From a5e0546faa9faa37380e5f6637b0a3f39b68f8d0 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Wed, 11 Oct 2017 17:19:43 +0100
Subject: [PATCH] Security fixes for etcd

---
 roles/etcd/tasks/configure.yml | 12 +++++++++---
 roles/etcd/templates/etcd.env.j2 | 3 +++
 tests/testcases/010_check-apiserver.yml | 2 +-
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/roles/etcd/tasks/configure.yml b/roles/etcd/tasks/configure.yml
index 5f8756e71..aabd2d849 100644
--- a/roles/etcd/tasks/configure.yml
+++ b/roles/etcd/tasks/configure.yml
@@ -5,12 +5,11 @@
   ignore_errors: true
   changed_when: false
   check_mode: no
-  when: is_etcd_master
   tags:
     - facts
 
 - name: Configure | Add member to the cluster if it is not there
-  when: is_etcd_master and etcd_member_in_cluster.rc != 0 and etcd_cluster_is_healthy.rc == 0
+  when: etcd_member_in_cluster.rc != 0 and etcd_cluster_is_healthy.rc == 0
   shell: "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses }} member add {{ etcd_member_name }} {{ etcd_peer_url }}"
 
 - name: Install etcd launch script
@@ -27,5 +26,12 @@
   src: "etcd-{{ etcd_deployment_type }}.service.j2"
   dest: /etc/systemd/system/etcd.service
   backup: yes
-  when: is_etcd_master
   notify: restart etcd
+
+- name: Confugure | Set etcd data dir permissions
+  file:
+    path: "{{ etcd_data_dir }}"
+    owner: etcd
+    group: etcd
+    state: directory
+    recuse: yes
diff --git a/roles/etcd/templates/etcd.env.j2 b/roles/etcd/templates/etcd.env.j2
index 00ac5d844..3056ff82b 100644
--- a/roles/etcd/templates/etcd.env.j2
+++ b/roles/etcd/templates/etcd.env.j2
@@ -1,4 +1,5 @@
 ETCD_DATA_DIR={{ etcd_data_dir }}
+ETCD_WAL_DIR={{ etcd_data_dir }}/member/wal
 ETCD_ADVERTISE_CLIENT_URLS={{ etcd_client_url }}
 ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_peer_url }}
 ETCD_INITIAL_CLUSTER_STATE={% if etcd_cluster_is_healthy.rc != 0 | bool %}new{% else %}existing{% endif %}
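Review bot: `recuse: yes` in the new "Set etcd data dir permissions" task is not a parameter of the `file` module — the intended key is `recurse`, and Ansible rejects unsupported module parameters, so as written the task fails instead of fixing ownership of the tree; change it to `recurse: true`. The task also sets only `owner`/`group` and no `mode`, so for a change labelled as a security fix the data directory keeps whatever permissions it was created with; if the goal is to keep other users out, add `mode: "0700"` (the permission etcd itself uses for its data directory), bearing in mind that with `recurse` the mode is applied to every file underneath as well, so a symbolic mode such as `"u=rwX,go="` may be preferable if the Ansible version in use supports it. Minor: the task name reads `Confugure`.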
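Review bot: `ETCD_WAL_DIR={{ etcd_data_dir }}/member/wal` pins the location etcd already uses when no WAL directory is configured (the WAL lives under `<data-dir>/member/wal`), so as far as this hunk shows the line changes nothing at runtime. If the purpose is to make the path explicit so that the ownership task in configure.yml visibly covers the WAL, or to prepare moving the WAL to a separate volume, record that next to the line, e.g. `{# WAL stays under the data dir so the ownership task covers it; point at a dedicated volume if needed #}`. Otherwise consider dropping it, since it introduces a second value that has to be kept in sync with ETCD_DATA_DIR.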
@@ -22,3 +23,5 @@ ETCD_PEER_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
 ETCD_PEER_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
 ETCD_PEER_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
 ETCD_PEER_CLIENT_CERT_AUTH=true
+ETCD_CLIENT_CERT_AUTH=true
+
diff --git a/tests/testcases/010_check-apiserver.yml b/tests/testcases/010_check-apiserver.yml
index b86a537fa..504023b59 100644
--- a/tests/testcases/010_check-apiserver.yml
+++ b/tests/testcases/010_check-apiserver.yml
@@ -8,5 +8,5 @@
     user: kube
     password: "{{ lookup('password', '../../credentials/kube_user length=15 chars=ascii_letters,digits') }}"
     validate_certs: no
-    status_code: 200
+    status_code: 200,401
   when: not kubeadm_enabled|default(false)
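Review bot: `ETCD_CLIENT_CERT_AUTH=true` makes etcd demand a client certificate issued by the CA named in `ETCD_TRUSTED_CA_FILE`, but only the peer-side `ETCD_PEER_TRUSTED_CA_FILE` is visible in this hunk, so confirm the client-side CA variable is set earlier in the template; without it no client connection can be verified. The same requirement now applies to every caller, and the `etcdctl ... member add` command in configure.yml shows no `--ca-file`/`--cert-file`/`--key-file` arguments, so it will be refused after this change unless the play exports the matching `ETCDCTL_*` variables or an unauthenticated listen URL remains. A comment above the new line, `# every client must present a cert issued by ETCD_TRUSTED_CA_FILE; etcdctl callers need the matching cert flags`, would make that dependency visible to whoever next edits the certificate variables.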
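Review bot: `status_code: 200,401` makes the check pass when the API server rejects the `kube` basic-auth credentials, so the test no longer proves that the user/password pair works — only that something answers over TLS on the port — and the commit message does not say why a 401 became acceptable. If a reachability-only check is intended, state it next to the line, e.g. `# 401 accepted on purpose: this only verifies the API server answers, not that basic auth succeeds`; otherwise the relaxed assertion hides a broken credential setup rather than catching it. Writing the value as a YAML list, `status_code: [200, 401]`, also avoids relying on the module's comma-splitting of a plain string.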