So here is my newest thought about the TLS etcd connection:

etcd:
  ......

  tls:
    mode: simple    # TLS mode for communicating with the ETCD
                    # cluster, optional value can be:
                    #   disable: do not setup a TLS connection
                    #            to ETCD endpoints.
                    #   simple: originate a TLS connection to the
                    #           ETCD endpoint
                    # The default mode is disable.
    verify: true    # Whether to verify the ETCD cluster certificate.

    trusted_certificate_file: /path/to/ca   # Specify a file path with trusted CA
                                            # certificates in the PEM format to
                                            # verify the ETCD cluster certificate.


The comments might need some improvements. Incidentally, we may put the 
trusted_certificate_file option into the “apisix” section, not only for the 
ETCD.


Chao Zhang
[email protected]



> On Oct 24, 2020, at 9:00 PM, Ming Wen <[email protected]> wrote:
> 
> Nice, +1 for TLS etcd connection
> 
> Zhang Chao <[email protected]>于2020年10月24日 周六下午8:57写道:
> 
>> Agreed with your idea.
>> 
>> Chao Zhang
>> [email protected]
>> 
>> 
>> 
>>> On Oct 24, 2020, at 7:38 PM, Zexuan Luo <[email protected]> wrote:
>>> 
>>>> taken here about the TLS SNI extension, the Session reuse and the SSL
>>>> verification.
>>> 
>>> I think we don't need to support SSL session reuse. Using TLS tickets is
>>> enough, which is supported by the client automatically.
>>> 
>>>> an explicit item like “verify”
>>> 
>>> I think we should also support a customized trusted CA like what
>>> `lua_ssl_trusted_certificate` does. It is useful for self-signed
>>> certificates.
>>> 
>>> 
>>> 
>>> Zhang Chao <[email protected]> 于2020年10月24日周六 上午11:04写道:
>>> 
>>>> Hello Community!
>>>> 
>>>> Recently I observed some issues and discussions in the QQ group about the
>>>> support of HTTPS for ETCD cluster.
>>>> 
>>>> I think it might be a necessary feature. Although, because of the
>>>> limitations of cosocket, we cannot support mutual TLS authentication, we
>>>> can still support the simple TLS mode: only authenticating the etcd
>>>> cluster.
>>>> 
>>>> So two things we need to do to support this.
>>>> 
>>>> 1) lua-resty-etcd
>>>> 
>>>> We should enhance lua-resty-etcd to support the optional SSL handshake
>>>> after connecting to one of the ETCD endpoints; care must be taken here
>>>> about the TLS SNI extension, session reuse and SSL verification.
>>>> 
>>>> 2) APISIX
>>>> 
>>>> We should also add some new items in the configuration, and use these new
>>>> items when creating the etcd client objects.
>>>> 
>>>> etcd:
>>>> ......
>>>> 
>>>> tls:
>>>>   mode: simple # TLS mode for communicating with the ETCD
>>>>                         # cluster, optional value can be:
>>>>                         #   disable: do not setup a TLS connection
>>>>                         #            to ETCD endpoints.
>>>>                         #   simple: originate a TLS connection to the
>>>>                         #           ETCD endpoint
>>>>                         # The default mode is disable.
>>>> 
>>>> Something I cannot decide is how we configure the SNI. I don’t think
>>>> exposing a configuration item like “sni” is a good way; I’m inclined to
>>>> use existing items to deduce the SNI (like hosts?). On the other hand, I
>>>> haven’t decided yet about the SSL verification. Maybe we can add more
>>>> options for the mode like “weak”, “strict”, or an explicit item like
>>>> “verify” is also OK. What’s your idea?
>>>> 
>>>> 
>>>> Chao Zhang
>>>> [email protected]
>>>> 
>>>> 
>>>> 
>>>> 
>> 
>> --
> Thanks,
> Ming Wen, Apache APISIX & Apache SkyWalking
> Twitter: _WenMing

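The following is an added example, not code from APISIX or lua-resty-etcd, showing how the "etcd.tls" block proposed in this thread could drive a cosocket connection to a single etcd endpoint: no TLS in "disable" mode, a server-authenticated handshake in "simple" mode, SNI deduced from the endpoint host (so no separate "sni" item), and the optional session-reuse argument of sslhandshake. It assumes it runs inside OpenResty (ngx.socket.tcp is available), that the CA file named by trusted_certificate_file has been rendered into nginx.conf as lua_ssl_trusted_certificate, because sslhandshake verifies the chain against that directive rather than a per-call path, and that the etcd endpoint answers the plain HTTP "GET /version" request; the module, function and table names are illustrative.

```lua
-- Added example (not APISIX or lua-resty-etcd code). Assumptions:
--   * runs inside OpenResty, so ngx.socket.tcp is available;
--   * trusted_certificate_file has already been written into nginx.conf
--     as `lua_ssl_trusted_certificate`, since cosocket sslhandshake
--     verifies against that directive, not a per-call file path;
--   * mutual TLS is out of scope, matching the thread's "simple" mode.
local _M = {}

local ngx_socket = ngx.socket
local str_find = string.find
local str_match = string.match

-- TLS sessions from earlier handshakes, keyed by "host:port", passed back
-- as the `reused_session` argument so a reconnect can resume the session.
local session_cache = {}

-- RFC 6066 forbids an IP literal in SNI, so only send server_name when the
-- endpoint host is a DNS name. With an IP endpoint the server certificate
-- needs that IP as a SAN for name checking to succeed.
local function sni_for_host(host)
    if str_match(host, "^%d+%.%d+%.%d+%.%d+$") or str_find(host, ":", 1, true) then
        return nil
    end
    return host
end

-- cfg mirrors the proposed YAML:
--   cfg.tls.mode   = "disable" | "simple"   (default "disable")
--   cfg.tls.verify = true | false            (default true in simple mode)
function _M.connect(cfg, host, port, timeout_ms)
    local tls = cfg.tls or {}
    local mode = tls.mode or "disable"
    if mode ~= "disable" and mode ~= "simple" then
        return nil, "unknown etcd tls mode: " .. tostring(mode)
    end

    local sock = ngx_socket.tcp()
    sock:settimeout(timeout_ms or 3000)

    local ok, err = sock:connect(host, port)
    if not ok then
        return nil, "connect " .. host .. ":" .. port .. " failed: " .. err
    end

    if mode == "disable" then
        return sock
    end

    -- "simple" mode: originate TLS and authenticate the etcd server only.
    -- verify=true checks the chain against lua_ssl_trusted_certificate and
    -- the name against the certificate; verify=false still encrypts but
    -- accepts any certificate, which is only acceptable against a test
    -- cluster whose self-signed CA has not been installed yet.
    local verify = tls.verify
    if verify == nil then
        verify = true
    end
    local key = host .. ":" .. port
    local sess, herr = sock:sslhandshake(session_cache[key], sni_for_host(host), verify)
    if not sess then
        sock:close()
        return nil, "TLS handshake with " .. key .. " failed: " .. herr
    end
    session_cache[key] = sess

    return sock
end

-- Smoke test for the connection: fetch the HTTP status line of GET /version
-- over the (possibly TLS-wrapped) socket and return it, e.g. "HTTP/1.1 200 OK".
function _M.version_status(cfg, host, port)
    local sock, err = _M.connect(cfg, host, port)
    if not sock then
        return nil, err
    end

    local req = "GET /version HTTP/1.1\r\nHost: " .. host ..
                "\r\nConnection: close\r\n\r\n"
    local bytes, serr = sock:send(req)
    if not bytes then
        sock:close()
        return nil, serr
    end

    local status, rerr = sock:receive("*l")
    sock:close()
    if not status then
        return nil, rerr
    end
    return status
end

return _M
```

Usage from a content or timer phase: `local etcd_tls = require("etcd_tls_example")` followed by `etcd_tls.version_status({ tls = { mode = "simple", verify = true } }, "etcd.example.internal", 2379)`; with `mode = "disable"` the same call goes out in cleartext, and with a deliberately wrong CA in lua_ssl_trusted_certificate it fails at the handshake rather than at the HTTP request, which is the behaviour a verify=true setting should guarantee.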