feature: support talking to etcd via TLS. #158

Closed
membphis opened this issue Jun 26, 2019 · 9 comments
@membphis
Member

No description provided.

@membphis membphis added this to the 0.6 milestone Jun 26, 2019
@membphis membphis mentioned this issue Jun 26, 2019
@membphis membphis changed the title feature: support to connect etcd with TLS. feature: support talking to etcd via TLS. Jun 28, 2019
@membphis
Member Author

membphis commented Jul 4, 2019

The TLS authentication for etcd is usually bidirectional, but cosocket is not supported now. Fortunately, there is currently a PR in progress.

We need to fix this first: openresty/lua-nginx-module#997

@membphis membphis modified the milestones: 0.6, 0.7 Jul 17, 2019
@membphis membphis modified the milestones: 0.7, 1.0 Jul 31, 2019
@moonming
Member

moonming commented Aug 5, 2019

TLS authentication is important for end-to-end auth, not just for etcd.

@moonming
Member

Based on this PR: openresty/lua-nginx-module#1599, we can do more things about end-to-end auth.

@Miss-you
Member

Hi, I believe that we don't need to support TLS, or that the priority of this requirement is not high, or that it is even a pseudo-demand. TLS/HTTPS solves the risk of data being hijacked on the WAN. APISIX usually accesses etcd via LAN, and messages on the LAN usually do not need to be considered for hijacking.
If we need to access etcd via the WAN, encryption methods such as TLS are necessary.

@phin1x

phin1x commented Aug 11, 2020

Is there any progress on this issue? TLS communication and mTLS auth are very important for etcd.
Accessing etcd via LAN is no excuse. In enterprise or shared environments you have dozens of applications running in the same network. If one of those apps gets hijacked, it can easily access your data.
For development purposes it is OK to run an insecure setup; in production, end-to-end encryption and authentication is a basic requirement, no matter where etcd is running!

@membphis
Member Author

> Is there any progress on this issue?

The official OpenResty still does not support mTLS now. We have to wait.

@moonming
Member

moonming commented Aug 13, 2020 via email

@membphis
Member Author

OpenResty already supports mTLS.

openresty/lua-resty-core#278

We still need to wait more time.

@spacewander
Member

Solved by #2584. Server-side TLS verification is enough to use by now.
