config: add etcd authentication

Author: jipperinbham

Documentation/deployment-and-configuration.md

@@ -12,6 +12,40 @@ Each `fleetd` daemon must be configured to talk to the same [etcd cluster][etcd]
 
 [etcd]: https://coreos.com/docs/cluster-management/setup/getting-started-with-etcd
 
+### Basic Authentication
+
+If your etcd cluster has [Basic authentication][etcd-authentication] enabled, you will need to configure fleet to use an username/password combination for a valid user in the system. Also, because [Basic authentication][etcd-authentication] is Base64 encoded and easily deciphered, it is recommended to also use [TLS authentication][etcd-security] for transport level encryption by providing an `etcd_cafile`. *Authentication is only available since etcd 2.1.X and greater.*
+The examples below show how to achieve this:
+
+#### Using systemd Drop-Ins
+
+```ini
+[Service]
+Environment="FLEET_ETCD_SERVERS=https://192.0.2.12:2379"
+Environment="FLEET_ETCD_USERNAME=root"
+Environment="FLEET_ETCD_PASSWORD=coreos"
+```
+
+#### Using CoreOS Cloud Config
+
+```yaml
+#cloud-config
+
+coreos:
+  fleet:
+    etcd_servers: "https://192.0.2.12:2379"
+    etcd_username: root
+    etcd_password: coreos
+```
+
+#### Using fleet configuration file
+
+```ini
+etcd_servers=["https://192.0.2.12:2379"]
+etcd_username=root
+etcd_password=coreos
+```
+
 ## systemd
 
 The `fleetd` daemon communicates with systemd (v207+) running locally on a given machine. It requires D-Bus (v1.6.12+) to do this.
@@ -129,3 +163,7 @@ Default: "30s"
 Interval in seconds at which the engine should reconcile the cluster schedule in etcd.
 
 Default: 2
+
+[etcd]: https://github.com/coreos/etcd/blob/v3.0.4/Documentation/docs.md
+[etcd-security]: https://github.com/coreos/etcd/blob/v3.0.4/Documentation/op-guide/security.md
+[etcd-authentication]: https://github.com/coreos/etcd/blob/v3.0.4/Documentation/v2/authentication.md

Documentation/using-the-client.md

@@ -17,6 +17,12 @@ Alternatively, `--endpoint` can be provided through the `FLEETCTL_ENDPOINT` envi
 
     FLEETCTL_ENDPOINT=http://<IP:[PORT]> fleetctl list-units
 
+### Using etcd Authentication
+
+If your `etcd` cluster is configured with authentication enabled, use the `--etcd-username` and `--etc-password` flags to provide credentials to the command-line tool.
+
+*It is not recommended to use Authentication without also using TLS Transport by also providing the `--ca-file` flag*
+
 ### From an External Host
 
 If you prefer to execute fleetctl from an external host (i.e. your laptop), the `--tunnel` flag can be used to tunnel communication with your fleet cluster over SSH:
@@ -27,7 +33,7 @@ One can also provide `--tunnel` through the environment variable `FLEETCTL_TUNNE
 
     FLEETCTL_TUNNEL=<IP[:PORT]> fleetctl list-units
 
-When using `--tunnel` and `--endpoint` together, it is important to note that all etcd requests will be made through the SSH tunnel. 
+When using `--tunnel` and `--endpoint` together, it is important to note that all etcd requests will be made through the SSH tunnel.
 The address in the `--endpoint` flag must be routable from the server hosting the tunnel.
 
 If the external host requires a username other than `core`, the `--ssh-username` flag can be used to set an alternative username.
@@ -136,7 +142,7 @@ hello.service	ping.service	pong.service
 $ fleetctl submit examples/*
 ```
 
-Submission of units to a fleet cluster does not cause them to be scheduled. 
+Submission of units to a fleet cluster does not cause them to be scheduled.
 The unit will be visible in a `fleetctl list-unit-files` command, but have no reported state in `fleetctl list-units`.
 
 A unit can be removed from a cluster with the `destroy` command:

config/config.go

@@ -20,6 +20,8 @@ import (
 
 type Config struct {
 	EtcdServers             []string
+	EtcdUsername            string
+	EtcdPassword            string
 	EtcdKeyPrefix           string
 	EtcdKeyFile             string
 	EtcdCertFile            string

fleet.conf.sample

@@ -16,6 +16,10 @@
 # etcd_keyfile=/path/to/keyfile
 # etcd_certfile=/path/to/certfile
 
+# Provide Authentication configuration when basic authentication is enabled in etcd endpoints
+# etcd_username=root
+# etcd_password=coreos
+
 # IP address that should be published with any socket information. By default,
 # no IP address is published.
 # public_ip=""

fleetd/fleetd.go

@@ -66,6 +66,8 @@ func main() {
 	cfgset := flag.NewFlagSet("fleet", flag.ExitOnError)
 	cfgset.Int("verbosity", 0, "Logging level")
 	cfgset.Var(&pkg.StringSlice{"http://127.0.0.1:2379", "http://127.0.0.1:4001"}, "etcd_servers", "List of etcd endpoints")
+	cfgset.String("etcd_username", "", "username for secure etcd communication")
+	cfgset.String("etcd_password", "", "password for secure etcd communication")
 	cfgset.String("etcd_keyfile", "", "SSL key file used to secure etcd communication")
 	cfgset.String("etcd_certfile", "", "SSL certification file used to secure etcd communication")
 	cfgset.String("etcd_cafile", "", "SSL Certificate Authority file used to secure etcd communication")
@@ -178,6 +180,8 @@ func getConfig(flagset *flag.FlagSet, userCfgFile string) (*config.Config, error
 	cfg := config.Config{
 		Verbosity:               (*flagset.Lookup("verbosity")).Value.(flag.Getter).Get().(int),
 		EtcdServers:             (*flagset.Lookup("etcd_servers")).Value.(flag.Getter).Get().(pkg.StringSlice),
+		EtcdUsername:            (*flagset.Lookup("etcd_username")).Value.(flag.Getter).Get().(string),
+		EtcdPassword:            (*flagset.Lookup("etcd_password")).Value.(flag.Getter).Get().(string),
 		EtcdKeyPrefix:           (*flagset.Lookup("etcd_key_prefix")).Value.(flag.Getter).Get().(string),
 		EtcdKeyFile:             (*flagset.Lookup("etcd_keyfile")).Value.(flag.Getter).Get().(string),
 		EtcdCertFile:            (*flagset.Lookup("etcd_certfile")).Value.(flag.Getter).Get().(string),

server/server.go

@@ -84,7 +84,10 @@ func New(cfg config.Config) (*Server, error) {
 	eCfg := etcd.Config{
 		Transport: &http.Transport{TLSClientConfig: tlsConfig},
 		Endpoints: cfg.EtcdServers,
+		Username:  cfg.EtcdUsername,
+		Password:  cfg.EtcdPassword,
 	}
+
 	eClient, err := etcd.New(eCfg)
 	if err != nil {
 		return nil, err