feat(crypto): add ca cert to ratelimit tls context

Signed-off-by: owl <ouyangjun1999@gmail.com>
envoyproxy · Jun 14, 2023 · 92c7107 · 92c7107
1 parent 1a7e62e
commit 92c7107
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go
@@ -17,8 +17,6 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/utils/pointer"
 
-	// "k8s.io/apimachinery/pkg/api/resource"
-	// "k8s.io/utils/pointer"
 	gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 	"sigs.k8s.io/yaml"
 

diff --git a/internal/xds/translator/ratelimit.go b/internal/xds/translator/ratelimit.go
@@ -33,6 +33,8 @@ const (
 	rateLimitClientTLSCertFilename = "/certs/tls.crt"
 	// rateLimitClientTLSKeyFilename is the ratelimit key file.
 	rateLimitClientTLSKeyFilename = "/certs/tls.key"
+	// rateLimitClientTLSCACertFilename is the ratelimit ca cert file.
+	rateLimitClientTLSCACertFilename = "/certs/ca.crt"
 )
 
 // patchHCMWithRateLimit builds and appends the Rate Limit Filter to the HTTP connection manager
@@ -304,6 +306,13 @@ func buildRateLimitTLSocket() (*corev3.TransportSocket, error) {
 	tlsCtx := &tlsv3.UpstreamTlsContext{
 		CommonTlsContext: &tlsv3.CommonTlsContext{
 			TlsCertificates: []*tlsv3.TlsCertificate{},
+			ValidationContextType: &tlsv3.CommonTlsContext_ValidationContext{
+				ValidationContext: &tlsv3.CertificateValidationContext{
+					TrustedCa: &corev3.DataSource{
+						Specifier: &corev3.DataSource_Filename{Filename: rateLimitClientTLSCACertFilename},
+					},
+				},
+			},
 		},
 	}