Skip to content

docs: document x509 keyUsage and extendedKeyUsage for etcd TLS#1123

Open
Aditya7880900936 wants to merge 1 commit intoetcd-io:mainfrom
Aditya7880900936:docs/tls-x509-keyusage
Open

docs: document x509 keyUsage and extendedKeyUsage for etcd TLS#1123
Aditya7880900936 wants to merge 1 commit intoetcd-io:mainfrom
Aditya7880900936:docs/tls-x509-keyusage

Conversation

@Aditya7880900936
Copy link

@Aditya7880900936 Aditya7880900936 commented Feb 10, 2026

This PR documents recommended X.509 keyUsage and extendedKeyUsage
values for certificates used to secure etcd transport (CA, server,
client, and peer).

This clarifies existing behavior enforced by Go's crypto/tls and
crypto/x509 libraries.

Fixes etcd-io/etcd#19799

Docs-only change.

@k8s-ci-robot
Copy link

k8s-ci-robot commented Feb 10, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Aditya7880900936
Once this PR has been reviewed and has the lgtm label, please assign serathius for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot
Copy link

k8s-ci-robot commented Feb 10, 2026

Hi @Aditya7880900936. Thanks for your PR.

I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@Aditya7880900936 Aditya7880900936 mentioned this pull request Feb 10, 2026
Open
@Aditya7880900936
Copy link
Author

Aditya7880900936 commented Feb 16, 2026

hi @ronaldngounou @ivanvc , Have a look in this PR and feel free to suggest any changes

@ronaldngounou
Copy link
Member

ronaldngounou commented Feb 17, 2026

/ok-to-test

@ronaldngounou
Copy link
Member

ronaldngounou commented Feb 17, 2026

@Aditya7880900936 Can you please fix the lint failures in https://prow.k8s.io/view/gs/kubernetes-ci-logs/pr-logs/pull/etcd-io_website/1123/pull-website-lint/2023798261906673664 ?

@Aditya7880900936
Copy link
Author

Aditya7880900936 commented Feb 17, 2026

@ronaldngounou , i corrected the lint failure kindly check it

@ronaldngounou
Copy link
Member

ronaldngounou commented Feb 18, 2026

Thanks. Could you please squash your commits as well?

@Aditya7880900936
docs: document x509 keyUsage and extendedKeyUsage for etcd TLS
1fdcdae 
Document recommended keyUsage and extendedKeyUsage values
for CA, server, client, and peer certificates used to
secure etcd transport.

Peer certificates are used for mutual TLS and therefore
require both serverAuth and clientAuth extended key usages.

Fixes etcd-io/etcd#19799.

Signed-off-by: Aditya7880900936 <adityasanskarsrivastav788@gmail.com>
@Aditya7880900936
Copy link
Author

Aditya7880900936 commented Feb 18, 2026

Hi @ronaldngounou , I have implmenetd the squash changes you have suggested earlier , feel free to have any suggestions

@ronaldngounou
Copy link
Member

ronaldngounou commented Feb 18, 2026

/lgtm

@jberkus
Copy link
Contributor

jberkus commented Mar 4, 2026

@ivanvc @siyuanfoundation can you have a quick sanity check look at the info here to make sure it's technically correct?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ivanvc ivanvc Awaiting requested review from ivanvc

@siyuanfoundation siyuanfoundation Awaiting requested review from siyuanfoundation

At least 1 approving review is required to merge this pull request.

Assignees

@ronaldngounou ronaldngounou

Labels

lgtm ok-to-test size/S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Document needed x509 (extended)keyUsage required for (server, client, peer, ca) in etcd cluster using TLS transport

4 participants

@Aditya7880900936 @k8s-ci-robot @ronaldngounou @jberkus