-
Notifications
You must be signed in to change notification settings - Fork 740
cannot turn off client cert auth in etcd using v0.5.2 and v3.1.10 #1416
Comments
@raoofm |
I'm not sure what you need. Do you want me to paste the yaml files. deployment.yaml
@hongchaodeng As I need to talk to cluster from any machine using etcdctl or curl to add auth/kv |
I mean if the etcd cluster is just being used for kubernetes then it makes sense to have only clients with proper certs to talk to it. What if any microservice which doesn't have any certs but just needs to talk to the load balancer on https. |
my setup is as described here |
So by deployment I mean how do you use etcd cluster. From the context I saw that apps are talking to etcd cluster via a LB. Is it network (L4) load balancer, right? |
Without certs, this will only provide transport security, not authenticity. |
@hongchaodeng how about the above use case, say for maintainence
Yes
etcd has v3 auth to talk to for authentication. |
i need a public facing aws load balancer for the apps to talk to etcd |
Yeah. Your use case sounds good. I'm making sure it is clear here. So you want to disable "client-cert-auth", right? Ref: etcd docs. In your expected deployment, it has:
|
@hongchaodeng the problem is after creating the load balancer I'm unable to call the endpoint with curl or etcdctl (using the client certs that were generated for operator) so the lb is a layer4 and it just forwards the tcp traffic What is the intention here, the clients should call lb using http or https. That gets forwarded to etcd-dev-cluster-client-service-lb.etcd:2379 TCP When I used etcdctl with etcd-dev-cluster-client-service-lb.etcd:2379 endpoint from the etcd-operator pod (using sh) then it worked but not publicly. |
Did you add the LB domain name into the SAN of the cert? Check by:
The address that etcd client (e.g. etcdctl) talks to is checked against with the server cert's SAN. |
So if I understand correctly, you mean to distribute etcd-client-crt, etcd-client-key, etcd-client-ca (ref https://github.com/coreos/etcd-operator/blob/master/doc/user/cluster_tls.md#operatorsecret) to all the clients that need to talk to etcd Thats what I tried so below works from a pod, when I sh into one of the etcd-cluster pods but not from outside
It doesn't work from outside when I run below
|
So this is what I mean "the address etcd client talks to". |
@hongchaodeng awesome. So as the lb name is dynamic, i created a rout53 entry for it and added the name to the SAN. etcdctl worked fine
👍 On a separate note, can you consider the usecase of disabling client-cert-auth? (In case anyone wants to configure it that way) |
Well. It's easy to add new features but it's hard to maintain. That's why we need to justify when we add new features. I am not sure that disabling client auth would simplify things since CA cert still needs to be distributed. So that's like giving up a part of security but no gaining.. Maybe there are use cases I don't know. But so far that is not a wise choice. |
And actually disabling client auth won't solve your previous problem.. this issue should be renamed to about TLS setting. One improvement would be that server side returns better message like your address is not in SAN. |
I'm not sure if I understand this. If CA is trusted by everyone say Verisign/Digicert then why do we need to distribute anything. The tls would work as is without client cert auth. (Encrypted connection without auth, auth will be done by etcd v3 auth) |
I see. We usually use self signed CA. |
@hongchaodeng agree, I'm as well using self signed certs, I was just presenting a usecase. In my case even though I'm using self signed, I can impose the CA to be copied to every machines trust store (/etc/ssl/certs/) We can argue that the client certs can be copied over as well, but I want only the communication to be secure, I can be free to choose the auth channel or protection(clientCert/userPass/securityGroups/cors) |
@hongchaodeng @xiang90 the other challenge that we face is if we share the same client cert with all the clients which as per example is carrying the CN as client. The v3 auth says that if client-cert-auth is enabled and client is presenting the cert then CN will be used as user and it needs no pass. But we want to configure role based access where each user has access to limited keys. If we use client-cert-auth then we need to generate certs for each user. |
@raoofm
Auth support should be done first before addressing the CN name as user name issue. ref: #1051 |
@hongchaodeng I mentioned a comment here I think both are very important features. v3 auth is a must to have and addressing the problem of CN as user, which should be optional. |
@hongchaodeng The second issue of CN as user is fixed in etcd. After the disccusion etcd team agreed that user when passed in basic auth should take priority over CN as username. Check here etcd-io/etcd#8584. Now we just need to take care of enabling v3 auth as in #1051 |
also the ability to turn of client-cert-auth remains open too along with enabling v3 auth |
Part of the issue is resolved in etcd. |
@hongchaodeng enabling v3 basic auth and option to disable client-cert-auth are two different issues. I think #1416 and #1051 are two issues. Unless you want to copy this over there. |
Yeah.. Sorry my mistake. |
Note that "username over cert CN" feature in etcd is available after https://github.com/coreos/etcd/releases/tag/v3.3.0-rc.3 |
@hongchaodeng does that mean we should start looking at #1731 |
I have the same requirements, would like etcd-operator to use cert to do livenessprobe, and use user/pass auth for each clients, which means I don't want to set "client-cert-auth" to true so that I don't need to generate client certs for each client. |
i also also had the need to disable client cert auth, and it seems like you actually have to unset these two options: --trusted-ca-file just removing client-cert-auth is not enough, you have to also remove the trusted-ca-file option. |
I'm unable to access etcd via LoadBalancer after enabling tls. I thought this might be due to client-cert-auth=true flag being set. So I tried to disable client auth but the flag is being ignored by etcd as they have logic in place that ignores flag if already set.
2017-09-19 20:01:52.520944 I | pkg/flags: recognized environment variable ETCD_CLIENT_CERT_AUTH, but unused: shadowed by corresponding flag
https://github.com/coreos/etcd/blob/f1509a102c192035a5467304b34f1226e100d88a/pkg/flags/flag.go#L119
service.yaml
The text was updated successfully, but these errors were encountered: