flanneld: add etcd authentication

expose username and password as options for configuration to etcd Fixes #419
flannel-io · Mar 24, 2016 · 0915f48 · 0915f48
1 parent 6c95ca9
commit 0915f48
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 8 deletions.
diff --git a/main.go b/main.go
@@ -47,6 +47,8 @@ type CmdLineOpts struct {
 	etcdKeyfile    string
 	etcdCertfile   string
 	etcdCAFile     string
+	etcdUsername   string
+	etcdPassword   string
 	help           bool
 	version        bool
 	listen         string
@@ -64,6 +66,8 @@ func init() {
 	flag.StringVar(&opts.etcdKeyfile, "etcd-keyfile", "", "SSL key file used to secure etcd communication")
 	flag.StringVar(&opts.etcdCertfile, "etcd-certfile", "", "SSL certification file used to secure etcd communication")
 	flag.StringVar(&opts.etcdCAFile, "etcd-cafile", "", "SSL Certificate Authority file used to secure etcd communication")
+	flag.StringVar(&opts.etcdUsername, "etcd-username", "", "username for secure etcd communication")
+	flag.StringVar(&opts.etcdPassword, "etcd-password", "", "password for secure etcd communication")
 	flag.StringVar(&opts.listen, "listen", "", "run as server and listen on specified address (e.g. ':8080')")
 	flag.StringVar(&opts.remote, "remote", "", "run as client and connect to server on specified address (e.g. '10.1.2.3:8080')")
 	flag.StringVar(&opts.remoteKeyfile, "remote-keyfile", "", "SSL key file used to secure client/server communication")
@@ -75,7 +79,14 @@ func init() {
 
 func newSubnetManager() (subnet.Manager, error) {
 	if opts.remote != "" {
-		return remote.NewRemoteManager(opts.remote, opts.remoteCAFile, opts.remoteCertfile, opts.remoteKeyfile)
+		return remote.NewRemoteManager(
+			opts.remote,
+			opts.remoteCAFile,
+			opts.remoteCertfile,
+			opts.remoteKeyfile,
+			opts.etcdUsername,
+			opts.etcdPassword,
+		)
 	}
 
 	cfg := &subnet.EtcdConfig{
@@ -84,6 +95,8 @@ func newSubnetManager() (subnet.Manager, error) {
 		Certfile:  opts.etcdCertfile,
 		CAFile:    opts.etcdCAFile,
 		Prefix:    opts.etcdPrefix,
+		Username:  opts.etcdUsername,
+		Password:  opts.etcdPassword,
 	}
 
 	return subnet.NewLocalManager(cfg)

diff --git a/remote/client.go b/remote/client.go
@@ -22,6 +22,7 @@ import (
 	"io/ioutil"
 	"net"
 	"net/http"
+	"net/url"
 	"path"
 	"time"
 
@@ -57,7 +58,7 @@ func NewTransport(info transport.TLSInfo) (*Transport, error) {
 	return t, nil
 }
 
-func NewRemoteManager(listenAddr, cafile, certfile, keyfile string) (subnet.Manager, error) {
+func NewRemoteManager(listenAddr, cafile, certfile, keyfile, username, password string) (subnet.Manager, error) {
 	tls := transport.TLSInfo{
 		CAFile:   cafile,
 		CertFile: certfile,
@@ -76,8 +77,13 @@ func NewRemoteManager(listenAddr, cafile, certfile, keyfile string) (subnet.Mana
 		scheme = "https://"
 	}
 
+	var userInfo string
+	if username != "" && password != "" {
+		userInfo = username + ":" + password
+	}
+
 	return &RemoteManager{
-		base:      scheme + listenAddr + "/v1",
+		base:      scheme + userInfo + listenAddr + "/v1",
 		transport: t,
 	}, nil
 }
@@ -348,17 +354,26 @@ func (m *RemoteManager) httpDo(ctx context.Context, req *http.Request) (*http.Re
 	}
 }
 
-func (m *RemoteManager) httpVerb(ctx context.Context, method, url, contentType string, body []byte) (*http.Response, error) {
+func (m *RemoteManager) httpVerb(ctx context.Context, method, requestURL, contentType string, body []byte) (*http.Response, error) {
 	var r io.Reader
 	if body != nil {
 		r = bytes.NewBuffer(body)
 	}
 
-	req, err := http.NewRequest(method, url, r)
+	req, err := http.NewRequest(method, requestURL, r)
 	if err != nil {
 		return nil, err
 	}
 
+	u, err := url.Parse(requestURL)
+	if err != nil {
+		return nil, err
+	}
+	if u.User != nil {
+		password, _ := u.User.Password()
+		req.SetBasicAuth(u.User.Username(), password)
+	}
+
 	if contentType != "" {
 		req.Header.Set("Content-Type", contentType)
 	}

diff --git a/remote/remote_test.go b/remote/remote_test.go
@@ -58,7 +58,7 @@ func newFixture(t *testing.T) *fixture {
 	}()
 
 	var err error
-	f.sm, err = NewRemoteManager(f.srvAddr, "", "", "")
+	f.sm, err = NewRemoteManager(f.srvAddr, "", "", "", "", "")
 	if err != nil {
 		panic(fmt.Sprintf("Failed to create remote mananager: %v", err))
 	}

diff --git a/subnet/registry.go b/subnet/registry.go
@@ -55,6 +55,8 @@ type EtcdConfig struct {
 	Certfile  string
 	CAFile    string
 	Prefix    string
+	Username  string
+	Password  string
 }
 
 type etcdNewFunc func(c *EtcdConfig) (etcd.KeysAPI, error)
@@ -79,10 +81,16 @@ func newEtcdClient(c *EtcdConfig) (etcd.KeysAPI, error) {
 		return nil, err
 	}
 
-	cli, err := etcd.New(etcd.Config{
+	eCfg := etcd.Config{
 		Endpoints: c.Endpoints,
 		Transport: t,
-	})
+	}
+	if c.Username != "" && c.Password != "" {
+		eCfg.Username = c.Username
+		eCfg.Password = c.Password
+	}
+
+	cli, err := etcd.New(eCfg)
 	if err != nil {
 		return nil, err
 	}