feat(cli): support etcd mTLS (apache#3836)

huangdx0726 · Mar 23, 2021 · 1a09b0d · 1a09b0d
1 parent e836474
commit 1a09b0d
Show file tree

Hide file tree

Showing 6 changed files with 126 additions and 2 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -121,6 +121,22 @@ jobs:
             -v ${{ github.workspace }}/t/certs:/certs \
             bitnami/etcd:3.4.0
 
+      - name: Running etcd server with mTLS
+        run: |
+            sudo docker run -d --rm --name etcd_mtls \
+            -p 22379:22379 -p 22380:22380 \
+            -e ALLOW_NONE_AUTHENTICATION=yes \
+            -e ETCD_ADVERTISE_CLIENT_URLS=https://0.0.0.0:22379 \
+            -e ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:22379 \
+            -e ETCD_CERT_FILE=/certs/mtls_server.crt \
+            -e ETCD_KEY_FILE=/certs/mtls_server.key \
+            -e ETCD_CLIENT_CERT_AUTH=true \
+            -e ETCD_TRUSTED_CA_FILE=/certs/mtls_ca.crt \
+            -e GITHUB_ACTIONS=true \
+            -e CI=true \
+            -v ${{ github.workspace }}/t/certs:/certs \
+            bitnami/etcd:3.4.0
+
       - name: Linux Install
         run: |
             sudo --preserve-env=OPENRESTY_VERSION \

diff --git a/.travis/linux_apisix_current_luarocks_runner.sh b/.travis/linux_apisix_current_luarocks_runner.sh
@@ -56,6 +56,8 @@ script() {
     cd ..
 
     # apisix cli test
+    ./utils/set-dns.sh
+
     for f in ./t/cli/test_*.sh; do
         sudo PATH="$PATH" "$f"
     done

diff --git a/apisix/cli/etcd.lua b/apisix/cli/etcd.lua
@@ -110,8 +110,20 @@ local function request(url, yaml_conf)
 
     if str_sub(url.url, 1, 8) == "https://" then
         local verify = "peer"
-        if yaml_conf.etcd.tls and yaml_conf.etcd.tls.verify == false then
-            verify = "none"
+        if yaml_conf.etcd.tls then
+            local cfg = yaml_conf.etcd.tls
+
+            if cfg.verify == false then
+                verify = "none"
+            end
+
+            url.certificate = cfg.cert
+            url.key = cfg.key
+
+            local apisix_ssl = yaml_conf.apisix.ssl
+            if apisix_ssl and apisix_ssl.ssl_trusted_certificate then
+                url.cafile = apisix_ssl.ssl_trusted_certificate
+            end
         end
 
         url.verify = verify

diff --git a/conf/config-default.yaml b/conf/config-default.yaml
@@ -202,6 +202,11 @@ etcd:
   # user: root                    # root username for etcd
   # password: 5tHkHhYkjr6cQY      # root password for etcd
   tls:
+    # To enable etcd client certificate you need to build APISIX-Openresty, see
+    # http://apisix.apache.org/docs/apisix/how-to-build#6-build-openresty-for-apisix
+    # cert: /path/to/cert         # path of certificate used by the etcd client
+    # key: /path/to/key           # path of key used by the etcd client
+
     verify: true                  # whether to verify the etcd endpoint certificate when setup a TLS connection to etcd,
                                   # the default value is true, e.g. the certificate will be verified strictly.
 

diff --git a/t/cli/test_etcd_mtls.sh b/t/cli/test_etcd_mtls.sh
@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+. ./t/cli/common.sh
+
+# The 'admin.apisix.dev' is injected by utils/set-dns.sh
+
+# etcd mTLS verify
+echo '
+etcd:
+  host:
+    - "https://admin.apisix.dev:22379"
+  prefix: "/apisix"
+  tls:
+    cert: t/certs/mtls_client.crt
+    key: t/certs/mtls_client.key
+    verify: false
+  ' > conf/config.yaml
+
+out=$(make init 2>&1 || echo "ouch")
+if echo "$out" | grep "bad certificate"; then
+    echo "failed: apisix should not echo \"bad certificate\""
+    exit 1
+fi
+
+echo "passed: certificate verify success expectedly"
+
+echo '
+etcd:
+  host:
+    - "https://admin.apisix.dev:22379"
+  prefix: "/apisix"
+  tls:
+    verify: false
+  ' > conf/config.yaml
+
+out=$(make init 2>&1 || echo "ouch")
+if ! echo "$out" | grep "bad certificate"; then
+    echo "failed: apisix should echo \"bad certificate\""
+    exit 1
+fi
+
+echo "passed: certificate verify fail expectedly"
+
+# etcd mTLS verify with CA
+echo '
+apisix:
+  ssl:
+    ssl_trusted_certificate: t/certs/mtls_ca.crt
+etcd:
+  host:
+    - "https://admin.apisix.dev:22379"
+  prefix: "/apisix"
+  tls:
+    cert: t/certs/mtls_client.crt
+    key: t/certs/mtls_client.key
+  ' > conf/config.yaml
+
+out=$(make init 2>&1 || echo "ouch")
+if echo "$out" | grep "certificate verify failed"; then
+    echo "failed: apisix should not echo \"certificate verify failed\""
+    exit 1
+fi
+
+if echo "$out" | grep "ouch"; then
+    echo "failed: apisix should not fail"
+    exit 1
+fi
+
+echo "passed: certificate verify with CA success expectedly"
diff --git a/utils/set-dns.sh b/utils/set-dns.sh
@@ -19,7 +19,10 @@
 
 set -ex
 
+# test a domain name is configured as upstream
 echo "127.0.0.1 test.com" | sudo tee -a /etc/hosts
+# test certificate verification
+echo "127.0.0.1 admin.apisix.dev" | sudo tee -a /etc/hosts
 cat /etc/hosts # check GitHub Action's configuration
 
 echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf