tokers commented on issue #5608:
URL: https://github.com/apache/apisix/issues/5608#issuecomment-979587311


   > > It seems that you don't configure the username and password fields in APISIX configuration, so it won't carry the credential to ETCD.
   > 
   > Thanks for your reply. I think username and password are not necessary. If an etcd server is launched with the option --client-cert-auth=true, the field of Common Name (CN) in the client’s TLS cert will be used as an etcd user.
   > 
   > I did not set the username and password on dashboard config, but dashboard works well.
   > 
   > And my ssl pem follows this rule.
   > 
   > > STEP 3: create apisix ssl pems
   > > ```
   > > #cat apisix-csr.json
   > > {
   > >   "CN": "apisix",
   > >   "hosts": [
   > >   ],
   > >   "key": {
   > >     "algo": "rsa",
   > >     "size": 2048
   > >   },
   > >   "names": [
   > >     {
   > >       "C": "CN",
   > >       "ST": "DUMMY",
   > >       "L": "DUMMY",
   > >       "O": "etcd",
   > >       "OU": "DUMMY"
   > >     }
   > >   ]
   > > }
   > > ```
   > 
   > refer to https://etcd.io/docs/v3.4/op-guide/authentication/#using-tls-common-name
   > 
   > I force enable the debug mode of init_etcd, and got the following errmsg:
   > 
   > ```
   > CommonName of client sending a request against gateway will be ignored and not used as expected
   > ```
   > 
   > The error was ignored since the keyword "error" was missing in the response. For details, see [apisix](https://github.com/apache/apisix/blob/master/apisix/cli/etcd.lua#L350-L356) and [etcd](https://github.com/etcd-io/etcd/blob/main/server/embed/serve.go#L330-L341)
   
   Just in the docs you share:
   
   > Note that this feature cannot be used with gRPC-proxy and gRPC-gateway. This is because gRPC-proxy terminates TLS from its client so all the clients share a cert of the proxy. gRPC-gateway uses a TLS connection internally for transforming HTTP request to gRPC request so it shares the same limitation
   
   APISIX uses the gRPC gateway to communicate with ETCD.


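The thread above describes a startup check that missed a rejection because the reply did not contain the keyword "error". As an added example (not code from APISIX or etcd), the Python sketch below contrasts that keyword-only test with a stricter check on replies from etcd's HTTP gateway. The function names, the sample replies, and their status codes and JSON shapes are constructed assumptions; only the CommonName message text comes from the thread.

```python
import json

# Message text quoted in the thread above (first part of the gateway's reply).
CN_IGNORED = "CommonName of client sending a request against gateway will be ignored"


def naive_check(body):
    """Pattern described in the thread: only the keyword "error" is tested."""
    return "error" not in body


def check_etcd_reply(status, body):
    """Return (ok, reason) for one reply from etcd's HTTP gateway.

    A reply is accepted only when the status is 2xx and the body is a JSON
    object without an "error" member; anything else counts as a failure.
    """
    if CN_IGNORED in body:
        return False, "TLS CN auth is not honoured via the gateway; set user/password"
    if not 200 <= status < 300:
        return False, f"HTTP {status}: {body.strip()[:120]}"
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "non-JSON body on a 2xx reply"
    if not isinstance(doc, dict):
        return False, "unexpected JSON type"
    if "error" in doc:
        return False, f"etcd error: {doc['error']}"
    return True, "ok"


# Constructed sample replies; status codes and JSON shapes are assumptions.
SAMPLES = [
    (200, '{"etcdserver":"3.4.0","etcdcluster":"3.4.0"}'),
    (400, CN_IGNORED + " and not used as expected\n"),
    (401, '{"error":"etcdserver: user name is empty","code":3}'),
    (200, "<html>proxy login page</html>"),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, "naive:", naive_check(body), "strict:", check_etcd_reply(status, body))
```

The second sample is the case from the thread: the keyword test passes it, while the strict check reports it as a failure.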