Etcd serving TLS is not supported #16

Closed
scottyeager opened this issue Feb 24, 2021 · 8 comments · Fixed by #23
Label: type_bug (Something isn't working)

@scottyeager

I have a VDC with etcd deployed inside. Locally, I've built the latest 0-stor from source. I can interact with the VDC etcd using etcdctl and I can use 0-stor with a local etcd. However, 0-stor and the VDC etcd will not work together.

I've downloaded the 0-stor config and added the endpoint for my VDC etcd. Attempting to add or check files gives Error: "could not save value: response failed" and Error: "could not load value: response failed", respectively.

Etcd endpoint: "https://scott-etcd-etc.webg1test.grid.tf:2379"

@LeeSmet (Contributor)

LeeSmet commented Feb 25, 2021

Examining the error with a proper debug build shows:

WARN  zstor_v2::etcd               > Response(Status { code: Internal, message: "Unexpected compression flag: 52, while receiving response with status: 404 Not Found" })

The cause seems to be related to the https proxy in between. We will need to investigate whether it is related to the webgateway or to https proxies in general (e.g. also a problem when just using caddy).
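
The error text above is worth decoding before chasing the proxy. etcd's v3 API is gRPC, and every gRPC message on the wire is length-prefixed: one compression-flag byte (0 or 1), four big-endian length bytes, then the payload. If an intermediate HTTP proxy answers with a plaintext 404 body instead of forwarding the gRPC response, the client reads the first byte of that body as the compression flag. 52 is the ASCII code of '4', which is consistent with a body that starts with "404". The following is an added example written for this page, not zstor's or any gRPC library's code; it implements that framing with a constructed 404 body, and adds the content-type check a client can perform before it ever touches the body:

```rust
// Added example, not zstor's or tonic's code: a minimal decoder for the
// gRPC length-prefixed message framing that etcd's v3 API rides on
// (1-byte compression flag, 4-byte big-endian payload length, payload).
// It shows why a plaintext HTTP body from an intermediate proxy surfaces
// as "Unexpected compression flag: 52": 52 is the ASCII code of '4'.

#[derive(Debug, PartialEq)]
pub enum FrameError {
    /// Fewer than the five header bytes were available.
    Truncated,
    /// The first byte must be 0 (plain) or 1 (compressed).
    UnexpectedCompressionFlag(u8),
    /// Header promised more payload bytes than were received.
    LengthMismatch { declared: usize, available: usize },
    /// The response is not gRPC at all (wrong content type); do not decode.
    NotGrpc { status: u16, content_type: String },
}

#[derive(Debug, PartialEq)]
pub struct Frame<'a> {
    pub compressed: bool,
    pub payload: &'a [u8],
}

/// Decode one length-prefixed gRPC message from `buf`.
pub fn decode_frame(buf: &[u8]) -> Result<Frame<'_>, FrameError> {
    if buf.len() < 5 {
        return Err(FrameError::Truncated);
    }
    let compressed = match buf[0] {
        0 => false,
        1 => true,
        other => return Err(FrameError::UnexpectedCompressionFlag(other)),
    };
    let declared = u32::from_be_bytes([buf[1], buf[2], buf[3], buf[4]]) as usize;
    let body = &buf[5..];
    if body.len() < declared {
        return Err(FrameError::LengthMismatch { declared, available: body.len() });
    }
    Ok(Frame { compressed, payload: &body[..declared] })
}

/// Check the HTTP layer before touching the body: a gRPC response carries
/// an `application/grpc` content type. Anything else (an HTML or text 404
/// from a proxy, for example) is rejected up front instead of being fed to
/// the frame decoder.
pub fn decode_response<'a>(
    status: u16,
    content_type: &str,
    body: &'a [u8],
) -> Result<Frame<'a>, FrameError> {
    if !content_type.starts_with("application/grpc") {
        return Err(FrameError::NotGrpc { status, content_type: content_type.to_string() });
    }
    decode_frame(body)
}

/// Render a failure the way a client log line would, next to the HTTP status text.
pub fn describe_failure(err: &FrameError, http_status: &str) -> String {
    let msg = match err {
        FrameError::Truncated => "truncated frame header".to_string(),
        FrameError::UnexpectedCompressionFlag(f) => format!("Unexpected compression flag: {}", f),
        FrameError::LengthMismatch { declared, available } => {
            format!("declared {} payload bytes, received {}", declared, available)
        }
        FrameError::NotGrpc { status, content_type } => {
            format!("non-gRPC response: HTTP {} with content type {}", status, content_type)
        }
    };
    format!("{}, while receiving response with status: {}", msg, http_status)
}

/// Constructed sample: a plaintext not-found body of the kind a generic HTTP
/// proxy returns for an unknown route. Its first byte is '4' (0x34 = 52); any
/// body beginning with '4' produces the same flag value.
pub const PROXY_404_BODY: &[u8] = b"404 page not found";

/// Constructed sample: a well-formed, uncompressed frame carrying b"key".
pub fn sample_frame() -> Vec<u8> {
    let payload = b"key";
    let mut frame = vec![0u8];
    frame.extend_from_slice(&(payload.len() as u32).to_be_bytes());
    frame.extend_from_slice(payload);
    frame
}

fn main() {
    let frame = sample_frame();
    println!("{:?}", decode_frame(&frame));
    match decode_frame(PROXY_404_BODY) {
        Err(e) => println!("{}", describe_failure(&e, "404 Not Found")),
        Ok(f) => println!("{:?}", f),
    }
    println!("{:?}", decode_response(404, "text/plain; charset=utf-8", PROXY_404_BODY));
}
```

The practical takeaway is the content-type gate: when the client checks that the response is actually gRPC before decoding, a proxy 404 is reported as "HTTP 404 from the proxy" rather than as a baffling compression-flag error, which points straight at the path between client and etcd.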

@scottyeager (Author)

Thanks for looking into this, Lee. I wonder if there's any chance of a workaround in the meantime, as I see indications in #2262 that this may have been working under an older configuration of the etcd deployment where manually adding port forwarding was required.

@xmonader (Contributor)

@scottyeager running a local etcd on your machine and configuring that in the zstor config should help :)

@scottyeager (Author)

Indeed it does, @xmonader, but I'm hoping to see a fully grid based solution working :)

@LeeSmet (Contributor)

LeeSmet commented Feb 26, 2021

After some debugging, it seems that the problem is that the current library does not automatically use TLS, even when the etcd endpoint is https. After hacking around in the code a bit, I did manage to get it to work by manually providing a TLS Config to the etcd lib, with a downloaded ca_certificate.pem file containing the full certificate chain.

Since etcdctl does work out of the box, we should probably parse the endpoint string for an https endpoint, and if one is found, first connect and download the server's certificate chain.

@LeeSmet LeeSmet changed the title Response fails from VDC deployed etcd Etcd serving TLS is not supported Feb 26, 2021
@LeeSmet LeeSmet added this to the Later milestone Feb 26, 2021
@sasha-astiadi sasha-astiadi added the type_bug Something isn't working label Mar 8, 2021
@sasha-astiadi sasha-astiadi modified the milestones: Later, Next, Now Mar 8, 2021
@LeeSmet (Contributor)

LeeSmet commented Mar 12, 2021

Some work has been done to hopefully support TLS, however I don't really have an env to test this on. I tried to use the config from #17, but that one errors on the unexpected compression flag again. However, it seems that even etcdctl has issues with the etcd endpoint in that config, so that's not really a good test case.

@LeeSmet (Contributor)

LeeSmet commented Mar 12, 2021

Using "https://scott-etcd-etc.webg1test.grid.tf:2379" as etcd endpoint does seem to work out of the box now (I can upload a file), but there seems to be an error downloading the file again. But the TLS works now.

LeeSmet added a commit that referenced this issue Mar 13, 2021
Closes #16
Closes #8

Signed-off-by: Lee Smet <lee.smet@hotmail.com>
@LeeSmet (Contributor)

LeeSmet commented Mar 13, 2021

Automatic TLS for https endpoints for etcd is now available on master. Note that this relies on the running system's root certificates. In other words, self-signed certificates for etcd will not work unless the certificate root is added to the system's trusted certs.
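
Two decisions are described across the thread: the Feb 26 comment proposes deriving TLS from the endpoint scheme, and the Mar 13 comment states that verification uses the system's root store, so a self-signed etcd certificate needs its root installed or an explicit CA bundle. The following is an added example for this page, not zstor's own code or its configuration format: it parses a list of etcd endpoints, turns TLS on for https://, and picks trust anchors from the system roots unless a CA bundle path is given (the `ca_cert` parameter and the `ca_certificate.pem` path are assumptions standing in for the downloaded chain mentioned above). It also rejects two configurations that would otherwise fail silently later: a list that mixes http:// and https:// endpoints, and a CA bundle configured alongside plaintext endpoints.

```rust
// Added example, not zstor's code: derive the TLS decision from the
// configured etcd endpoints. An https:// scheme turns TLS on; trust
// anchors come from the system roots unless an explicit CA bundle is
// configured (assumed parameter `ca_cert`).

#[derive(Debug, PartialEq)]
pub struct Endpoint {
    pub host: String,
    pub port: u16,
    pub tls: bool,
}

#[derive(Debug, PartialEq)]
pub enum TlsMode {
    /// http:// endpoints: no TLS at all.
    Plaintext,
    /// https:// endpoints verified against the running system's root store.
    /// A self-signed etcd certificate fails here unless its root is in that store.
    SystemRoots,
    /// https:// endpoints verified against an explicitly configured CA bundle.
    CustomCa(String),
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    NoEndpoints,
    UnsupportedScheme(String),
    MissingHostOrPort(String),
    BadPort(String),
    /// Refuse a list that mixes http:// and https://: a plaintext member
    /// would silently downgrade the connection when it is picked.
    MixedSchemes,
    /// A CA bundle with plaintext endpoints is a misconfiguration, not a no-op.
    CaCertWithoutTls,
}

/// Parse one endpoint string. A bare `host:port` without a scheme is
/// treated as plaintext here (an assumption of this example).
pub fn parse_endpoint(raw: &str) -> Result<Endpoint, ConfigError> {
    let (scheme, rest) = match raw.split_once("://") {
        Some((s, r)) => (s.to_ascii_lowercase(), r),
        None => ("http".to_string(), raw),
    };
    let tls = match scheme.as_str() {
        "https" => true,
        "http" => false,
        other => return Err(ConfigError::UnsupportedScheme(other.to_string())),
    };
    // rsplit keeps bracketed IPv6 literals such as [::1]:2379 intact.
    let authority = rest.trim_end_matches('/');
    let (host, port) = authority
        .rsplit_once(':')
        .ok_or_else(|| ConfigError::MissingHostOrPort(raw.to_string()))?;
    if host.is_empty() || port.is_empty() {
        return Err(ConfigError::MissingHostOrPort(raw.to_string()));
    }
    let port = port
        .parse::<u16>()
        .map_err(|_| ConfigError::BadPort(port.to_string()))?;
    Ok(Endpoint { host: host.to_string(), port, tls })
}

/// Parse every endpoint and decide one TLS mode for the whole client.
pub fn tls_mode(
    endpoints: &[&str],
    ca_cert: Option<&str>,
) -> Result<(Vec<Endpoint>, TlsMode), ConfigError> {
    if endpoints.is_empty() {
        return Err(ConfigError::NoEndpoints);
    }
    let parsed = endpoints
        .iter()
        .map(|e| parse_endpoint(e))
        .collect::<Result<Vec<_>, _>>()?;
    let all_tls = parsed.iter().all(|e| e.tls);
    let any_tls = parsed.iter().any(|e| e.tls);
    if all_tls != any_tls {
        return Err(ConfigError::MixedSchemes);
    }
    let mode = match (all_tls, ca_cert) {
        (false, None) => TlsMode::Plaintext,
        (false, Some(_)) => return Err(ConfigError::CaCertWithoutTls),
        (true, None) => TlsMode::SystemRoots,
        (true, Some(path)) => TlsMode::CustomCa(path.to_string()),
    };
    Ok((parsed, mode))
}

fn main() {
    // Constructed inputs: the endpoint from the issue, the same with an
    // assumed CA bundle path, and a mixed list that must be rejected.
    for (eps, ca) in [
        (vec!["https://scott-etcd-etc.webg1test.grid.tf:2379"], None),
        (vec!["https://scott-etcd-etc.webg1test.grid.tf:2379"], Some("ca_certificate.pem")),
        (vec!["127.0.0.1:2379", "https://[::1]:2379"], None),
    ] {
        println!("{:?}", tls_mode(&eps, ca));
    }
}
```

The mode value is what would be handed to the TLS layer: `SystemRoots` maps to the behaviour described in the comment above (a self-signed etcd certificate is rejected), while `CustomCa` is the route for a deployment whose chain was downloaded separately. Refusing mixed schemes matters because client libraries rotate through the endpoint list on failure, and a single http:// entry would turn a TLS outage into a plaintext session.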
