Comments (10)
brandond
commented on August 16, 2024
This may be related to go-sql-driver/mysql#564
from kine.
up9cloud
commented on August 16, 2024
@brandond It's not related, that because if you want to connect to GCP mysql, you have to use dsn with ip (not with domain) and you have to manually pass the server name to tls config to let it verify by server name.
from kine.
brandond
commented on August 16, 2024
Wait, so you're connecting to it with an IP address in the datastore URI, but want to validate the certificate against a hostname, because the IP address isn't in the SAN list on the server's cert?
Can you provide an example?
from kine.
up9cloud
commented on August 16, 2024
@brandond yes it is.
See this commit for another project:
I use config something like this:
{
"jobDBAddress": "(123.123.123.123)/kala?tls=custom",
"jobDBUsername": "user",
"jobDBPassword": "the secret",
"jobDBTlsServerName": "api-0000000000000-00000:blabla"
}and it works perfectly
from kine.
up9cloud
commented on August 16, 2024
that's how GCP mysql with TLS works 😂
from kine.
up9cloud
commented on August 16, 2024
See this also:
from kine.
brandond
commented on August 16, 2024
So they basically require you to disable TLS verification because "the mysql client libraries by default have hostname verification disabled" and they seem to think that using unique self-signed certs makes MITM impossible somehow? This all seems quite broken.
from kine.
up9cloud
commented on August 16, 2024
Well, to be honestly, I'm not familiar with MITM, and don't know why they made like that. I just want to use k3s with TLS mysql on GCP. All I know is there are 2 ways to solve this:
- Let
?tls=skip-verifyworks (this is the way that we connect to server but skip that verification, like you said) - Pass
ServerNameto tls config to verify by server name (this is that we connect to it and verify the cert by the server name they request)
from kine.
fredleger
commented on August 16, 2024
Also hitting this.
I think the best option is to honor the tls=skip-verify flag since this is a classic and it might help in other reason than Google Cloud (if not the ssl lib won't have included it)
from kine.
fredleger
commented on August 16, 2024
For those that are affected by this one just want to share that using postgresql has not this side effect since pq does honor sslmode=verify-ca
from kine.
Related Issues (20)
- amd64 publish steps fail due to missing dependencies
- Any plan to support `ProgressNotify` feature? HOT 11
- gRPC health probe on Kine deployment does not work HOT 4
- Kine responds with the resourceVersion corresponding to the maxRowId globally, rather than the one associated with the specified prefix. HOT 10
- k3s mysql数据库存储kine表 HOT 5
- Latest version release don't include build artifacts. HOT 2
- Opentelemetry instrumentation for sql drivers including postgresql HOT 2
- mysql: check db and table exist before creating
- Kine does not handle `WatchRequest_ProgressRequest` message
- Add metrics for received etcd calls HOT 16
- Document options for etcd client authentication in tcp listener HOT 2
- Kubeadm + Kine + NATS possible bug: illegal resource version from storage: 0 HOT 5
- Add support for SurrealDB
- kine periodic query causes MySQL CPU 100% load HOT 1
- [Question] Does Having A Caching Layer Make Sense? HOT 1
- "TTL event watch failed to get start revision" HOT 3
- [Question] is kine able to support data sharding in mysql? HOT 1
- Multi-replica Kine HOT 1
- Add support for RISC-V 64
- MariaDB in README HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kine.