Merge pull request #49 from yifan-gu/add_acl_support

*: Support init acl for the eco

Dockerfile

@@ -1,14 +1,14 @@
 #Min version required
 #See: https://github.com/golang/go/issues/29278#issuecomment-447537558
-FROM golang:1.11.4-alpine AS build-env
+FROM golang:1.13.3-alpine AS build-env
 
 WORKDIR /go/src/github.com/quentin-m/etcd-cloud-operator
 
 # Install & Cache dependencies
 RUN apk add --no-cache git curl gcc musl-dev
 
 RUN apk add --update openssl && \
-    wget https://github.com/coreos/etcd/releases/download/v3.3.3/etcd-v3.3.3-linux-amd64.tar.gz -O /tmp/etcd.tar.gz && \
+    wget https://github.com/coreos/etcd/releases/download/v3.4.4/etcd-v3.4.4-linux-amd64.tar.gz -O /tmp/etcd.tar.gz && \
     mkdir /etcd && \
     tar xzvf /tmp/etcd.tar.gz -C /etcd --strip-components=1 && \
     rm /tmp/etcd.tar.gz

README.md

@@ -36,6 +36,9 @@ failures.
     from the latest data revision available once the expected amount of instances
     are ready to start again.
 
+-   _ACL support_: A user can configure the ACL of etcd by providing an **init-acl** config
+    in the config file. See [init-acl.md](./docs/init-acl.md) for more information.
+
 The operator and etcd cluster can be easily configured using a [YAML file]. The
 configuration notably includes clients/peers TLS encryption/authentication, with
 the ability to automatically generate self-signed certificates if encryption

cmd/operator/config.go

@@ -78,6 +78,11 @@ func loadConfig(path string) (config, error) {
 		return config, err
 	}
 
+	err = config.ECO.Etcd.Validate()
+	if err != nil {
+		return config, err
+	}
+
 	log.Infof("loaded configuration file %v", path)
 	return config, err
 }

cmd/operator/operator.go

@@ -21,7 +21,7 @@ import (
 	"os"
 	"strings"
 
-	etcdcl "github.com/coreos/etcd/clientv3"
+	etcdcl "go.etcd.io/etcd/clientv3"
 	"github.com/coreos/pkg/capnslog"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/grpclog"
@@ -48,7 +48,7 @@ func main() {
 	log.SetOutput(os.Stdout)
 	log.SetLevel(logLevel)
 	log.SetFormatter(&log.TextFormatter{FullTimestamp: true})
-	capnslog.MustRepoLogger("github.com/coreos/etcd").SetLogLevel(map[string]capnslog.LogLevel{"etcdserver/api/v3rpc": capnslog.CRITICAL})
+	capnslog.MustRepoLogger("go.etcd.io/etcd").SetLogLevel(map[string]capnslog.LogLevel{"etcdserver/api/v3rpc": capnslog.CRITICAL})
 	etcdcl.SetLogger(grpclog.NewLoggerV2(ioutil.Discard, ioutil.Discard, os.Stderr))
 
 	// Read configuration.

cmd/tester/tester.go

@@ -38,7 +38,7 @@ func main() {
 	log.SetOutput(os.Stdout)
 	log.SetLevel(logLevel)
 	log.SetFormatter(&log.TextFormatter{FullTimestamp: true})
-	capnslog.MustRepoLogger("github.com/coreos/etcd").SetLogLevel(map[string]capnslog.LogLevel{"etcdserver/api/v3rpc": capnslog.CRITICAL})
+	capnslog.MustRepoLogger("go.etcd.io/etcd").SetLogLevel(map[string]capnslog.LogLevel{"etcdserver/api/v3rpc": capnslog.CRITICAL})
 
 	// Read configuration.
 	config, err := loadConfig(*flagConfigPath)

config.example.yaml

@@ -29,6 +29,36 @@ eco:
       peer-client-cert-auth: false
     # Defines the maximum amount of data that etcd can store, in bytes, before going into maintenance mode
     backend-quota: 2147483648
+    # Defines the initial acl that will be applied to the etcd during provisioning.
+    init-acl:
+      rootPassword: rootpw # Optional
+      roles:
+      - name: k8s-apiserver
+        permissions:
+        - mode: readwrite
+          key: /registry # Default value for k8s keys.
+          prefix: true
+      - name: k8s-agent
+        permissions:
+        - mode: readwrite
+          key: /kubernetes-agent
+          prefix: true
+      - name: range-example-role
+        permissions:
+        - mode: read
+          key: /foo1
+          rangeEnd: /foo5 # Gives read permission to [/foo1, /foo5).
+      users:
+      - name: k8s-apiserver
+        roles:
+        - k8s-apiserver
+      - name: k8s-agent
+        roles:
+        - k8s-agent
+      - name: ranger-user
+        password: foo # Password is optional.
+        roles:
+        - range-example-role
   # Configuration of the auto-scaling group provider.
   asg:
     provider: aws

docs/init-acl.md

@@ -0,0 +1,48 @@
+# Init ACL Config
+
+A user can configure the ACL of etcd by providing an **init-acl** config
+in the config file, (See [config.example.yaml](../config.example.yaml) for examples).
+
+The ACL config will be applied by the **Seeder** during provision, and it's **ONLY** applied once during that period.
+After that, if a user wants to update the **init-acl** config, he needs to restart the **Seeder**,
+or kill the **Seeder** and wait for another node to become the **Seeder**.
+
+Once the **init-acl** is applied, the [etcd authentication](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/authentication.md) will be turned on.
+The operator will not turn off the etcd authentication by itself, and after that moment,
+only a user with "root" access to the etcd are able to turn it off manually with ```etcdctl auth disable```.
+
+The **init-acl** config contains 3 parts, `rootPassword`, `roles` and `users`.
+
+### rootPassword
+
+The `rootPassword` is the password for the root user, it's optional.
+An etcd client could provide the `rootPassword` (if it's not empty),
+or provide a signed TLS ceritificate with `CN = root` (if the `rootPassword` is empty) to authenticate as a `root` user without password.
+
+### Roles
+
+The `roles` section defines a list of roles with their permissions.
+The permissions are consist of a list of range keys, mode, whether the key is prefixed.
+
+E.g.
+
+```
+- mode: readwrite
+  key: /registry
+  prefix: true
+```
+Allows the `readwrite` permission on all the paths whose prefix is `/registry`, such as `/registry/foo`, `/registry/bar`, etc.
+
+```
+- mode: read
+  key: /foo1
+  rangeEnd: /foo5
+```
+Allows the `read` permission on paths from `/foo1` to `/foo5`.
+
+
+### Users
+
+The `users` section defines a list of users, each user can be assigned to multiple roles.
+Optionally, a password can be also set for the user.
+Without a password, etcd will checks the client's TLS cert and use the `CommonName (CN)` to authenticate the user.

go.mod

@@ -1,76 +1,16 @@
 module github.com/quentin-m/etcd-cloud-operator
 
+go 1.13
+
 require (
-	github.com/aws/aws-sdk-go v1.13.30
-	github.com/beorn7/perks v0.0.0-20160229213445-3ac7bf7a47d1 // indirect
-	github.com/boltdb/bolt v1.3.1 // indirect
-	github.com/coreos/bbolt v1.3.1-coreos.6 // indirect
-	github.com/coreos/etcd v3.3.3+incompatible
-	github.com/coreos/go-semver v0.2.0 // indirect
-	github.com/coreos/go-systemd v0.0.0-20170731111925-d21964639418 // indirect
+	github.com/aws/aws-sdk-go v1.29.19
 	github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/dgrijalva/jwt-go v3.0.0+incompatible // indirect
-	github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4 // indirect
-	github.com/ghodss/yaml v1.0.0 // indirect
-	github.com/go-ini/ini v1.25.4 // indirect
-	github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415 // indirect
-	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b // indirect
-	github.com/golang/groupcache v0.0.0-20181024230925-c65c006176ff // indirect
-	github.com/google/btree v0.0.0-20161005200959-925471ac9e21 // indirect
-	github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf // indirect
-	github.com/googleapis/gnostic v0.2.0 // indirect
-	github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e // indirect
-	github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c // indirect
-	github.com/gregjones/httpcache v0.0.0-20181110185634-c63ab54fda8f // indirect
-	github.com/grpc-ecosystem/go-grpc-prometheus v0.0.0-20170826090648-0dafe0d496ea // indirect
-	github.com/grpc-ecosystem/grpc-gateway v1.3.0 // indirect
-	github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8 // indirect
-	github.com/jonboulle/clockwork v0.1.0 // indirect
-	github.com/json-iterator/go v1.1.5 // indirect
-	github.com/jtolds/gls v4.2.1+incompatible // indirect
-	github.com/kr/pretty v0.1.0 // indirect
-	github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329 // indirect
-	github.com/matttproud/golang_protobuf_extensions v0.0.0-20150406173934-fc2b8d3a73c4 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.1 // indirect
-	github.com/onsi/ginkgo v1.7.0 // indirect
-	github.com/onsi/gomega v1.4.3 // indirect
-	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
-	github.com/philhofer/fwd v1.0.0 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/pquerna/ffjson v0.0.0-20181028064349-e517b90714f7 // indirect
-	github.com/prometheus/client_golang v0.0.0-20171005112915-5cec1d0429b0
-	github.com/prometheus/client_model v0.0.0-20170216185247-6f3806018612 // indirect
-	github.com/prometheus/common v0.0.0-20171104095907-e3fb1a1acd76 // indirect
-	github.com/prometheus/procfs v0.0.0-20171017214025-a6e9df898b13 // indirect
-	github.com/sirupsen/logrus v1.0.5
-	github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d // indirect
-	github.com/smartystreets/goconvey v0.0.0-20181108003508-044398e4856c // indirect
-	github.com/soheilhy/cmux v0.1.3 // indirect
-	github.com/spf13/pflag v1.0.3 // indirect
-	github.com/stretchr/testify v1.2.2 // indirect
-	github.com/tinylib/msgp v1.1.0 // indirect
-	github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8 // indirect
-	github.com/ugorji/go v0.0.0-20171019201919-bdcc60b419d1 // indirect
-	github.com/xiang90/probing v0.0.0-20160813154853-07dd2e8dfe18 // indirect
-	go.etcd.io/bbolt v1.3.0
-	golang.org/x/crypto v0.0.0-20170930174604-9419663f5a44
-	golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890 // indirect
-	golang.org/x/sync v0.0.0-20181108010431-42b317875d0f // indirect
-	golang.org/x/time v0.0.0-20170420181420-c06e80d9300e
-	google.golang.org/appengine v1.3.0 // indirect
-	google.golang.org/genproto v0.0.0-20170731182057-09f6ed296fc6 // indirect
-	google.golang.org/grpc v1.7.5
-	gopkg.in/airbrake/gobrake.v2 v2.0.9 // indirect
-	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
-	gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2 // indirect
-	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v2 v2.2.1
-	k8s.io/api v0.0.0-20181130031204-d04500c8c3dd
-	k8s.io/apimachinery v0.0.0-20181215012845-4d029f033399
-	k8s.io/client-go v10.0.0+incompatible
-	k8s.io/klog v0.1.0 // indirect
-	k8s.io/kubernetes v1.13.1
-	sigs.k8s.io/yaml v1.1.0 // indirect
+	github.com/sirupsen/logrus v1.2.0
+	go.etcd.io/bbolt v1.3.3
+	go.etcd.io/etcd v0.5.0-alpha.5.0.20200224211402-c65a9e2dd1fd
+	google.golang.org/grpc v1.23.1
+	gopkg.in/yaml.v2 v2.2.8
+	k8s.io/api v0.17.3
+	k8s.io/apimachinery v0.17.3
+	k8s.io/client-go v0.17.3
 )