-
Notifications
You must be signed in to change notification settings - Fork 547
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mesh-wide CA path #1973
Mesh-wide CA path #1973
Conversation
* Add VerifyCertificateAtClient boolean to ProxyConfig * Add DefaultCertificateAuthorityPath string to ProxyCOnfig * Add InsecureSkipVerify boolean to DestinationRule
* Make `VerifyCertificateAtClient` hidden for meshConfig * Reorganize documentation to be more legible
Skipping CI for Draft Pull Request. |
mesh/v1alpha1/proxy.proto
Outdated
// | ||
// If `VerifyCertificateAtClient` is `true`, | ||
// `DefaultCertificateAuthorityPath` will default to the OS CA bundle for the proxy. | ||
string default_certificate_authority_path = 36; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we should have a path. Default should always be system certificates, which is context specific for each proxy (depending on OS)
mesh/v1alpha1/proxy.proto
Outdated
@@ -498,6 +498,32 @@ message ProxyConfig { | |||
// The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret) | |||
// are added automatically by Istiod. | |||
repeated string ca_certificates_pem = 34; | |||
|
|||
// `VerifyCertificateAtClient` sets the mesh global default for peer certificate validation |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is not a mesh global, its a per proxy configuration
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Didn't catch this when I was updating the doc
@@ -923,6 +923,10 @@ message ClientTLSSettings { | |||
// certificates to use in verifying a presented server certificate. If | |||
// omitted, the proxy will not verify the server's certificate. | |||
// Should be empty if mode is `ISTIO_MUTUAL`. | |||
// | |||
// If `CaCertificates`is set, proxy verifies CA signature based on given CaCertificates. | |||
// This setting take priority over ProxyConfig `DefaultCertificateAuthorityPath` and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How can I "unset" VerifyCertificateAtClient=true to not verify?
// destination rule to verify the SANs. If unset, and | ||
// `VerifyCertificateAtClient` is false, proxy does not verify SANs. | ||
// | ||
// Client-side proxy will exact match host as well as one level wildcard if |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this the current semantics today?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is brought over from VerifyCertificateAtClient
in MeshConfigs. It seemed more suitable here
* Delete ProxyConfig.DefaultCertificateAuthorityPath * Fix typo in documentation stating mesh wide effects instead of proxy effects * Clarify documentation
@Kmoneal: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2021-05-14. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager. |
Address istio/istio#32539