Cert file path override fixes.

[drichelson]

This PR addresses #11984
It is a followup to #12189
Please see api PR: istio/api#902 as it will need to be merged before this can be finalized.

Addresses a few bugs from the original PR and adds the ability to override client certs (set in DestinationRule) with envoy node metadata.

I've included the api changes in the vendor dir. I will remove them once the api PR is merged. This is causing the lint failure.

[istio-testing]

Hi @drichelson. Thanks for your PR.

I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[drichelson]

The role.Metadata was never initialized or read, so setting it was a fail. Instead we are using the new EnvoyNodeMetadata field on the ProxyConfig struct. This gets passed in to the bootstrap code so it seems like the logical place for it to live.

[rshriram]

instead of piggybacking on metadata, cant you do this check after https://github.com/istio/istio/pull/13367/files#diff-5cb6a377bcea0cba4f2dd118a326af06R181 has been called?

[drichelson]

@rshriram I'm not sure what you mean by "piggybacking on metadata". The cert file overrides are used by both the file watcher here in pilot-agent and they are sent as node metadata so they can be used by pilot to configure listeners + clusters.

[drichelson]

fixing typo.

[ericvn]

/ok-to-test

[rshriram]

can you clarify this:

adds the ability to override client certs (set in DestinationRule) with envoy node metadata.

Destination rules merely specify the paths. they dont provide certs. So a bit more context would help.

[drichelson]

@rshriram These changes are all about cert file paths, not cert contents.

I'll outline the current scenario for our (Salesforce) mesh:
Current behavior:

• MUTUAL_TLS mode
• DestinationRule specifies client cert paths for mesh traffic. These client cert paths become the default for our mesh. For K8s mesh nodes we mount certs to these paths and everything works well.
• In the same mesh: We have baremetal/VM nodes where we don't control cert file paths. This PR allows for us to override the client cert file paths in the DestinationRule with per-node settings (via command line args->node metadata)

I hope that helps.

[rshriram]

Sorry for the delayed response and sorry to keep this pr waiting. I understand the setup and the requirement to customize cert path. What I am uncomfortable about is changing the mesh config api to add the default node metadata under the default proxy config section.

This will lead to others stuffing additional metadata in the helm chart that might conflict with ones inserted by us per sidecar in the sidecar injector. What takes precedence ? Default or one in sidecar injector that appears as env vars? I believe it’s latter but that behavior needs documenting and good explanation.

If we can do this without modifying the mesh config proto, it would be great. Otherwise lets get this in with proper docs.

[drichelson]

@rshriram Does the comment in the api PR make sense? Beyond the comment, where in the docs should I be updating info about node metadata?

[drichelson]

@rshriram:

"If we can do this without modifying the mesh config proto, it would be great"

I'm thinking of this as a simpler approach: Abandon command line args for setting cert paths and instead set the ISTIO_META env vars for custom cert paths. The cert watcher can check for these env vars and watch non-default paths if they are set.

Thoughts?

[rshriram]

That works!

[istio-testing]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: drichelson
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: nmittler

If they are not already assigned, you can assign the PR to them by writing /assign @nmittler in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pilot/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[istio-testing]

@drichelson: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
prow/istio-integ-k8s-tests.sh	b058687	link	/test istio-integ-k8s-tests
prow/istio-pilot-multicluster-e2e.sh	b058687	link	/test istio-pilot-multicluster-e2e

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.