support ZK auth and ACLs in serverset announcer #1192
Comments
|
@zircote would you mind elaborating on your motivations for this? My (hopefully incorrect) understanding is that zookeeper's password authentication provides no real security benefit, since credentials are transmitted in plaintext. I just want to make sure this feature is going to be actually useful and not snake oil ;) |
|
It is not so much about securing the znodes for me as it is about making it less likely that one team/engineer can not harm or interfere with others. If someone unwanted gets to the zk servers we have bigger problems than zk. We currently have our discovery tree under acls to disallow accidental/unwanted mutation by individuals. |
|
Ok, that's the answer I wanted to hear ;) This sounds reasonably easy if it's acceptable to have these credentials stored in linkerd configs. |
…#1192) This branch adds the rebinding logic added to outbound clients in linkerd#1185 to the controller client used in the proxy's `control::destination::background` module. Now, if we are communicating with the control plane over TLS, we will rebind the controller client stack if the TLS client configuration changes, using the `WatchService` added in linkerd#1177. Signed-off-by: Eliza Weisman <[email protected]> Signed-off-by: Brian Smith <[email protected]> Co-authored-by: Brian Smith <[email protected]>
We have this for dtab storage, but not for announcements yet.
The text was updated successfully, but these errors were encountered: