FoundationDB backend TLS support and housekeeping (#5800)

* Fix typo in documentation * Update fdb-go-install.sh for new release tags * Exclude FoundationDB bindings from vendoring, delete vendored copy FoundationDB bindings are tightly coupled to the server version and client library version used in a specific deployment. Bindings need to be installed using the fdb-go-install.sh script, as documented in the foundationdb backend documentation. * Add TLS support to FoundationDB backend TLS support appeared in FoundationDB 5.2.4, raising the minimum API version for TLS-aware FoundationDB code to 520. * Update documentation for FoundationDB TLS support
hashicorp · Jan 8, 2019 · 29471c8 · 29471c8
1 parent 0e0f356
commit 29471c8
Show file tree

Hide file tree

Showing 26 changed files with 118 additions and 4,942 deletions.
diff --git a/physical/foundationdb/README.md b/physical/foundationdb/README.md
@@ -6,15 +6,28 @@ this procedure will fail with a descriptive error message at runtime.
 
 ## Installing the Go bindings
 
-You will need to install the FoundationDB Go bindings to build the FoundationDB
-backend. Make sure you have the FoundationDB client library installed on your
-system, along with Mono (core is enough), then install the Go bindings using
-the `fdb-go-install.sh` script:
+### Picking a version
+
+The version of the Go bindings and the FoundationDB client library used to
+build them must match.
+
+This version will determine the minimum API version that can be used, hence
+it should be no higher than the version of FoundationDB used in your cluster,
+and must also satisfy the requirements of the backend code.
+
+The minimum required API version for the FoundationDB backend is 520.
+
+### Installation
+
+Make sure you have Mono installed (core is enough), then install the
+Go bindings using the `fdb-go-install.sh` script:
 
 ```
-$ physical/foundationdb/fdb-go-install.sh
+$ physical/foundationdb/fdb-go-install.sh install --fdbver x.y.z
 ```
 
+By default, if `--fdbver x.y.z` is not specified, version 5.2.4 will be used.
+
 ## Building Vault
 
 To build Vault the FoundationDB backend, add FDB_ENABLED=1 when invoking

diff --git a/physical/foundationdb/fdb-go-install.sh b/physical/foundationdb/fdb-go-install.sh
@@ -12,7 +12,7 @@
 #
 
 DESTDIR="${DESTDIR:-}"
-FDBVER="${FDBVER:-5.1.0}"
+FDBVER="${FDBVER:-5.2.4}"
 REMOTE="${REMOTE:-github.com}"
 FDBREPO="${FDBREPO:-apple/foundationdb}"
 
@@ -210,18 +210,18 @@ else
             if [[ -d "${fdbdir}" ]] ; then
                 echo "Directory ${fdbdir} already exists ; checking out appropriate tag"
                 cmd1=( 'git' '-C' "${fdbdir}" 'fetch' 'origin' )
-                cmd2=( 'git' '-C' "${fdbdir}" 'checkout' "release-${FDBVER}" )
+                cmd2=( 'git' '-C' "${fdbdir}" 'checkout' "${FDBVER}" )
 
                 if ! echo "${cmd1[*]}" || ! "${cmd1[@]}" ; then
                     let status="${status} + 1"
                     echo "Could not pull latest changes from origin"
                 elif ! echo "${cmd2[*]}" ||  ! "${cmd2[@]}" ; then
                     let status="${status} + 1"
-                    echo "Could not checkout tag release-${FDBVER}."
+                    echo "Could not checkout tag ${FDBVER}."
                 fi
             else
                 echo "Downloading foundation repository into ${destdir}:"
-                cmd=( 'git' '-C' "${destdir}" 'clone' '--branch' "release-${FDBVER}" "https://${REMOTE}/${FDBREPO}.git" )
+                cmd=( 'git' '-C' "${destdir}" 'clone' '--branch' "${FDBVER}" "https://${REMOTE}/${FDBREPO}.git" )
 
                 echo "${cmd[*]}"
                 if ! "${cmd[@]}" ; then
@@ -238,7 +238,7 @@ else
             :
         elif [[ "${status}" -eq 0 ]] ; then
             echo "Building generated files."
-	    # FoundationDB starting with 5.2 can figure that out on its own
+	    # FoundationDB starting with 6.0 can figure that out on its own
 	    if [ -e '/usr/bin/mcs' ]; then
 		MCS_BIN=/usr/bin/mcs
 	    else

diff --git a/physical/foundationdb/foundationdb.go b/physical/foundationdb/foundationdb.go
@@ -27,6 +27,9 @@ import (
 )
 
 const (
+	// The minimum acceptable API version
+	minAPIVersion = 520
+
 	// The namespace under our top directory containing keys only for list operations
 	metaKeysNamespace = "_meta-keys"
 
@@ -137,6 +140,22 @@ func NewFDBBackend(conf map[string]string, logger log.Logger) (physical.Backend,
 
 	dirPath := strings.Split(strings.Trim(path, "/"), "/")
 
+	// TLS support
+	tlsCertFile, hasCertFile := conf["tls_cert_file"]
+	tlsKeyFile, hasKeyFile := conf["tls_key_file"]
+	tlsCAFile, hasCAFile := conf["tls_ca_file"]
+
+	tlsEnabled := hasCertFile && hasKeyFile && hasCAFile
+
+	if (hasCertFile || hasKeyFile || hasCAFile) && !tlsEnabled {
+		return nil, fmt.Errorf("FoundationDB TLS requires all 3 of tls_cert_file, tls_key_file, and tls_ca_file")
+	}
+
+	tlsVerifyPeers, ok := conf["tls_verify_peers"]
+	if !ok && tlsEnabled {
+		return nil, fmt.Errorf("Required option tls_verify_peers not set in configuration")
+	}
+
 	// FoundationDB API version
 	fdbApiVersionStr, ok := conf["api_version"]
 	if !ok {
@@ -147,6 +166,12 @@ func NewFDBBackend(conf map[string]string, logger log.Logger) (physical.Backend,
 	if err != nil {
 		return nil, errwrap.Wrapf("failed to parse fdb_api_version parameter: {{err}}", err)
 	}
+
+	// Check requested FDB API version against minimum required API version
+	if fdbApiVersionInt < minAPIVersion {
+		return nil, fmt.Errorf("Configured FoundationDB API version lower than minimum required version: %d < %d", fdbApiVersionInt, minAPIVersion)
+	}
+
 	logger.Debug("FoundationDB API version set", "fdb_api_version", fdbApiVersionInt)
 
 	// FoundationDB cluster file
@@ -174,6 +199,38 @@ func NewFDBBackend(conf map[string]string, logger log.Logger) (physical.Backend,
 		return nil, errwrap.Wrapf("failed to set FDB API version: {{err}}", err)
 	}
 
+	if tlsEnabled {
+		opts := fdb.Options()
+
+		tlsPassword, ok := conf["tls_password"]
+		if ok {
+			err := opts.SetTLSPassword(tlsPassword)
+			if err != nil {
+				return nil, errwrap.Wrapf("failed to set TLS password: {{err}}", err)
+			}
+		}
+
+		err := opts.SetTLSCaPath(tlsCAFile)
+		if err != nil {
+			return nil, errwrap.Wrapf("failed to set TLS CA bundle path: {{err}}", err)
+		}
+
+		err = opts.SetTLSCertPath(tlsCertFile)
+		if err != nil {
+			return nil, errwrap.Wrapf("failed to set TLS certificate path: {{err}}", err)
+		}
+
+		err = opts.SetTLSKeyPath(tlsKeyFile)
+		if err != nil {
+			return nil, errwrap.Wrapf("failed to set TLS key path: {{err}}", err)
+		}
+
+		err = opts.SetTLSVerifyPeers([]byte(tlsVerifyPeers))
+		if err != nil {
+			return nil, errwrap.Wrapf("failed to set TLS peer verification criteria: {{err}}", err)
+		}
+	}
+
 	db, err := fdb.Open(fdbClusterFile, []byte("DB"))
 	if err != nil {
 		return nil, errwrap.Wrapf(fmt.Sprintf("failed to open database with cluster file '%s': {{err}}", fdbClusterFile), err)

diff --git a/physical/foundationdb/foundationdb_test.go b/physical/foundationdb/foundationdb_test.go
@@ -23,7 +23,7 @@ import (
 )
 
 func connectToFoundationDB(clusterFile string) (*fdb.Database, error) {
-	if err := fdb.APIVersion(510); err != nil {
+	if err := fdb.APIVersion(520); err != nil {
 		return nil, errwrap.Wrapf("failed to set FDB API version: {{err}}", err)
 	}
 
@@ -112,7 +112,7 @@ func TestFoundationDBBackend(t *testing.T) {
 	logger := logging.NewVaultLogger(log.Debug)
 	config := map[string]string{
 		"path":         topDir,
-		"api_version":  "510",
+		"api_version":  "520",
 		"cluster_file": clusterFile,
 	}
 

diff --git a/vendor/github.com/apple/foundationdb/LICENSE b/vendor/github.com/apple/foundationdb/LICENSE