etcdserver: config flag to skip verification of peer client address

[MartinWeindel]

On initialising the peer-to-peer communication, ETCD checks the CN/SAN for the client side. This is not feasible, if the client IP address (of the HTTPS connection) is not stable or unknown at the time of creation of the certificate.

For example, if the peers of a distributed ETCD cluster with TLS enabled run in multiple clouds (or behind NAT with some kind of DHCP),
the IP addresses of the peers are not stable. Another example for such an environment is a Kubernetes cluster using Calico CNI. Here incoming requests from outside the cluster get the client address of the accepting K8s node.

Therefore a new command line option --peer-skip-client-verify is introduced to disable the client address check optionally. Basically it should be enough to rely on the knowledge of a valid certificate.

This partially fixes #8912 "Make it possible to ignore CN/SAN mismatches" (if certificates are created for DNS names and DNS records are updated according to the current proxy IP addresses).

[codecov-io]

Codecov Report

Merging #10524 into master will increase coverage by 0.13%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master   #10524      +/-   ##
==========================================
+ Coverage   63.64%   63.77%   +0.13%     
==========================================
  Files         401      401              
  Lines       37470    37473       +3     
==========================================
+ Hits        23846    23899      +53     
+ Misses      12016    11938      -78     
- Partials     1608     1636      +28

Impacted Files	Coverage Δ
etcdmain/config.go	83.03% <100%> (+0.07%)	⬆️
pkg/transport/listener.go	51.35% <100%> (+1.8%)	⬆️
client/keys.go	55.77% <0%> (-35.68%)	⬇️
auth/simple_token.go	65.85% <0%> (-21.14%)	⬇️
client/members.go	65.32% <0%> (-20.17%)	⬇️
clientv3/naming/grpc.go	68.42% <0%> (-7.02%)	⬇️
clientv3/leasing/util.go	91.66% <0%> (-6.67%)	⬇️
pkg/testutil/recorder.go	77.77% <0%> (-3.71%)	⬇️
clientv3/leasing/cache.go	87.77% <0%> (-3.34%)	⬇️
clientv3/balancer/balancer.go	86.36% <0%> (-2.28%)	⬇️
... and 20 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 800e723...718e9c1. Read the comment docs.

[jingyih]

cc @gyuho

[jingyih]

cc @wenjiaswe

[afritzler]

Any chance this gets merged anytime soon?

[MartinWeindel]

Ping. Any chances for this mini pull request consisting of just 6 new lines?

[wenjiaswe]

@MartinWeindel Thanks for the PR! Sorry for the delay, would you please add a test to it? Otherwise lgtm

@hexfusion would you please also take a look to make sure?

[gyuho]

kubernetes/kubernetes#21283 (comment)

I would say no. It's not an option supported by the go http transport, and trusting the signature but not verifying the subject/sans means you are extending your trust beyond the CA to everyone holding a certificate ever issued by the CA.

/cc @liggitt

[MartinWeindel]

That’s exactly the purpose of this PR: to trust the certificates issued by the *private* CA. As I tried to explain is it not possible to check the subject/sans on the client side if the ETCD server instances are living in different networks with NAT. And just to repeat it. This is only an advanced option for non-standard scenarios, which has to be activated explicitly. The only possible alternative I can think of in our scenario is to set up a VPN, which is quite an effort, if you only need it for the internal communication of a distributed ETCD cluster.

[MartinWeindel]

@wenjiaswe As there was no test coverage for checking the client address from its certificate, the added test checks the correct behaviour for three cases:

1. Client IP address matches the SAN entry of the client certificate and handshaking is successful.
2. Client IP address does not match and handshaking fails.
3. SkipClientVerify flag is set and handshaking succeeds even if client IP address does not match.

[wenjiaswe]

Friendly ping @gyuho @liggitt for your opinion, cc @hexfusion as well. Thanks!

[gyuho]

Skip client SAN field verification for peer connections?

[xiang90]

I think the skip client verify is a very vague description. can we make it clear to include what exactly is skipped?

[MartinWeindel]

Changed description to Skip verification of SAN field in client certificate for peer connections.
Any more ideas?

[gyuho]

Skip verification of SAN field in client certificate for peer connections

This is clearer.

[gyuho]

I will check with SIG-auth https://github.com/kubernetes/community/tree/master/sig-auth. Overall, the use case is reasonable.

[gyuho]

@MartinWeindel can you update commit title to *: ...?

[gyuho]

/cc @deads2k @liggitt @mikedanese

[xiang90]

@MartinWeindel can we also change the flag naming to peer-skip-client-san-veirfy? not a fan of long flag, but we need to be clear on what is skipped on flag naming too.

[MartinWeindel]

Changed flag to peer-skip-client-san-verification

[mikedanese]

Can ETCD not be configured with different certs for client and server TLS auth? It seems like checkSAN should be OR'd with the AllowedCN check. This is allowed by the spec for both client and server auth, but is especially useful for client auth.

[hexfusion]

I would like some time to test this before we merge. In general this feels like a flag that will promote poor usage and thus reduce overall security. While I understand the reporters networking challenge I still am not convinced this is the only path forward.

[xiang90]

defer to @hexfusion

[MartinWeindel]

@hexfusion Have you already found some time to test this?

[hexfusion]

@MartinWeindel we are going to talk about this today at the community meeting

[hexfusion]

@MartinWeindel it would be nice if we had a solid reproducible use case to test alternative solutions against. Your description has general networking detail but not enough to validate the need for this change. Can you provide a test ENV or steps to reproduce the ENV which we could clearly see the failure case? Thanks!

[MartinWeindel]

@hexfusion You can find a test ENV using Kubernetes services in the GitHub project MartinWeindel/etcd-peer-skip-client-verify. Feel free to contact me if anything is unclear.

[hexfusion]

@MartinWeindel after talking with the other maintainers we have decided to move this forward for v3.4 as an experimental flag. Can you please append experimental to your flag and update docs[1] as well as add details to changelog[2]?

[1] https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/configuration.md#experimental-flags
[2] https://github.com/etcd-io/etcd/blob/master/CHANGELOG-3.4.md

[MartinWeindel]

@hexfusion Thanks for your endurance

[hexfusion]

/lgtm

@MartinWeindel thank you for your patience.

[andyliuliming]

Hi @xiang90 is it possible we cherry-pick this change to the etcd 3.2/3.3 too?
if yes, I will prepare the PR, thanks :)