TLS certficates (#6719)

This PR supports two models for etcd certs - Client-to-server transport security with HTTPS - Client-to-server authentication with HTTPS client certificates
2025-11-07 21:02:58 -05:00 · 2018-10-29 11:14:12 -07:00
parent 7e879a45d5
commit 9fe51e392b
5 changed files with 39 additions and 15 deletions
--- a/cmd/common-main.go
+++ b/cmd/common-main.go
@@ -17,6 +17,7 @@
 package cmd

 import (
+	"crypto/tls"
 	"errors"
 	"net"
 	"os"
@@ -157,11 +158,27 @@ func handleCommonEnvVars() {
 	etcdEndpointsEnv, ok := os.LookupEnv("MINIO_ETCD_ENDPOINTS")
 	if ok {
 		etcdEndpoints := strings.Split(etcdEndpointsEnv, ",")
+
+		// This is only to support client side certificate authentication
+		// https://coreos.com/etcd/docs/latest/op-guide/security.html
+		etcdClientCertFile, ok1 := os.LookupEnv("MINIO_ETCD_CLIENT_CERT")
+		etcdClientCertKey, ok2 := os.LookupEnv("MINIO_ETCD_CLIENT_CERT_KEY")
+		var getClientCertificate func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
+		if ok1 && ok2 {
+			getClientCertificate = func(unused *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+				cert, err := tls.LoadX509KeyPair(etcdClientCertFile, etcdClientCertKey)
+				return &cert, err
+			}
+		}
 		var err error
 		globalEtcdClient, err = etcd.New(etcd.Config{
 			Endpoints:         etcdEndpoints,
 			DialTimeout:       defaultDialTimeout,
 			DialKeepAliveTime: defaultDialKeepAlive,
+			TLS: &tls.Config{
+				RootCAs:              globalRootCAs,
+				GetClientCertificate: getClientCertificate,
+			},
 		})
 		logger.FatalIf(err, "Unable to initialize etcd with %s", etcdEndpoints)
 	}