Create TLS-capable clients if security enabled (#286)

lllamnyp · web-flow · commit 92c9f3569e73 · 2025-04-18T16:09:43.000+04:00
diff --git a/internal/controller/factory/etcd_client.go b/internal/controller/factory/etcd_client.go
@@ -2,7 +2,11 @@ package factory
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
+	"time"
 
 	"github.com/aenix-io/etcd-operator/api/v1alpha1"
 	clientv3 "go.etcd.io/etcd/client/v3"
@@ -57,8 +61,72 @@ func configFromCluster(ctx context.Context, cluster *v1alpha1.EtcdCluster, cli c
 		}
 	}
 	for name := range names {
-		urls = append(urls, fmt.Sprintf("%s.%s.%s:%s", name, ep.Name, ep.Namespace, "2379"))
+		urls = append(urls, fmt.Sprintf("%s.%s.%s.svc:%s", name, ep.Name, ep.Namespace, "2379"))
 	}
+	etcdClient := clientv3.Config{Endpoints: urls, DialTimeout: 5 * time.Second}
 
-	return clientv3.Config{Endpoints: urls}, nil
+	if s := cluster.Spec.Security; s != nil {
+		if s.TLS.ClientSecret == "" {
+			return clientv3.Config{}, fmt.Errorf("cannot configure client: security enabled, but client certificates not set")
+		}
+		clientSecret := &v1.Secret{}
+		err := cli.Get(ctx, types.NamespacedName{Namespace: cluster.Namespace, Name: s.TLS.ClientSecret}, clientSecret)
+		if err != nil {
+			return clientv3.Config{}, fmt.Errorf("cannot configure client: failed to get client certificate: %w", err)
+		}
+		cert, err := parseTLSSecret(clientSecret)
+		if err != nil {
+			return clientv3.Config{}, fmt.Errorf("cannot configure client: failed to extract keypair from client secret: %w", err)
+		}
+		etcdClient.TLS = &tls.Config{}
+		etcdClient.TLS.Certificates = []tls.Certificate{cert}
+		etcdClient.TLS.GetClientCertificate = func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+			return &etcdClient.TLS.Certificates[0], nil
+		}
+		caSecret := &v1.Secret{}
+		err = cli.Get(ctx, types.NamespacedName{Namespace: cluster.Namespace, Name: s.TLS.ServerSecret}, caSecret)
+		if err != nil {
+			return clientv3.Config{}, fmt.Errorf("cannot configure client: failed to get server CA secret: %w", err)
+		}
+		ca, err := parseTLSSecretCA(caSecret)
+		if err != nil {
+			return clientv3.Config{}, fmt.Errorf("cannot configure client: failed to extract Root CA from server secret: %w", err)
+		}
+		pool := x509.NewCertPool()
+		pool.AddCert(ca)
+		etcdClient.TLS.RootCAs = pool
+	}
+
+	return etcdClient, nil
+}
+
+func parseTLSSecret(secret *v1.Secret) (cert tls.Certificate, err error) {
+	certPem, ok := secret.Data["tls.crt"]
+	if !ok {
+		return tls.Certificate{}, fmt.Errorf("tls.crt not found in secret")
+	}
+	keyPem, ok := secret.Data["tls.key"]
+	if !ok {
+		return tls.Certificate{}, fmt.Errorf("tls.key not found in secret")
+	}
+	cert, err = tls.X509KeyPair(certPem, keyPem)
+	if err != nil {
+		err = fmt.Errorf("failed to load x509 key pair: %w", err)
+	}
+	return
+}
+
+func parseTLSSecretCA(secret *v1.Secret) (ca *x509.Certificate, err error) {
+	caPemBytes, ok := secret.Data["ca.crt"]
+	if !ok {
+		err = fmt.Errorf("secret does not contain ca.crt")
+		return
+	}
+	block, _ := pem.Decode(caPemBytes)
+	if block == nil {
+		err = fmt.Errorf("failed to decode PEM bytes")
+		return
+	}
+	ca, err = x509.ParseCertificate(block.Bytes)
+	return
 }
