Skip to content

Commit

Permalink
Merge pull request coreos#1630 from endocode/dongsu/etcd-basic-auth
Browse files Browse the repository at this point in the history
config: add basic etcd authentication
  • Loading branch information
Dongsu Park authored Jul 14, 2016
2 parents 1278ba4 + 0b8d669 commit 26f9bef
Show file tree
Hide file tree
Showing 6 changed files with 57 additions and 3 deletions.
37 changes: 36 additions & 1 deletion Documentation/deployment-and-configuration.md
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,40 @@ etcd_certfile=/etc/ssl/etcd/client.pem
etcd_keyfile=/etc/ssl/etcd/client-key.pem
```

### Basic Authentication

If your etcd cluster has [Basic authentication][etcd-authentication] enabled, you will need to configure fleet to use an username/password combination for a valid user in the system. Also, because [Basic authentication][etcd-authentication] is Base64 encoded and easily deciphered, it is recommended to also use [TLS authentication][etcd-security] for transport level encryption by providing an `etcd_cafile`. *Authentication is only available since etcd 2.1.X and greater.*
The examples below show how to achieve this:

#### Using systemd Drop-Ins

```ini
[Service]
Environment="FLEET_ETCD_SERVERS=https://192.0.2.12:2379"
Environment="FLEET_ETCD_USERNAME=root"
Environment="FLEET_ETCD_PASSWORD=coreos"
```

#### Using CoreOS Cloud Config

```yaml
#cloud-config

coreos:
fleet:
etcd_servers: "https://192.0.2.12:2379"
etcd_username: root
etcd_password: coreos
```
#### Using fleet configuration file
```ini
etcd_servers=["https://192.0.2.12:2379"]
etcd_username=root
etcd_password=coreos
```

## systemd

The `fleetd` daemon communicates with systemd (v207+) running locally on a given machine. It requires D-Bus (v1.6.12+) to do this.
Expand Down Expand Up @@ -214,7 +248,8 @@ Default: false
[api-doc]: api-v1.md
[config]: /fleet.conf.sample
[etcd]: https://github.com/coreos/docs/blob/master/etcd/getting-started-with-etcd.md
[etcd-security]: https://github.com/coreos/etcd/blob/master/Documentation/security.md
[etcd-security]: https://github.com/coreos/etcd/blob/master/Documentation/v2/security.md
[etcd-authentication]: https://github.com/coreos/etcd/blob/master/Documentation/v2/authentication.md
[fleet-inject-ssh]: /scripts/fleetctl-inject-ssh.sh
[fleet-scale]: fleet-scaling.md#implemented-quick-wins
[socket-unit]: http://www.freedesktop.org/software/systemd/man/systemd.socket.html
Expand Down
10 changes: 8 additions & 2 deletions Documentation/using-the-client.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,12 @@ FLEETCTL_ENDPOINT=http://<IP:[PORT]> fleetctl list-units

*It is not recommended to listen fleet API TCP socket over public and even private networks.* Fleet API socket doesn't support encryption and authorization so it could cause full root access to your machine. Please use [ssh tunnel][ssh-tunnel] to access remote fleet API.

### Using etcd Authentication

If your `etcd` cluster is configured with authentication enabled, set `etcd_username` and `etcd_password` options in fleet.conf to provide credentials. It is not possible to provide credentials to the command-line tool.

*It is not recommended to use Authentication without also using TLS Transport by also providing the `--ca-file` flag*

### From an External Host

If you prefer to execute fleetctl from an external host (i.e. your laptop), the `--tunnel` flag can be used to tunnel communication with your fleet cluster over SSH:
Expand All @@ -37,7 +43,7 @@ One can also provide `--tunnel` through the environment variable `FLEETCTL_TUNNE
FLEETCTL_TUNNEL=<IP[:PORT]> fleetctl list-units
```

When using `--tunnel` and `--endpoint` together, it is important to note that all etcd requests will be made through the SSH tunnel.
When using `--tunnel` and `--endpoint` together, it is important to note that all etcd requests will be made through the SSH tunnel.
The address in the `--endpoint` flag must be routable from the server hosting the tunnel.

If the external host requires a username other than `core`, the `--ssh-username` flag can be used to set an alternative username.
Expand Down Expand Up @@ -158,7 +164,7 @@ hello.service ping.service pong.service
$ fleetctl submit examples/*
```

Submission of units to a fleet cluster does not cause them to be scheduled.
Submission of units to a fleet cluster does not cause them to be scheduled.
The unit will be visible in a `fleetctl list-unit-files` command, but have no reported state in `fleetctl list-units`.

A unit can be removed from a cluster with the `destroy` command:
Expand Down
2 changes: 2 additions & 0 deletions config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,8 @@ import (

type Config struct {
EtcdServers []string
EtcdUsername string
EtcdPassword string
EtcdKeyPrefix string
EtcdKeyFile string
EtcdCertFile string
Expand Down
4 changes: 4 additions & 0 deletions fleet.conf.sample
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,10 @@
# etcd_keyfile=/path/to/keyfile
# etcd_certfile=/path/to/certfile

# Provide Authentication configuration when basic authentication is enabled in etcd endpoints
# etcd_username=root
# etcd_password=coreos

# IP address that should be published with any socket information. By default,
# no IP address is published.
# public_ip=""
Expand Down
4 changes: 4 additions & 0 deletions fleetd/fleetd.go
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,8 @@ func main() {
cfgset := flag.NewFlagSet("fleet", flag.ExitOnError)
cfgset.Int("verbosity", 0, "Logging level")
cfgset.Var(&pkg.StringSlice{"http://127.0.0.1:2379", "http://127.0.0.1:4001"}, "etcd_servers", "List of etcd endpoints")
cfgset.String("etcd_username", "", "username for secure etcd communication")
cfgset.String("etcd_password", "", "password for secure etcd communication")
cfgset.String("etcd_keyfile", "", "SSL key file used to secure etcd communication")
cfgset.String("etcd_certfile", "", "SSL certification file used to secure etcd communication")
cfgset.String("etcd_cafile", "", "SSL Certificate Authority file used to secure etcd communication")
Expand Down Expand Up @@ -215,6 +217,8 @@ func getConfig(flagset *flag.FlagSet, userCfgFile string) (*config.Config, error
cfg := config.Config{
Verbosity: (*flagset.Lookup("verbosity")).Value.(flag.Getter).Get().(int),
EtcdServers: (*flagset.Lookup("etcd_servers")).Value.(flag.Getter).Get().(pkg.StringSlice),
EtcdUsername: (*flagset.Lookup("etcd_username")).Value.(flag.Getter).Get().(string),
EtcdPassword: (*flagset.Lookup("etcd_password")).Value.(flag.Getter).Get().(string),
EtcdKeyPrefix: (*flagset.Lookup("etcd_key_prefix")).Value.(flag.Getter).Get().(string),
EtcdKeyFile: (*flagset.Lookup("etcd_keyfile")).Value.(flag.Getter).Get().(string),
EtcdCertFile: (*flagset.Lookup("etcd_certfile")).Value.(flag.Getter).Get().(string),
Expand Down
3 changes: 3 additions & 0 deletions server/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,10 @@ func New(cfg config.Config, listeners []net.Listener) (*Server, error) {
Transport: &http.Transport{TLSClientConfig: tlsConfig},
Endpoints: cfg.EtcdServers,
HeaderTimeoutPerRequest: (time.Duration(cfg.EtcdRequestTimeout*1000) * time.Millisecond),
Username: cfg.EtcdUsername,
Password: cfg.EtcdPassword,
}

eClient, err := etcd.New(eCfg)
if err != nil {
return nil, err
Expand Down

0 comments on commit 26f9bef

Please sign in to comment.