Support etcd TLS certficates (#6719)

This PR supports two models for etcd certs - Client-to-server transport security with HTTPS - Client-to-server authentication with HTTPS client certificates
2025-04-03 19:30:29 -04:00 · 2018-10-29 11:14:12 -07:00 · 2018-10-29 11:14:12 -07:00 · 9fe51e392b
commit 9fe51e392b
parent 7e879a45d5
5 changed files with 39 additions and 15 deletions
--- a/cmd/common-main.go
+++ b/cmd/common-main.go
@ -17,6 +17,7 @@
 package cmd
 import (
 	"crypto/tls"
 	"errors"
 	"net"
 	"os"
@ -157,11 +158,27 @@ func handleCommonEnvVars() {
 	etcdEndpointsEnv, ok := os.LookupEnv("MINIO_ETCD_ENDPOINTS")
 	if ok {
 		etcdEndpoints := strings.Split(etcdEndpointsEnv, ",")
 		// This is only to support client side certificate authentication
 		// https://coreos.com/etcd/docs/latest/op-guide/security.html
 		etcdClientCertFile, ok1 := os.LookupEnv("MINIO_ETCD_CLIENT_CERT")
 		etcdClientCertKey, ok2 := os.LookupEnv("MINIO_ETCD_CLIENT_CERT_KEY")
 		var getClientCertificate func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
 		if ok1 && ok2 {
 			getClientCertificate = func(unused *tls.CertificateRequestInfo) (*tls.Certificate, error) {
 				cert, err := tls.LoadX509KeyPair(etcdClientCertFile, etcdClientCertKey)
 				return &cert, err
 			}
 		}
 		var err error
 		globalEtcdClient, err = etcd.New(etcd.Config{
 			Endpoints:         etcdEndpoints,
 			DialTimeout:       defaultDialTimeout,
 			DialKeepAliveTime: defaultDialKeepAlive,
 			TLS: &tls.Config{
 				RootCAs:              globalRootCAs,
 				GetClientCertificate: getClientCertificate,
 			},
 		})
 		logger.FatalIf(err, "Unable to initialize etcd with %s", etcdEndpoints)
 	}
--- a/cmd/gateway-main.go
+++ b/cmd/gateway-main.go
@ -134,9 +134,6 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
 	// Handle common command args.
 	handleCommonCmdArgs(ctx)
 	// Handle common env vars.
 	handleCommonEnvVars()
 	// Get port to listen on from gateway address
 	_, gatewayPort, pErr := net.SplitHostPort(gatewayAddr)
 	if pErr != nil {
@ -149,11 +146,6 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
 	// To avoid this error situation we check for port availability.
 	logger.FatalIf(checkPortAvailability(gatewayPort), "Unable to start the gateway")
 	// Validate if we have access, secret set through environment.
 	if !globalIsEnvCreds {
 		logger.Fatal(uiErrEnvCredentialsMissingGateway(nil), "Unable to start gateway")
 	}
 	// Create certs path.
 	logger.FatalIf(createConfigDir(), "Unable to create configuration directories")
@ -166,6 +158,14 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
 	globalRootCAs, err = getRootCAs(getCADir())
 	logger.FatalIf(err, "Failed to read root CAs (%v)", err)
 	// Handle common env vars.
 	handleCommonEnvVars()
 	// Validate if we have access, secret set through environment.
 	if !globalIsEnvCreds {
 		logger.Fatal(uiErrEnvCredentialsMissingGateway(nil), "Unable to start gateway")
 	}
 	// Set system resources to maximum.
 	logger.LogIf(context.Background(), setMaxResources())
--- a/cmd/gateway/s3/gateway-s3.go
+++ b/cmd/gateway/s3/gateway-s3.go
@ -203,6 +203,9 @@ func newS3(url string) (*miniogo.Core, error) {
 		return nil, err
 	}
 	// Set custom transport
 	clnt.SetCustomTransport(minio.NewCustomHTTPTransport())
 	probeBucketName := randString(60, rand.NewSource(time.Now().UnixNano()), "probe-bucket-sign-")
 	// Check if the provided keys are valid.
 	if _, err = clnt.BucketExists(probeBucketName); err != nil {
--- a/cmd/server-main.go
+++ b/cmd/server-main.go
@ -218,12 +218,6 @@ func serverMain(ctx *cli.Context) {
 		logger.EnableQuiet()
 	}
 	// Handle all server command args.
 	serverHandleCmdArgs(ctx)
 	// Handle all server environment vars.
 	serverHandleEnvVars()
 	// Create certs path.
 	logger.FatalIf(createConfigDir(), "Unable to initialize configuration files")
@ -236,6 +230,12 @@ func serverMain(ctx *cli.Context) {
 	globalRootCAs, err = getRootCAs(getCADir())
 	logger.FatalIf(err, "Failed to read root CAs (%v)", err)
 	// Handle all server command args.
 	serverHandleCmdArgs(ctx)
 	// Handle all server environment vars.
 	serverHandleEnvVars()
 	// Is distributed setup, error out if no certificates are found for HTTPS endpoints.
 	if globalIsDistXL {
 		if globalEndpoints.IsHTTPS() && !globalIsSSL {
--- a/docs/sts/etcd.md
+++ b/docs/sts/etcd.md
@ -29,6 +29,8 @@ rm -rf /tmp/etcd-data.tmp && mkdir -p /tmp/etcd-data.tmp && \
  --initial-cluster-state new
 ```
 You may also setup etcd with TLS following this documentation [here](https://coreos.com/etcd/docs/latest/op-guide/security.html)
 ### 3. Setup Minio with etcd
 Minio server expects environment variable for etcd as `MINIO_ETCD_ENDPOINTS`, this environment variable takes many comma separated entries.
 ```
@ -36,7 +38,9 @@ export MINIO_ETCD_ENDPOINTS=localhost:2379
 minio server /data
 ```
-### 5. Test with Minio STS API
+NOTE: If `etcd` is configured with `Client-to-server authentication with HTTPS client certificates` then you need to use additional envs such as `MINIO_ETCD_CLIENT_CERT` pointing to path to `etcd-client.crt` and `MINIO_ETCD_CLIENT_CERT_KEY` path to `etcd-client.key` .
 ### 4. Test with Minio STS API
 Assuming that you have configured Minio server to support STS API by following the doc [Minio STS Quickstart Guide](https://docs.minio.io/docs/minio-sts-quickstart-guide) and once you have obtained the JWT from WSO2 as mentioned in [WSO2 Quickstart Guide](https://github.com/minio/minio/blob/master/docs/sts/wso2.md).
 ```
 go run full-example.go -cid PoEgXP6uVO45IsENRngDXj5Au5Ya -csec eKsw6z8CtOJVBtrOWvhRWL4TUCga