etcdmain: added peer-client-{client,key}-file parameters for supporting separate client and server certs when communicating between peers #12705
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ptabor
suggested changes
Feb 22, 2021
Codecov Report
@@ Coverage Diff @@
## master #12705 +/- ##
===========================================
- Coverage 72.74% 58.93% -13.82%
===========================================
Files 422 422
Lines 33018 33035 +17
===========================================
- Hits 24019 19469 -4550
- Misses 7081 11780 +4699
+ Partials 1918 1786 -132
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
ptabor
approved these changes
Feb 28, 2021
There was a problem hiding this comment.
LGTM. Thank you.
Please fix the formatting nit:
'gofmt' started at Sun Feb 28 11:08:07 UTC 2021
integration/cluster.go
diff -u integration/cluster.go.orig integration/cluster.go
--- integration/cluster.go.orig 2021-02-28 11:08:11.164866774 +0000
+++ integration/cluster.go 2021-02-28 11:08:11.164866774 +0000
@@ -90,7 +90,7 @@
testTLSInfoWithSpecificUsage = transport.TLSInfo{
KeyFile: "../fixtures/server-serverusage.key.insecure",
CertFile: "../fixtures/server-serverusage.crt",
- ClientKeyFile: "../fixtures/client-clientusage.key.insecure",
+ ClientKeyFile: "../fixtures/client-clientusage.key.insecure",
ClientCertFile: "../fixtures/client-clientusage.crt",
TrustedCAFile: "../fixtures/ca.crt",
ClientCertAuth: true,
./scripts/fix.sh should do the trick.
astromechza
changed the title
|
Thanks @ptabor, sorry for the delay here, the e2e tests are a bit flakey on my machine so it took a bit to be confident in the change. Certs are working well now. |
…client and server certs when communicating between peers In some environments, the CA is not able to sign certificates with both 'client auth' and 'server auth' extended usage parameters and so an operator needs to be able to set a seperate client certificate to use when making requests which is different to the certificate used for accepting requests. This applies to both proxy and etcd member mode and is available as both a CLI flag and config file field for peer TLS. Signed-off-by: Ben Meier <ben.meier@oracle.com>
|
A further adjustment added to make it clear this works for proxy mode as well. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Due to some certificate authorities not issuing certificates with both client and server usage modes. We needed a way of providing explicit override certs for the server side.
The api is a little awkard, but aims to not break compatibility. Any alternative suggestions are welcomed.