dex/storage/etcd/config.go

package etcd

import (
	"log/slog"
	"time"

	"go.etcd.io/etcd/client/pkg/v3/transport"
	clientv3 "go.etcd.io/etcd/client/v3"
	"go.etcd.io/etcd/client/v3/namespace"

	"github.com/dexidp/dex/storage"
)

var defaultDialTimeout = 2 * time.Second

// SSL represents SSL options for etcd databases.
type SSL struct {
	ServerName string `json:"serverName"`
	CAFile     string `json:"caFile"`
	KeyFile    string `json:"keyFile"`
	CertFile   string `json:"certFile"`
}

// Etcd options for connecting to etcd databases.
// If you are using a shared etcd cluster for storage, it might be useful to
// configure an etcd namespace either via Namespace field or using `etcd grpc-proxy
// --namespace=<prefix>`
type Etcd struct {
	Endpoints []string `json:"endpoints"`
	Namespace string   `json:"namespace"`
	Username  string   `json:"username"`
	Password  string   `json:"password"`
	SSL       SSL      `json:"ssl"`
}

// Open creates a new storage implementation backed by Etcd
func (p *Etcd) Open(logger *slog.Logger) (storage.Storage, error) {
	return p.open(logger)
}

func (p *Etcd) open(logger *slog.Logger) (*conn, error) {
	cfg := clientv3.Config{
		Endpoints:   p.Endpoints,
		DialTimeout: defaultDialTimeout,
		Username:    p.Username,
		Password:    p.Password,
	}

	var cfgtls *transport.TLSInfo
	tlsinfo := transport.TLSInfo{}
	if p.SSL.CertFile != "" {
		tlsinfo.CertFile = p.SSL.CertFile
		cfgtls = &tlsinfo
	}

	if p.SSL.KeyFile != "" {
		tlsinfo.KeyFile = p.SSL.KeyFile
		cfgtls = &tlsinfo
	}

	if p.SSL.CAFile != "" {
		tlsinfo.TrustedCAFile = p.SSL.CAFile
		cfgtls = &tlsinfo
	}

	if p.SSL.ServerName != "" {
		tlsinfo.ServerName = p.SSL.ServerName
		cfgtls = &tlsinfo
	}

	if cfgtls != nil {
		clientTLS, err := cfgtls.ClientConfig()
		if err != nil {
			return nil, err
		}
		cfg.TLS = clientTLS
	}

	db, err := clientv3.New(cfg)
	if err != nil {
		return nil, err
	}
	if len(p.Namespace) > 0 {
		db.KV = namespace.NewKV(db.KV, p.Namespace)
	}
	c := &conn{
		db:     db,
		logger: logger,
	}
	return c, nil
}