add enable_sds_k8s_sa_jwt flag to meshconfig #729
istio-testing merged 3 commits into istio:release-1.1 from
Conversation
/cc @wattli
@quanjielin: GitHub didn't allow me to request PR reviews from the following users: wattli. Note that only istio members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/assign @diemtvu for owner approval
@quanjielin: GitHub didn't allow me to assign the following users: for, owner, approval. Note that only istio members and repo collaborators can be assigned. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| // for k8s service account trustworthy JWT(which is avaialbe for k8s 1.12 or higher), so that K8s API server | ||
| // mounts k8s service account JWT to envoy container, which will be used to generate key/cert eventually. | ||
| // This isn't supported for non-k8s case. | ||
| bool enable_sds_token_mount = 23; |
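Review bot: the comment on `enable_sds_token_mount` has a typo, "avaialbe" should read "available", and since the other flag added in this PR is described as a fallback from this one, this comment should name that flag and say which one wins when both are set, so a reader of either field's doc sees the relationship.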
Are these 2 flags independent?
rename and update comment based on offline chat, PTAL, thanks!
| // If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' | ||
| // (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) | ||
| // and pass to sds server, which will be used to request key/cert eventually. | ||
| // If both enable_sds_token_mount and sds_use_k8s_sa_jwt are set to true, enable_sds_token_mount(trustworthy jwt) takes precedence. |
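Review bot: the last comment line refers to the field as `sds_use_k8s_sa_jwt`, while the PR title names it `enable_sds_k8s_sa_jwt`; make sure the name in the comment matches the declared field so the precedence rule points at a field that exists. The precedence sentence is also the only place the two flags are tied together, so consider mirroring it on the `enable_sds_token_mount` comment.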
Or simply say this flag is ignored if enable_sds_token_mount is set.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: diemtvu, quanjielin. The full list of commands accepted by this bot can be found here. The pull request process is described here. Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
istio/istio#9035
This flag is used by the secret discovery service (SDS).
If set to true, envoy will fetch the normal k8s service account JWT (this is a fallback from the k8s trustworthy JWT, which is only available for k8s 1.12 or higher) from '/var/run/secrets/kubernetes.io/serviceaccount/token'
(https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) and pass it to the SDS server, which will be used to generate the key/cert eventually.
This isn't supported for the non-k8s case.