9a53601a18
Etcd currently supports validating peers based on their TLS certificate's CN field. The current best practice for creation and validation of TLS certs is to use the Subject Alternative Name (SAN) fields instead, so that a certificate might be issued with a unique CN and its logical identities in the SANs. This commit extends the peer validation logic to use Go's `(*"crypto/x509".Certificate).ValidateHostname` function for name validation, which allows SANs to be used for peer access control. In addition, it allows name validation to be enabled on clients as well. This is used when running Etcd behind an authenticating proxy, or as an internal component in a larger system (like a Kubernetes master).
Documentation
etcd is a distributed key-value store designed to reliably and quickly preserve and provide access to critical data. It enables reliable distributed coordination through distributed locking, leader elections, and write barriers. An etcd cluster is intended for high availability and permanent data storage and retrieval.
Getting started
New etcd users and developers should get started by downloading and building etcd. After getting etcd, follow this quick demo to see the basics of creating and working with an etcd cluster.
Developing with etcd
The easiest way to get started using etcd as a distributed key-value store is to set up a local cluster.
- Setting up local clusters
- Interacting with etcd
- gRPC etcd core and etcd concurrency API references
- HTTP JSON API through the gRPC gateway
- gRPC naming and discovery
- Client and proxy namespacing
- Embedding etcd
- Experimental features and APIs
- System limits
Operating etcd clusters
Administrators who need a fault-tolerant etcd cluster for either development or production should begin with a cluster on multiple machines.
Setting up etcd
System configuration
Platform guides
Security
Maintenance and troubleshooting
Learning
To learn more about the concepts and internals behind etcd, read the following pages: