From e218834b581dea0bfa34ace863da0859faf44f3d Mon Sep 17 00:00:00 2001
From: Anthony Romano
Date: Tue, 2 Aug 2016 10:52:21 -0700
Subject: [PATCH] etcdctl: set ServerName for TLS when using --discovery-srv
---
 etcdctl/ctlv2/command/util.go | 43 ++++++++++++++++++++++++++---------
 etcdctl/ctlv2/ctl.go | 1 +
 2 files changed, 33 insertions(+), 11 deletions(-)
diff --git a/etcdctl/ctlv2/command/util.go b/etcdctl/ctlv2/command/util.go
index 1bff41b6c..376aebd53 100644
--- a/etcdctl/ctlv2/command/util.go
+++ b/etcdctl/ctlv2/command/util.go
@@ -85,13 +85,7 @@ func getPeersFlagValue(c *cli.Context) []string {
 }
 
 func getDomainDiscoveryFlagValue(c *cli.Context) ([]string, error) {
- domainstr := c.GlobalString("discovery-srv")
-
- // Use an environment variable if nothing was supplied on the
- // command line
- if domainstr == "" {
- domainstr = os.Getenv("ETCDCTL_DISCOVERY_SRV")
- }
+ domainstr, insecure := getDiscoveryDomain(c)
 
 // If we still don't have domain discovery, return nothing
 if domainstr == "" {
@@ -103,8 +97,30 @@ func getDomainDiscoveryFlagValue(c *cli.Context) ([]string, error) {
 if err != nil {
 return nil, err
 }
+ if insecure {
+ return eps, err
+ }
+ // strip insecure connections
+ ret := []string{}
+ for _, ep := range eps {
+ if strings.HasPrefix("http://", ep) {
+ fmt.Fprintf(os.Stderr, "ignoring discovered insecure endpoint %q\n", ep)
+ continue
+ }
+ ret = append(ret, ep)
+ }
+ return ret, err
+}
 
- return eps, err
+func getDiscoveryDomain(c *cli.Context) (domainstr string, insecure bool) {
+ domainstr = c.GlobalString("discovery-srv")
+ // Use an environment variable if nothing was supplied on the
+ // command line
+ if domainstr == "" {
+ domainstr = os.Getenv("ETCDCTL_DISCOVERY_SRV")
+ }
+ insecure = c.GlobalBool("insecure-discovery") || (os.Getenv("ETCDCTL_INSECURE_DISCOVERY") != "")
+ return domainstr, insecure
 }
 
 func getEndpoints(c *cli.Context) ([]string, error) {
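Review bot: The plaintext-endpoint filter in the second hunk never removes anything, because the arguments to strings.HasPrefix are reversed: `strings.HasPrefix("http://", ep)` asks whether the literal "http://" starts with the endpoint string, which is false for any real URL, so every discovered http:// target is kept even when --insecure-discovery was not given and the "ignoring discovered insecure endpoint" message is never printed. The check should read `if strings.HasPrefix(ep, "http://") {`. In getDiscoveryDomain, `os.Getenv("ETCDCTL_INSECURE_DISCOVERY") != ""` also treats values such as "false" or "0" as opting in; parsing the value with strconv.ParseBool and only honouring a true result would match what an operator setting that variable expects. The enclosing getDomainDiscoveryFlagValue begins in the previous hunk, so the lookup that produces eps and err is not visible here.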
@@ -151,10 +167,15 @@ func getTransport(c *cli.Context) (*http.Transport, error) {
 keyfile = os.Getenv("ETCDCTL_KEY_FILE")
 }
 
+ discoveryDomain, insecure := getDiscoveryDomain(c)
+ if insecure {
+ discoveryDomain = ""
+ }
 tls := transport.TLSInfo{
- CAFile: cafile,
- CertFile: certfile,
- KeyFile: keyfile,
+ CAFile: cafile,
+ CertFile: certfile,
+ KeyFile: keyfile,
+ ServerName: discoveryDomain,
 }
 
 dialTimeout := defaultDialTimeout
diff --git a/etcdctl/ctlv2/ctl.go b/etcdctl/ctlv2/ctl.go
index b04598917..5686c273d 100644
--- a/etcdctl/ctlv2/ctl.go
+++ b/etcdctl/ctlv2/ctl.go
@@ -39,6 +39,7 @@ func Start() {
 cli.BoolFlag{Name: "no-sync", Usage: "don't synchronize cluster information before sending request"},
 cli.StringFlag{Name: "output, o", Value: "simple", Usage: "output response in the given format (`simple`, `extended` or `json`)"},
 cli.StringFlag{Name: "discovery-srv, D", Usage: "domain name to query for SRV records describing cluster endpoints"},
+ cli.BoolFlag{Name: "insecure-discovery", Usage: "accept insecure SRV records describing cluster endpoints"},
 cli.StringFlag{Name: "peers, C", Value: "", Usage: "DEPRECATED - \"--endpoints\" should be used instead"},
 cli.StringFlag{Name: "endpoint", Value: "", Usage: "DEPRECATED - \"--endpoints\" should be used instead"},
 cli.StringFlag{Name: "endpoints", Value: "", Usage: "a comma-delimited list of machine addresses in the cluster (default: \"http://127.0.0.1:2379,http://127.0.0.1:4001\")"},
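Review bot: The getTransport hunk ties TLS hostname verification to the discovery flag without saying why, and the link is easy to misread: whenever a discovery domain is configured, `ServerName: discoveryDomain` makes the client verify server certificates against the SRV domain instead of each record's own hostname, and `--insecure-discovery` silently drops that override by blanking discoveryDomain. A comment above the new block would make the intent explicit, e.g. `// Verify server certs against the SRV domain rather than the per-record hostnames; with insecure discovery leave ServerName empty (presumably falling back to each endpoint's host).` If getEndpoints can still honour explicit --endpoints while --discovery-srv is set (not visible in this diff), those explicitly given endpoints would be verified against the SRV domain too, which is worth confirming before merge. The body of getTransport continues outside the hunk.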