[WIP] TLS: generate certificates pair dynamically (#18928)#19137
LuyaoZhong wants to merge 2 commits into envoyproxy:main from
Conversation
1. Introduce API to set root CA cert/key to enable this feature, e.g.

   ```yaml
   common_tls_context:
     tls_root_ca_certificate:
       cert: {"filename": "root-ca.pem"}
       private_key: {"filename": "root-ca.key"}
   ```

2. Generate/reuse dynamic certificates pair in TLS transport socket and set SSL*
   a. if there are no corresponding cached certs, create a CSR and create certs signed by the root CA, then cache the generated certs in a local cache looked up by host name
   b. if there are corresponding cached certs, reuse them

Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
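The two steps above, written out as an added example against the Go standard library (this is not code from the PR or from Envoy, which is C++ on BoringSSL; Go is used because `crypto/x509` has the CSR, signing and chain-verification pieces built in, so the example runs stand-alone). A signing CA, which may be a root or an intermediate, issues a leaf for a host name from a CSR, caches the pair keyed by host name, and hands a cached pair back on the next lookup. The names `dynamicIssuer`, `newDynamicIssuer`, `PairFor`, `newCA` and `verifyLeaf`, the P-256 keys, and the one-hour leaf lifetime are all choices made for this example, not anything the PR specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// dynamicIssuer: the signing CA (root or intermediate) plus the per-host cache from step 2.
type dynamicIssuer struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	ttl    time.Duration
	cache  map[string]*tls.Certificate // unlocked; add a mutex if shared across threads
}

func newDynamicIssuer(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, ttl time.Duration) (*dynamicIssuer, error) {
	if !caCert.IsCA || caCert.KeyUsage&x509.KeyUsageCertSign == 0 { // leaves from a non-CA never verify
		return nil, errors.New("signer is not a CA certificate with keyCertSign")
	}
	return &dynamicIssuer{caCert: caCert, caKey: caKey, ttl: ttl, cache: map[string]*tls.Certificate{}}, nil
}

// PairFor returns the cached pair for host (2b); otherwise it generates a key,
// builds and checks a CSR, signs it with the CA and caches the result (2a).
func (d *dynamicIssuer) PairFor(host string) (*tls.Certificate, error) {
	now := time.Now()
	if p, ok := d.cache[host]; ok && now.Add(time.Minute).Before(p.Leaf.NotAfter) {
		return p, nil // cache hit; an entry about to expire is re-issued instead
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the CSR key
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	// Copy only subject and SANs from the CSR; copying its raw extensions would
	// let a requester ask for CA:TRUE or extra key usages.
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: now.Add(-5 * time.Minute), NotAfter: now.Add(d.ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // IsCA stays false
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, d.caCert, csr.PublicKey, d.caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	d.cache[host] = &tls.Certificate{Certificate: [][]byte{der, d.caCert.Raw}, PrivateKey: key, Leaf: leaf} // leaf + CA
	return d.cache[host], nil
}

// newCA is a constructed test helper: self-signed root if parent is nil, else an intermediate.
func newCA(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyLeaf checks a leaf as a client would: root trusted, intermediate in the chain, host name matched.
func verifyLeaf(leaf, intermediate, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}
```

Two points worth noting when carrying this into a proxy: the cache entry carries the signing CA alongside the leaf, because when the signer is an intermediate the peer needs it in the handshake to build a path to the root; and the issuer copies only the subject and SANs out of the CSR, never its raw extensions, so the generator cannot be talked into minting a CA certificate or an unexpected key usage.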
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to
}

// [#next-free-field: 3]
message TlsRootCACertificate {
This doesn't have to be root CA, an intermediate CA works as well.
//
// Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*,
// *tls_certificate_provider_instance* and *tls_root_ca_certificate* may be used.
TlsRootCACertificate tls_root_ca_certificate = 15;
Another thought: can this be one of CertificateProvider? I think that's a natural extension point you might want to use, though the extension mechanism itself isn't implemented yet. cc @markdroth
+1 for CertificateProvider. There have been other requests for that in the past (I think related to managing enormous numbers of certificates and not having a filter-chain per cert).
What's the status of the CertificateProvider implementation? Is there any PoC code that would allow me to test with my patch?
The config is defined in the .protos, but it hasn't been implemented yet.
So you mean this should be a config.core.v3.TypedExtensionConfig of CertificateProvider, right?
Is there any example that implemented such a config? Where am I supposed to define the TypedExtensionConfig, and how do I use it in the config file?
Not exactly, you don't need an API change in this file. Just implement the CertificateProvider extension point, and the certificate generator should be one of the extensions. If you're still unclear, ping me on Slack.
I got that I don't need an API change in this file. I just want another implemented extension point like this for reference.
The closest one is PrivateKeyMethodProvider; you can search for code related to it to see how an extension point is implemented.
When I dived into the code and tried to implement this, these names confused me:
CertificateProviderPluginInstance, CertificateProvider, CertificateProviderPluginInstance
I need time to ramp up on the extension mechanism. I'd like to confirm it is CertificateProvider; if so, I will create a new issue to discuss its implementation, since it will serve general usage in the future.
@LuyaoZhong is this PR WIP? Either way, the PR state should reflect the title. There are some minor formatting issues, but I think this PR is waiting on feedback to be implemented before further review. /wait

@phlax Yes, it's WIP. I need to implement an API extension point first; thanks for adding the label.
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

This pull request has been automatically closed because it has not had activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
@phlax @lizan @ggreenway could you reopen this PR?
/wait-any |
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

This pull request has been automatically closed because it has not had activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!
Introduce API to set root CA cert/key to enable this feature, e.g.

   ```yaml
   common_tls_context:
     tls_root_ca_certificate:
       cert: {"filename": "root-ca.pem"}
       private_key: {"filename": "root-ca.key"}
   ```

Generate/reuse dynamic certificates pair in TLS transport socket and set SSL*
   a. if there are no corresponding cached certs, create a CSR and create certs signed by the root CA, then cache the generated certs in a local cache looked up by host name
   b. if there are corresponding cached certs, reuse them

Signed-off-by: Luyao Zhong luyao.zhong@intel.com