etcd authentication (#2070)

Signed-off-by: Simon Plourde <simon@sensu.io>
sensu · Sep 20, 2018 · ffe8576 · ffe8576
1 parent 6edced7
commit ffe8576
Show file tree

Hide file tree

Showing 12 changed files with 314 additions and 102 deletions.
diff --git a/.gitignore b/.gitignore
@@ -15,6 +15,9 @@ yarn-error.log*
 *.test
 *.prof
 coverage.out
+*.csr
+*.pem
+ca-config.json
 
 # packaging
 *.log

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ Versioning](http://semver.org/spec/v2.0.0.html).
 
 ### Added
 - Add windows/386 to binary gcs releases
+- TLS authentication and encryption for etcd client and peer communication.
 
 ### Removed
 - Staging resources and configurations have been removed from sensu-go.
@@ -31,6 +32,8 @@ used by providing the --no-embed option. In this case, the client will dial
 the URLs provided by --listen-client-urls.
 - Deprecated daemon `Status()` functions and `/info` (`/info` will be
 re-implemented in https://github.com/sensu/sensu-go/issues/1739).
+- The sensu-backend flags related to etcd are now all prefixed with `etcd` and
+the older versions are now deprecated.
 - Web ui entity recent events are sorted by last ok
 
 ### Fixed

diff --git a/backend/backend.go b/backend/backend.go
@@ -76,16 +76,9 @@ func newClient(config *Config, backend *Backend) (*clientv3.Client, error) {
 	cfg.InitialAdvertisePeerURL = config.EtcdInitialAdvertisePeerURL
 	cfg.Name = config.EtcdName
 
-	if config.TLS != nil {
-		cfg.TLSConfig = &etcd.TLSConfig{
-			Info: etcd.TLSInfo{
-				CertFile:      config.TLS.CertFile,
-				KeyFile:       config.TLS.KeyFile,
-				TrustedCAFile: config.TLS.TrustedCAFile,
-			},
-			TLS: tlsConfig,
-		}
-	}
+	// Etcd TLS config
+	cfg.ClientTLSInfo = config.EtcdClientTLSInfo
+	cfg.PeerTLSInfo = config.EtcdPeerTLSInfo
 
 	// Start etcd
 	e, err := etcd.NewEtcd(cfg)

diff --git a/backend/backend_test.go b/backend/backend_test.go
@@ -68,7 +68,15 @@ func TestBackendHTTPListener(t *testing.T) {
 			dashboardPort := ports[4]
 			initCluster := fmt.Sprintf("default=%s", apURL)
 
-			tlsOpts := tc.tls
+			var tlsInfo etcd.TLSInfo
+			if tc.tls != nil {
+				tlsInfo = etcd.TLSInfo{
+					ClientCertAuth: true,
+					CertFile:       tc.tls.CertFile,
+					KeyFile:        tc.tls.KeyFile,
+					TrustedCAFile:  tc.tls.TrustedCAFile,
+				}
+			}
 
 			b, err := Initialize(&Config{
 				AgentHost:                   "127.0.0.1",
@@ -78,13 +86,15 @@ func TestBackendHTTPListener(t *testing.T) {
 				DashboardHost:               "127.0.0.1",
 				DashboardPort:               dashboardPort,
 				StateDir:                    path,
+				TLS:                         tc.tls,
 				EtcdListenClientURL:         clURL,
 				EtcdListenPeerURL:           apURL,
 				EtcdInitialCluster:          initCluster,
 				EtcdInitialClusterState:     etcd.ClusterStateNew,
 				EtcdInitialAdvertisePeerURL: apURL,
 				EtcdName:                    "default",
-				TLS:                         tlsOpts,
+				EtcdClientTLSInfo:           tlsInfo,
+				EtcdPeerTLSInfo:             tlsInfo,
 			})
 			assert.NoError(t, err)
 			if err != nil {

diff --git a/backend/cmd/start.go b/backend/cmd/start.go
diff --git a/backend/cmd/version.go b/backend/cmd/version.go
@@ -0,0 +1,28 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/sensu/sensu-go/version"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	rootCmd.AddCommand(newVersionCommand())
+}
+
+func newVersionCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "version",
+		Short: "Show the sensu-backend version information",
+		Run: func(cmd *cobra.Command, args []string) {
+			fmt.Printf("sensu-backend version %s, build %s, built %s\n",
+				version.Semver(),
+				version.BuildSHA,
+				version.BuildDate,
+			)
+		},
+	}
+
+	return cmd
+}
diff --git a/backend/config.go b/backend/config.go
@@ -1,6 +1,9 @@
 package backend
 
-import "github.com/sensu/sensu-go/types"
+import (
+	"github.com/sensu/sensu-go/backend/etcd"
+	"github.com/sensu/sensu-go/types"
+)
 
 const (
 	// DefaultEtcdName is the default etcd member node name (single-node cluster only)
@@ -43,5 +46,9 @@ type Config struct {
 	EtcdName                    string
 	NoEmbedEtcd                 bool
 
+	// Etcd TLS configuration
+	EtcdClientTLSInfo etcd.TLSInfo
+	EtcdPeerTLSInfo   etcd.TLSInfo
+
 	TLS *types.TLSOptions
 }
diff --git a/backend/etcd/etcd.go b/backend/etcd/etcd.go
@@ -8,7 +8,6 @@ package etcd
 
 import (
 	"context"
-	"crypto/tls"
 	"errors"
 	"fmt"
 	"io/ioutil"
@@ -21,6 +20,7 @@ import (
 	"github.com/coreos/etcd/embed"
 	"github.com/coreos/etcd/pkg/transport"
 	"github.com/coreos/pkg/capnslog"
+	"github.com/sensu/sensu-go/types"
 	"google.golang.org/grpc/grpclog"
 )
 
@@ -58,13 +58,9 @@ type Config struct {
 	InitialClusterState     string
 	InitialClusterToken     string
 	InitialAdvertisePeerURL string
-	TLSConfig               *TLSConfig
-}
 
-// TLSConfig wraps Crypto TLSInfo
-type TLSConfig struct {
-	Info TLSInfo
-	TLS  *tls.Config
+	ClientTLSInfo TLSInfo
+	PeerTLSInfo   TLSInfo
 }
 
 // TLSInfo wraps etcd transport TLSInfo
@@ -179,12 +175,9 @@ func NewEtcd(config *Config) (*Etcd, error) {
 	// Default to 4G etcd size. TODO: make this configurable.
 	cfg.QuotaBackendBytes = int64(4 * 1024 * 1024 * 1024)
 
-	if config.TLSConfig != nil {
-		cfg.ClientTLSInfo = (transport.TLSInfo)(config.TLSConfig.Info)
-		cfg.PeerTLSInfo = (transport.TLSInfo)(config.TLSConfig.Info)
-		cfg.ClientTLSInfo.ClientCertAuth = false
-		cfg.PeerTLSInfo.ClientCertAuth = false
-	}
+	// Etcd TLS config
+	cfg.ClientTLSInfo = (transport.TLSInfo)(config.ClientTLSInfo)
+	cfg.PeerTLSInfo = (transport.TLSInfo)(config.PeerTLSInfo)
 
 	capnslog.SetFormatter(NewLogrusFormatter())
 
@@ -224,9 +217,17 @@ func (e *Etcd) Shutdown() error {
 
 // NewClient returns a new etcd v3 client. Clients must be closed after use.
 func (e *Etcd) NewClient() (*clientv3.Client, error) {
-	var tlsCfg *tls.Config
-	if e.cfg.TLSConfig != nil {
-		tlsCfg = e.cfg.TLSConfig.TLS
+	// Define the TLS options for the client using the etcd client config
+	tlsOptions := &types.TLSOptions{
+		CertFile:      e.cfg.ClientTLSInfo.CertFile,
+		KeyFile:       e.cfg.ClientTLSInfo.KeyFile,
+		TrustedCAFile: e.cfg.ClientTLSInfo.TrustedCAFile,
+	}
+
+	// Translate our TLS options to a *tls.Config
+	tlsConfig, err := tlsOptions.ToTLSConfig()
+	if err != nil {
+		return nil, err
 	}
 
 	listeners := e.etcd.Clients
@@ -237,8 +238,9 @@ func (e *Etcd) NewClient() (*clientv3.Client, error) {
 	cli, err := clientv3.New(clientv3.Config{
 		Endpoints:   e.clientURLs,
 		DialTimeout: 5 * time.Second,
-		TLS:         tlsCfg,
+		TLS:         tlsConfig,
 	})
+
 	if err != nil {
 		return nil, err
 	}

diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -2,7 +2,7 @@ version: '3'
 services:
   backend1:
     image: sensu/sensu:master
-    command: sensu-backend start --listen-client-urls http://0.0.0.0:2379 --name backend1 --initial-cluster backend1=http://backend1:2380,backend2=http://backend2:2380,backend3=http://backend3:2380 --initial-cluster-state new --initial-advertise-peer-urls http://backend1:2380 --state-dir /var/lib/sensu/etcd1 --listen-peer-urls http://0.0.0.0:2380 --log-level debug
+    command: sensu-backend start --etcd-listen-client-urls http://0.0.0.0:2379 --etcd-name backend1 --etcd-initial-cluster backend1=http://backend1:2380,backend2=http://backend2:2380,backend3=http://backend3:2380 --etcd-initial-cluster-state new --etcd-initial-advertise-peer-urls http://backend1:2380 --state-dir /var/lib/sensu/etcd1 --etcd-listen-peer-urls http://0.0.0.0:2380 --log-level debug
     hostname: backend1
     restart: always
     ports:
@@ -12,7 +12,7 @@ services:
       - "8081:8081"
   backend2:
     image: sensu/sensu:master
-    command: sensu-backend start --listen-client-urls http://0.0.0.0:2379 --name backend2 --initial-cluster backend1=http://backend1:2380,backend2=http://backend2:2380,backend3=http://backend3:2380 --initial-cluster-state new --initial-advertise-peer-urls http://backend2:2380 --state-dir /var/lib/sensu/etcd2 --listen-peer-urls http://0.0.0.0:2380 --log-level debug
+    command: sensu-backend start --etcd-listen-client-urls http://0.0.0.0:2379 --etcd-name backend2 --etcd-initial-cluster backend1=http://backend1:2380,backend2=http://backend2:2380,backend3=http://backend3:2380 --etcd-initial-cluster-state new --etcd-initial-advertise-peer-urls http://backend2:2380 --state-dir /var/lib/sensu/etcd2 --etcd-listen-peer-urls http://0.0.0.0:2380 --log-level debug
     hostname: backend2
     restart: always
     ports:
@@ -22,7 +22,7 @@ services:
       - "18081:8081"
   backend3:
     image: sensu/sensu:master
-    command: sensu-backend start --listen-client-urls http://0.0.0.0:2379 --name backend3 --initial-cluster backend1=http://backend1:2380,backend2=http://backend2:2380,backend3=http://backend3:2380 --initial-cluster-state new --initial-advertise-peer-urls http://backend3:2380 --state-dir /var/lib/sensu/etcd3 --listen-peer-urls http://0.0.0.0:2380 --log-level debug
+    command: sensu-backend start --etcd-listen-client-urls http://0.0.0.0:2379 --name backend3 --etcd-initial-cluster backend1=http://backend1:2380,backend2=http://backend2:2380,backend3=http://backend3:2380 --etcd-initial-cluster-state new --etcd-initial-advertise-peer-urls http://backend3:2380 --state-dir /var/lib/sensu/etcd3 --etcd-listen-peer-urls http://0.0.0.0:2380 --log-level debug
     hostname: backend3
     restart: always
     ports:

diff --git a/packaging/files/backend.yml.example b/packaging/files/backend.yml.example
@@ -27,13 +27,13 @@ state-dir: "/var/lib/sensu"
 ##
 # store configuration
 ##
-#listen-client-urls: ""
-#listen-peer-urls: ""
-#initial-cluster: ""
-#initial-advertise-peer-urls: ""
-#initial-cluster-state: ""
-#initial-cluster-token: ""
-#name: ""
+#etcd-listen-client-urls: ""
+#etcd-listen-peer-urls: ""
+#etcd-initial-cluster: ""
+#etcd-initial-advertise-peer-urls: ""
+#etcd-initial-cluster-state: ""
+#etcd-initial-cluster-token: ""
+#etcd-name: ""
 
 ##
 # dashboard configuration

diff --git a/packaging/files/windows/backend.yml.example b/packaging/files/windows/backend.yml.example
@@ -27,13 +27,13 @@ state-dir: "C:\ProgramData\sensu\data"
 ##
 # store configuration
 ##
-#listen-client-urls: ""
-#listen-peer-urls: ""
-#initial-cluster: ""
-#initial-advertise-peer-urls: ""
-#initial-cluster-state: ""
-#initial-cluster-token: ""
-#name: ""
+#etcd-listen-client-urls: ""
+#etcd-listen-peer-urls: ""
+#etcd-initial-cluster: ""
+#etcd-initial-advertise-peer-urls: ""
+#etcd-initial-cluster-state: ""
+#etcd-initial-cluster-token: ""
+#etcd-name: ""
 
 ##
 # dashboard configuration

diff --git a/testing/e2e/process_test.go b/testing/e2e/process_test.go
@@ -102,13 +102,13 @@ func (b *backendProcess) Start() error {
 		"--api-port", strconv.FormatInt(int64(b.APIPort), 10),
 		"--dashboard-host", b.DashboardHost,
 		"--dashboard-port", strconv.FormatInt(int64(b.DashboardPort), 10),
-		"--listen-client-urls", b.EtcdClientURL,
-		"--listen-peer-urls", b.EtcdPeerURL,
-		"--initial-cluster", b.EtcdInitialCluster,
-		"--initial-cluster-state", b.EtcdInitialClusterState,
-		"--name", b.EtcdName,
-		"--initial-advertise-peer-urls", b.EtcdPeerURL,
-		"--initial-cluster-token", b.EtcdInitialClusterToken,
+		"--etcd-listen-client-urls", b.EtcdClientURL,
+		"--etcd-listen-peer-urls", b.EtcdPeerURL,
+		"--etcd-initial-cluster", b.EtcdInitialCluster,
+		"--etcd-initial-cluster-state", b.EtcdInitialClusterState,
+		"--etcd-name", b.EtcdName,
+		"--etcd-initial-advertise-peer-urls", b.EtcdPeerURL,
+		"--etcd-initial-cluster-token", b.EtcdInitialClusterToken,
 		"--log-level", "warn",
 	)
 	stdout, err := cmd.StdoutPipe()