Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

embedetcd: Allow passing in a *tls.Config object for the embedded ETCD Server #17130

Open
wants to merge 5 commits into
base: main
Choose a base branch
from

Conversation

RaphSku
Copy link

@RaphSku RaphSku commented Dec 16, 2023

The idea is that not only paths to certificate file paths should be possible to define in *embed.Config.ClientTLSInfo and *embed.Config.PeerTLSInfo but also *tls.Config where the certificates could be generated programmatically.

For more details, see the issue: #16339

@k8s-ci-robot
Copy link

Hi @RaphSku. Thanks for your PR.

I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@NHAS
Copy link

NHAS commented Feb 18, 2024

Has there been any movement on this? I'd very much like to see this be merged

@RaphSku
Copy link
Author

RaphSku commented Feb 18, 2024

Has there been any movement on this? I'd very much like to see this be merged

I'm on it, just had not much time at hand during new year transition but I'm picking up again, hope I will submit a valid PR in approx. 2 weeks.

@NHAS
Copy link

NHAS commented Feb 18, 2024

Oh that's totally fine! Thank you so much for your work, it's geniuely very helpful.

@RaphSku RaphSku marked this pull request as ready for review April 7, 2024 14:59
@RaphSku
Copy link
Author

RaphSku commented Apr 7, 2024

Hey everyone, I needed to refactor and restructure a lot of the code in the embed code. Its passing the tests but I will probably still need to add a few tests, at least another integration test but I wanted to get feedback from you all whether this is going into the right direction or if I am over-engineering it. Thank you all a lot!

@JSmith-Aura
Copy link

I unfortunately dont have the ability to test this right at this second. But I am pinging this thread as I very much want this to be part of the etcd project as it will remove a lot of projects using the antipattern of generating 10 year long certs and enables integration with acme.

@siyuanfoundation
Copy link
Contributor

cc @awadmhamad

@jmhbnz
Copy link
Member

jmhbnz commented Jun 6, 2024

Discussed during sig-etcd triage meeting, @RaphSku do you have capacity to continue this work? If so can you please rebase this pr. Thanks

@RaphSku
Copy link
Author

RaphSku commented Jun 7, 2024

@jmhbnz I have rebased the PR. Thank you for asking. Yes, I have capacity to work on it. - I still have to fix a few errors that I have introduced by rebasing

server/embed/config.go Fixed Show fixed Hide fixed
@RaphSku
Copy link
Author

RaphSku commented Jun 7, 2024

@jmhbnz I have fixed the rebase changes. The tests are green again. But as I said, would be good if someone could take a look and point me to the right direction.

@jmhbnz
Copy link
Member

jmhbnz commented Jun 8, 2024

/ok-to-test

RaphSku added 4 commits July 27, 2024 10:43
only allow transport.TLSInfo but also tls.Config

Fields CustomClientTLSConfig and CustomPeerTLSConfig added to
embed.Config to allow for the injection of programmatically generated
TLS configurations. Therefore, the above mentioned functions were
refactored to allow the usage of both. Also, two unit tests were being
added to config_test.go.

Signed-off-by: Raphael Skuza <rapsku.dev@gmail.com>
…D server

Fields CustomClientTLSConfig and CustomPeerTLSConfig added to embed. Config to allow for the injection of programmatically generated TLS configurations. Therefore, refactoring of the embed ETCD code is necessary.

Signed-off-by: Raphael Skuza <rapsku.dev@gmail.com>
…D server

Fields CustomClientTLSConfig and CustomPeerTLSConfig added to embed Config to allow for the injection of programmatically generated TLS configuration.
Added a new interface called tlsConfigConstraint that allows in to pass tls.Config and transport.TLSInfo such that we do not have to change the
function signature.

Signed-off-by: Raphael Skuza <rapsku.dev@gmail.com>
…D server

Added filterOutInsecureCipherSuitesByID function to filter out all
insecure ciphers that would be passed to tls.Config in
updateCipherSuites function.

Signed-off-by: Raphael Skuza <rapsku.dev@gmail.com>
@k8s-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: RaphSku
Once this PR has been reviewed and has the lgtm label, please assign wenjiaswe for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

server/embed/config.go Fixed Show fixed Hide fixed
…D server

Removed the update of TLS Cipher Suites if tls Config is passed since
tls CipherSuites are secure by default if tls.Config.CipherSuites is
nil.

Signed-off-by: Raphael Skuza <rapsku.dev@gmail.com>
@RaphSku
Copy link
Author

RaphSku commented Jul 27, 2024

/retest

1 similar comment
@RaphSku
Copy link
Author

RaphSku commented Jul 27, 2024

/retest

@RaphSku
Copy link
Author

RaphSku commented Jul 27, 2024

@jmhbnz All checks have passed, is there someone available that would have time to review this PR?

@k8s-ci-robot
Copy link

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@NHAS
Copy link

NHAS commented Oct 27, 2024

Is anyone able to give this a look at merge it?

@lingyuan2014
Copy link

Bump -- would be great if one of the repo owners could help merge.

@NHAS
Copy link

NHAS commented Nov 23, 2024

Double bump I think this would be an excellent feature to have and simplify the tls cert management in other products like k3s

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging this pull request may close these issues.

7 participants