|
| 1 | +# Authentication, authorization and secure communication |
| 2 | + |
| 3 | +* Status: proposed |
| 4 | +* Date: 2024-04-03 |
| 5 | + |
| 6 | +Guthub issue: https://github.com/aenix-io/etcd-operator/issues/76 |
| 7 | + |
| 8 | +## Security specification |
| 9 | + |
| 10 | +``` |
| 11 | +kind: EtcdCluster |
| 12 | +spec: |
| 13 | +... |
| 14 | + security: |
| 15 | + peer: |
| 16 | + caSecretName: peer-ca-tls-secret |
| 17 | + tlsSecretName: peer-server-tls-secret |
| 18 | + clientServer: |
| 19 | + caSecretName: client-server-ca-tls-secret |
| 20 | + tlsSecretName: client-server-server-tls-secret |
| 21 | + auth: |
| 22 | + tlsSecretName: client-server-client-tls-secret |
| 23 | +... |
| 24 | +``` |
| 25 | + |
| 26 | +It is expected that secrets contain sections with specific names: `tls.crt`, `tls.key` for tlsSecret and `ca.crt` for caSecret. |
| 27 | + |
| 28 | +All fields are optional, but if one field is defined in a pair (caSecretName and tlsSecretName), other must be defined as well - it will be validated in a webhook. |
| 29 | + |
| 30 | +## Peer communication |
| 31 | +If peer secrets are not defined, then `--peer-auto-tls` option is used that allows etcd to communicate via https. |
| 32 | + |
| 33 | +If peer certificate/key is reissued, etcd cluster does rollout restart to reread the secret. Operator watches these secrets. |
| 34 | + |
| 35 | +One secret is used for all etcd nodes. |
| 36 | + |
| 37 | +## Client-server communication |
| 38 | +If client-server secrets are not defined, then `--auto-tls` option is used that allows clients to communicate via https. |
| 39 | + |
| 40 | +If client-server certificate/key is reissued, etcd cluster does rollout restart to reread the secret. Operator watches these secrets. |
| 41 | + |
| 42 | +## User authentication |
| 43 | +If enabler is true, user authentication is enabled and `root` user is created in etcd without a password. It is expected that customer provides valid secret for operator authentication (to operate etcd cluster) with `tls.crt` and `tls.key` sections. As multiple secrets for multiple etcd clusters are created on the fly, secrets are not mounted to operator => secrets are read on the fly and reread by operator if certificates are reissued. |
| 44 | + |
| 45 | +If `auth.tlsSecretName` is defined, then the whole `clientServer` section must be defined as well => validated in a webhook. |
| 46 | + |
| 47 | +## Futher improvements to be described and discussed |
| 48 | + |
| 49 | +1. * What: Use separate controller (CR) to create k8s secrets with certificates/passwords and renew them relularly. |
| 50 | + * Why: |
| 51 | + * Etcd clients (apps deployed to k8s) will need to have possibility to access created etcd clusters. It would be inconvenient to couple user lists in EtcdCluster CR (with complete RBAC lists) with users in the application configurations. |
| 52 | +2. * What: Remove cert-manager dependency to create and rotate certificates. |
| 53 | + * Why: |
| 54 | + * Openshift has its own ecosystem and doesn't have cert-manager out of the box. It has own operator. |
| 55 | + * Cert-manager dependency (ceparate operator) is too heavy for etcd-operator. |
0 commit comments