etcdmain: check TLS on gateway SRV records

etcdmain/gateway.go

@@ -18,9 +18,11 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"strings"
 	"time"
 
 	"github.com/coreos/etcd/client"
+	"github.com/coreos/etcd/pkg/transport"
 	"github.com/coreos/etcd/proxy/tcpproxy"
 	"github.com/spf13/cobra"
 )
@@ -30,6 +32,7 @@ var (
 	gatewayEndpoints  []string
 	gatewayDNSCluster string
 	getewayRetryDelay time.Duration
+	gatewayCA         string
 )
 
 var (
@@ -64,6 +67,7 @@ func newGatewayStartCommand() *cobra.Command {
 
 	cmd.Flags().StringVar(&gatewayListenAddr, "listen-addr", "127.0.0.1:23790", "listen address")
 	cmd.Flags().StringVar(&gatewayDNSCluster, "discovery-srv", "", "DNS domain used to bootstrap initial cluster")
+	cmd.Flags().StringVar(&gatewayCA, "trusted-ca-file", "", "path to the client server TLS CA file.")
 
 	cmd.Flags().StringSliceVar(&gatewayEndpoints, "endpoints", []string{"127.0.0.1:2379"}, "comma separated etcd cluster endpoints")
 
@@ -81,6 +85,37 @@ func startGateway(cmd *cobra.Command, args []string) {
 			os.Exit(1)
 		}
 		plog.Infof("discovered the cluster %s from %s", eps, gatewayDNSCluster)
+
+		// confirm TLS connections are good
+		tlsInfo := transport.TLSInfo{
+			TrustedCAFile: gatewayCA,
+			ServerName:    gatewayDNSCluster,
+		}
+		t, err := transport.NewTransport(tlsInfo, 5*time.Second)
+		if err != nil {
+			plog.Fatalf("could not create transport (%v)", err)
+		}
+		for _, ep := range eps {
+			if !strings.HasPrefix(ep, "https://") {
+				if gatewayCA != "" {
+					plog.Errorf("rejecting insecure SRV record %q", ep)
+					continue
+				}
+				endpoints = append(endpoints, ep)
+				continue
+			}
+			conn, cerr := t.Dial("tcp", ep[len("https://"):])
+			if cerr != nil {
+				plog.Errorf("rejecting SRV record %q on dial (%v)", ep, err)
+				continue
+			}
+			conn.Close()
+			endpoints = append(endpoints, ep)
+		}
+	}
+
+	if len(endpoints) == 0 {
+		plog.Fatalf("no endpoints found")
 	}
 
 	l, err := net.Listen("tcp", gatewayListenAddr)