Mesh-wide CA path #1973
Mesh-wide CA path #1973
Conversation
* Add VerifyCertificateAtClient boolean to ProxyConfig * Add DefaultCertificateAuthorityPath string to ProxyCOnfig * Add InsecureSkipVerify boolean to DestinationRule
* Make `VerifyCertificateAtClient` hidden for meshConfig * Reorganize documentation to be more legible
istio-testing
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
google-cla
bot
added
the
cla: yes
istio-testing
added
the
size/M
mesh/v1alpha1/proxy.proto
Outdated
| // | ||
| // If `VerifyCertificateAtClient` is `true`, | ||
| // `DefaultCertificateAuthorityPath` will default to the OS CA bundle for the proxy. | ||
| string default_certificate_authority_path = 36; |
There was a problem hiding this comment.
I don't think we should have a path. Default should always be system certificates, which is context specific for each proxy (depending on OS)
mesh/v1alpha1/proxy.proto
Outdated
| @@ -498,6 +498,32 @@ message ProxyConfig { | |||
| // The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret) | |||
| // are added automatically by Istiod. | |||
| repeated string ca_certificates_pem = 34; | |||
|
|
|||
| // `VerifyCertificateAtClient` sets the mesh global default for peer certificate validation | |||
There was a problem hiding this comment.
this is not a mesh global, its a per proxy configuration
There was a problem hiding this comment.
Thanks! Didn't catch this when I was updating the doc
| @@ -923,6 +923,10 @@ message ClientTLSSettings { | |||
| // certificates to use in verifying a presented server certificate. If | |||
| // omitted, the proxy will not verify the server's certificate. | |||
| // Should be empty if mode is `ISTIO_MUTUAL`. | |||
| // | |||
| // If `CaCertificates`is set, proxy verifies CA signature based on given CaCertificates. | |||
| // This setting take priority over ProxyConfig `DefaultCertificateAuthorityPath` and | |||
There was a problem hiding this comment.
How can I "unset" VerifyCertificateAtClient=true to not verify?
| // destination rule to verify the SANs. If unset, and | ||
| // `VerifyCertificateAtClient` is false, proxy does not verify SANs. | ||
| // | ||
| // Client-side proxy will exact match host as well as one level wildcard if |
There was a problem hiding this comment.
is this the current semantics today?
There was a problem hiding this comment.
This is brought over from VerifyCertificateAtClient in MeshConfigs. It seemed more suitable here
* Delete ProxyConfig.DefaultCertificateAuthorityPath * Fix typo in documentation stating mesh wide effects instead of proxy effects * Clarify documentation
istio-testing
added
the
needs-rebase
|
@Kmoneal: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2021-05-14. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager. |
istio-policy-bot
added
the
lifecycle/automatically-closed
Address istio/istio#32539