Fixing SDS field/semantics in the gateway#780
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
Repeating what I said earlier: the server certificates are still there. Or only the secret name is mandatory; the server path is additional customization. And systems that are auto-provisioning the gateways are already generating the Gateway configs and the k8s secrets based on the hostnames. So all they have to do is something like this: Explicit spec avoids confusions caused by auto-inference of that one single field.
ping
networking/v1alpha3/gateway.proto
| // using this name, instead of using the file system paths specified | ||
| // above. The semantics of the name are platform dependent. In | ||
| // Kubernetes, the default Istio supplied credentail server expects the | ||
| // credentialName to be of the form secretName.namespace, where the |
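Review bot: "credentail" in "the default Istio supplied credentail server" should read "credential". Also, the reply on this hunk states that the namespace suffix is not required because the controller always retrieves the secret from its own namespace, so the "secretName.namespace" form described here should be reworded to say the name is matched against a secret in the controller's own namespace.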
The namespace is not required. The controller must always retrieve the secret from its own namespace.
@louiscryan
/lgtm
@myidpt: changing LGTM is restricted to assignees, and only istio/api repo collaborators may be assigned issues.
/lgtm
networking/v1alpha3/gateway.proto
| // The credentialName stands for a unique identifier that can be used | ||
| // to identify the serverCertificate and the privateKey (not the | ||
| // CaCertificates) associated with this server. Gateway workloads |
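Review bot: the parenthetical "(not the CaCertificates)" contradicts the later clarification in this thread that CA certificates are delivered via SDS as well; drop the exclusion or state that credentialName can also resolve the caCertificates needed for mutual TLS, otherwise readers configuring mTLS will keep a file path for the CA bundle when they no longer need to.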
Curious - why not CaCertificates? For mTLS we need that too. Not a big deal...
I dunno... @myidpt said only the public and private key are shipped.
Clarified. We support delivering the cacerts in SDS as well.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: costinm, JimmyCYJ, myidpt, rshriram.
| // be configured to retrive the credentials using this name, instead of | ||
| // using the file system paths specified above. The semantics of the | ||
| // name are platform dependent. In Kubernetes, the default Istio | ||
| // supplied credentail server expects the credentialName to match the |
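Review bot: two typos in this comment block, "retrive" should be "retrieve" and "credentail" should be "credential"; both spellings recur in the earlier version of this comment, so fix them in one pass.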
What this API allows is to always have an SDS agent in the gateway pod while still using old-style file-based configs. Then users can incrementally migrate to the SDS server by changing their existing gateway configs to use the CredentialStoreRemoteBackend with the resourceName as secretName. In other words, it allows some servers in a gateway to have file-based paths and others to have SDS.

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
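An added illustration of the mixed mode the commit message describes; this is not configuration from the PR, from Istio's documentation, or from any of the participants. One Gateway carries two HTTPS servers: the first keeps the file-system `serverCertificate`/`privateKey` paths, the second hands credential lookup to the SDS agent through `credentialName`, which is the field the proto comments above document. The Gateway name, hostnames, secret name and file paths are constructed placeholders, and `mode: SIMPLE` is the standard Istio TLS mode field, assumed here because the PR excerpt does not show it.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mixed-gateway            # constructed name
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  # Server 1: legacy file-based TLS. The certificate and key must already be
  # mounted into the gateway pod at these paths (constructed paths).
  - port:
      number: 443
      name: https-legacy
      protocol: HTTPS
    hosts:
    - legacy.example.com         # constructed hostname
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
  # Server 2: credentials fetched by name through the SDS agent. No file paths
  # are given; the credential server resolves "sds-example-credential"
  # (constructed name) to the serverCertificate and privateKey it holds.
  - port:
      number: 443
      name: https-sds
      protocol: HTTPS
    hosts:
    - sds.example.com            # constructed hostname
    tls:
      mode: SIMPLE
      credentialName: sds-example-credential
```

Both servers share port 443 and are distinguished by SNI host, so a migration can proceed one server block at a time without touching the legacy block. Per the reply on the first hunk, the credential server reads the secret from its own namespace, so the secret named in the second block is created there rather than necessarily alongside the Gateway; and since the thread settled that CA certificates can also be delivered by name, the same `credentialName` form applies to a `MUTUAL` server that would otherwise need a `caCertificates` path.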