tls: support dual ECDSA/RSA certs via SDS #16605
Conversation
This was previously only supported via static file-based certificate configuration.
Signed-off-by: Greg Greenway <ggreenway@apple.com>
htuch left a comment:
LGTM modulo nit on version history comment.
| * listener: added ability to change an existing listener's address. | ||
| * metric service: added support for sending metric tags as labels. This can be enabled by setting the :ref:`emit_tags_as_labels <envoy_v3_api_field_config.metrics.v3.MetricsServiceConfig.emit_tags_as_labels>` field to true. | ||
| * tcp: added support for :ref:`preconnecting <v1.18.0:envoy_v3_api_msg_config.cluster.v3.Cluster.PreconnectPolicy>`. Preconnecting is off by default, but recommended for clusters serving latency-sensitive traffic. | ||
| * tls: allow dual ECDSA/RSA certs via SDS. This was previously only supported via static file-based certificate configuration. |
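Review bot: the new tls line's claim that dual certs were "previously only supported via static file-based certificate configuration" is too narrow, since certificates supplied inline in a Listener or Cluster transport socket TLS context (not only via file paths) were already supported; suggest wording such as "previously only supported via static, non-SDS certificate configuration".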
That's not true; it was possible to do inline ECDSA/RSA certs via TLS contexts included directly in Listener or Cluster transport socket configuration. Suggest rephrasing to reflect this.
Ah, I see. That's what I intended to say, but the phrasing came out misleading. Will fix.
@ggreenway Sorry to tag you on an old PR. This PR only enabled dual certificates in sds_secret_config but did not touch the Validation Context. Is the assumption that the CA will have a single CA certificate for both the RSA and ECDSA certs it issues? Is that the normal case?

@ramaraochavali The configured CA is a bundle and can have multiple CA certs, so you could bundle an RSA CA and an EC CA in the same bundle and configure it that way.

Thank you. That is what I realized too.
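As an added example (not configuration from the PR or the Envoy repository), a listener-side TLS context that serves both an RSA and an ECDSA certificate via SDS and validates clients against a single CA bundle, as the exchange above describes. The secret names, the file-based SDS source and all /etc/envoy/... paths are assumptions.

```yaml
# Added example, not from the PR. Listener transport socket that fetches both
# server certificates (RSA + ECDSA) and the validation context from SDS.
# Secret names and the /etc/envoy/... paths are assumed placeholders.
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
    require_client_certificate: true
    common_tls_context:
      # One SDS secret per key type; Envoy offers the ECDSA cert to clients
      # that support it and falls back to the RSA cert otherwise.
      tls_certificate_sds_secret_configs:
      - name: server_cert_rsa
        sds_config:
          resource_api_version: V3
          path: /etc/envoy/sds/secrets.yaml
      - name: server_cert_ecdsa
        sds_config:
          resource_api_version: V3
          path: /etc/envoy/sds/secrets.yaml
      # The CA side stays a single secret: trusted_ca is a PEM bundle that can
      # hold both an RSA CA and an EC CA, so no second validation context is needed.
      validation_context_sds_secret_config:
        name: client_ca_bundle
        sds_config:
          resource_api_version: V3
          path: /etc/envoy/sds/secrets.yaml
---
# Contents of /etc/envoy/sds/secrets.yaml (assumed path): one Secret resource
# per server certificate plus one for the validation context.
resources:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
  name: server_cert_rsa
  tls_certificate:
    certificate_chain: { filename: /etc/envoy/certs/server-rsa.crt }
    private_key:       { filename: /etc/envoy/certs/server-rsa.key }
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
  name: server_cert_ecdsa
  tls_certificate:
    certificate_chain: { filename: /etc/envoy/certs/server-ecdsa.crt }
    private_key:       { filename: /etc/envoy/certs/server-ecdsa.key }
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
  name: client_ca_bundle
  validation_context:
    # PEM bundle: the RSA root and the EC root concatenated into one file.
    trusted_ca: { filename: /etc/envoy/certs/ca-bundle.pem }
```

Envoy rejects a context that lists two certificates of the same key type, so keep exactly one RSA and one ECDSA entry.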
Commit Message: This was previously only supported via static file-based certificate configuration.
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Additional Description:
Risk Level: Low
Testing: Added integration test; possibly need more unit tests
Docs Changes: Documented in protos
Release Notes: Added
Platform Specific Features: none