
Show sds config name in /certs when Secret Discovery Service is used #6315

@yangminzhu

Title: Show sds config name in /certs when Secret Discovery Service is used

Description:
The /certs admin path shows the certificate name used in Envoy, and this is very useful for debugging as it refers to the certificate used in the listener/cluster tls config.

The following is the /certs output when SDS is enabled:

...
   "ca_cert": [
    {
     "path": "\u003cinline\u003e",
     "serial_number": "116db900f6bb4bd4a3fcd8fa57a1b141",
     "subject_alt_names": [],
     "days_until_expiration": "36196",
     "valid_from": "2018-04-25T21:11:33Z",
     "expiration_time": "1982-03-19T15:43:17Z"
    }
   ],
   "cert_chain": [
    {
     "path": "\u003cinline\u003e",
     "serial_number": "0287be20c0bc92ce9d87b5f5f396f2ef1d7670",
     "subject_alt_names": [
      {
       "uri": "my-service-1"
      }
     ],
     "days_until_expiration": "0",
     "valid_from": "2019-03-18T22:43:59Z",
     "expiration_time": "2019-03-19T22:48:59Z"
    }
   ]
  },
  {
   "ca_cert": [
    {
     "path": "\u003cinline\u003e",
     "serial_number": "116db900f6bb4bd4a3fcd8fa57a1b141",
     "subject_alt_names": [],
     "days_until_expiration": "36196",
     "valid_from": "2018-04-25T21:11:33Z",
     "expiration_time": "1982-03-19T15:43:17Z"
    }
   ],
   "cert_chain": [
    {
     "path": "\u003cinline\u003e",
     "serial_number": "0287be20c0bc92ce9d87b5f5f396f2ef1d7670",
     "subject_alt_names": [
      {
       "uri": "my-service-2"
      }
     ],
     "days_until_expiration": "0",
     "valid_from": "2019-03-18T22:43:59Z",
     "expiration_time": "2019-03-19T22:48:59Z"
    }
   ]
  },
...

When SDS is enabled, only <inline> is shown for all certs in the dump, which makes the /certs page kind of useless as you cannot link it back to the sds config name in the listener/cluster tls config.

Expected Behavior:
The sds config name should be used in the /certs output.

string name = 1;

@JimmyCYJ @lizan @htuch thoughts?
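
The limitation described in this issue, shown as an added example that is not part of the original issue or of Envoy's code: a small audit of /certs output that reports which `path` values are shared by several different certificates, plus entries at or near expiry. The top-level `certificates` key, the shortened serial numbers and the file-based entry are assumptions made for the constructed sample.

```python
import json
from collections import defaultdict

def _cert(path, serial, days, *uris):
    # Build one constructed certificate record with the fields shown in the issue.
    return {"path": path, "serial_number": serial, "days_until_expiration": str(days),
            "subject_alt_names": [{"uri": u} for u in uris]}

# Constructed sample shaped like the /certs output quoted in the issue. The
# top-level "certificates" key and the file-based entry are assumptions.
SAMPLE = json.dumps({"certificates": [
    {"ca_cert": [_cert("<inline>", "116db9", 36196)],
     "cert_chain": [_cert("<inline>", "0287be", 0, "my-service-1")]},
    {"ca_cert": [_cert("<inline>", "116db9", 36196)],
     "cert_chain": [_cert("<inline>", "0287be", 0, "my-service-2")]},
    {"ca_cert": [_cert("/etc/certs/ca.pem", "aa01", 300)],
     "cert_chain": [_cert("/etc/certs/chain.pem", "bb02", 90, "my-service-3")]},
]})

def audit_certs(raw, warn_days=7):
    """Return (ambiguous_paths, expiring) for an Envoy /certs JSON document."""
    identities = defaultdict(set)   # path -> distinct certificates reported under it
    expiring = []
    for idx, entry in enumerate(json.loads(raw).get("certificates", [])):
        for kind in ("ca_cert", "cert_chain"):
            for cert in entry.get(kind, []):
                sans = tuple(v for san in cert.get("subject_alt_names", [])
                             for v in san.values())
                identities[cert.get("path", "")].add((kind, cert["serial_number"], sans))
                if int(cert["days_until_expiration"]) <= warn_days:
                    expiring.append((idx, kind, sans))
    # A path naming several different certificates cannot be traced to one tls config.
    ambiguous = {p: len(ids) for p, ids in identities.items() if len(ids) > 1}
    return ambiguous, expiring

if __name__ == "__main__":
    ambiguous, expiring = audit_certs(SAMPLE)
    for path, count in ambiguous.items():
        print(f"{path!r} is reported for {count} different certificates")
    for idx, kind, sans in expiring:
        print(f"entry {idx} {kind} {list(sans)} is at or near expiry")
```

On the sample, only `<inline>` is flagged as ambiguous, so the expiring certificates can be told apart by their SANs but not traced to a named SDS config.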

Labels: enhancement, help wanted
