Reuse the Kine TLS options for a DB connection

Author: melgenek

pkg/drivers/fdb/fdb.go

@@ -8,6 +8,7 @@ import (
 	"github.com/k3s-io/kine/pkg/broadcaster"
 	"github.com/k3s-io/kine/pkg/drivers"
 	"github.com/k3s-io/kine/pkg/server"
+	"github.com/k3s-io/kine/pkg/tls"
 	"github.com/sirupsen/logrus"
 	"sync/atomic"
 	"time"
@@ -24,10 +25,11 @@ func init() {
 
 func New(_ context.Context, cfg *drivers.Config) (bool, server.Backend, error) {
 	logrus.Info("New FDB backend")
-	return false, NewFdbStructured(cfg.DataSourceName, Directory), nil
+	return false, NewFdbStructured(cfg.DataSourceName, cfg.BackendTLSConfig, Directory), nil
 }
 
 type FDB struct {
+	tlsConfig        tls.Config
 	connectionString string
 	dirName          string
 
@@ -46,10 +48,11 @@ type FDB struct {
 	lastWatchRev atomic.Int64
 }
 
-func NewFdbStructured(connectionString string, dirName string) server.Backend {
+func NewFdbStructured(connectionString string, tlsConfig tls.Config, dirName string) server.Backend {
 	logrus.Infof("Creating a FoundationDB driver with directory: '%s'", dirName)
 	ThisFDB = &FDB{
 		connectionString: connectionString,
+		tlsConfig:        tlsConfig,
 		dirName:          dirName,
 	}
 	return &FdbLogger{
@@ -62,7 +65,7 @@ func (f *FDB) Start(ctx context.Context) error {
 	fdb.MustAPIVersion(730)
 	f.ctx = ctx
 
-	if err := setTLSConfig(); err != nil {
+	if err := f.setTLSConfig(); err != nil {
 		return err
 	}
 
@@ -115,29 +118,26 @@ func (f *FDB) Start(ctx context.Context) error {
 	return nil
 }
 
-func setTLSConfig() error {
-	if TLSCertificateFile != "" {
-		if err := fdb.Options().SetTLSCertPath(TLSCertificateFile); err != nil {
+// https://apple.github.io/foundationdb/tls.html#configuring-tls
+func (f *FDB) setTLSConfig() error {
+	if f.tlsConfig.CertFile != "" {
+		if err := fdb.Options().SetTLSCertPath(f.tlsConfig.CertFile); err != nil {
 			return err
 		}
 	}
-	if TLSKeyFile != "" {
-		if err := fdb.Options().SetTLSKeyPath(TLSKeyFile); err != nil {
+	if f.tlsConfig.KeyFile != "" {
+		if err := fdb.Options().SetTLSKeyPath(f.tlsConfig.KeyFile); err != nil {
 			return err
 		}
 	}
-	if TLSPassword != "" {
-		if err := fdb.Options().SetTLSPassword(TLSPassword); err != nil {
+	if f.tlsConfig.CAFile != "" {
+		if err := fdb.Options().SetTLSCaPath(f.tlsConfig.CAFile); err != nil {
 			return err
 		}
 	}
-	if TLSCAFile != "" {
-		if err := fdb.Options().SetTLSCaPath(TLSCAFile); err != nil {
-			return err
-		}
-	}
-	if TLSVerifyPeers != "" {
-		if err := fdb.Options().SetTLSVerifyPeers([]byte(TLSVerifyPeers)); err != nil {
+	if f.tlsConfig.SkipVerify {
+		// https://apple.github.io/foundationdb/tls.html#turning-down-the-validation
+		if err := fdb.Options().SetTLSVerifyPeers([]byte("Check.Valid=0")); err != nil {
 			return err
 		}
 	}

pkg/drivers/fdb/fdb_config.go

@@ -8,15 +8,7 @@ var (
 	Directory          = "etcd"
 	CleanDirOnStart    = false
 	LogConflictingKeys = false
-
-	// FDB TLS
-	// https://apple.github.io/foundationdb/tls.html#configuring-tls
-	TLSCertificateFile = ""
-	TLSKeyFile         = ""
-	TLSPassword        = ""
-	TLSCAFile          = ""
-	TLSVerifyPeers     = ""
-
+	
 	// For testing only
 	UseSequentialId = false
 	APITest         = false
@@ -35,31 +27,6 @@ func ConfigFlags() []cli.Flag {
 			Usage:       "Clean the directory on start. Useful for testing.",
 			Destination: &CleanDirOnStart,
 		},
-		&cli.StringFlag{
-			Name:        "fdb-tls-certificate-file",
-			Usage:       "Path to the file from which the local certificates can be loaded",
-			Destination: &TLSCertificateFile,
-		},
-		&cli.StringFlag{
-			Name:        "fdb-tls-key-file",
-			Usage:       "Path to the file from which to load the private key",
-			Destination: &TLSKeyFile,
-		},
-		&cli.StringFlag{
-			Name:        "fdb-tls-password",
-			Usage:       "The byte-string representing the passcode for unencrypting the private key",
-			Destination: &TLSPassword,
-		},
-		&cli.StringFlag{
-			Name:        "fdb-tls-ca-file",
-			Usage:       "The byte-string for the verification of peer certificates and sessions",
-			Destination: &TLSCAFile,
-		},
-		&cli.StringFlag{
-			Name:        "fdb-tls-verify-peers",
-			Usage:       "The byte-string for the verification of peer certificates and sessions",
-			Destination: &TLSVerifyPeers,
-		},
 		&cli.BoolFlag{
 			Name:        "fdb-log-conflicting-keys",
 			Usage:       "Log conflicting keys when a transaction conflict occurs. Useful for debugging.",

pkg/drivers/fdb/fdb_test.go

@@ -36,7 +36,7 @@ func TestMain(m *testing.M) {
 func TestFDB(t *testing.T) {
 	n := 4
 	sameKeyN := 3
-	f := NewFdbStructured(connectionString, "dir1")
+	f := NewFdbStructured(connectionString,, "dir1")
 	ctx, cancelCtx := context.WithTimeout(context.Background(), time.Duration(60)*time.Second)
 	err := f.Start(ctx)
 	require.NoError(t, err)
@@ -45,7 +45,7 @@ func TestFDB(t *testing.T) {
 
 	forceRetryTransaction = func(i int) bool { return i < 2 }
 
-	f = NewFdbStructured(connectionString, "dir2")
+	f = NewFdbStructured(connectionString,, "dir2")
 	ctx, cancelCtx = context.WithTimeout(context.Background(), time.Duration(60)*time.Second)
 	defer cancelCtx()
 	err = f.Start(ctx)
@@ -255,7 +255,7 @@ func TestFDB(t *testing.T) {
 func TestFDBLargeRecords(t *testing.T) {
 	forceRetryTransaction = func(i int) bool { return i < 1 }
 
-	f := NewFdbStructured(connectionString, "dir1")
+	f := NewFdbStructured(connectionString,, "dir1")
 	ctx, cancelCtx := context.WithTimeout(context.Background(), time.Duration(100)*time.Second)
 	defer cancelCtx()
 
@@ -341,7 +341,7 @@ func TestCompaction(t *testing.T) {
 	newValue := []byte("newVal123")
 	updatedLease := int64(123)
 
-	f := NewFdbStructured(connectionString, "dir1")
+	f := NewFdbStructured(connectionString,, "dir1")
 	ctx, cancelCtx := context.WithTimeout(context.Background(), time.Duration(20)*time.Second)
 	defer cancelCtx()
 
@@ -472,7 +472,7 @@ func TestWatchAll(t *testing.T) {
 	maxBatchSize = 10
 	recordsCount := 53
 
-	f := NewFdbStructured(connectionString, "dir1")
+	f := NewFdbStructured(connectionString,, "dir1")
 	ctx, cancelCtx := context.WithTimeout(context.Background(), time.Duration(3)*time.Second)
 	defer cancelCtx()
 
@@ -502,7 +502,7 @@ func TestExceedSizeLarge(t *testing.T) {
 	_, err := rand.Read(value)
 	require.NoError(t, err)
 
-	f := NewFdbStructured(connectionString, "dir1")
+	f := NewFdbStructured(connectionString,, "dir1")
 	ctx, cancelCtx := context.WithTimeout(context.Background(), time.Duration(3)*time.Second)
 	defer cancelCtx()
 

tests/k3s/docker-compose.yaml

@@ -39,19 +39,17 @@ services:
       dockerfile: Dockerfile
     volumes:
       - ./fdb_pki:/opt/fdb/tls:ro
+    environment:
+      FDB_TLS_PASSWORD: client_password
     command:
       - --endpoint
       - "fdb://docker:docker@fdb:4500:tls"
-      - --fdb-tls-certificate-file
+      - --cert-file
       - "/opt/fdb/tls/client-certificate.pem"
-      - --fdb-tls-key-file
+      - --key-file
       - "/opt/fdb/tls/client-private-key.pem"
-      - --fdb-tls-password
-      - "client_password"
-      - --fdb-tls-ca-file
+      - --ca-file
       - "/opt/fdb/tls/ca-certificate.pem"
-      - --fdb-tls-verify-peers
-      - "Check.Valid=1"
   k3s:
     container_name: k3s
     depends_on: