Add etcd client certificate configuration (#2367)

* Add etcd client certificate
2019-03-27 13:53:40 +08:00 · 2019-03-27 13:53:40 +08:00 · fee94525db
parent a3fd8846a5
commit fee94525db
2 changed files with 37 additions and 2 deletions
--- a/etc/emqx.conf
+++ b/etc/emqx.conf
@ -114,6 +114,22 @@ cluster.autoclean = 5m
 ## Default: 1m, 1 minute
 ## cluster.etcd.node_ttl = 1m

+## Path to a file containing the client's private PEM-encoded key.
+##
+## Value: File
+## cluster.etcd.ssl.keyfile = {{ platform_etc_dir }}/certs/client-key.pem
+
+## The path to a file containing the client's certificate.
+##
+## Value: File
+## cluster.etcd.ssl.certfile = {{ platform_etc_dir }}/certs/client.pem
+
+## Path to the file containing PEM-encoded CA certificates. The CA certificates
+## are used during server authentication and when building the client certificate chain.
+##
+## Value: File
+## cluster.etcd.ssl.cacertfile = {{ platform_etc_dir }}/certs/ca.pem
+
 ##--------------------------------------------------------------------
 ## Cluster using Kubernates

--- a/priv/emqx.schema
+++ b/priv/emqx.schema
@ -105,6 +105,18 @@
  {default, "1m"}
 ]}.

+{mapping, "cluster.etcd.ssl.keyfile", "ekka.cluster_discovery", [
+  {datatype, string}
+]}.
+
+{mapping, "cluster.etcd.ssl.certfile", "ekka.cluster_discovery", [
+  {datatype, string}
+]}.
+
+{mapping, "cluster.etcd.ssl.cacertfile", "ekka.cluster_discovery", [
+  {datatype, string}
+]}.
+
 %%--------------------------------------------------------------------
 %% Cluster on K8s

@ -149,9 +161,16 @@
                 [{name, cuttlefish:conf_get("cluster.dns.name", Conf)},
                  {app, cuttlefish:conf_get("cluster.dns.app", Conf)}];
               (etcd) ->
+                 SslOpts = fun(Conf) ->
+                              Options = cuttlefish_variable:filter_by_prefix("cluster.etcd.ssl", Conf),
+                              lists:map(fun({["cluster", "etcd", "ssl", Name], Value}) ->
+                                            {list_to_atom(Name), Value}
+                                        end, Options)
+                            end,
                 [{server, string:tokens(cuttlefish:conf_get("cluster.etcd.server", Conf), ",")},
                  {prefix, cuttlefish:conf_get("cluster.etcd.prefix", Conf, "emqcl")},
-                  {node_ttl, cuttlefish:conf_get("cluster.etcd.node_ttl", Conf, 60)}];
+                  {node_ttl, cuttlefish:conf_get("cluster.etcd.node_ttl", Conf, 60)},
+                  {ssl_options, SslOpts(Conf)}];
               (k8s) ->
                 [{apiserver, cuttlefish:conf_get("cluster.k8s.apiserver", Conf)},
                  {service_name, cuttlefish:conf_get("cluster.k8s.service_name", Conf)},
@ -2106,4 +2125,4 @@ end}.
  [{check_interval, cuttlefish:conf_get("vm_mon.check_interval", Conf)},
   {process_high_watermark, cuttlefish:conf_get("vm_mon.process_high_watermark", Conf)},
   {process_low_watermark, cuttlefish:conf_get("vm_mon.process_low_watermark", Conf)}]
-end}.
+end}.