After investigating more, I think whether to use a TLS connection with etcd can be decided by the scheme in the etcd endpoints, and we can just configure some auxiliary options in config-default.yaml like "verify". PR was committed to GitHub.

On October 25, 2020 at 11:02:56 AM, Zhang Chao ([email protected]) wrote:

> So here is my newest thought about the TLS etcd connection:
>
>     etcd:
>       ......
>       tls:
>         mode: simple                  # TLS mode for communicating with the ETCD
>                                       # cluster, optional value can be:
>                                       # disable: do not setup a TLS connection
>                                       # to ETCD endpoints.
>                                       # simple: originate a TLS connection to the
>                                       # ETCD endpoint
>                                       # The default mode is disable.
>         verify: true                  # Whether to verify the ETCD cluster certificate.
>         trusted_certificate_file: /path/to/ca
>                                       # Specify a file path with trusted CA certificates
>                                       # in the PEM format to verify the ETCD cluster certificate.
>
> The comments might need some improvements.
>
> Incidentally, we may put the trusted_certificate_file option into the "apisix" section, not only for the ETCD.
>
> Chao Zhang
> [email protected]
>
>> On Oct 24, 2020, at 9:00 PM, Ming Wen <[email protected]> wrote:
>>
>> Nice, +1 for TLS etcd connection
>>
>> Zhang Chao <[email protected]> wrote on Saturday, October 24, 2020 at 8:57 PM:
>>
>>> Agreed with your idea.
>>>
>>> Chao Zhang
>>> [email protected]
>>>
>>>> On Oct 24, 2020, at 7:38 PM, Zexuan Luo <[email protected]> wrote:
>>>>
>>>>> taken here about the TLS SNI extension, the Session reuse and the SSL
>>>>> verification.
>>>>
>>>> I think we don't need to support SSL session reuse. Using TLS ticket is
>>>> enough, which is supported by the client automatically.
>>>>
>>>>> an explicit item like "verify"
>>>>
>>>> I think we should also support customized trust CA like what
>>>> `lua_ssl_trusted_certificate` does. It is useful for self signed
>>>> certificates.
>>>>
>>>> Zhang Chao <[email protected]> wrote on Saturday, October 24, 2020 at 11:04 AM:
>>>>
>>>>> Hello Community!
>>>>>
>>>>> Recently I observed some issues and discussions in the QQ group about the
>>>>> support of HTTPS for the ETCD cluster.
>>>>>
>>>>> I think it might be a necessary feature. Although, due to the limitations of
>>>>> Cosocket, we cannot support mutual TLS authentication, we can still support
>>>>> the simple TLS mode: only authenticating the etcd cluster.
>>>>>
>>>>> So two things we need to do to support this.
>>>>>
>>>>> 1) lua-resty-etcd
>>>>>
>>>>> We should enhance lua-resty-etcd to support the optional SSL handshake
>>>>> after connecting to one of the ETCD endpoints; care must be taken here about
>>>>> the TLS SNI extension, the session reuse and the SSL verification.
>>>>>
>>>>> 2) APISIX
>>>>>
>>>>> We also should add some new items in the configuration, and use these new
>>>>> items when creating the etcd client objects.
>>>>>
>>>>>     etcd:
>>>>>       ......
>>>>>
>>>>>       tls:
>>>>>         mode: simple              # TLS mode for communicating with the ETCD
>>>>>                                   # cluster, optional value can be:
>>>>>                                   # disable: do not setup a TLS connection
>>>>>                                   # to ETCD endpoints.
>>>>>                                   # simple: originate a TLS connection to the
>>>>>                                   # ETCD endpoint
>>>>>                                   # The default mode is disable.
>>>>>
>>>>> Something I cannot decide is how we configure the SNI. I don't think
>>>>> exposing a configuration item like "sni" is a good way; I'm inclined to use
>>>>> existing items to deduce the SNI (like hosts?). On the other hand, I
>>>>> haven't decided yet about the SSL verification. Maybe we can add more
>>>>> options for the mode like "weak", "strict", or an explicit item like
>>>>> "verify" is also OK. What's your idea?
>>>>>
>>>>> Chao Zhang
>>>>> [email protected]
>>
>> --
>> Thanks,
>> Ming Wen, Apache APISIX & Apache SkyWalking
>> Twitter: _WenMing
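An added example, not code from this thread and not lua-resty-etcd's or APISIX's own implementation, of the design the thread converged on: the endpoint scheme decides whether TLS is used, the SNI name is deduced from the endpoint host instead of a separate "sni" item, session reuse is left to TLS tickets (nothing is passed as a reused session), mutual TLS is not attempted because a cosocket cannot present a client certificate, and certificate verification is a separate boolean switch. The module layout, the names parse_endpoint and connect, and the opts.verify / opts.timeout option names are assumptions for illustration; the endpoint strings in the comments are constructed inputs.

```lua
-- Added example (not lua-resty-etcd's or APISIX's code): server-authenticated
-- ("simple" mode) TLS to an etcd endpoint over an OpenResty cosocket.
-- Runs inside an OpenResty worker (needs the ngx.* API).
local ngx_re_match = ngx.re.match
local tcp = ngx.socket.tcp

local _M = {}

-- Hypothetical helper: parse "scheme://host[:port]" into its parts.
-- The scheme alone decides TLS (https -> TLS, http -> plaintext); the host is
-- later reused as the SNI name. Bracketed IPv6 literals are not handled here.
-- Constructed inputs: "https://etcd-1.internal:2379", "http://127.0.0.1:2379".
function _M.parse_endpoint(endpoint)
    local m, err = ngx_re_match(endpoint, [[^(https?)://([^:/]+)(?::(\d+))?/?$]], "jo")
    if not m then
        return nil, err or ("invalid etcd endpoint: " .. tostring(endpoint))
    end
    return {
        scheme  = m[1],
        host    = m[2],
        port    = tonumber(m[3]) or 2379,   -- etcd's default client port
        use_tls = (m[1] == "https"),
    }
end

-- Hypothetical connect(): returns a connected (and, for https, TLS-wrapped)
-- cosocket, or nil, err. opts.verify (assumed name) plays the role of the
-- "verify" item in config-default.yaml; opts.timeout is in milliseconds.
function _M.connect(endpoint, opts)
    opts = opts or {}
    local ep, err = _M.parse_endpoint(endpoint)
    if not ep then
        return nil, err
    end

    local sock = tcp()
    local timeout = opts.timeout or 3000
    sock:settimeouts(timeout, timeout, timeout)   -- connect, send, read

    local ok, cerr = sock:connect(ep.host, ep.port)
    if not ok then
        return nil, "connect to " .. endpoint .. " failed: " .. cerr
    end

    if ep.use_tls then
        -- sslhandshake(reused_session, server_name, ssl_verify):
        --   reused_session = nil : no explicit session reuse; TLS tickets are
        --                          negotiated by the client automatically
        --   server_name = ep.host: SNI deduced from the endpoint, no "sni" item
        --   ssl_verify           : false skips chain validation entirely, so
        --                          verify=false is the weak setting; true
        --                          validates the cluster certificate against
        --                          the CAs in lua_ssl_trusted_certificate
        local session, herr = sock:sslhandshake(nil, ep.host, opts.verify == true)
        if not session then
            sock:close()
            return nil, "TLS handshake with " .. endpoint .. " failed: " .. herr
        end
    end

    return sock
end

return _M
```

With verify set to true against a cluster that uses a private or self-signed CA, the nginx configuration must carry `lua_ssl_trusted_certificate /path/to/ca.pem;` (and a `lua_ssl_verify_depth` large enough for the chain); the assumption here is that the `trusted_certificate_file` item proposed in the thread would be rendered into that directive. Without it the handshake fails closed instead of silently trusting whatever certificate the peer presents, which is the behaviour a verify switch should have.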
