[Feature]: It is necessary to add authentication to external etcd

[ViokingTung]

Is there an existing issue for this?

• I have searched the existing issues

Is your feature request related to a problem? Please describe.

I deployed milvus used helm(cpu), when I enable external etcd rbac auth, milvus cannot connect it cause service configuration only has two parameters :externalEtcd.enabled and externalEtcd.endpoints.

Describe the solution you'd like.

configuration need add some parameters like this.

###################################
# External etcd
# - these configs are only used when `externalEtcd.enabled` is true
###################################
externalEtcd:
  enabled: true
  endpoints:
    # host or ip e.g. http://172.20.148.99:2379
    - http://etcd.etcd.svc.cluster.local:2379
  # -- user for external etcd.
  user: root
  # -- if externalEtcd.existingSecret is empty, externalEtcd.password is the passsword for external etcd.
  password: "your-etcd-password"
  # -- externalEtcd.existingSecret is the name of secret containing the external etcd password
  existingSecret: ""
  # -- externalEtcd.secretPasswordKey Key inside the secret containing the external etcd password
  secretPasswordKey: "etcd-root-password"

Describe an alternate solution.

used milvus internal etcd or disabled external etcd auth, milvus will work well now.

Anything else? (Additional Context)

No response

[xiaofan-luan]

/assign @PowderLi

[haorenfsa]

@PowderLi Will TLS endpoints be supported as well?

[PowderLi]

@PowderLi Will TLS endpoints be supported as well?

you can find more from #20868

[PowderLi]

add configuration items like this:

etcd:
    auth:
         enable: true
         userName:
         password:

/unassign

[ViokingTung]

add configuration items like this:

etcd:
    auth:
         enable: true
         userName:
         password:

/unassign

what about externalEtcd. how to add auth.

[PowderLi]

add configuration items like this:

etcd:
    auth:
         enable: true
         userName:
         password:

/unassign

what about externalEtcd. how to add auth.

you mean how to use helm to deploy?

[PowderLi]

update extraConfigFiles in your values.yaml
https://github.com/zilliztech/milvus-helm/blob/master/charts/milvus/values.yaml#L47

[ViokingTung]

add configuration items like this:

etcd:
    auth:
         enable: true
         userName:
         password:

/unassign

what about externalEtcd. how to add auth.

you mean how to use helm to deploy?

yep, I deployed by helm chats. it still nor recongnized username and password.

rpc error: code = InvalidArgument desc = etcdserver: user name is empty

my config like this:

extraConfigFiles:
  user.yaml: |+
    common:
      security:
        authorizationEnabled: true
    etcd:
      auth:
         enable: true
         userName: etcdusername
         password: etcdpwd
........
externalEtcd:
  enabled: true
  endpoints:
    - http://etcd.etcd.svc.cluster.local:2379

[PowderLi]

maybe forget to update etcd.rbac.enable: true, just try it
https://github.com/zilliztech/milvus-helm/blob/master/charts/milvus/values.yaml#L555

if still fail, please upload etcd's log and related log

[ViokingTung]

maybe forget to update etcd.rbac.enable: true, just try it https://github.com/zilliztech/milvus-helm/blob/master/charts/milvus/values.yaml#L555

if still fail, please upload etcd's log and related log

my external etcd work well(enabled rbac), it verified by other program.
etcd log when milvus connecting:

2024-03-01T10:19:55.551954935+08:00 {"level":"warn","ts":"2024-03-01T02:19:55.551697Z","caller":"etcdserver/util.go:170","msg":"apply request took too long","took":"311.635946ms","expected-duration":"100ms","prefix":"read-only range ","request":"key:\"health\" ","response":"","error":"auth: user name is empty"}

my etcd key config:

image:
  registry: docker.io
  repository: bitnami/etcd
  tag: 3.5.10-debian-11-r2
........
replicaCount: 5
........
auth:
  ## Role-based access control parameters
  ## ref: https://etcd.io/docs/current/op-guide/authentication/
  ##
  rbac:
    ## @param auth.rbac.create Switch to enable RBAC authentication
    ##
    create: true
    ## @param auth.rbac.allowNoneAuthentication Allow to use etcd without configuring RBAC authentication
    ##
    allowNoneAuthentication: true
    ## @param auth.rbac.rootPassword Root user password. The root user is always `root`
    ##
    rootPassword: "etcdpwd"
    

k8s milvus default.yaml

etcd:
  endpoints:
    - http://etcd.etcd.svc.cluster.local:2379

metastore:
  type: etcd

k8s milvus user.yaml

common:
  security:
    authorizationEnabled: true
etcd:
  auth:
     enable: true
     userName: etcdusernmae
     password: etcdpwd

[PowderLi]

sorry, I'm not good at answering such questions: etcd's warning log, may related to network
you can found more useful information from k3s-io/k3s#9207

did milvus run well? any ERROR/WARN log?

[ViokingTung]

sorry, I'm not good at answering such questions: etcd's warning log, may related to network you can found more useful information from k3s-io/k3s#9207

did milvus run well? any ERROR/WARN log?

Thank you for your many thoughtful answer, I think it caused by milvus connected etcd uncorrectly,maybe has a little bug, I wait someone have same issue with me and find a way to solve this problem. thanks for your work.

[ViokingTung]

@PowderLi hi, I find the problem, no matter true or false for etcd.rbac.enable, the etcd authentication is still off in fact, so you get a wrong tested result. this is a bug.