-
Notifications
You must be signed in to change notification settings - Fork 292
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add TLS min/max version. #641
Conversation
Note to reviewers: I created the subheading "Common options" and included also ciphers intentionally under that. Currently it might be bit too easy to confuse that to belong to "Peer (server-to-server / cluster) communication" options, although it impacts both. |
@ahrtr afaik, it's a manual update. Considering it's easy to miss manual updating, one quick solution would be to add a sentence in the guide to point to help.go for the latest. For example, add "For the most latest flags, refer to the Security flags." after |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @tsaarni Few more small comments besides the one I added in the PR discussion.
@@ -164,6 +164,10 @@ Flags are presented below using the format `--flag-name DEFAULT_VALUE`. | |||
Comma-separated whitelist of origins for CORS, or cross-origin resource sharing, (empty or * means allow all). | |||
--host-whitelist '*' | |||
Acceptable hostnames from HTTP client requests, if server is not secure (empty or * means allow all). | |||
--tls-min-version 'TLS12' | |||
Minimum TLS version supported by etcd. Possible values: TLS12, TLS13. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would suggest to remove possible values
so that we don't need to maintain updates in the future.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will fix it, but I wonder how users will find the accepted values?
--tls-min-version 'TLS12' | ||
Minimum TLS version supported by etcd. Possible values: TLS12, TLS13. | ||
--tls-max-version '' | ||
Maximum TLS version supported by etcd. Possible values: TLS12, TLS13 (empty will be auto-populated by Go). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here, we should remove possible values
so that we don't need to maintain updates in the future. Leaving, Empty will be auto-populated by Go.
is fine.
@@ -42,8 +42,16 @@ The peer options work the same way as the client-to-server options: | |||
|
|||
If either a client-to-server or peer certificate is supplied the key must also be set. All of these configuration options are also available through the environment variables, `ETCD_CA_FILE`, `ETCD_PEER_CA_FILE` and so on. | |||
|
|||
**Common options:** | |||
|
|||
`--cipher-suites`: Comma-separated list of supported TLS cipher suites between server/client and peers (empty will be auto-populated by Go). Available from v3.2.22+, v3.3.7+, and v3.4+. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't support 3.2 and 3.3, so I think Available from v3.2.22+, v3.3.7+, and v3.4+.
is not needed.
`--cipher-suites`: Comma-separated list of supported TLS cipher suites between server/client and peers (empty will be auto-populated by Go). Available from v3.2.22+, v3.3.7+, and v3.4+. | ||
|
||
`--tls-min-version=<version>` Sets the minimum TLS version supported by etcd. The default value is `TLS12`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same, The default value is
TLS12.
is not needed.
Thanks @spzala for the feedback. The security doc is relatively simple, so I am not much concerning about it. Instead, the configuration doc is supposed to contain all available flags. But obvious it isn't. For example the following flags are missing, So it makes more sense to add a link in the configuration doc. |
357eb17
to
d5b401c
Compare
Thank you for review @spzala! I have now removed the specifics: protocol versions and cipher-suite etcd versions (just for clarity: etcd-io/etcd#15156 did not touch ciphers). This is to avoid further updates on the web site when the values change in future. The values remain in |
@ahrtr yrw, and yes! I was thinking to suggest to make those changes in this PR but with some more thoughts, I think I can clean up config file to address maintenance issue. The help.go is a go file but it's a structured almost as a doc. Let me create a separate PR for this for an easier review of changes. Thanks! |
Thanks @tsaarni - we need to wait for the etcd repo PR to merge. |
The implementation etcd-io/etcd#15156 is now merged! |
@tsaarni thanks! I am good with this PR but one more small request. Can you please add this sentence (or something similar if you have a different opinion) at the end of first section (right before Basic setup section) |
d5b401c
to
0b6aebe
Compare
@spzala Sure, no problem! I've added the text. I added it only to the latest release version i.e. the only version this PR has modified so far. |
That's good. Thanks @tsaarni |
cc @ahrtr |
@@ -166,6 +166,10 @@ The list of flags provided below may not be up-to-date due to ongoing developmen | |||
Comma-separated whitelist of origins for CORS, or cross-origin resource sharing, (empty or * means allow all). | |||
--host-whitelist '*' | |||
Acceptable hostnames from HTTP client requests, if server is not secure (empty or * means allow all). | |||
--tls-min-version 'TLS12' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's "TLS1.2
" in etcd-io/etcd#15156, so I suggest to keep it consistent.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for missing that! I've pushed a fix.
Documentation for new optional flags for setting TLS versions. Signed-off-by: Tero Saarni <tero.saarni@est.tech>
0b6aebe
to
566ac46
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Thanks @tsaarni
Documentation for new optional flags for setting TLS versions, which will be introduced in PR etcd-io/etcd#15156
Signed-off-by: Tero Saarni tero.saarni@est.tech