Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2020/10/28 07:54:26 UTC

[GitHub] [apisix] tokers opened a new pull request #2548: feat: support TLS connection with etcd.

tokers opened a new pull request #2548:
URL: https://github.com/apache/apisix/pull/2548


   ### What this PR does / why we need it:
   
   Support TLS connections when communicating with the etcd cluster. We added a configuration item to customize the certificate verification. Whether to set up a TLS connection or not depends on the endpoints' scheme; for instance, when the endpoints are:
   
   ```
   etcd:
     host:
       - "https://127.0.0.1:2379"
       - "https://127.0.0.1:3379"
   ```
   
   APISIX will originate the TLS connection automatically, and the Server Name Indication extension will be set from the endpoint host (`127.0.0.1` in the above case).
   
   This PR depends on https://github.com/api7/lua-resty-etcd/pull/86.
   
   ### Pre-submission checklist:
   
   * [x] Did you explain what problem does this PR solve? Or what new features have been added?
   * [ ] Have you added corresponding test cases?
   * [ ] Have you modified the corresponding document?
   * [x] Is this PR backward compatible?
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
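
The endpoint rule from the PR description (TLS chosen by URL scheme, SNI taken from the endpoint host), written out as a pre-deployment check. This is an added example, not code from APISIX or lua-resty-etcd; `plan_etcd_connections` is a hypothetical helper, it assumes the decision is made per endpoint, and the second host list is constructed.

```python
import ipaddress
from urllib.parse import urlsplit


def _is_ip_literal(host):
    """True when the endpoint host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def plan_etcd_connections(hosts):
    """Return (plans, warnings) for a list of etcd endpoint URLs.

    Assumption: TLS is enabled per endpoint when its scheme is https, and
    the SNI value is that endpoint's host, as the PR description states.
    """
    plans, warnings = [], []
    for url in hosts:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"unsupported etcd endpoint: {url!r}")
        use_tls = parts.scheme == "https"
        plans.append({"endpoint": url, "tls": use_tls,
                      "sni": parts.hostname if use_tls else None})
        if use_tls and _is_ip_literal(parts.hostname):
            # RFC 6066 does not permit IP literals in the SNI HostName, so
            # verification has to rely on an IP SAN in the server certificate.
            warnings.append(f"{url}: SNI would be an IP literal")
    if len({p["tls"] for p in plans}) > 1:
        # One plaintext endpoint exposes the same keys the TLS ones protect.
        warnings.append("mixed http/https endpoints in one etcd host list")
    return plans, warnings


if __name__ == "__main__":
    page_hosts = ["https://127.0.0.1:2379", "https://127.0.0.1:3379"]
    constructed_hosts = ["https://etcd-1.example.internal:2379",
                         "http://etcd-2.example.internal:2379"]
    for hosts in (page_hosts, constructed_hosts):
        plans, warnings = plan_etcd_connections(hosts)
        for plan in plans:
            print(plan)
        for warning in warnings:
            print("WARN", warning)
```
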



[GitHub] [apisix] membphis commented on pull request #2548: feat: support TLS connection with etcd.

Posted by GitBox <gi...@apache.org>.
membphis commented on pull request #2548:
URL: https://github.com/apache/apisix/pull/2548#issuecomment-720919403


   @tokers merged, many thx for your contribution.





[GitHub] [apisix] tokers commented on pull request #2548: feat: support TLS connection with etcd.

Posted by GitBox <gi...@apache.org>.
tokers commented on pull request #2548:
URL: https://github.com/apache/apisix/pull/2548#issuecomment-717979616


   Will add test cases after the corresponding pr in lua-resty-etcd is merged.
   
   
   -- 
   Zhang Chao
   
   On October 28, 2020 at 22:32:05, YuanSheng Wang (notifications@github.com) wrote:
   
   > missing test case ^_^
   





[GitHub] [apisix] juzhiyuan commented on a change in pull request #2548: feat: support TLS connection with etcd.

Posted by GitBox <gi...@apache.org>.
juzhiyuan commented on a change in pull request #2548:
URL: https://github.com/apache/apisix/pull/2548#discussion_r514614005



##########
File path: apisix/core/config_etcd.lua
##########
@@ -472,6 +472,10 @@ function _M.new(key, opts)
     etcd_conf.protocol = "v3"
     etcd_conf.api_prefix = "/v3"
 
+    if etcd_conf.tls and etcd_conf.tls then
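
Review bot: the condition on the added line tests `etcd_conf.tls` twice, so the second operand is redundant and the check is equivalent to `if etcd_conf.tls then`. If the intent was to guard a field inside the `tls` table before the body reads it, name that field as the second operand; otherwise drop the duplicate so the condition says what it actually checks.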

Review comment:
       Why double variable?







[GitHub] [apisix] membphis merged pull request #2548: feat: support TLS connection with etcd.

Posted by GitBox <gi...@apache.org>.
membphis merged pull request #2548:
URL: https://github.com/apache/apisix/pull/2548


   





[GitHub] [apisix] tokers commented on pull request #2548: feat: support TLS connection with etcd.

Posted by GitBox <gi...@apache.org>.
tokers commented on pull request #2548:
URL: https://github.com/apache/apisix/pull/2548#issuecomment-719148269


   > > I think we can also use the etcd proxy locally as an interim solution
   > > [Apache APISIX -> etcd proxy(cert) ]--http mTLS-->[etcd]
   > 
   > Do you mean add sidecar for etcd proxy(cert)?
   
   I think not the sidecar but a "central bus", a bunch of etcd proxy instances to delegate the backend etcd cluster. Actually it loses the real effect to use client certificate auth, since the proxy can be accessed by any user.





[GitHub] [apisix] membphis commented on pull request #2548: feat: support TLS connection with etcd.

Posted by GitBox <gi...@apache.org>.
membphis commented on pull request #2548:
URL: https://github.com/apache/apisix/pull/2548#issuecomment-717972996


   missing test case ^_^





[GitHub] [apisix] Miss-you edited a comment on pull request #2548: feat: support TLS connection with etcd.

Posted by GitBox <gi...@apache.org>.
Miss-you edited a comment on pull request #2548:
URL: https://github.com/apache/apisix/pull/2548#issuecomment-718889945


   I think we can also use the etcd proxy locally as an interim solution
   
   [Apache APISIX -> etcd proxy(cert) ]--http mTLS-->[etcd]





[GitHub] [apisix] tokers commented on a change in pull request #2548: feat: support TLS connection with etcd.

Posted by GitBox <gi...@apache.org>.
tokers commented on a change in pull request #2548:
URL: https://github.com/apache/apisix/pull/2548#discussion_r514696232



##########
File path: apisix/core/config_etcd.lua
##########
@@ -472,6 +472,10 @@ function _M.new(key, opts)
     etcd_conf.protocol = "v3"
     etcd_conf.api_prefix = "/v3"
 
+    if etcd_conf.tls and etcd_conf.tls then

Review comment:
       Oops, it may be because of my naughty vim.







[GitHub] [apisix] Miss-you commented on pull request #2548: feat: support TLS connection with etcd.

Posted by GitBox <gi...@apache.org>.
Miss-you commented on pull request #2548:
URL: https://github.com/apache/apisix/pull/2548#issuecomment-718889945


   I think we can also use the etcd proxy locally.
   [Apache APISIX -> etcd proxy(cert) ]--http mTLS-->[etcd]





[GitHub] [apisix] tokers commented on pull request #2548: feat: support TLS connection with etcd.

Posted by GitBox <gi...@apache.org>.
tokers commented on pull request #2548:
URL: https://github.com/apache/apisix/pull/2548#issuecomment-720416970









[GitHub] [apisix] moonming commented on pull request #2548: feat: support TLS connection with etcd.

Posted by GitBox <gi...@apache.org>.
moonming commented on pull request #2548:
URL: https://github.com/apache/apisix/pull/2548#issuecomment-719071635


   > I think we can also use the etcd proxy locally as an interim solution
   > 
   > [Apache APISIX -> etcd proxy(cert) ]--http mTLS-->[etcd]
   
   Do you mean add sidecar for etcd proxy(cert)?





[GitHub] [apisix] tokers edited a comment on pull request #2548: feat: support TLS connection with etcd.

Posted by GitBox <gi...@apache.org>.
tokers edited a comment on pull request #2548:
URL: https://github.com/apache/apisix/pull/2548#issuecomment-719148269


   > > I think we can also use the etcd proxy locally as an interim solution
   > > [Apache APISIX -> etcd proxy(cert) ]--http mTLS-->[etcd]
   > 
   > Do you mean add sidecar for etcd proxy(cert)?
   
   I think not the sidecar but a "central bus", a bunch of etcd proxy instances to delegate the backend etcd cluster.
   Actually it loses the real effect to use client certificate auth, since the proxy can be accessed by any user.

