On Fri, Oct 30, 2020 at 10:45 AM Zhang Chao <[email protected]> wrote:
> After investigating more, I think whether to use a TLS connection with etcd
> can be decided by the scheme in the etcd endpoints, and we can just configure
> some auxiliary options in config-default.yaml like “verify”. PR was
> committed to GitHub.
> nice ^_^
>
>
> On October 25, 2020 at 11:02:56 AM, Zhang Chao ([email protected])
> wrote:
>
> So here is my newest thought about the TLS etcd connection:
>
>
> etcd:
>   ......
>
>   tls:
>     mode: simple   # TLS mode for communicating with the ETCD
>                    # cluster, optional values can be:
>                    #   disable: do not set up a TLS connection
>                    #            to ETCD endpoints.
>                    #   simple: originate a TLS connection to the
>                    #           ETCD endpoint
>                    # The default mode is disable.
>     verify: true   # Whether to verify the ETCD cluster certificate.
>
>     trusted_certificate_file: /path/to/ca   # Specify a file path with trusted CA certificates
>                                             # in the PEM format to verify the ETCD cluster certificate.
>
>
> The comments might need some improvements. Incidentally, we may put the
> trusted_certificate_file option into the “apisix” section, not only for the
> ETCD.
>
>
> Chao Zhang
> [email protected]
>
>
>
>
> On Oct 24, 2020, at 9:00 PM, Ming Wen <[email protected]> wrote:
> >
> > Nice, +1 for TLS etcd connection
> >
> > On Sat, Oct 24, 2020 at 8:57 PM, Zhang Chao <[email protected]> wrote:
> >
> >> Agreed with your idea.
> >>
> >> Chao Zhang
> >> [email protected]
> >>
> >>
> >>
> >>> On Oct 24, 2020, at 7:38 PM, Zexuan Luo <[email protected]> wrote:
> >>>
> >>>> taken here about the TLS SNI extension, the Session reuse and the SSL
> >>>> verification.
> >>>
> >>> I think we don't need to support SSL session reuse. Using TLS tickets is
> >>> enough, which is supported by the client automatically.
> >>>
> >>>> an explicit item like “verify”
> >>>
> >>> I think we should also support a customized trust CA like what
> >>> `lua_ssl_trusted_certificate` does. It is useful for self-signed
> >>> certificates.
> >>>
> >>>
> >>>
> >>> On Sat, Oct 24, 2020 at 11:04 AM, Zhang Chao <[email protected]> wrote:
> >>>
> >>>> Hello Community!
> >>>>
> >>>> Recently I observed some issues and discussion in the QQ group about the
> >>>> support of HTTPS for the ETCD cluster.
> >>>>
> >>>> I think it might be a necessary feature; although, due to the limitations of
> >>>> Cosocket, we cannot support mutual TLS
> >>>> authentication, we can still support the simple TLS mode: only
> >>>> authenticating the etcd cluster.
> >>>>
> >>>> So there are two things we need to do to support this.
> >>>>
> >>>> 1) lua-resty-etcd
> >>>>
> >>>> We should enhance lua-resty-etcd to support the optional SSL handshaking
> >>>> after connecting to one of the ETCD endpoints; care must be taken here about the
> >>>> TLS SNI extension, the Session reuse and the SSL verification.
> >>>>
> >>>> 2) APISIX
> >>>>
> >>>> We also should add some new items in the configuration, and use these new
> >>>> items when creating the etcd client objects.
> >>>>
> >>>> etcd:
> >>>>   ......
> >>>>
> >>>>   tls:
> >>>>     mode: simple   # TLS mode for communicating with the ETCD
> >>>>                    # cluster, optional values can be:
> >>>>                    #   disable: do not set up a TLS connection
> >>>>                    #            to ETCD endpoints.
> >>>>                    #   simple: originate a TLS connection to the
> >>>>                    #           ETCD endpoint
> >>>>                    # The default mode is disable.
> >>>>
> >>>> Something I cannot decide is how we configure the SNI. I don’t think
> >>>> exposing a configuration item like “sni” is a good way; I’m inclined to use
> >>>> existing items to deduce the SNI (like hosts?). On the other hand, I
> >>>> haven’t decided yet about the SSL verification. Maybe we can add more
> >>>> options for the mode like “weak”, “strict”, or an explicit item like
> >>>> “verify” is also OK. What’s your idea?
> >>>>
> >>>>
> >>>> Chao Zhang
> >>>> [email protected]
> >>>>
> >>>>
> >>>>
> >>>>
> >>
> >> --
> > Thanks,
> > Ming Wen, Apache APISIX & Apache SkyWalking
> > Twitter: _WenMing
>

--
*MembPhis*
My GitHub: https://github.com/membphis
Apache APISIX: https://github.com/apache/apisix
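An added example, not code from APISIX or lua-resty-etcd, showing how the design agreed in this thread could be resolved: TLS is selected by the endpoint scheme, `verify` and `trusted_certificate_file` are read as auxiliary options, and the SNI is deduced from the endpoint host rather than from a separate “sni” item. The `host` list key, the 2379 default port and the dict return shape are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

DEFAULT_ETCD_PORT = 2379  # assumption: etcd's conventional client port


@dataclass
class EtcdEndpoint:
    host: str
    port: int
    tls: bool            # decided purely by the URL scheme, as proposed in the thread
    sni: Optional[str]   # deduced from the host; None for IP literals (RFC 6066 forbids them)


def _sni_for(host: str) -> Optional[str]:
    """Use the endpoint host as SNI unless it is an IP literal."""
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return host


def resolve_etcd_tls(conf: dict) -> dict:
    """Resolve TLS settings from a dict shaped like the proposed `etcd:` section.

    Assumed layout: {"host": ["https://etcd-1:2379", ...],
                     "tls": {"verify": True, "trusted_certificate_file": "/path/to/ca"}}
    """
    tls_conf = conf.get("tls") or {}
    endpoints: List[EtcdEndpoint] = []
    for raw in conf["host"]:
        parts = urlsplit(raw)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"etcd endpoint must be http(s)://host[:port], got {raw!r}")
        use_tls = parts.scheme == "https"
        endpoints.append(EtcdEndpoint(parts.hostname, parts.port or DEFAULT_ETCD_PORT,
                                      use_tls, _sni_for(parts.hostname) if use_tls else None))
    if len({e.tls for e in endpoints}) > 1:
        # one client talks to the whole cluster, so mixed schemes are a configuration error
        raise ValueError("etcd endpoints mix http and https schemes")
    any_tls = any(e.tls for e in endpoints)
    return {
        "endpoints": endpoints,
        # the auxiliary options only matter once the scheme has selected TLS
        "verify": bool(tls_conf.get("verify", True)) if any_tls else False,
        "trusted_certificate_file": tls_conf.get("trusted_certificate_file") if any_tls else None,
    }
```

Endpoints given as IP literals get no SNI, so a cluster certificate verified against such an endpoint must carry the address in its SAN list.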
