Fixes MAISTRA-2324: Backport multi-root support for Envoy #92
maistra-bot merged 6 commits into maistra:maistra-2.1 from
Force-pushed from 057f294 to 9bca8bc
envoyproxy/envoy#14884 ported. @oschaaf: fixed the comparison you pointed out the other day; the main changes in this batch are here: https://github.com/maistra/envoy/pull/92/files#diff-067aae04811b0f9ec5191388ebd58efe08012c3bc75e0951c028448ec87e2d70R164. I'm quite certain we are OK (see the comment); an alternative would be to open up internal OpenSSL structures (something I try to do sparingly) and just use upstream code without changes.
Force-pushed from 9bca8bc to fa297b0
port of tls: separate out cert validation logic from ContextImpl (#14757)
cherry-pick of tls: implement SPIFFE Certificate Validator for independent multiple trust domain support (#14884) Adds the extension point for certificate validations, and its first implementation for SPIFFE multi trust domain support in a single listener or cluster. Resolves envoyproxy/envoy#14614 and envoyproxy/envoy#9284. Risk Level: low (only adding the new extension point and one implementation for it) Testing: unit tests and integration tests. Docs Changes: Release Notes: tls: implement SPIFFE Certificate Validator for independent multiple trust domain support. Signed-off-by: Takeshi Yoneda <takeshi@tetrate.io>
tls: fix flaky integration test of SPIFFE validator (#15301) Previously these tests flaked due to an early counter check before the counter is actually incremented, and failed occasionally around 1~3%. I tried this with --runs_per_test=10000 and it never failed. Signed-off-by: Takeshi Yoneda <takeshi@tetrate.io> Signed-off-by: Dmitri Dolguikh <ddolguik@redhat.com>
Add separate SPIFFE integration test build target. (#15324) Signed-off-by: Takeshi Yoneda <takeshi@tetrate.io> Signed-off-by: Dmitri Dolguikh <ddolguik@redhat.com>
tls: enable allow_expired_certificate for SPIFFE validator (#15426) Signed-off-by: Takeshi Yoneda <takeshi@tetrate.io> Signed-off-by: Dmitri Dolguikh <ddolguik@redhat.com>
Force-pushed from fa297b0 to 9b72e59
oschaaf
left a comment
One comment, other than that LGTM
    bssl::UniquePtr<X509_STORE_CTX> verify_ctx(X509_STORE_CTX_new());
    // We make a copy of X509_VERIFY_PARAMs in the store_ctx that we received as a parameter.
    // This is a precaution mostly, as Envoy doesn't configure any X509_VERIFY_PARAMs.
    // Note that there's no api to copy crls from one store_ctx to another; the assumption is that
This sentence is slightly hard to grok because of the double negation; if it is semantically correct probably not worth iterating on, but if this is accidental perhaps it is.
Ugh, indeed, this is hard to understand, and I wrote it. Fixed.
tls: enable match_subject_alt_names option in SPIFFE validator (#15509) Signed-off-by: Takeshi Yoneda <takeshi@tetrate.io> Signed-off-by: Dmitri Dolguikh <ddolguik@redhat.com>
Force-pushed from 9b72e59 to 41c3342
* Fixes MAISTRA-2324: port of tls: separate out cert validation logic from ContextImpl (#14757)
* Fixes MAISTRA-2324: cherry-pick of tls: implement SPIFFE Certificate Validator for independent multiple trust domain support (#14884) Adds the extension point for certificate validations, and its first implementation for SPIFFE multi trust domain support in a single listener or cluster. Resolves envoyproxy/envoy#14614 and envoyproxy/envoy#9284. Risk Level: low (only adding the new extension point and one implementation for it) Testing: unit tests and integration tests. Docs Changes: Release Notes: tls: implement SPIFFE Certificate Validator for independent multiple trust domain support. Signed-off-by: Takeshi Yoneda <takeshi@tetrate.io>
* Fixes MAISTRA-2324: cherry-pick of tls: fix flaky integration test of SPIFFE validator (#15301) Previously these tests flaked due to an early counter check before the counter is actually incremented, and failed occasionally around 1~3%. I tried this with --runs_per_test=10000 and it never failed. Signed-off-by: Takeshi Yoneda <takeshi@tetrate.io> Signed-off-by: Dmitri Dolguikh <ddolguik@redhat.com>
* Fixes MAISTRA-2324: cherry-pick of Add separate SPIFFE integration test build target. (#15324) Signed-off-by: Takeshi Yoneda <takeshi@tetrate.io> Signed-off-by: Dmitri Dolguikh <ddolguik@redhat.com>
* Fixes MAISTRA-2324: cherry-pick of tls: enable allow_expired_certificate for SPIFFE validator (#15426) Signed-off-by: Takeshi Yoneda <takeshi@tetrate.io> Signed-off-by: Dmitri Dolguikh <ddolguik@redhat.com>
* Fixes MAISTRA-2324: cherry-pick of tls: enable match_subject_alt_names option in SPIFFE validator (#15509) Signed-off-by: Takeshi Yoneda <takeshi@tetrate.io> Signed-off-by: Dmitri Dolguikh <ddolguik@redhat.com>
Co-authored-by: Takeshi Yoneda <takeshi@tetrate.io>
This is a port of tls: separate out cert validation logic from ContextImpl (#14757) (the original PR: envoyproxy/envoy#14757).
The next PR in the queue is envoyproxy/envoy#14884. It's going to be tricky; upstream relies on what is an OpenSSL-internal data structure in their spiffe validator implementation.
@dgn, @oschaaf.
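The independent multi-trust-domain validation that the #14884 commit message describes, as an added illustration in Go (this is not Envoy's, Maistra's or Istio's code; Go is used because its standard library runs the whole scenario offline): each trust domain gets its own root bundle, the bundle is chosen by the trust domain in the peer certificate's spiffe:// URI SAN, and a leaf signed by another domain's CA, or naming a domain with no bundle, is rejected. The SPIFFEValidator type, the issue and TrustDomain helpers and the a.example/b.example domains are assumptions constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// SPIFFEValidator: one root bundle per trust domain, never merged, so domain A's root cannot vouch for domain B.
type SPIFFEValidator map[string]*x509.CertPool

// Validate picks the bundle by the trust domain (host) of the leaf's spiffe:// URI SAN; no bundle means fail closed.
func (v SPIFFEValidator) Validate(leaf *x509.Certificate) error {
	for _, u := range leaf.URIs {
		if u.Scheme == "spiffe" {
			if pool, ok := v[u.Host]; ok {
				_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
				return err
			}
			return fmt.Errorf("unknown trust domain %q", u.Host)
		}
	}
	return fmt.Errorf("certificate carries no spiffe:// URI SAN")
}

// issue makes constructed test certs (not Maistra/Istio material): a self-signed CA if parent is nil, else a leaf for spiffe://td/path.
func issue(td, path string, isCA bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: isCA, BasicConstraintsValid: true,
		URIs: []*url.URL{{Scheme: "spiffe", Host: td, Path: path}}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// TrustDomain registers a fresh CA as the sole root for td and returns it with its key.
func TrustDomain(v SPIFFEValidator, td string) (*x509.Certificate, *ecdsa.PrivateKey) {
	ca, key := issue(td, "", true, nil, nil)
	v[td] = x509.NewCertPool()
	v[td].AddCert(ca)
	return ca, key
}
```

Call TrustDomain once per domain, then Validate on each peer leaf; the lookup failing closed matters because a nil Roots in VerifyOptions would silently fall back to the system trust store.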