reshifter
Support SSL-enabled clusters without client cert auth.
What version of Kubernetes (kubectl version) are you using?
1.7.3
What version of etcd (etcdctl --version) are you using?
3.2
What version of ReShifter are you using (for rcli: rcli version otherwise at the bottom of the app)?
v0.3.21-alpha
Reshifter currently assumes that any etcd endpoint with the https:// prefix is configured to require client authentication. Our current cluster configuration is set up such that the etcd endpoints are TLS-enabled, and signed by a common CA between the Kubernetes masters/workers/etcd nodes, but do not require a client certificate or credentials to be passed along with the request.
It would be swell to allow for requests to be https:// without requiring that the RS_ETCD_* variables be set.
I haven't written a ton of Go personally, but if you can point me in the right direction I'd also be interested in giving a go at a patch.
@blardo thanks a lot for raising this issue, I think it makes a lot of sense. If you want to give it a try, it should be as 'easy' as patching: https://github.com/mhausenblas/reshifter/blob/3f3ce15aaa1ba6bd0da91a64897ce24b2016298b/pkg/util/etcd3.go#L32
That is, essentially providing a flag that creates a secure etcd3 client without the respective env variables.
One thing to remember is that the ReShifter library (i.e. everything under pkg/) is used by both rcli and the app/HTTP API, so there will be different ways to pass the flag to the new function but I wouldn't worry about that for now. Or, put in other words: I'd focus on getting it done in the library and in rcli and I can then take care of getting it implemented in the app/HTTP API. Makes sense? :)
Makes sense to me - will have something ready to review in the next couple of days. Thanks!
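An added example, not part of the thread and not ReShifter's own code: one way a library helper could build TLS settings for an https:// etcd endpoint that needs no client certificate, while still verifying the server against the shared CA. The function name and its three path parameters are hypothetical; the thread only names the RS_ETCD_* variables as a group.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"os"
)

// etcdTLSConfig is a hypothetical helper (not ReShifter's API). Empty
// certFile and keyFile mean "TLS without client cert auth": the server is
// still verified, the client just presents no certificate.
func etcdTLSConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
	// InsecureSkipVerify stays false, so the etcd server cert is always checked.
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if caFile != "" { // private CA shared by masters/workers/etcd nodes
		pem, err := os.ReadFile(caFile)
		if err != nil {
			return nil, fmt.Errorf("read CA bundle: %w", err)
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(pem) {
			return nil, errors.New("CA bundle contains no PEM certificates")
		}
		cfg.RootCAs = pool // nil RootCAs would fall back to the system trust store
	}
	switch {
	case certFile == "" && keyFile == "":
		// Server-auth-only TLS: leave cfg.Certificates empty.
	case certFile == "" || keyFile == "":
		// Half-configured client auth is a misconfiguration; fail loudly.
		return nil, errors.New("client cert and key must be set together")
	default:
		pair, err := tls.LoadX509KeyPair(certFile, keyFile)
		if err != nil {
			return nil, fmt.Errorf("load client key pair: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

func main() {
	cfg, err := etcdTLSConfig("", "", "") // constructed input: no client cert, system CAs
	fmt.Println(len(cfg.Certificates), cfg.InsecureSkipVerify, err)
}
```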