From 177375e02cdf81b7e61957b75f2e97748e10259a Mon Sep 17 00:00:00 2001
From: Aleksandr Mogylchenko
Date: Wed, 8 Feb 2017 15:40:48 +0100
Subject: [PATCH] TLS support for etcd

This commit also introduces local etcd.tls.enabled switch, which is True by default.

Change-Id: I4934f733228d6f7704e74e4fbf03029c39ffba30
---
 service/etcd.yaml | 25 +++++++++++++++++++++++--
 service/files/defaults.yaml | 2 ++
 service/files/entrypoint.sh.j2 | 12 ++++++++++++
 service/files/server-key.pem.j2 | 1 +
 service/files/server.pem.j2 | 1 +
 5 files changed, 39 insertions(+), 2 deletions(-)
 create mode 100644 service/files/entrypoint.sh.j2
 create mode 100644 service/files/server-key.pem.j2
 create mode 100644 service/files/server.pem.j2

diff --git a/service/etcd.yaml b/service/etcd.yaml
index cbea60b..a9c6a47 100644
--- a/service/etcd.yaml
+++ b/service/etcd.yaml
@@ -12,5 +12,26 @@ service:
 - name: etcd
 image: etcd
 daemon:
- command: etcd --listen-client-urls http://0.0.0.0:{{ etcd.client_port.cont }}
- --advertise-client-urls {{ address("etcd", etcd.client_port, with_scheme=True) }}
+ command: /opt/ccp/bin/entrypoint.sh
+ files:
+ - entrypoint
+ # {% if security.tls.enabled %}
+ - server_certificate
+ - server_key
+ # {% endif %}
+
+files:
+ entrypoint:
+ path: /opt/ccp/bin/entrypoint.sh
+ content: entrypoint.sh.j2
+ perm: "0755"
+# {% if security.tls.enabled %}
+ server_certificate:
+ path: /opt/ccp/etc/tls/etcd_server_certificate.pem
+ content: server.pem.j2
+ perm: "0644"
+ server_key:
+ path: /opt/ccp/etc/tls/etcd_server_key.pem
+ content: server-key.pem.j2
+ perm: "0644"
+# {% endif %}
diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index 78b9c48..b98955e 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -6,6 +6,8 @@ configs:
 cont: 2379
 server_port:
 cont: 2380
+ tls:
+ enabled: true
 
 versions:
 etcd_version: v3.0.12
diff --git a/service/files/entrypoint.sh.j2 b/service/files/entrypoint.sh.j2
new file mode 100644
index 0000000..e11bfec
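Review bot: The `server_key` entry in the new `files:` section writes the private key rendered from `security.tls.server_key` to `/opt/ccp/etc/tls/etcd_server_key.pem` with `perm: "0644"`, which makes the key readable by every account in the container; the key file should get `perm: "0600"` (the certificate can keep `"0644"`). Whether that mode is enough also depends on the file owner matching the user etcd runs as, which this hunk does not show. A second point: both the `files` list under the daemon and the `files:` section are gated on `security.tls.enabled` alone, while entrypoint.sh.j2 in the same commit only uses the key when `etcd.tls.enabled` is also true, so with the local switch off the key material is still materialized on disk unused; gating both templates on the same condition (`security.tls.enabled and etcd.tls.enabled`) would avoid writing a secret that nothing reads.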
--- /dev/null
+++ b/service/files/entrypoint.sh.j2
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+{% if security.tls.enabled and etcd.tls.enabled %}
+etcd --listen-client-urls=https://{{ network_topology["private"]["address"] }}:{{ etcd.client_port.cont }},http://127.0.0.1:{{ etcd.client_port.cont }}\
+ --advertise-client-urls=https://{{ address("etcd", etcd.client_port, with_scheme=False) }}\
+ --peer-auto-tls\
+ --cert-file=/opt/ccp/etc/tls/etcd_server_certificate.pem\
+ --key-file=/opt/ccp/etc/tls/etcd_server_key.pem\
+{% else %}
+etcd --listen-client-urls http://0.0.0.0:{{ etcd.client_port.cont }}\
+ --advertise-client-urls {{ address("etcd", etcd.client_port, with_scheme=True) }}
+{% endif %}
diff --git a/service/files/server-key.pem.j2 b/service/files/server-key.pem.j2
new file mode 100644
index 0000000..70cf751
--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}
diff --git a/service/files/server.pem.j2 b/service/files/server.pem.j2
new file mode 100644
index 0000000..8abc152
--- /dev/null
+++ b/service/files/server.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}
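Review bot: Both branches start etcd as a child of bash instead of replacing the shell, so if this script is the container's main process a SIGTERM from the runtime stops the shell and etcd is left to be killed rather than shut down cleanly; start each branch with `exec etcd --listen-client-urls=...` (TLS branch) and `exec etcd --listen-client-urls http://0.0.0.0:...` (plain branch). In the TLS branch the final argument line `--key-file=/opt/ccp/etc/tls/etcd_server_key.pem\` still ends in a continuation backslash, which only works because the next rendered line happens to be empty; drop that trailing `\` so the command line does not depend on how the template engine treats the `{% else %}`/`{% endif %}` block. On scope: this configures server-side TLS only — no `--trusted-ca-file`/`--client-cert-auth`, so any client that can reach the https port still gets unauthenticated read/write access to the store, and `--peer-auto-tls` gives peers self-signed certificates that are not verified against a CA; if that is the intended first step it deserves a comment in the template, e.g. `# Server-side TLS only: clients and peers are not authenticated yet`, and the plain `http://127.0.0.1` listener kept in the TLS branch should likewise say what it is for.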