From d398cd04d3cc8aba68b9713ad9cc5997f34fd843 Mon Sep 17 00:00:00 2001
From: Lubron
Date: Wed, 1 May 2019 12:00:57 -0700
Subject: [PATCH] Add etcdctl-root cert to etcd job used for root authentication (#15) [#163786805]
---
 jobs/etcd/spec | 6 ++
 .../templates/bin/authentication-setup.erb | 68 ++++++++++++-------
 .../templates/config/etcdctl-root.crt.erb | 1 +
 .../templates/config/etcdctl-root.key.erb | 1 +
 4 files changed, 50 insertions(+), 26 deletions(-)
 create mode 100644 jobs/etcd/templates/config/etcdctl-root.crt.erb
 create mode 100644 jobs/etcd/templates/config/etcdctl-root.key.erb
diff --git a/jobs/etcd/spec b/jobs/etcd/spec
index be4a961..4431101 100644
--- a/jobs/etcd/spec
+++ b/jobs/etcd/spec
@@ -18,6 +18,8 @@ templates:
 config/etcdctl-ca.crt.erb: config/etcdctl-ca.crt
 config/etcdctl.crt.erb: config/etcdctl.crt
 config/etcdctl.key.erb: config/etcdctl.key
+ config/etcdctl-root.crt.erb: config/etcdctl-root.crt
+ config/etcdctl-root.key.erb: config/etcdctl-root.key
 config/peer-ca.crt.erb: config/peer-ca.crt
 config/peer.crt.erb: config/peer.crt
 config/peer.key.erb: config/peer.key
@@ -57,6 +59,10 @@ properties:
 description: Certificate for etcdctl client authentication
 tls.etcdctl.private_key:
 description: Private key for etcdctl client authentication
+ tls.etcdctl-root.certificate: description: Certificate for etcdctl client authentication with CN root
+ tls.etcdctl-root.private_key: description: Private key for etcdctl client authentication with CN root
 tls.peer.ca:
 description: CA for peer authentication
 tls.peer.certificate:
diff --git a/jobs/etcd/templates/bin/authentication-setup.erb b/jobs/etcd/templates/bin/authentication-setup.erb
index 9f527e1..62c11c5 100644
--- a/jobs/etcd/templates/bin/authentication-setup.erb
+++ b/jobs/etcd/templates/bin/authentication-setup.erb
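Review bot: The new `tls.etcdctl-root.*` descriptions say only "with CN root" and do not state the contract that makes the certificate usable, even though `authentication-setup.erb` in this same patch presents it for every privileged call. Once `auth enable` has run, any certificate chaining to `tls.etcdctl.ca` whose CN is exactly `root` is a full-privilege etcd credential (provided the server does client-cert auth, which this diff does not show), so the descriptions should spell that out, e.g. `description: Certificate presented by authentication-setup for etcd root operations; must be issued by tls.etcdctl.ca with CN exactly "root", which etcd maps to the root user when client-cert auth is on. Treat as a root credential.` and `description: Private key for tls.etcdctl-root.certificate; together with it this is an etcd root credential.`. Because the root certificate and `tls.etcdctl.certificate` share the same CA, it is also worth documenting whether the two can be rotated independently.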
@@ -3,7 +3,23 @@ set -euo pipefail
 source /var/vcap/jobs/etcd/bin/utils.sh
-etcdctl="/var/vcap/jobs/etcd/bin/etcdctl"
+etcdctl_v3() {
+ ETCDCTL_API=3 /var/vcap/packages/etcd/bin/etcdctl \
+ --cacert /var/vcap/jobs/etcd/config/etcdctl-ca.crt \
+ --cert /var/vcap/jobs/etcd/config/etcdctl-root.crt \
+ --key /var/vcap/jobs/etcd/config/etcdctl-root.key \
+ --endpoints "${etcd_endpoints}" \
+ "$@"
+}
+
+etcdctl_v2() {
+ ETCDCTL_API=2 /var/vcap/packages/etcd/bin/etcdctl \
+ --ca-file /var/vcap/jobs/etcd/config/etcdctl-ca.crt \
+ --cert-file /var/vcap/jobs/etcd/config/etcdctl-root.crt \
+ --key-file /var/vcap/jobs/etcd/config/etcdctl-root.key \
+ --endpoints "${etcd_endpoints}" \
+ "$@"
+}
 etcdctl_add_user() {
 version=$1
@@ -11,12 +27,12 @@ etcdctl_add_user() {
 password=$3
 if [ "$version" == "v3" ]; then
- if [ -z "$(ETCDCTL_API=3 $etcdctl --user root:$ROOT_PASSWORD user get $username)" ]; then
- ETCDCTL_API=3 $etcdctl --user root:$ROOT_PASSWORD user add $username:$password --interactive=false
+ if [ -z "$(etcdctl_v3 user get $username)" ]; then
+ etcdctl_v3 user add $username:$password --interactive=false
 fi
 else
- if [ -z "$(ETCDCTL_API=2 $etcdctl --username root:$ROOT_PASSWORD user get $username)" ]; then
- echo "$password" | ETCDCTL_API=2 $etcdctl --username root:$ROOT_PASSWORD user add $username
+ if [ -z "$(etcdctl_v2 user get $username)" ]; then
+ echo "$password" | etcdctl_v2 user add $username
 fi
 fi
 }
@@ -26,12 +42,12 @@ etcdctl_add_role() {
 role=$2
 if [ "$version" == "v3" ]; then
- if [ -z "$(ETCDCTL_API=3 $etcdctl --user root:$ROOT_PASSWORD role get $role)" ]; then
- ETCDCTL_API=3 $etcdctl --user root:$ROOT_PASSWORD role add $role
+ if [ -z "$(etcdctl_v3 role get $role)" ]; then
+ etcdctl_v3 role add $role
 fi
 else
- if [ -z "$(ETCDCTL_API=2 $etcdctl --username root:$ROOT_PASSWORD role get $role)" ]; then
- ETCDCTL_API=2 $etcdctl --username root:$ROOT_PASSWORD role add $role
+ if [ -z "$(etcdctl_v2 role get $role)" ]; then
+ etcdctl_v2 role add $role
 fi
 fi
 }
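Review bot: The rewritten checks such as `if [ -z "$(etcdctl_v3 user get $username)" ]; then` still read empty output as "user does not exist", but now that the identity is a client certificate rather than `root:$ROOT_PASSWORD`, empty output is just as likely to mean the request was rejected (CN not `root`, server not doing client-cert auth) or the endpoint is down: stderr is not captured and a failing command substitution inside `[ -z … ]` does not trip `set -e`. On a re-run after auth is enabled — the case these idempotency checks exist for — a rejected certificate therefore makes the script fall through to `user add`, which then fails with a message that hides the real cause. A pre-flight right after the two wrappers would fail fast with a clear error: `etcdctl_v3 user list >/dev/null || { echo "etcdctl-root.crt was not accepted by etcd at ${etcd_endpoints}" >&2; exit 1; }` (mirror it with `etcdctl_v2` where only the v2 API is enabled). `${etcd_endpoints}` is not defined in this hunk and presumably comes from the sourced `utils.sh`; a comment above `etcdctl_v3()` such as `# etcd_endpoints is set by utils.sh (sourced above)` would save the next reader a hunt, since `set -u` makes both wrappers abort if it is missing.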
@@ -49,11 +65,11 @@ etcdctl_grant_read_permission() {
 ## remove * from the end
 path=${path%?}
 fi
- ETCDCTL_API=3 $etcdctl --user root:$ROOT_PASSWORD role grant-permission $role read "$path" --prefix=$is_prefix
+ etcdctl_v3 role grant-permission $role read "$path" --prefix=$is_prefix
 else
 read_regex=".*KV Read:.*\s+$(printf '%q' $path)\s.*KV Write:.*"
- if ! [[ $(ETCDCTL_API=2 $etcdctl --username root:$ROOT_PASSWORD role get $role) =~ $read_regex ]]; then
- ETCDCTL_API=2 $etcdctl --username root:$ROOT_PASSWORD role grant $role --read --path "$path"
+ if ! [[ $(etcdctl_v2 role get $role) =~ $read_regex ]]; then
+ etcdctl_v2 role grant $role --read --path "$path"
 fi
 fi
 }
@@ -73,15 +89,15 @@ etcdctl_grant_write_permission() {
 fi
 read_regex=".*KV Read:.*\s+$(printf '%q' $path)\s.*KV Write:.*|.*KV Read:.*\s+\(prefix $(printf '%q' $path)\).*KV Write:.*"
- if [[ $(ETCDCTL_API=3 $etcdctl --user root:$ROOT_PASSWORD role get $role) =~ $read_regex ]]; then
- ETCDCTL_API=3 $etcdctl --user root:$ROOT_PASSWORD role grant-permission $role readwrite "$path" --prefix=$is_prefix
+ if [[ $(etcdctl_v3 role get $role) =~ $read_regex ]]; then
+ etcdctl_v3 role grant-permission $role readwrite "$path" --prefix=$is_prefix
 else
- ETCDCTL_API=3 $etcdctl --user root:$ROOT_PASSWORD role grant-permission $role write "$path" --prefix=$is_prefix
+ etcdctl_v3 role grant-permission $role write "$path" --prefix=$is_prefix
 fi
 else
 write_regex=".*KV Write:.*\s+$(printf '%q' $path)\s.*|.*KV Write:.*\s+$(printf '%q' $path)$"
- if ! [[ $(ETCDCTL_API=2 $etcdctl --username root:$ROOT_PASSWORD role get $role) =~ $write_regex ]]; then
- ETCDCTL_API=2 $etcdctl --username root:$ROOT_PASSWORD role grant $role --write --path "$path"
+ if ! [[ $(etcdctl_v2 role get $role) =~ $write_regex ]]; then
+ etcdctl_v2 role grant $role --write --path "$path"
 fi
 fi
 }
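Review bot: The rewritten grant calls keep `$role`, `$is_prefix` and the `$(printf '%q' $path)` argument unquoted, e.g. `etcdctl_v3 role grant-permission $role read "$path" --prefix=$is_prefix`, while `"$path"` on the same line is quoted; these values come from the callers' arguments and end up on a command line that decides which role may read or write which keys, so a value containing whitespace or a glob character would be split or expanded into different arguments than intended. Quoting them consistently, `etcdctl_v3 role grant-permission "$role" read "$path" --prefix="$is_prefix"` and `$(printf '%q' "$path")`, costs nothing and is the only style change these lines need while they are being touched anyway. The bodies of `etcdctl_grant_read_permission` and `etcdctl_grant_write_permission` begin outside the hunk, so where `$path` and `$is_prefix` are derived is not visible here.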
@@ -92,11 +108,11 @@ etcdctl_bind_role_to_user() {
 role=$3
 if [ "$version" == "v3" ]; then
- ETCDCTL_API=3 $etcdctl --user root:$ROOT_PASSWORD user grant-role $username $role
+ etcdctl_v3 user grant-role $username $role
 else
 role_regex=".*Roles:.*\s+$(printf '%q' $role)\s.*|.*Roles:.*\s+$(printf '%q' $role)$"
- if ! [[ "$(ETCDCTL_API=2 $etcdctl --username root:$ROOT_PASSWORD user get $username)" =~ $role_regex ]]; then
- ETCDCTL_API=2 $etcdctl --username root:$ROOT_PASSWORD user grant $username --roles $role
+ if ! [[ "$(etcdctl_v2 user get $username)" =~ $role_regex ]]; then
+ etcdctl_v2 user grant $username --roles $role
 fi
 fi
 }
@@ -107,11 +123,11 @@ etcdctl_show_user_role() {
 role=$3
 if [ "$version" == "v3" ]; then
- ETCDCTL_API=3 $etcdctl --user root:$ROOT_PASSWORD user get $username
- ETCDCTL_API=3 $etcdctl --user root:$ROOT_PASSWORD role get $role
+ etcdctl_v3 user get $username
+ etcdctl_v3 role get $role
 else
- ETCDCTL_API=2 $etcdctl --username root:$ROOT_PASSWORD user get $username
- ETCDCTL_API=2 $etcdctl --username root:$ROOT_PASSWORD role get $role
+ etcdctl_v2 user get $username
+ etcdctl_v2 role get $role
 fi
 }
@@ -181,7 +197,7 @@ turn_on_authentication() {
 v2_regex=".*v2.*"
 if [[ "$versions" =~ $v2_regex ]]; then
 set +e
- result=$(ETCDCTL_API=2 $etcdctl --username root:$ROOT_PASSWORD auth enable 2>&1)
+ result=$(etcdctl_v2 auth enable 2>&1)
 status=$?
 set -e
 if [ "$status" -ne 0 ]; then
@@ -196,7 +212,7 @@ turn_on_authentication() {
 v3_regex=".*v3.*"
 if [[ "$versions" =~ $v3_regex ]]; then
- ETCDCTL_API=3 $etcdctl --user root:$ROOT_PASSWORD auth enable
+ etcdctl_v3 auth enable
 fi
 }
diff --git a/jobs/etcd/templates/config/etcdctl-root.crt.erb b/jobs/etcd/templates/config/etcdctl-root.crt.erb
new file mode 100644
index 0000000..39b326c
--- /dev/null
+++ b/jobs/etcd/templates/config/etcdctl-root.crt.erb
@@ -0,0 +1 @@
+<%= p('tls.etcdctl-root.certificate') %>
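Review bot: `etcdctl_v3 auth enable` is the point after which every later call in this script, and every re-run of it, depends on etcd accepting the CN of `etcdctl-root.crt` as the `root` user; if the server is not running with client-cert auth or the CN is not exactly `root`, nothing in this hunk detects it, and the cluster is left with auth on and no working root path from this job. The v2 branch at least captures the status and message of its `auth enable` (`set +e` / `status=$?`), while the v3 branch does not, so a failure there surfaces only as a bare `set -e` exit. Verify the identity as soon as auth is on, e.g. follow `etcdctl_v3 auth enable` with `etcdctl_v3 user list >/dev/null || { echo "auth enabled but etcdctl-root.crt is not accepted as root" >&2; exit 1; }`. `turn_on_authentication` begins before the hunk, so whether the root user (which etcd's v3 `auth enable` requires to exist) is still created with `$ROOT_PASSWORD` earlier in the function is not visible here.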
diff --git a/jobs/etcd/templates/config/etcdctl-root.key.erb b/jobs/etcd/templates/config/etcdctl-root.key.erb
new file mode 100644
index 0000000..7127c31
--- /dev/null
+++ b/jobs/etcd/templates/config/etcdctl-root.key.erb
@@ -0,0 +1 @@
+<%= p('tls.etcdctl-root.private_key') %>
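Review bot: This template renders an etcd root private key to `config/etcdctl-root.key`, and nothing in the patch states which user will own the rendered file or what mode it gets; that is left to the BOSH agent's defaults for rendered templates, which this diff does not show. The `etcdctl_v2`/`etcdctl_v3` wrappers in `authentication-setup.erb` read it by path, so the file needs to be readable by whichever user runs that script and by nobody else; an explicit `chmod 0600 /var/vcap/jobs/etcd/config/etcdctl-root.key` with a matching `chown` in the job's pre-start, or a note in the spec recording the agent's default mode and owner if that already suffices, would make the intent reviewable. Since this key is as powerful as `$ROOT_PASSWORD` was, it deserves the same handling: keep it out of logs and debug output, and plan its rotation alongside `tls.etcdctl.certificate`, which this job already carries.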