Update comment for credentialName #786
[APPROVALNOTIFIER] This PR is NOT APPROVED.
This pull-request has been approved by: JimmyCYJ
If they are not already assigned, you can assign the PR to them by writing the assign command. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files. Approvers can indicate their approval by writing the approve command.
networking/v1alpha3/gateway.proto
| // using the file system paths specified above. If using mutual TLS, | ||
| // gateway workloads will retrieve the CaCertificates using | ||
| // credentialName-cacert. The semantics of the name are platform dependent. | ||
| // In Kubernetes, the default Istio supplied credentail server expects the |
| // credentialName-cacert. The semantics of the name are platform dependent. | ||
| // In Kubernetes, the default Istio supplied credentail server expects the | ||
| // credentialName to match the name of the Kubernetes secret that holds the | ||
| // server certificate, the private key, and the CA certificate |
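Review bot: typo "credentail" in the "In Kubernetes, the default Istio supplied credentail server expects the" line (it appears twice in this hunk); it should read "credential". The closing sentence, "...the server certificate, the private key, and the CA certificate", also lacks a terminating period, and since the PR description says a SIMPLE TLS secret carries only the server certificate and private key, it would help readers to state that the CA certificate is required in the secret only when mutual TLS is used.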
and if using mTLS, "credentialName-cacert" to match the name of the Kubernetes secret that holds the CA certificate.
If using mTLS, the customer only creates one k8s secret with credentialName (e.g. "foo.credential"). Pilot creates two SDS configs for the gateway listener: one is named "foo.credential" and is used to fetch the key and cert; the other is named "foo.credential-cacert" and is used to fetch the certificate validation context that has the CA cert. So I think the comment is okay.
rshriram left a comment:
Please fix the typo and address the minor comment.
Update comment for credentialName.
When the customer specifies credentialName (e.g. "foo.credential") and uses MUTUAL TLS, gateway workloads will send SDS requests with resource name "foo.credential" to retrieve serverCertificate and privateKey, and SDS requests with resource name "foo.credential-cacert" to retrieve CaCertificates. In Kubernetes, the customer needs to create a Kubernetes secret named "foo.credential", which contains the server certificate, the private key, and the CA certificate.
If the customer specifies credentialName (e.g. "foo.credential") and uses SIMPLE TLS, the gateway workload will only send SDS requests with resource name "foo.credential" to retrieve serverCertificate and privateKey, and the Kubernetes secret named "foo.credential" only contains the server certificate and the private key.
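The naming scheme in the description, as an added example that is neither Istio's nor the PR author's code: it derives the SDS resource names a gateway server's credentialName yields per TLS mode and audits whether the Secret of that name holds what the mode needs. The Secret data keys "cert", "key" and "cacert", the server dict shape and the audit function itself are assumptions of this example; the PR names the certificates, not the keys.

```python
# Derives the SDS resource names a gateway workload requests for a server's
# credentialName (as the PR description states) and audits whether the Secret
# of that name holds what the TLS mode needs. Data keys are assumed here.
from typing import Dict, List

SERVER_CERT_KEY = "cert"    # assumed data key: server certificate
PRIVATE_KEY_KEY = "key"     # assumed data key: private key
CA_CERT_KEY = "cacert"      # assumed data key: CA certificate
CACERT_SUFFIX = "-cacert"   # Pilot's resource name for the validation context

def sds_resource_names(credential_name: str, mode: str) -> List[str]:
    """Resource names the gateway workload sends in SDS requests."""
    if mode == "SIMPLE":
        return [credential_name]
    if mode == "MUTUAL":
        return [credential_name, credential_name + CACERT_SUFFIX]
    raise ValueError(f"no credentialName SDS mapping described for {mode!r}")

def audit_gateway(servers: List[dict],
                  secrets: Dict[str, Dict[str, bytes]]) -> List[str]:
    """Return one finding per misconfigured server; [] means all are served."""
    findings: List[str] = []
    for server in servers:
        tls = server.get("tls") or {}
        name, mode = tls.get("credentialName"), tls.get("mode")
        if not name:
            continue   # file-based or passthrough server; nothing via SDS
        secret = secrets.get(name)
        if secret is None:
            findings.append(f"{name!r}: Secret missing; SDS requests for "
                            f"{sds_resource_names(name, mode)} cannot be served")
            continue
        needed = [SERVER_CERT_KEY, PRIVATE_KEY_KEY]
        if mode == "MUTUAL":
            needed.append(CA_CERT_KEY)   # backs the "<name>-cacert" resource
        missing = [k for k in needed if not secret.get(k)]
        if missing:
            findings.append(f"{name!r}: Secret lacks {missing} for {mode} TLS")
    return findings

# Constructed sample input; placeholder bytes, not real key material.
SAMPLE_SERVERS = [
    {"tls": {"mode": "MUTUAL", "credentialName": "foo.credential"}},
    {"tls": {"mode": "MUTUAL", "credentialName": "bar.credential"}},
    {"tls": {"mode": "SIMPLE", "credentialName": "baz.credential"}},
]
SAMPLE_SECRETS = {
    "foo.credential": {"cert": b"CERT", "key": b"KEY", "cacert": b"CA"},
    "bar.credential": {"cert": b"CERT", "key": b"KEY"},
}
```

Running `audit_gateway(SAMPLE_SERVERS, SAMPLE_SECRETS)` reports the MUTUAL server whose Secret lacks the CA certificate and the server whose Secret does not exist, while the fully populated "foo.credential" passes.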