
Support multiple values for allowed client and peer TLS identities #18015

Merged
merged 1 commit into from
Jun 7, 2024

Conversation

@lhy1024 (Contributor) commented May 15, 2024

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.

From #13460

We also need similar features, and hope etcd can support multiple values for allowed client. Ref tikv/pd#5134

Fixes #11728

@k8s-ci-robot commented

Hi @lhy1024. Thanks for your PR.

I'm waiting for an etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@jmhbnz (Member) left a comment

Hi @lhy1024 - Thanks for proposing this. It looks like some of the commits are not signed. Can you please take a look and ensure all commits are signed so the developer certificate of origin check passes?

In this case it may involve changing author or re-doing some of the commits to ensure you can sign them off.

@jmhbnz (Member) commented May 16, 2024

/ok-to-test

@lhy1024 (Contributor, Author) commented May 23, 2024

/test pull-etcd-e2e-amd64

@lhy1024 (Contributor, Author) commented May 23, 2024

/retest-required

@lhy1024 (Contributor, Author) commented May 23, 2024

/retest

@lhy1024 (Contributor, Author) commented May 23, 2024

/test pull-etcd-e2e-amd64

@lhy1024 (Contributor, Author) commented May 23, 2024

/test pull-etcd-unit-test

@lhy1024 (Contributor, Author) commented May 23, 2024

/retest-required

@lhy1024 (Contributor, Author) commented May 23, 2024

@jmhbnz PTAL.

BTW, could this PR be picked to 3.5 or 3.4?

@jmhbnz (Member) left a comment

Thanks for resurrecting this @lhy1024. I think it would be helpful if you could expand on your reasons/motivations for wanting this in the pr description so the why is clear.

Overall I think the changes themselves seem reasonable, besides the potential breaking change decision mentioned below. However to set expectations given this is TLS we need wider careful review which can take a while.

cc @ahrtr, @serathius to please also take a look at this.

client/pkg/transport/listener.go (review thread, resolved)
@lhy1024 (Contributor, Author) commented May 25, 2024

Thanks for resurrecting this @lhy1024. I think it would be helpful if you could expand on your reasons/motivations for wanting this in the pr description so the why is clear.

Overall I think the changes themselves seem reasonable, besides the potential breaking change decision mentioned below. However to set expectations given this is TLS we need wider careful review which can take a while.

cc @ahrtr, @serathius to please also take a look at this.

I am part of the team at PingCAP, a company dedicated to open-source database solutions. Our database comprises three core components: TiDB, TiKV, and PD. Currently, we are working to enhance our database's capabilities by supporting multiple CNs for SSL/TLS certificates, which is crucial for many of our users' security configurations.

However, we've encountered a limitation with PD, which relies on an embedded etcd. Unfortunately, etcd does not currently support multiple CNs, which has prompted the need for this pull request. By merging this PR, we aim to overcome this limitation, thereby aligning TiDB with the security flexibility required by modern distributed systems.

Additionally, I noticed that Datadog, another prominent player in the industry, has also implemented a similar feature by picking old PRs for their fork. This observation suggests that there is a broader demand for such a feature, indicating its potential utility and impact within the community.

Given the nature of this update and its implications on TLS configurations, I understand and appreciate the need for a thorough and careful review process. I look forward to the feedback from the community and thank you in advance for your careful consideration.

@ahrtr ahrtr self-requested a review May 25, 2024 16:11
@lhy1024 (Contributor, Author) commented May 30, 2024

PTAL @jmhbnz

@lhy1024 (Contributor, Author) commented Jun 3, 2024

Friendly ping @jmhbnz @ahrtr

server/embed/config.go (review thread, outdated, resolved)
server/etcdmain/help.go (review thread, outdated, resolved)
tests/e2e/etcd_config_test.go (review thread, outdated, resolved)
tests/e2e/etcd_config_test.go (review thread, outdated, resolved)
tests/e2e/etcd_config_test.go (review thread, outdated, resolved)
@ahrtr (Member) commented Jun 3, 2024

Overall looks good with a couple of minor comments. Thanks

@ahrtr (Member) commented Jun 3, 2024

Please squash the commits into one commit.

@lhy1024 (Contributor, Author) commented Jun 3, 2024

/test pull-etcd-unit-test

@lhy1024 (Contributor, Author) commented Jun 3, 2024

/test pull-etcd-integration-1-cpu-amd64

@ahrtr (Member) left a comment

LGTM

Please also add a changelog item for 3.6, in this PR or in a separate PR.

@lhy1024 (Contributor, Author) commented Jun 3, 2024

LGTM

Please also add a changelog item for 3.6, in this PR or in a separate PR.

OK, I will do it in another PR. BTW, could this PR be picked to 3.5 or other release?

@lhy1024 (Contributor, Author) commented Jun 4, 2024

LGTM - Nice work @lhy1024

Thank you for reviewing the changes. Could you please let me know when this PR might be merged? Is there anything else I need to do to speed up this process?

@jmhbnz (Member) commented Jun 4, 2024

Thank you for reviewing the changes. Could you please let me know when this PR might be merged? Is there anything else I need to do to speed up this process?

cc @serathius for additional review.

@lhy1024 lhy1024 requested a review from serathius June 5, 2024 03:13
@lhy1024 (Contributor, Author) commented Jun 6, 2024

Friendly ping @serathius

@lhy1024 (Contributor, Author) commented Jun 7, 2024

Will we merge it? @serathius @jmhbnz @ahrtr

@jmhbnz jmhbnz merged commit 8a376e8 into etcd-io:main Jun 7, 2024
47 checks passed
@jmhbnz (Member) commented Jun 7, 2024

Merged. Thanks @lhy1024 please also add a changelog item for 3.6 in a separate PR.

@lhy1024 (Contributor, Author) commented Jun 7, 2024

Merged. Thanks @lhy1024 please also add a changelog item for 3.6 in a separate PR.

I've added the changelog in #18140. BTW, will this PR be picked to 3.4 or 3.5? If so, what steps should I follow next?

@lhy1024 lhy1024 deleted the cn branch June 7, 2024 03:47
@serathius (Member) commented

No picking, this is a feature so we will not backport it.

@ahrtr (Member) commented Jun 7, 2024

No picking, this is a feature so we will not backport it.

General thoughts from my side.

  • I agree that we shouldn't backport a feature to 3.4, since we encourage users to upgrade to 3.5.
  • But I have no objection to backporting a feature to 3.5 if
    • it isn't a major change, or doesn't change the etcdserver core,
    • and more users push for it.

@lhy1024 (Contributor, Author) commented Jun 7, 2024

No picking, this is a feature so we will not backport it.

General thoughts from my side.

  • I agree that we shouldn't backport a feature to 3.4, since we encourage users to upgrade to 3.5.
  • But I have no objection to backporting a feature to 3.5 if
    • it isn't a major change, or doesn't change the etcdserver core,
    • and more users push for it.

Yes, I would also like it to be picked so that more users can use this feature. That's why I committed this PR: PingCAP needs this feature. And I noticed that a similar PR, #17861, was also picked to 3.5.

@lhy1024 (Contributor, Author) commented Jun 12, 2024

Could you please let me know whether this PR will be picked to 3.5? @serathius @jmhbnz

@ahrtr (Member) commented Jun 12, 2024

Could you please let me know whether this PR will be picked to 3.5? @serathius @jmhbnz

Note that etcd is an open-source, community-driven project. If you want something, you need to drive it, and try to get as much support as possible.

@lhy1024 (Contributor, Author) commented Jun 12, 2024

Could you please let me know whether this PR will be picked to 3.5? @serathius @jmhbnz

Note etcd is an open source & community driven project. If you want something, you need to drive it, and try to get as much support as possible.

Thank you for your support and suggestions. My previous question was just to make sure whether the community supports this behavior. I have tried to open a PR to pick it. PTAL. #18160

Development

Successfully merging this pull request may close these issues.

allowed-hostname only supports a single hostname
5 participants