137 changes: 95 additions & 42 deletions networking/v1alpha3/gateway.pb.go


7 changes: 7 additions & 0 deletions networking/v1alpha3/gateway.proto
Expand Up @@ -335,6 +335,13 @@ message Server {
// Optional: If specified, only support the specified cipher list.
// Otherwise default to the default cipher list supported by Envoy.
repeated string cipher_suites = 9;

// Optional: If specified, the gateway controllers (with SDS enabled)
// use the specified name as the SDS secret config name to call the SDS
// server, to retrieve the key and certificates. Otherwise, the gateway
// controllers (with SDS enabled) use the first value in the hosts as
// the SDS secret config name to call the SDS server.

I don't think you should use the first value in hosts. That's very arbitrary and could end up fetching someone else's secret. There is no mandate for the hosts in a gateway to be unique.

Second, this API is very ad hoc. How does this work with the certificates that the end user specifies? Do they work together or is there some other magic behind the scenes? The agreement earlier was to make this a oneOf such that the user either specifies the certs or the secret name. Not both. And certainly not this gratuitous default of picking the first host.

Please fix this before implementing it.

string sds_name = 10;
}

// Set of TLS related options that govern the server's behavior. Use
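Review bot: the doc comment on the new field (the lines above `string sds_name = 10;`) defines a fallback in which the first entry of `hosts` becomes the SDS secret config name, but it does not say what happens when `hosts` is empty, when two servers in the same gateway share a first host, or when `sds_name` is set together with the certificate settings the user already provides in the TLS options; as written, a server can silently resolve to a secret it was never meant to use. Suggest dropping the implicit hosts-derived default, making the secret name and the explicit certificate settings mutually exclusive (a `oneof`, as the inline review already asks), and documenting the behaviour when the gateway controller does not have SDS enabled, so that a set-but-ignored `sds_name` is at least spelled out rather than left to the reader.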
12 changes: 12 additions & 0 deletions networking/v1alpha3/istio.networking.v1alpha3.pb.html


5 changes: 5 additions & 0 deletions proto.lock
Expand Up @@ -3302,6 +3302,11 @@
"name": "cipher_suites",
"type": "string",
"is_repeated": true
},
{
"id": 10,
"name": "sds_name",
"type": "string"
}
]
}
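Review bot: the new proto.lock entry (`"id": 10`, `"name": "sds_name"`, `"type": "string"`, no `is_repeated`, in contrast to the repeated `cipher_suites` entry above it) is consistent with the .proto hunk, but proto.lock is a generated lock file; please confirm it was regenerated by the proto tooling in the same run that produced the gateway.pb.go, .pb.html and gateway_pb2.py changes in this PR rather than edited by hand, otherwise the next regeneration will show a spurious diff here.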
25 changes: 16 additions & 9 deletions python/istio_api/networking/v1alpha3/gateway_pb2.py
