do not hardcode cert watch path in pilot agent #12142

drichelson wants to merge 4 commits into istio:release-1.1
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: drichelson. Needs approval from an approver in each of these files.

@drichelson: PR needs rebase.

Hi @drichelson. Thanks for your PR. I'm waiting for an istio member to verify that this patch is reasonable to test.
pilot/pkg/model/validation_test.go
Outdated
| isValid: false, | ||
| }, | ||
| { | ||
| name: "cert files to watch partially invalid", |
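Review bot: the case "cert files to watch partially invalid" correctly expects isValid: false, but the fixture list itself is not visible in this hunk; make sure it mixes at least one valid absolute path with one relative or empty entry, so the test proves the validator rejects the whole list on the first bad entry rather than only an all-invalid list. The file also still needs goimports, as flagged below.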
File is not goimports-ed (from goimports)
| type watcher struct { | ||
| certs []CertSource | ||
| certs []string |
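Review bot: changing `certs` from `[]CertSource` to `[]string` drops whatever structure `CertSource` carried, so the only contract left is the comment below that each entry is an absolute file path; that contract should be enforced (reject relative or empty entries before the watcher starts) and stated in a doc comment on the field, otherwise a caller passing a bare file name will silently watch a path relative to the agent's working directory.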
The watcher code now takes a list of absolute file paths to watch. This allows for maximum flexibility when cert file names and locations are dictated by outside forces.
/ok-to-test
@drichelson: The following tests failed.
| envoyProxy := envoy.NewProxy(proxyConfig, role.ServiceNode(), proxyLogLevel, pilotSAN, role.IPAddresses) | ||
| agent := proxy.NewAgent(envoyProxy, proxy.DefaultRetry, pilot.TerminationDrainDuration()) | ||
| watcher := envoy.NewWatcher(certs, agent.ConfigCh()) | ||
| watcher := envoy.NewWatcher(proxyConfig.TlsCertsToWatch, agent.ConfigCh()) |
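Review bot: `proxyConfig.TlsCertsToWatch` replaces the locally built `certs` slice, but nothing in this hunk shows what happens when the field is unset; if `NewWatcher` is handed an empty list it will watch nothing and Envoy will never be restarted on rotation, so either fall back to the default mTLS cert set or fail validation on an empty list, and say which in the field's documentation. As the thread below notes, this also only moves the agent's watch path; the TLS contexts pilot-discovery generates still point at the old location.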
I can not see how these files are used other than to watch them and restart envoy.

true. don't you have to update the mTLS plugin in pilot to generate envoy TLS contexts to use the right paths?
@hzxuzhonghu: correct. The actual certs that envoy uses come from other configs:
- xDS (pilot-discovery) mTLS certs are defined in static config.
- All cert info for proxied requests is passed down from xDS config.
Moving forward, my understanding is that Envoy's SDS will handle more of #2.

My point is xDS still uses the old path /etc/certs. The code change here only tells pilot-agent to watch the new path, but Pilot (discovery) is still using the old one.
@rshriram We'll open a separate issue/PR for any pilot-discovery changes needed to customize these cert paths if that's ok.
No, I think we need fix it here.
@rshriram This PR depends on an update of the vendored

Due to the large number of changes in the

Hi, per my other comment, could you send the API PR to the master branch and send this PR to the master branch as well? This is a two-part fix and I am not sure if both will end up in Pilot before the 1.1 release. I would much rather have a complete feature in 1.1 vs a partial one. We can always cherry-pick these fixes into a 1.1.x patch release, as it's a trivial fix.
| path.Join(model.AuthCertsPath, model.KeyFilename), | ||
| path.Join(model.AuthCertsPath, model.RootCertFilename), | ||
| } | ||
| if role.Type == model.Ingress { |
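Review bot: the `if role.Type == model.Ingress` branch still appends paths built from `model.AuthCertsPath`, which is exactly the hardcoding this PR sets out to remove; since the reviewer below confirms ingress and gateways obtain their certs through SDS with no fixed path, drop the ingress branch and keep only the mTLS cert list, or derive it from the same configurable field the agent now uses.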
I think you can get rid of this ingress cert thing and restrict this to just the mTLS certs. We are using SDS for ingress and gateways, and the certs specified in both do not have to have a standard path. So this code is likely a legacy leftover.
rshriram left a comment:
okay with the changes as it is, but please move to master
Closing and creating a new more comprehensive PR that targets master branch.
Addresses #11984 for pilot-agent.
Note: Changes made in vendor directory will be reverted and a proper update of the api dependency will be committed once istio/api#824 is merged