Bug 1698456 *: use wildcard domain in DNS: SAN for etcd server certs #676
Conversation
Signed-off-by: Sam Batschelet <sbatsche@redhat.com>
/cc @ericavonb
This is reasonable to me, and the failure scenario is bad. /approve for 4.1 (the code looks correct to me, but want others to review deeper)
As a side note, we should make sure you are in OWNERS under cmd/setup-etcd-environment and a few other dirs.
/approve from mco point on view, will leave to others as well
This lgtm, and I've heard no comment, and this is a huge blocker /lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: hexfusion, runcom, smarterclayton
/hold cancel
/retest Please review the full test history for this PR and help us cut down flakes.
/retest
/retest Please review the full test history for this PR and help us cut down flakes.
/test e2e-aws
/test e2e-aws
This PR resolves an issue with the client balancer and etcd. The balancer is populated with a list of etcd peer endpoints. When we dial endpoint[0] it is used as the target, and the other endpoints are dialed using subconnections. I have verified with Wireshark that each connection, the target and the subconnections, makes a proper TLS handshake.
The issue we see, which is painted well in the logs below: when etcd-0 fails and the balancer fails over to etcd-1, the connection will fail because the TLS context of the balancer assumes the target (etcd-0).
The solution, for now, is to populate the DNS: SAN of the server certs with a wildcard. This will allow TLS auth to complete successfully and the balancer can properly work. This is because the target etcd-0 will now authenticate against the *.clustername.domain.com entry in the SAN.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1698456
Ref:
/hold
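An added example (not code from this PR or from the machine-config-operator) of the hostname check behind the failure described above: a client whose TLS ServerName stays pinned to etcd-0 rejects the certificate etcd-1 presents on failover unless that certificate's DNS SANs include the wildcard. The cluster domain names and the self-signed certificates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSignedServerCert builds a throwaway self-signed server certificate whose
// DNS SANs are exactly sans (constructed for this example, not a real etcd cert).
func selfSignedServerCert(sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BalancerAccepts reports whether a client that pinned its TLS ServerName to
// target would accept a server certificate carrying the given DNS SANs; this is
// the same SAN hostname check crypto/tls performs during the handshake.
func BalancerAccepts(sans []string, target string) (bool, error) {
	cert, err := selfSignedServerCert(sans)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(target) == nil, nil
}
func main() {
	const target = "etcd-0.clustername.domain.com" // balancer target, endpoint[0]
	perHost := []string{"etcd-1.clustername.domain.com"}
	wildcard := []string{"etcd-1.clustername.domain.com", "*.clustername.domain.com"}
	ok, _ := BalancerAccepts(perHost, target)
	fmt.Println("failover to etcd-1, per-host SAN only:", ok) // false: handshake fails
	ok, _ = BalancerAccepts(wildcard, target)
	fmt.Println("failover to etcd-1, wildcard SAN:", ok) // true
}
```

Note that a wildcard matches exactly one DNS label, so `*.clustername.domain.com` covers the etcd members but not hosts one level deeper or higher.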