-
Notifications
You must be signed in to change notification settings - Fork 9.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proxy authentication issues with auto-tls #9301
Comments
@YeruchamB I believe you need to also set |
@hexfusion Wouldn't that mean that I'd have to use authentication between the client and the proxy? |
@YeruchamB yeah but I was able to get that to work using curl. I think the issue I run into is that v2 etcdctl lacks https://github.com/hexfusion/etcd-compose-examples/blob/master/issues/9301/docker-compose.yml and then curl --insecure https://172.16.26.42:2379/v2/members against proxy and it works. I think if cluster is set with |
@hexfusion Can you explain the --insecure-verify-tls flag a bit? I'm really just looking for a way to have all communication be encrypted without having to deal directly with certificates. If I decide to forgo the proxy and use a Go client to communicate directly with the cluster, am I able to:
|
Sure so in the case you are outlining you have. etcd and the go
So that is Now on the So what this is saying is we are going to basically pass the go So you can't have etcd server with auto-tls and expect proxy to connect to it without that flag. etcd forces you to use So basically if you want to use v2 proxy and v2 etcdctl in the above manner. The way I see it you are out of luck currently. Which is why I brought up the v3 grpc-proxy.
Please read this over https://github.com/coreos/etcd/blob/master/Documentation/op-guide/security.md it outlines a lot of what I just said. But your bash script from what I can tell does what you want. Sorry to long be winded I hope this is useful |
@gyuho mind reading this over please? |
@hexfusion I've read the security.md guide previously but there doesn't exist an explanation there for how to the client is expected to communicate with the servers when they're configured to auto-tls.. Anyway, I took your advise and am running into a different error now.. I ran it with --debug and got: |
Good point so I did a bit more digging. @YeruchamB, I made some assumptions there which were false it seems regarding the client connection. So as noted in the issue #7654 auto-tls generates local key/cert. These are still required to connect your client even with --insecure-skip-tls-verify. Also noted is this should be used for testing only. So you would want to make sure your etcd is listening to localhost as well for this to work. But for production you would still generate your own certs.
|
@hexfusion Thanks. I would suggest that you possibly change it so that if im using --insecure-skip-tls-verify, it seems unnecessary to require a cert and key. Moving on, I generated a self-signed key pair and was able to run etcdctl succesfully. I tried writing a simple go binary that would just connect and watch on "foo" and im having connection errors... go code: import ( func main() {
} Error: Can you tell me what im doing wrong? |
Yeah, I need to review that further. It seems that way for a reason, probably to stop folks from using
@YeruchamB would love to help you but we are kind of moving off topic. Would you mind closing this issue and opening a new one re: clientv3? Maybe just back ref this ticket? Thanks! |
I recently found that you can connect to the v2 API with
I believe this because of https://pkg.go.dev/crypto/x509#CreateCertificate:
In our use case (inside Kubernetes pods) the
Our working example:
|
Hey I'm having similar problems as ###7930
I'm currently just trying to run a simple single-node cluster with one proxy as a POC.
I need the traffic between the proxy and server to be encrypted but not between the client and the proxy.
Cluster configuration:
#!/usr/bin/env bash
THIS_IP="$1"
THIS_NAME=infra-${THIS_IP}
TOKEN=token-02
CLUSTER_STATE=new
etcd --data-dir=data.etcd --name ${THIS_NAME}
--auto-tls --peer-auto-tls
--initial-advertise-peer-urls https://${THIS_IP}:2380 --listen-peer-urls https://${THIS_IP}:2380
--advertise-client-urls https://${THIS_IP}:2379 --listen-client-urls https://${THIS_IP}:2379
--discovery https://discovery.etcd.io/48f750c4f2254d71e7726b45abef4379
--initial-cluster-state ${CLUSTER_STATE} --initial-cluster-token ${TOKEN}
Proxy Configuration:
etcd --proxy on
--listen-client-urls http://127.0.0.1:2379
--peer-auto-tls
--discovery https://discovery.etcd.io/48f750c4f2254d71e7726b45abef4379 \
Trying to run a simple etcdctl command results in the following error:
ETCDCTL_API=2 ./etcdctl member list
2018-02-04 09:52:57.871465 I | proxy/httpproxy: failed to direct request to https://10.40.4.112:2379: x509: certificate signed by unknown authority
2018-02-04 09:52:57.871492 I | proxy/httpproxy: marked endpoint https://10.40.4.112:2379 unavailable
2018-02-04 09:52:57.871513 I | proxy/httpproxy: unable to get response from 1 endpoint(s)
2018-02-04 09:52:57.872778 I | proxy/httpproxy: zero endpoints currently available
client: etcd cluster is unavailable or misconfigured; error #0: dial tcp 127.0.0.1:4001: getsockopt: connection refused
; error #1: client: etcd member http://127.0.0.1:2379 has no leader
The text was updated successfully, but these errors were encountered: