feat(appmesh): allow configuring mutual TLS #15101
Conversation
Title does not follow the guidelines of Conventional Commits. Please adjust title before merge.
I have to say, I have some trouble following the justification for many of the changes in this PR.
@Seiya6329 I've left you a few comments, and a lot of questions. Would appreciate some clarification 🙂.
Thanks a lot for the answers to my questions @Seiya6329! They were super helpful. I now have a good vision of the goals of this PR, and how it should look.
Let me know what you think of my proposed changes!
REV#3:
Overall LGTM. Just a nit about a comment and I agree with the SAN match change.
REV4:
This is really looking great! Some comments, mainly related to naming.
Also, make sure to edit the description of the PR to include all of the breaking changes that are made as part of this PR, like you did in #14856 (comment).
Thanks @skinny85 for pointing out the breaking change! I totally overlooked it, since my original plan was not to introduce any of them.
REV5:
REV6:
@skinny85 - I think I was able to address all the pending feedback and updated the main comment. Thanks for working along with me on this!
The code looks perfect @Seiya6329! Fix the few remaining ReadMe issues, and we'll merge this in.
REV7:
Looks great!
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
This is the last part of the series to implement the mTLS feature. For the breakdown of the series, please refer to [this comment](aws#14782 (comment)).

#### Collaborators

@alexbrjo and @dfezzie. Thank you!

#### REV

- Adding SDS certificate source to `TlsCertificate` and `TlsValidationTrust`.
- Adding `subjectAlternativeNames` property to `TlsValidation`.
- Adding `mutualTlsCertificate` property to `ClientPolicyTlsOptions`.
- Adding `mutualTlsValidation` property to `ListenerTlsOptions`.
- Updating `README` to include an mTLS implementation example.
- Updating `TlsValidationTrustConfig` to have a single property.

#### Design Note:

- Client certificates in a TLS Client Policy and server validation in a listener TLS configuration can only be sourced from `SDS` or `File` certificates. ACM certificates are currently not supported ([reference doc](https://docs.aws.amazon.com/app-mesh/latest/userguide/mutual-tls.html)).
- A compile error is implemented to block assigning an ACM certificate.
- `TlsValidationTrustConfig` is updated to have a single property to reduce repetition, since all four properties share the same shape.
- `SubjectAlternativeNames` is modeled as an abstract class to include the factory method. In future, if more match patterns are added, use the `or()` method to extend.

Closes aws#12733.

BREAKING CHANGE: static methods from `TlsValidationTrust` have been changed to accept positional arguments
- **appmesh**: static methods from `TlsCertificate` have been changed to accept positional arguments
- **appmesh**: the type `TlsListener` has been renamed to `ListenerTlsOptions`

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
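The PR description above lists the two halves of an App Mesh mTLS configuration (the listener's `mutualTlsValidation` with a `trust` and `subjectAlternativeNames`, and the client policy's `mutualTlsCertificate` alongside its own `validation`) but does not show what those settings mean once the proxies talk to each other. The following Go program is an added example, not code from this PR or from the aws-cdk project: it uses the standard `crypto/tls` package as a stand-in for the Envoy proxy that App Mesh configures, mapping each CDK option onto the `tls.Config` field that enforces it, and drives four handshakes to show which side rejects what. The in-memory CA, the names `backend.apps.local` / `frontend.apps.local`, the `exactSAN` helper (modeled on `SubjectAlternativeNames.matchingExactly()`), and the scenario labels are all assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint issues a P-256 certificate for name signed by parent, or a self-signed CA when parent
// is nil. The PKI is constructed in memory for this demo; App Mesh would read the equivalent
// files from disk or fetch them over SDS. Generation errors panic: they are demo bugs, not policy.
func mint(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a throwaway PKI
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     []string{name}, // the DNS SAN that matchingExactly() is compared against
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // CA: self-signed and allowed to sign leaves
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // cannot fail on DER we just produced
	return cert, key
}

// exactSAN mirrors SubjectAlternativeNames.matchingExactly(): once the chain validates against
// the trust bundle, the peer's leaf must carry one of the listed DNS SANs verbatim (no wildcards).
func exactSAN(allowed ...string) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		for _, san := range chains[0][0].DNSNames {
			for _, want := range allowed {
				if san == want {
					return nil
				}
			}
		}
		return fmt.Errorf("peer SANs %v match none of %v", chains[0][0].DNSNames, allowed)
	}
}

// listenerConfig is the server half (ListenerTlsOptions with mutualTlsValidation): present our
// certificate, demand a client certificate chained to trust, then apply the SAN allow list.
func listenerConfig(cert tls.Certificate, trust *x509.CertPool, clientSANs ...string) *tls.Config {
	return &tls.Config{
		Certificates:          []tls.Certificate{cert},
		ClientAuth:            tls.RequireAndVerifyClientCert,
		ClientCAs:             trust,
		VerifyPeerCertificate: exactSAN(clientSANs...),
	}
}

// clientPolicyConfig is the client half (ClientPolicyTlsOptions with validation plus
// mutualTlsCertificate): validate the server against trust and its expected SAN, present ours.
func clientPolicyConfig(cert tls.Certificate, trust *x509.CertPool, serverSAN string) *tls.Config {
	return &tls.Config{
		Certificates:          []tls.Certificate{cert},
		RootCAs:               trust,
		ServerName:            serverSAN, // also drives SNI
		VerifyPeerCertificate: exactSAN(serverSAN),
	}
}

// handshake runs one exchange over loopback TCP and returns the first failure from either side.
// Under TLS 1.3 the client finishes before the server has checked the client certificate, so the
// client reads one record to surface a server-side rejection.
func handshake(server, client *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return err
	}
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			_, err = conn.Write([]byte("ok")) // implicit server handshake, then one record
		}
		serverErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return err
	}
	defer conn.Close()
	if _, err := conn.Read(make([]byte, 2)); err != nil {
		return err
	}
	return <-serverErr
}

// scenarios pairs the two halves against a constructed mesh CA and a rogue CA; nil means the
// handshake succeeded, otherwise the error says which check rejected it.
func scenarios() map[string]error {
	meshCA, meshKey := mint(nil, nil, "mesh-ca")
	rogueCA, rogueKey := mint(nil, nil, "rogue-ca")
	trust := x509.NewCertPool()
	trust.AddCert(meshCA)
	leaf := func(ca *x509.Certificate, key *ecdsa.PrivateKey, san string) tls.Certificate {
		crt, k := mint(ca, key, san)
		return tls.Certificate{Certificate: [][]byte{crt.Raw}, PrivateKey: k}
	}
	backend := leaf(meshCA, meshKey, "backend.apps.local")
	frontend := leaf(meshCA, meshKey, "frontend.apps.local")
	listener := listenerConfig(backend, trust, "frontend.apps.local")
	return map[string]error{
		"valid pair":                    handshake(listener, clientPolicyConfig(frontend, trust, "backend.apps.local")),
		"client SAN not in allow list":  handshake(listener, clientPolicyConfig(leaf(meshCA, meshKey, "other.apps.local"), trust, "backend.apps.local")),
		"client cert from untrusted CA": handshake(listener, clientPolicyConfig(leaf(rogueCA, rogueKey, "frontend.apps.local"), trust, "backend.apps.local")),
		"server SAN not expected":       handshake(listener, clientPolicyConfig(frontend, trust, "api.apps.local")),
	}
}

func main() {
	for name, err := range scenarios() {
		fmt.Printf("%-30s -> %v\n", name, err)
	}
}
```

The second and third scenarios are the ones worth noticing: a certificate issued by the trusted CA but carrying a different SAN is rejected by the listener just as an untrusted certificate is, which is what `subjectAlternativeNames` adds on top of `trust`. Without the SAN check, any workload holding a certificate from the mesh CA could reach any listener, so the trust bundle alone does not bound which peers may connect.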