feat: support TLS connection with etcd. #2548
missing test case ^_^
Will add test cases after the corresponding pr in lua-resty-etcd is merged.
…--
Zhang Chao
On October 28, 2020 at 22:32:05, YuanSheng Wang (***@***.***) wrote:
missing test case ^_^
I think we can also use the etcd proxy locally as an interim solution [Apache APISIX -> etcd proxy(cert) ]--http mTLS-->[etcd]
Do you mean adding a sidecar for etcd proxy(cert)?
8911931 to 2084efa
I think not the sidecar but a "central bus", a bunch of etcd proxy instances to delegate the backend etcd cluster.
2084efa to d3cd815
I have added some test cases.
d3cd815 to d647e90
We'd better keep far away from
OK.
… of resorting to service container
90936ed to d7960b1
we need more test cases.
After enabling TLS, confirm that we can successfully set/get route.
Fair enough.
@membphis Cases supplemented
@tokers merged, many thx for your contribution.
What this PR does / why we need it:
Support TLS connections when communicating with the etcd cluster. We added a configuration item to customize the certificate verification. Whether to set up a TLS connection or not depends on the endpoints' scheme; for instance, when the endpoints are:
APISIX will originate the TLS connection automatically, and the Server Name Indication extension will be set from the endpoint host (127.0.0.1 in the above case). Note that by default APISIX will verify the certificate; close the verification in the configuration explicitly if you want to bypass it.
Commits will be rebased after the changes are LGTM.
Pre-submission checklist:
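
The behaviour described in the PR text above (TLS chosen by endpoint scheme, server name taken from the endpoint host, verification on unless explicitly disabled), sketched in Python as an added example; it is not code from this PR, from APISIX or from lua-resty-etcd. The function name `tls_plan`, its `verify` parameter and the sample endpoints are assumptions made for illustration.

```python
import ipaddress
import ssl
from urllib.parse import urlsplit


def tls_plan(endpoint, verify=True):
    """Return None for a plain-HTTP endpoint, else the TLS client settings.

    `verify` stands in for the configuration item the PR describes; the
    name is an assumption, not APISIX's configuration key.
    """
    url = urlsplit(endpoint)
    if url.scheme == "http":
        return None                      # http:// endpoint: no TLS at all
    if url.scheme != "https" or not url.hostname:
        raise ValueError(f"unsupported etcd endpoint: {endpoint!r}")

    ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname check
    if not verify:
        # Explicit opt-out: the peer is no longer authenticated, so the
        # connection is encrypted but not bound to the real etcd server.
        # In Python, check_hostname must be cleared before verify_mode.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    try:
        ipaddress.ip_address(url.hostname)
        host_is_ip = True    # Python's check then needs a matching IP SAN
    except ValueError:
        host_is_ip = False

    return {
        "server_name": url.hostname,     # value used for the name check
        "port": url.port,
        "host_is_ip": host_is_ip,
        "context": ctx,
    }


if __name__ == "__main__":
    # Constructed sample endpoints, not taken from the PR.
    for ep in ("http://127.0.0.1:2379", "https://127.0.0.1:2379"):
        plan = tls_plan(ep)
        if plan is None:
            print(ep, "-> plain HTTP")
        else:
            print(ep, "-> TLS, server name", plan["server_name"],
                  "verify", plan["context"].verify_mode.name)
```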