Hi Team,
I've been trying to have service registration and discovery using Eureka over SSL for a Java application (Spring Boot based).
My Eureka clients are able to register with the Eureka server service over SSL (by modifying the DiscoveryClient.DiscoveryClientOptionalArgs bean), as illustrated below:
import java.io.File;
import javax.net.ssl.SSLContext;
import com.netflix.discovery.DiscoveryClient;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class EurekaClientSslConfig {
    @Value("${eureka.ssl.key-store}") private File keyStore;                       // client identity (property names assumed)
    @Value("${eureka.ssl.key-store-password}") private String keyStorePassword;
    @Value("${eureka.ssl.key-password}") private String keyPassword;
    @Value("${eureka.ssl.trust-store}") private File trustStore;                   // CA/peer certs the client trusts
    @Value("${eureka.ssl.trust-store-password}") private String trustStorePassword;
    @Bean // hands the SSLContext to the Eureka client's Jersey transport, so registration and heartbeats use TLS
    public DiscoveryClient.DiscoveryClientOptionalArgs getTrustStoredEurekaClient(SSLContext sslContext) {
        DiscoveryClient.DiscoveryClientOptionalArgs args = new DiscoveryClient.DiscoveryClientOptionalArgs();
        args.setSSLContext(sslContext);
        return args;
    }
    @Bean // builds the SSLContext from the key material (identity) and the trust material (trusted CAs)
    public SSLContext sslContext() throws Exception {
        return new SSLContextBuilder().loadTrustMaterial(trustStore, trustStorePassword.toCharArray())
            .loadKeyMaterial(keyStore, keyStorePassword.toCharArray(), keyPassword.toCharArray()).build();
    }
}
The code above uses a keystore and a truststore to configure DiscoveryClientOptionalArgs. That works well for a single Eureka server.
Now, when I try to have multiple Eureka servers (a Eureka cluster with 2 servers that are peers of each other),
my two Eureka servers are not able to sync up with each other. Does Eureka use some other HttpClient implementation for syncing the peer registries that needs to be custom configured (similar to EurekaJerseyClient and DiscoveryClientArgs used for Eureka client to Eureka server heartbeats)?
Need suggestions and help to find an approach for having peer Eureka services syncing over SSL.
Comment From: spencergibb
Please don't post the same issue in multiple repos.
Comment From: ryanjbaxter
My two Eureka servers are not able to sync up with each other
Why? What happens?
Comment From: venkatesh-007
Received a bad_Certificate error in the Eureka server logs.
Comment From: venkatesh-007
The same certs are used for Eureka client to server registration, which works fine.
Comment From: venkatesh-007
And some clients (Eureka clients) successfully registered to one Eureka server and some successfully registered to the other server, but neither of the Eureka servers has all the applications, which ideally is the case if I run it over HTTP normally.
Comment From: spencergibb
Probably related to #3554 and the ability to customize the peer replication client. In fact, it's probably a duplicate.
Comment From: venkatesh-007
Closing it, as it's a duplicate of https://github.com/spring-cloud/spring-cloud-netflix/issues/3554
Comment From: venkatesh-007
@spencergibb @ryanjbaxter How do I configure Eureka service discovery to peer-sync with another service discovery over SSL?
The documentation has info for a peer cluster over HTTP; can we have something for HTTPS as well?
I know I'm asking this again.
But it doesn't make sense that you need to customize the HTTP client (JerseyReplicationClient) just for running your service discovery over HTTPS.
Comment From: spencergibb
HTTP clients absolutely need to be configured for HTTPS.
Comment From: venkatesh-007
@spencergibb Can't HTTP clients be configured to take the keystore and truststore info by default from the Tomcat/Netty on which the service is running? Or by using JVM arguments? Some HTTP clients do work like that.
Because in case you have to run your Spring Cloud Gateway + Eureka service discovery + microservices over HTTPS,
you have to configure the HTTP client in Spring Cloud Gateway + configure the discovery client in the gateway and microservices for client to Eureka server registration + configure JerseyReplicationClient in the Eureka server in case you have multiple servers.
That's a lot of custom config to be done.
Comment From: spencergibb
Some will; it appears this one does not.
Comment From: venkatesh-007
@spencergibb So IIRC the peer communication client customization is still in a PR, so there's no user using Eureka service discovery over HTTPS who has a multi-server cluster for service discovery, each syncing the registered set with each other?
That's doubtful.
Comment From: venkatesh-007
I guess we're definitely missing something here.
Comment From: spencergibb
Not sure what you want me to say.
Comment From: venkatesh-007
Nope, it's not like that. It just sounds odd, something that should be addressed in eureka-core.
Because that means there's no working production-grade service discovery peer-to-peer implementation. I know you can have it over HTTP as it just exposes service metadata, but still.
Comment From: spencergibb
Because that means there's no working production-grade service discovery peer-to-peer implementation.
Netflix isn't production grade?
Comment From: venkatesh-007
In that case, that means they're running Eureka discovery over HTTP, is it?
Comment From: spencergibb
Not necessarily. You can install certs into JVMs.
Comment From: venkatesh-007
@spencergibb Configuring DiscoveryClient or JerseyReplicationClient is a step to run Eureka over SSL. None of this is documented anywhere, though some of them are closed issues (DiscoveryClient is).
Can we chat on Gitter if you don't mind? I seek some guidance on this.
Comment From: venkatesh-007
You mean by passing JVM arguments?
Comment From: venkatesh-007
So that means HTTP clients will use the certs installed in the JVM?
Comment From: venkatesh-007
Need some explanation on this: how can I run Eureka over SSL, without customizing JerseyReplicationClient, in case I have multiple service discoveries?
Comment From: venkatesh-007
https://github.com/spring-cloud/spring-cloud-netflix/issues/3563#issuecomment-507355759
Can you just explain this a bit?
Comment From: ryanjbaxter
There is no need to spam us; we are very busy, please be patient. Have you Googled how to install certs into the JVM? There is lots of information on the internet about how to do this.
Comment From: venkatesh-007
@spencergibb and @ryanjbaxter Thanks for the suggestions. Trusting the certs in cacerts (as I had self-signed certs) does work when I use a Eureka service discovery cluster (with 2 service discoveries).
But it requires me to have DNS names in the Subject Alternative Names of the cert (this kind of restricts or creates friction in case I have to add an extra server to the environment, in case I'm using VSIs).
In case I have to use a generic cert and skip hostname verification for it, is there any way by which I can do it? (for Eureka peer-to-peer communication)
Comment From: venkatesh-007
If I don't include Subject Alternative Names and use a generic cert, it gives a
javax.net.ssl.SSLPeerUnverifiedException
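The SSLPeerUnverifiedException above is hostname verification doing its job: the peer's certificate must carry a subjectAltName entry matching the host in the peer URL, and a CN-only "generic" cert has none. The Python below is an added example, not code from this thread or from Eureka; it re-implements that matching rule over the dict shape Python's ssl getpeercert() returns (constructed sample certs, hypothetical host names and property names) so a cluster's peer URLs can be checked against a cert before rollout, instead of disabling verification.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns:
# a cert issued with a SAN entry for each Eureka peer (hypothetical names).
PEER_CERT_WITH_SAN = {
    "subject": ((("commonName", "eureka"),),),
    "subjectAltName": (
        ("DNS", "eureka1.example.internal"),
        ("DNS", "eureka2.example.internal"),
        ("IP Address", "10.0.0.11"),
    ),
}
# Constructed sample of a "generic" CN-only cert with no SAN extension:
# this is what produces SSLPeerUnverifiedException on the peer link.
GENERIC_CERT_NO_SAN = {"subject": ((("commonName", "eureka"),),)}


def dns_name_matches(pattern, host):
    """RFC 6125 style comparison: '*' is honoured only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_peer_hostname(cert, host):
    """Return (ok, reason): does a SAN entry cover the peer URL's host? CN is ignored."""
    sans = cert.get("subjectAltName", ())
    if not sans:
        return False, "certificate has no subjectAltName extension"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if kind == "DNS" and ip is None and dns_name_matches(value, host):
            return True, f"matched SAN DNS:{value}"
        if kind == "IP Address" and ip is not None and ipaddress.ip_address(value) == ip:
            return True, f"matched SAN IP:{value}"
    return False, f"no SAN entry matches {host}"


def check_peer_urls(cert, peer_urls):
    """Check every URL from eureka.client.service-url.defaultZone against the cert."""
    return {url: verify_peer_hostname(cert, urlsplit(url).hostname) for url in peer_urls}
```

Adding a server therefore means reissuing the cert with the new peer's DNS name (or a wildcard covering one label), which is the friction noted above but is also what keeps a stolen cert from impersonating any peer.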
Comment From: asharani-m
@venkatesh-007 Were you able to find a solution for this? Multiple Eureka peers on the same host?