clientv3: Set authority used in cert checks to host of endpoint #11184
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
a35b10a to
507f680
Compare
jpbetz
commented
Sep 25, 2019
gyuho
reviewed
Sep 25, 2019
| } | ||
| } | ||
|
|
||
| func (tc *transportCredential) OverrideServerName(serverNameOverride string) error { | ||
| return tc.gtc.OverrideServerName(serverNameOverride) | ||
| } | ||
|
|
||
| func (tc *transportCredential) Dialer(ctx context.Context, dialEp string) (net.Conn, error) { |
There was a problem hiding this comment.
So, gRPC first calls Dialer and by the time it calls, ClientHandshake, the remote address will always have been populated in addrToEndpoint, right?
There was a problem hiding this comment.
Right, here's the dial call: https://github.com/grpc/grpc-go/blob/45bd2846a34b039c5f1e69b7202f118687156b34/internal/transport/http2_client.go#L167 and below it is the ClientHandshake call: https://github.com/grpc/grpc-go/blob/45bd2846a34b039c5f1e69b7202f118687156b34/internal/transport/http2_client.go#L212
There was a problem hiding this comment.
And here's where the authority gets set: https://github.com/grpc/grpc-go/blob/230def769105c46b2e597578b23002a6ac159dde/clientconn.go#L1142.
We're basically just trying to get the authority set to an appropriate value for each endpoint instead of having a single value for the entire set of endpoints.
507f680 to
c2702da
Compare
gyuho
reviewed
Sep 25, 2019
|
|
||
| // Dialer dials a endpoint using net.Dialer. | ||
| // Context cancelation and timeout are supported. | ||
| func Dialer(ctx context.Context, dialEp string) (net.Conn, error) { |
There was a problem hiding this comment.
Nice clean-up by moving code here!
c2702da to
97388ce
Compare
gyuho
approved these changes
Sep 25, 2019
|
Great, let's hold off for just a bit before we merge to get feedback from the grpc team. |
|
Thanks for the quick fix! Implementation looks very clean. |
|
Merging this to master. I'd like to improve test coverage before we backport to 3.4. |
This was referenced Oct 3, 2019
jpbetz
added a commit
that referenced
this pull request
Oct 9, 2019
…-origin-release-3.4 Automated cherry pick of #11184
jpbetz
added a commit
that referenced
this pull request
Oct 9, 2019
…-origin-release-3.3 Automated cherry pick of #11184
This was referenced Oct 10, 2019
Merged
spzala
added a commit
to spzala/etcd
that referenced
this pull request
Dec 2, 2019
spzala
added a commit
to spzala/etcd
that referenced
this pull request
Dec 2, 2019
YoyinZyc
added a commit
to YoyinZyc/etcd
that referenced
this pull request
Jan 30, 2020
…after bumping grpc to 1.26.0.
tgraf
added a commit
to cilium/cilium
that referenced
this pull request
Feb 28, 2020
This bumps the etcd dependency in order to pull in github.com/etcd-io/etcd/pull/11184 which is required to fix a gRPC load balancer issue when using a k8s service name to connect to etcd. Fixes: #9791 Signed-off-by: Thomas Graf <thomas@cilium.io>
tgraf
added a commit
to cilium/cilium
that referenced
this pull request
Feb 28, 2020
This bumps the etcd dependency in order to pull in github.com/etcd-io/etcd/pull/11184 which is required to fix a gRPC load balancer issue when using a k8s service name to connect to etcd. Fixes: #9791 Signed-off-by: Thomas Graf <thomas@cilium.io>
brb
pushed a commit
to cilium/cilium
that referenced
this pull request
Mar 2, 2020
[ upstream commit 26e3ca0 ] This bumps the etcd dependency in order to pull in github.com/etcd-io/etcd/pull/11184 which is required to fix a gRPC load balancer issue when using a k8s service name to connect to etcd. Fixes: #9791 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt>
joestringer
pushed a commit
to cilium/cilium
that referenced
this pull request
Mar 4, 2020
[ upstream commit 26e3ca0 ] This bumps the etcd dependency in order to pull in github.com/etcd-io/etcd/pull/11184 which is required to fix a gRPC load balancer issue when using a k8s service name to connect to etcd. Fixes: #9791 Signed-off-by: Thomas Graf <thomas@cilium.io> Signed-off-by: Martynas Pumputis <m@lambda.lt>
6 tasks
This was referenced Apr 19, 2022
chaochn47
pushed a commit
to chaochn47/etcd
that referenced
this pull request
Oct 25, 2023
…after bumping grpc to 1.26.0. Signed-off-by: Chao Chen <chaochn@amazon.com>
chaochn47
pushed a commit
to chaochn47/etcd
that referenced
this pull request
Oct 27, 2023
…after bumping grpc to 1.26.0. Signed-off-by: Chao Chen <chaochn@amazon.com>
chaochn47
pushed a commit
to chaochn47/etcd
that referenced
this pull request
Oct 27, 2023
…after bumping grpc to 1.26.0. Signed-off-by: Chao Chen <chaochn@amazon.com>
ahrtr
added a commit
that referenced
this pull request
Oct 27, 2023
Backport [3.4] clientV3: simplify grpc dialer usage. Remove workaround #11184 after bumping grpc to 1.26.0.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #11180
This is a workaround for the gPRC load balancer, which currently uses the "service name" (which the etcd client was setting to the 1st endpoint's hostname or IP) as authority for all credential checks for all the endpoints it load balances against, which does not work well for configurations where etcd servers use a Subject Alternative Names in their certs set to their hostname or IP. We previously added a workaround to fix this problem for IPs (db61ee1) but not hostnames.
The workaround keeps track of the endpoints the load balancer dials and overwrites the authority in
ClientHandshakebefore the cert checks are performed so that the authority is always the host of the endpoint that the client was originally configured with. For example, if a client is configured with:The authorities of the endpoints will now be
member1.etcd.xyz,member2.etcd.xyzandmember3.etcd.xyzrespectively. Previously, the authority ofmember1.etcd.xyzwas used for all endpoints.I've manually verified with etcdctl that this does result in the correct authority being used in DNS name SAN cert checks.
@gyuho @jingyih @wenjiaswe