[Feature] Enhance etcd auth configuration

[hanahmily]

Search before asking

• I had searched in the issues and found no similar feature requirement.

Description

Embed etcd keeps complaining:

simple token is not cryptographically signed

which might relate to its v3 auth design. The solution is to pick up the JWT token which is cryptographically signed.

Use case

No response

Related issues

No response

Are you willing to submit a PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[hanahmily]

The related configuration is https://etcd.io/docs/v3.2/op-guide/configuration/#--auth-token

[rabajaj0509]

Which repository will these changes be required in?

[wu-sheng]

skywalking-banyandb

[rabajaj0509]

From the documentation provided for etcd v3 auth design, it seems that there is no mention of refresh tokens in etcd. In this case, the user might have to re-authenticate each time the token expires, meaning if API is called using a script with a time interval, then the user might need to re-authenticate and the script would be stopped since the token expired. @hanahmily do you know if implementing refresh tokens is possible in this case or if there is no need for it?

[hanahmily]

FWIK, Etcd's JWT token is "stateless", being never stored in any storage. Refreshing/Renewing such a token is not necessary. For example, k0s creates a token during booting, https://github.com/k0sproject/k0s/blob/main/pkg/component/controller/etcd.go#L194, never renewing it.

But the key/cert pair should have a chance to get renewed. Users could leverage vault or other tools to generate a new key/cert pair which the BanyanDB server can load to create new tokens.