feature: support talking to etcd via TLS. about apisix HOT 9 CLOSED

The TLS authentication for etcd is usually bidirectional, but cosocket is not supported now, but fortunately, there is currently a PR in progress.

we need to fix this first: openresty/lua-nginx-module#997

from apisix.

The TLS authentication is important for auth between end to end, not just for etcd.

from apisix.

based on this PR: openresty/lua-nginx-module#1599, we can do more things about auth between end to end.

from apisix.

Hi, I believe that we don't need to support the TLS or the priority of this requirement is not high or even a pseudo-demand. TLS/HTTPS solved the risk of data being hijacked at WAN. APISIX usually access etcd via LAN, and messages in the LAN usually do not need to be considered for hijacking.
If we need to access etcd via the WAN, encryption methods such as TLS are necessary.

from apisix.

Is there any progress on this issue? TLS communication and mTLS auth ist very important for etcd.
accessing the etcd via lan is no excuse. In enterprise or shared enviroments you have dozens of applications running in the same network. if one of those apps got hijacked, it can easy access your data.
for development purpose it is ok to run a insecure setup, in production end to end encryption and authentication is a basic requirement, no matter where etcd is running!

from apisix.

Is there any progress on this issue?

the official openresty still not support the mTLS now. we have to wait

from apisix.

from apisix.

OpenResty already support mTLS.

openresty/lua-resty-core#278

We still need to wait more time.

from apisix.

Solved by #2584 . Server side TLS verification is enough to use by now.

from apisix.