Merge pull request #14 from feng9797/main

etcd supports https,sql-driver remove write configurations to local
huaweicloud · May 10, 2022 · c157437 · c157437
2 parents 8baf764 + ccf03da
commit c157437
Show file tree

Hide file tree

Showing 11 changed files with 132 additions and 342 deletions.
diff --git a/common/etcd/client.go b/common/etcd/client.go
@@ -21,6 +21,7 @@ package etcd
 
 import (
 	"log"
+	"path/filepath"
 
 	"github.com/huaweicloud/devcloud-go/common/password"
 	"github.com/huaweicloud/devcloud-go/common/util"
@@ -40,13 +41,22 @@ type EtcdClient interface {
 // CreateEtcdClient according to yaml etcdConfiguration
 func CreateEtcdClient(etcdConfiguration *EtcdConfiguration) EtcdClient {
 	properties := &ClientProperties{
-		Endpoints: util.ConvertAddressStrToSlice(etcdConfiguration.Address),
+		Endpoints: util.ConvertAddressStrToSlice(etcdConfiguration.Address, etcdConfiguration.HTTPSEnable),
 	}
 	if etcdConfiguration.Username != "" {
 		properties.UserName = etcdConfiguration.Username
 		properties.Password = password.GetDecipher().Decode(etcdConfiguration.Password)
 		properties.NeedAuthentication = true
 	}
+	if etcdConfiguration.HTTPSEnable {
+		if etcdConfiguration.CaCert != "" && util.FileExists(etcdConfiguration.CaCert) &&
+			etcdConfiguration.ClientCert != "" && util.FileExists(etcdConfiguration.ClientCert) &&
+			etcdConfiguration.ClientKey != "" && util.FileExists(etcdConfiguration.ClientKey) {
+			properties.CaCert = filepath.Clean(etcdConfiguration.CaCert)
+			properties.ClientCert = filepath.Clean(etcdConfiguration.ClientCert)
+			properties.ClientKey = filepath.Clean(etcdConfiguration.ClientKey)
+		}
+	}
 	client, err := NewEtcdV3Client(properties)
 	if err != nil || client == nil {
 		log.Printf("ERROR: create etcd client failed, err %v", err)

diff --git a/common/etcd/client_properties.go b/common/etcd/client_properties.go
@@ -20,6 +20,9 @@ type ClientProperties struct {
 	UserName           string
 	Password           string
 	NeedAuthentication bool
+	ClientCert         string
+	ClientKey          string
+	CaCert             string
 }
 
 // KeyValue is etcd-Kv Simplified version
@@ -36,4 +39,7 @@ type EtcdConfiguration struct {
 	Username    string `yaml:"username"`
 	Password    string `yaml:"password"`
 	HTTPSEnable bool   `yaml:"httpsEnable"`
+	ClientCert  string `yaml:"clientCert"` // etcd cert file
+	ClientKey   string `yaml:"clientKey"`  // etcd cert-key file
+	CaCert      string `yaml:"caCert"`     // etcd ca file
 }
diff --git a/common/etcd/client_v3.go b/common/etcd/client_v3.go
@@ -16,7 +16,10 @@ package etcd
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"errors"
+	"io/ioutil"
 	"log"
 	"time"
 
@@ -46,6 +49,23 @@ func NewEtcdV3Client(props *ClientProperties) (*EtcdV3Client, error) {
 		config.Username = props.UserName
 		config.Password = props.Password
 	}
+	if props.CaCert != "" && props.ClientCert != "" && props.ClientKey != "" {
+		cert, err := tls.LoadX509KeyPair(props.ClientCert, props.ClientKey)
+		if err != nil {
+			return nil, err
+		}
+		caData, err := ioutil.ReadFile(props.CaCert)
+		if err != nil {
+			return nil, err
+		}
+		pool := x509.NewCertPool()
+		pool.AppendCertsFromPEM(caData)
+
+		config.TLS = &tls.Config{
+			Certificates: []tls.Certificate{cert},
+			RootCAs:      pool,
+		}
+	}
 
 	client, err := clientv3.New(*config)
 

diff --git a/common/util/util.go b/common/util/util.go
@@ -21,10 +21,14 @@ import (
 	"log"
 	"math"
 	"net"
+	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 )
 
+const httpsPrefix = "https://"
+
 // ValidateHostPort validate that hostPort is correct.
 func ValidateHostPort(hostPort string) error {
 	host, port, err := net.SplitHostPort(hostPort)
@@ -46,7 +50,8 @@ func ValidateHostPort(hostPort string) error {
 }
 
 // ConvertAddressStrToSlice convert address like "127.0.0.1:2379,127.0.0.1:2380" to endpoints like ["127.0.0.1:2379", "127.0.0.1:2380"]
-func ConvertAddressStrToSlice(addressStr string) []string {
+// if enableHttps, the func will convert address to endpoints like ["https://127.0.0.1:2379","https://127.0.0.1:2380"]
+func ConvertAddressStrToSlice(addressStr string, enableHttps bool) []string {
 	addressSlice := strings.Split(addressStr, ",")
 	var res []string
 	for _, address := range addressSlice {
@@ -58,6 +63,9 @@ func ConvertAddressStrToSlice(addressStr string) []string {
 			log.Printf("ERROR: hostPort '%s' is invalid, %v", address, err)
 			continue
 		}
+		if enableHttps {
+			address = httpsPrefix + address
+		}
 		res = append(res, address)
 	}
 	return res
@@ -85,3 +93,14 @@ func GetNearest2Power(old int) int {
 	}
 	return n + 1
 }
+
+func FileExists(filePath string) bool {
+	_, err := os.Stat(filepath.Clean(filePath))
+	if err != nil {
+		if os.IsExist(err) {
+			return true
+		}
+		return false
+	}
+	return true
+}
diff --git a/common/util/util_test.go b/common/util/util_test.go
@@ -92,7 +92,7 @@ func TestConvertAddressStrToSlice(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if got := ConvertAddressStrToSlice(tt.args.addressStr); !reflect.DeepEqual(got, tt.want) {
+			if got := ConvertAddressStrToSlice(tt.args.addressStr, false); !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("ConvertAddressStrToSlice() = %v, want %v", got, tt.want)
 			}
 		})

diff --git a/redis/config/server_configuration.go b/redis/config/server_configuration.go
@@ -54,7 +54,7 @@ const (
 func (s *ServerConfiguration) convertOptions() {
 	if s.Type == ServerTypeCluster {
 		clusterOpts := &redis.ClusterOptions{
-			Addrs: util.ConvertAddressStrToSlice(s.Hosts),
+			Addrs: util.ConvertAddressStrToSlice(s.Hosts, false),
 		}
 		if len(s.Password) > 0 {
 			clusterOpts.Password = password.GetDecipher().Decode(s.Password)

diff --git a/sql-driver/rds/config/loader/configuration_file_handler.go b/sql-driver/rds/config/loader/configuration_file_handler.go