Add sds_name into gateway config.#772
Conversation
googlebot
added
the
cla: yes
networking/v1alpha3/gateway.proto
Outdated
| // Otherwise default to the default cipher list supported by Envoy. | ||
| repeated string cipher_suites = 9; | ||
|
|
||
| // Optional: Name of credential to be queried by gateway via secret discovery |
There was a problem hiding this comment.
Optional: If specified, the gateway controllers (with SDS enabled) use the specified name as the SDS secret config name to call the SDS server, to retrieve the key and certificates. Otherwise, the gateway controllers (with SDS enabled) uses the first value in the hosts as the SDS secret config name to call the SDS server.
networking/v1alpha3/gateway.proto
Outdated
| // Optional: If specified, the gateway controllers (with SDS enabled) | ||
| // use the specified name as the SDS secret config name to call the SDS | ||
| // server, to retrieve the key and certificates. Otherwise, the gateway | ||
| // controllers (with SDS enabled) uses the first value in the hosts as |
|
/lgtm |
|
@myidpt: changing LGTM is restricted to assignees, and only istio/api repo collaborators may be assigned issues. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: costinm, JimmyCYJ, myidpt The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
* Add sds_name into gateway config * Update comment * Update comment
| // use the specified name as the SDS secret config name to call the SDS | ||
| // server, to retrieve the key and certificates. Otherwise, the gateway | ||
| // controllers (with SDS enabled) use the first value in the hosts as | ||
| // the SDS secret config name to call the SDS server. |
There was a problem hiding this comment.
I dont think you should use the first value in hosts. Thats very arbitrary and could end up fetching someone else's secret. There is no mandate for the hosts in a gateway to be unique.
Second, this API is very adhoc. How does this work with the certificates that the end user specifies? Do they work together or is there some other magic behind the scenes ? The agreement earlier was to make this a oneOf such that the user either specifies the certs or the secret name. Not both. And certainly not this gratuitous default of picking the first host.
Please fix this before implementing it.
|
For most users the cert management will be automated, so user doesn't have to manually handle secrets. The 'sdsSecret' is used if user has existing certs in place. Having both 'file' and 'sdsSecret' is actually intended behavior if user runs Ingresses on both k8s and non-k8s environments. In non-k8s the file will be used. We should make it clear that sdsSecret will take precedence if SDS is available, falling back to file and default. Naming certs with the first hostname happens to be the convention that few popular ACME tools use. |
8 participants
Add sds_name into gateway config. In order to obtain credentials, gateway sends SDS requests with this sds_name to gateway agent.