Set Citadel as the default provider for Pilot certificate#20196
Merged
istio-testing merged 5 commits intoistio:masterfrom Jan 20, 2020
Merged
Set Citadel as the default provider for Pilot certificate#20196istio-testing merged 5 commits intoistio:masterfrom
istio-testing merged 5 commits intoistio:masterfrom
Conversation
9bc8066 to
dc04da5
Compare
Contributor
Author
|
/test integ-new-install-k8s-tests_istio |
hzxuzhonghu
reviewed
Jan 15, 2020
pilot/cmd/pilot-agent/main.go
Outdated
pilot/pkg/features/pilot.go
Outdated
dc04da5 to
902a4a5
Compare
howardjohn
approved these changes
Jan 15, 2020
Member
|
run |
902a4a5 to
f9190b4
Compare
70084cc to
b62bc1e
Compare
62a1bc6 to
41a57aa
Compare
41a57aa to
ac58e4a
Compare
ac58e4a to
5744185
Compare
a29e870 to
504e2f8
Compare
6494246 to
8c517b5
Compare
8c517b5 to
12917db
Compare
12917db to
aa1abcb
Compare
aa1abcb to
a1f6327
Compare
Contributor
Author
|
/test e2e-dashboard_istio |
Contributor
Author
|
/test integ-telemetry-k8s-tests_istio |
a1a62c6 to
458483d
Compare
myidpt
reviewed
Jan 19, 2020
There was a problem hiding this comment.
Can you explain why we want to mount the cert? Isn't Pilot using the cert generated by Citadel running inside it?
Contributor
Author
There was a problem hiding this comment.
Pilot uses the cert generated by Citadel. The mouting of the cert is for the TLS between data plane and control plane.
Member
|
what if there is no citadel? can pilot create this?
…On Sat, Jan 18, 2020, 9:13 PM lei-tang ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In manifests/gateways/istio-ingress/templates/deployment.yaml
<#20196 (comment)>:
> @@ -284,6 +286,10 @@ spec:
- name: SDS_ENABLED
value: "{{ .Values.global.sds.enabled }}"
volumeMounts:
+{{- if eq .Values.global.pilotCertProvider "citadel" }}
+ - mountPath: /etc/istio/citadel-ca-cert
Pilot uses the cert generated by Citadel. The mouting of the cert is for
the TLS between data plane and control plane.
—
You are receiving this because your review was requested.
Reply to this email directly, view it on GitHub
<#20196?email_source=notifications&email_token=AAEYGXMZS5U6FV355XDXD7LQ6PON5A5CNFSM4KG6QA7KYY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCSH7ABI#discussion_r368266441>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYGXOW7SCUEOVREBD4IBLQ6PON5ANCNFSM4KG6QA7A>
.
|
Contributor
Author
|
The Citadel referred here is the Citadel linked in Pilot. Even without the legacy Citadel, Pilot can obtained a certificate issued from the Citadel linked in Pilot. |
Member
|
oh I read the pr wrong, I thought pilot was mounting it but that's ingress. Sounds good, ignore me |
458483d to
1beb330
Compare
- As some platforms may not have k8s signing APIs, set Citadel as the default provider for Pilot certificate. - Integration tests when pilotCertProvider=citadel
1beb330 to
cf44d7b
Compare
Fix the file permission problem: error failed to create discovery service: grpcDNS: open ./var/run/secrets/self-signed-root.pem: permission denied
383a6a1 to
e485edd
Compare
e485edd to
d2820b9
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Please provide a description for what this PR is for: #19950.
As some platforms may not have k8s signing APIs, set Citadel as the default provider for Pilot certificate.
And to help us figure out who should review this PR, please
put an X in all the areas that this PR affects.
[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[X ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[X ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure