From beb5614aad24ac6041045357ebd7ba296853f384 Mon Sep 17 00:00:00 2001 From: Xiang Li Date: Tue, 23 Jun 2020 21:07:36 -0700 Subject: [PATCH] doc: add TLS related warnings (#12060) --- Documentation/op-guide/gateway.md | 6 +++--- etcdmain/gateway.go | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Documentation/op-guide/gateway.md b/Documentation/op-guide/gateway.md index 8240d3c54..412b3dc60 100644 --- a/Documentation/op-guide/gateway.md +++ b/Documentation/op-guide/gateway.md @@ -4,7 +4,7 @@ title: etcd gateway ## What is etcd gateway -etcd gateway is a simple TCP proxy that forwards network data to the etcd cluster. The gateway is stateless and transparent; it neither inspects client requests nor interferes with cluster responses. +etcd gateway is a simple TCP proxy that forwards network data to the etcd cluster. The gateway is stateless and transparent; it neither inspects client requests nor interferes with cluster responses. It does not terminate TLS connections, do TLS handshakes on behalf of its clients, or verify if the connection is secured. The gateway supports multiple etcd server endpoints and works on a simple round-robin policy. It only routes to available endpoints and hides failures from its clients. Other retry policies, such as weighted round-robin, may be supported in the future. @@ -74,7 +74,7 @@ $ etcd gateway start --discovery-srv=example.com * Comma-separated list of etcd server targets for forwarding client connections. * Default: `127.0.0.1:2379` - * Invalid example: `https://127.0.0.1:2379` (gateway does not terminate TLS) + * Invalid example: `https://127.0.0.1:2379` (gateway does not terminate TLS). Note that the gateway does not verify the HTTP schema or inspect the requests, it only forwards requests to the given endpoints. #### --discovery-srv 
@@ -103,5 +103,5 @@ $ etcd gateway start --discovery-srv=example.com #### --trusted-ca-file - * Path to the client TLS CA file for the etcd cluster. Used to authenticate endpoints. + * Path to the client TLS CA file for the etcd cluster to verify the endpoints returned from SRV discovery. Note that it is ONLY used for authenticating the discovered endpoints rather than creating connections for data transferring. The gateway never terminates TLS connections or create TLS connections on behalf of its clients. * Default: (not set) diff --git a/etcdmain/gateway.go b/etcdmain/gateway.go index 2654e30d2..b4c246cf1 100644 --- a/etcdmain/gateway.go +++ b/etcdmain/gateway.go @@ -71,7 +71,7 @@ func newGatewayStartCommand() *cobra.Command { cmd.Flags().StringVar(&gatewayDNSCluster, "discovery-srv", "", "DNS domain used to bootstrap initial cluster") cmd.Flags().StringVar(&gatewayDNSClusterServiceName, "discovery-srv-name", "", "service name to query when using DNS discovery") cmd.Flags().BoolVar(&gatewayInsecureDiscovery, "insecure-discovery", false, "accept insecure SRV records") - cmd.Flags().StringVar(&gatewayCA, "trusted-ca-file", "", "path to the client server TLS CA file.") + cmd.Flags().StringVar(&gatewayCA, "trusted-ca-file", "", "path to the client server TLS CA file for verifying the discovered endpoints when discovery-srv is provided.") cmd.Flags().StringSliceVar(&gatewayEndpoints, "endpoints", []string{"127.0.0.1:2379"}, "comma separated etcd cluster endpoints")
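Review bot: In the first gateway.md hunk, "verify if the connection is secured" is vague and should read "verify whether the connection is encrypted", and the sentence would be more useful if it stated the consequence for operators: because the gateway only forwards bytes and never terminates or initiates TLS, clients must themselves establish TLS end to end with the cluster, and a gateway that accepts connections on a plain TCP port says nothing about whether the forwarded traffic is protected. Something like "Clients that need TLS must configure it themselves; the gateway neither adds nor checks encryption" after "...or verify whether the connection is encrypted." would make the warning actionable.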
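Review bot: The `--endpoints` hunk now reads as self-contradictory: the bullet keeps "Invalid example: `https://127.0.0.1:2379`" while the added sentence says the gateway "does not verify the HTTP schema", so a reader cannot tell whether a URL with a scheme is rejected at startup or silently accepted and forwarded as-is. Please state which it is. Also "HTTP schema" should be "URL scheme", and the comma splice should be split: "...does not verify the URL scheme or inspect requests; it only forwards bytes to the given endpoints."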
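Review bot: In the `--trusted-ca-file` doc hunk, "or create TLS connections" should be "or creates TLS connections" and "data transferring" should be "data transfer". More importantly, the bullet never says that the flag has no effect unless `--discovery-srv` is set, which is exactly what the matching help text in gateway.go ("when discovery-srv is provided") says; adding that condition here would prevent operators from setting `--trusted-ca-file` on a static `--endpoints` gateway and assuming the forwarded traffic is now verified.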
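Review bot: In the gateway.go hunk, the help string "path to the client server TLS CA file for verifying the discovered endpoints when discovery-srv is provided." is awkward ("client server TLS CA file") and should say what the file is used for, e.g. "CA file used to verify TLS certificates of endpoints discovered via --discovery-srv; has no effect on forwarded traffic". Since the help text now documents that the flag is only meaningful with `--discovery-srv`, consider also logging a warning (or failing startup) when `--trusted-ca-file` is given without `--discovery-srv`, so the misconfiguration this patch is warning about is surfaced at runtime rather than only in the docs.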