If require-client-certs is false then cert-file and key-file should not be necessary
Some initial questions
- Are you sure your feature is not already implemented in the latest Kea version? No, I am running version 2.2.0-isc20220726061131
- Are you sure what you would like to do is not possible using some other mechanisms? It is possible but wrong.
- Have you discussed your idea on kea-users or kea-dev mailing lists? No
Is your feature request related to a problem? Please describe.
If you configure require-client-certs as false in high availability hooks, you should not be required to declare cert-file and key-file.
It is very important to describe what you would like to do and why?
Why? It doesn't make sense for a remote Kea server to require a client certificate from another Kea server when it is already configured as non-required.
Describe the solution you'd like A clear and concise description of what you want to happen.
Example config from the high availability hook:

    "peers": [
        {
            "auto-failover": true,
            "name": "kea-dhcpremote-2.kea-dhcpremote.default.svc.cluster.local.",
            "role": "primary",
            "url": "http://10.244.0.7:8000/"
        },
        {
            "auto-failover": true,
            "cert-file": "/certs/kea-client.crt",
            "key-file": "/certs/kea-client.key",
            "name": "kea-dhcpremote-1.kea-dhcpremote.default.svc.cluster.local.",
            "require-client-certs": false,
            "role": "standby",
            "trust-anchor": "/certs/ca.crt",
            "url": "https://10.244.0.5:8000/"
        },
        {
            "auto-failover": true,
            "name": "kea-dhcpremote-0.kea-dhcpremote.default.svc.cluster.local.",
            "role": "backup",
            "url": "http://10.244.0.10:8000/"
        }
    ]

From the above config snippet, the cert-file and key-file should not be needed.
Describe alternatives you've considered: The alternative is to generate a bogus client certificate file and client key file and point to them. Note that the files do not need to be the correct ones since they are not used.
Funding its development: Kea is run by ISC, which is a small non-profit organization without any government funding or any permanent sponsorship organizations. Are you able and willing to participate financially in the development costs? No, sorry
Participating in development: Are you willing to participate in the feature development? ISC team always tries to make a feature as generic as possible, so it can be used in a wide variety of situations. That means the proposed solution may be a bit different than you initially thought. Are you willing to take part in the design discussions? Are you willing to test an unreleased engineering code? I would have to ask my employer
Contacting you How can ISC reach you to discuss this matter further? If you do not specify any means such as e-mail, jabber id or a telephone, we may send you a message on github with questions when we have them. jon.bjarni@menandmice.com