Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/02/18 09:07:52 UTC
[GitHub] [apisix] zackzhangkai opened a new issue #3599: request help:
zackzhangkai opened a new issue #3599:
URL: https://github.com/apache/apisix/issues/3599
### Issue description
```yaml
# etcd:
#   host:
#     - "http://127.0.0.1:2379"
#
# To configure via environment variables, you can use `${{VAR}}` syntax. For instance:
#
# etcd:
#   host:
#     - "http://${{ETCD_HOST}}:2379"
```
How do I configure the etcd private key and PEM if my etcd uses https?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] zackzhangkai commented on issue #3599: request help: How to config etcd with https
zackzhangkai commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-782566439
It's about the etcd pem and key, not the address.
[GitHub] [apisix] zackzhangkai commented on issue #3599: request help: How to config etcd with https
zackzhangkai commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-781253352
My configuration is as follows, but it doesn't work:
```yaml
etcd:
  host:
    - "https://127.0.0.1:2379"
  tls:
    verify: true
    ssl_trusted_certificate: /etc/ssl/etcd/ssl/  # Specifies a file path with trusted CA certificates in the PEM format
  ...
```
[GitHub] [apisix] zackzhangkai commented on issue #3599: request help: How to config etcd with https
zackzhangkai commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-782575030
configmap:
```yaml
data:
  config.yaml: |
    etcd:
      host:
        - "https://etcd.kube-system.svc.cluster.local:2379"
      tls:
        verify: true
    apisix:
      ssl:
        ssl_trusted_certificate: /etc/ssl/etcd/ssl/
```
The deployment mounts this volume:
```yaml
- mountPath: /etc/ssl/etcd/ssl
  name: etcd-certs-0
  readOnly: true
...
volumes:
  - hostPath:
      path: /etc/ssl/etcd/ssl
      type: DirectoryOrCreate
    name: etcd-certs-0
```
Errors:
```
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init_etcd
request etcd endpoint 'https://etcd.kube-system.svc.cluster.local:2379/version' error, certificate verify failed
```
The certs have no problem:
```bash
[root@ssa3 ~]# curl https://127.0.0.1:2379/version --cacert /etc/ssl/etcd/ssl/ca.pem --cert /etc/ssl/etcd/ssl/admin-ssa3.pem --key /etc/ssl/etcd/ssl/admin-ssa3-key.pem
{"etcdserver":"3.3.12","etcdcluster":"3.3.0"}
```
[GitHub] [apisix] zackzhangkai commented on issue #3599: request help: How to config etcd with https
zackzhangkai commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-782583617
Got it, thank you. It is really mTLS.
[GitHub] [apisix] zackzhangkai commented on issue #3599: request help: How to config etcd with https
zackzhangkai commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-781252008
This uses a password, not a cert file. How can I configure my CA file path, such as `/etc/ssl/etcd/ssl`?
[GitHub] [apisix] dingwood commented on issue #3599: request help: How to config etcd with https
dingwood commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-791192362
Hope the mTLS function is coming soon...
[GitHub] [apisix] Firstsawyou commented on issue #3599: request help: How to config etcd with https
Firstsawyou commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-781247314
You can look here: https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L193-L204
It should help you.
[GitHub] [apisix] zackzhangkai commented on issue #3599: request help: How to config etcd with https
zackzhangkai commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-782130374
Configmap as follows:
```yaml
data:
  config.yaml: |
    etcd:
      host:
        - "https://127.0.0.1:2379"
    apisix:
      admin_key:
        - name: "admin"
          # yamllint disable rule:comments-indentation
          key: edd1c9f034335f136f87ad84b625c8f1  # using fixed API token has security risk, please update it when you deploy to production environment
          # yamllint enable rule:comments-indentation
          role: admin
kind: ConfigMap
```
Errors as follows:
```
k logs -f apisix-gw-deployment-57997cbbcd-q9j8n
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init_etcd
request etcd endpoint 'https://127.0.0.1:2379/version' error, connection refused
```
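An added config check (example code, not APISIX's own) that flags the two mistakes this thread surfaced, in the ConfigMap just above and in the TLS one earlier in the thread: a loopback etcd address when APISIX and etcd are not in the same pod, and a CA path that is a directory where the `ssl_trusted_certificate` comment asks for a PEM file. The dicts are constructed from the thread's config.yaml; `lint_etcd_tls` and `in_cluster` are hypothetical names.

```python
import ipaddress
import os
from urllib.parse import urlsplit

# Constructed: parsed forms of the two config.yaml attempts from the thread.
# Hypothetical linter, not APISIX code; it only encodes the mistakes the
# thread surfaced (loopback address from another pod, CA path that is a
# directory instead of a PEM file).
ATTEMPT_LOOPBACK = {  # produced "connection refused"
    "etcd": {"host": ["https://127.0.0.1:2379"]},
    "apisix": {},
}
ATTEMPT_CA_DIR = {  # produced "certificate verify failed"
    "etcd": {
        "host": ["https://etcd.kube-system.svc.cluster.local:2379"],
        "tls": {"verify": True},
    },
    "apisix": {"ssl": {"ssl_trusted_certificate": "/etc/ssl/etcd/ssl/"}},
}


def _is_loopback(hostname):
    """True for 'localhost', 127.0.0.0/8 and ::1."""
    if hostname == "localhost":
        return True
    try:
        return ipaddress.ip_address(hostname).is_loopback
    except ValueError:
        return False


def lint_etcd_tls(config, in_cluster):
    """Return (severity, message) findings for the etcd client settings.

    in_cluster: True when APISIX runs in Kubernetes and etcd is reached
    through a Service rather than as a sidecar in the same pod.
    """
    findings = []
    etcd = config.get("etcd", {})
    for url in etcd.get("host", []):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            findings.append(("error", f"{url}: scheme must be http or https"))
            continue
        if parts.scheme == "http":
            findings.append(("warn", f"{url}: plaintext etcd; prefer https"))
        if in_cluster and _is_loopback(parts.hostname or ""):
            findings.append(("error", f"{url}: loopback is only reachable "
                             "from a sidecar in the same pod; use the "
                             "Service DNS name"))
    # The thread placed the CA path under apisix.ssl; accept etcd.tls too.
    ca = (etcd.get("tls", {}).get("ssl_trusted_certificate")
          or config.get("apisix", {}).get("ssl", {}).get("ssl_trusted_certificate"))
    if ca is not None and (ca.endswith("/") or os.path.isdir(ca)):
        findings.append(("error", f"{ca}: directory given, but the setting "
                         "expects a single PEM file such as ca.pem"))
    return findings
```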
[GitHub] [apisix] tokers commented on issue #3599: request help: How to config etcd with https
tokers commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-781736956
> Not the mTLS, just https, you can understand as single tls.
Sorry, I misunderstood your meaning since I saw the CA configuration.
What's the behavior of "not work"? Could you paste some error logs?
[GitHub] [apisix] tokers edited a comment on issue #3599: request help: How to config etcd with https
tokers edited a comment on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-781736956
> Not the mTLS, just https, you can understand as single tls.
Sorry, I misunderstood your meaning since I saw the CA configuration.
What's the behavior of "not work"? Could you paste some error logs?
Also, please tell us which APISIX version you are using.
[GitHub] [apisix] zackzhangkai commented on issue #3599: request help: How to config etcd with https
zackzhangkai commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-781908606
I have consulted the code, and cannot find where to place the certificates. The configuration `ssl_trusted_certificate` may not be correct. I just tested it, and it has no effect. I just want to know how to configure https with a certificate.
The APISIX version is the latest.
[GitHub] [apisix] tokers commented on issue #3599: request help: How to config etcd with https
tokers commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-781267876
@zackzhangkai You may try to use etcd proxy.
[GitHub] [apisix] tokers commented on issue #3599: request help: How to config etcd with https
tokers commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-781267157
@zackzhangkai Currently mTLS is not supported yet.
[GitHub] [apisix] tokers commented on issue #3599: request help: How to config etcd with https
tokers commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-782518181
@zackzhangkai How did you deploy APISIX and the etcd cluster? Are they in the same pod? If not, you cannot access etcd from APISIX by `127.0.0.1`. You should, however, fill in the correct IP address or domain like "{etcd-service-name}.{namespace}.svc.cluster.local".
[GitHub] [apisix] zackzhangkai commented on issue #3599: request help: How to config etcd with https
zackzhangkai commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-782566372
```bash
# curl https://127.0.0.1:2379/version --cacert /etc/ssl/etcd/ssl/ca.pem --cert /etc/ssl/etcd/ssl/admin-ssa3.pem --key /etc/ssl/etcd/ssl/admin-ssa3-key.pem
{"etcdserver":"3.3.12","etcdcluster":"3.3.0"}
```
[GitHub] [apisix] zackzhangkai commented on issue #3599: request help: How to config etcd with https
zackzhangkai commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-781291786
Not mTLS, just https; you can understand it as single TLS.
[GitHub] [apisix] tokers commented on issue #3599: request help: How to config etcd with https
tokers commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-782566554
> ```shell
> # curl https://127.0.0.1:2379/version --cacert /etc/ssl/etcd/ssl/ca.pem --cert /etc/ssl/etcd/ssl/admin-ssa3.pem --key /etc/ssl/etcd/ssl/admin-ssa3-key.pem
> {"etcdserver":"3.3.12","etcdcluster":"3.3.0"}
> ```
Since you mentioned that your etcd cluster doesn't enable mTLS, why does your curl call still carry the client cert, key and cacert?
[GitHub] [apisix] zackzhangkai removed a comment on issue #3599: request help: How to config etcd with https
zackzhangkai removed a comment on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-782566439
[GitHub] [apisix] zackzhangkai commented on issue #3599: request help: How to config etcd with https
zackzhangkai commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-782579829
Though I curl with a certificate, it does not indicate the communication is mTLS. It's just because my etcd has enabled TLS. I think we have a misunderstanding about mTLS.
[GitHub] [apisix] zackzhangkai closed issue #3599: request help: How to config etcd with https
zackzhangkai closed issue #3599:
URL: https://github.com/apache/apisix/issues/3599
[GitHub] [apisix] tokers commented on issue #3599: request help: How to config etcd with https
tokers commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-782002141
@zackzhangkai You don't need to configure certificates on the APISIX side. Just using the "https" scheme in `etcd.host` is enough.
[GitHub] [apisix] tokers commented on issue #3599: request help: How to config etcd with https
tokers commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-782615428
@zackzhangkai Unfortunately, APISIX is not capable of using mTLS now; it's on our TODO list.
[GitHub] [apisix] zackzhangkai commented on issue #3599: request help: How to config etcd with https
zackzhangkai commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-783162296
Thanks a lot.
[GitHub] [apisix] zackzhangkai commented on issue #3599: request help: How to config etcd with https
zackzhangkai commented on issue #3599:
URL: https://github.com/apache/apisix/issues/3599#issuecomment-782577162
> > ```shell
> > # curl https://127.0.0.1:2379/version --cacert /etc/ssl/etcd/ssl/ca.pem --cert /etc/ssl/etcd/ssl/admin-ssa3.pem --key /etc/ssl/etcd/ssl/admin-ssa3-key.pem
> > {"etcdserver":"3.3.12","etcdcluster":"3.3.0"}
> > ```
>
> Since you mentioned that your etcd cluster doesn't enable mTLS, why does your curl call still carry the client cert, key and cacert?
Really, I got confused about mTLS. It's my fault. By the way, is there a proposal to support mTLS?