feat(appmesh): allow configuring mutual TLS #15101
Conversation
|
|
|
Title does not follow the guidelines of Conventional Commits. Please adjust title before merge. |
Seiya6329
changed the title
Seiya6329
force-pushed
the
mTLS
branch
2 times, most recently
from
a104a0d
to
5f0795c
Compare
There was a problem hiding this comment.
I have to say, I have some trouble following the justification for many of the changes in this PR.
@Seiya6329 I've left you a few comments, and a lot of questions. Would appreciate some clarification 🙂.
There was a problem hiding this comment.
Thanks a lot for the answers to my questions @Seiya6329! They were super helpful. I now have a good vision of the goals of this PR, and how it should look.
Let me know what you think of my proposed changes!
|
REV#3:
|
REV4:
|
There was a problem hiding this comment.
This is really looking great! Some comments, mainly related to naming.
Also, make sure to edit the description of the PR to include all of the breaking changes that are made as part of this PR, like you did in #14856 (comment).
|
Thanks @skinny85 for pointing out about the breaking change! I totally overlooked at it since my original plan was not to introduce any of them. |
|
REV5:
|
REV6
|
|
@skinny85 - I think I was able to address all the pending feedback and updated the main comment. Thanks for working along with me on this! |
There was a problem hiding this comment.
The code looks perfect @Seiya6329! Fix the few remaining ReadMe issues, and we'll merge this in.
REV7:
|
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
skinny85
changed the title
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
This is the last part of the series to implement mTLS feature. For the breakdown on series, please refer to [this comment](aws#14782 (comment)). #### Collaborators @alexbrjo and @dfezzie. Thank you! #### REV - Adding SDS certificate source to `TlsCertificate` and `TlsValidationTrust`. - Adding `subjectAlternativeNames` property to `TlsValidation`. - Adding `mutualTlsCertificate` property to `ClientPolicyTlsOptions` - Adding `mutualTlsValidation` property to `ListenerTlsOptions` - Updating `README` to include mTLS implementation example. - Updating `TlsValidationTrustConfig` to have single property #### Design Note: - Client certificates in a TLS Client Policy and server validation in a listener TLS configuration can only be sourced from `SDS` or `File` certificate. ACM certificate is currently not supported ([reference doc](https://docs.aws.amazon.com/app-mesh/latest/userguide/mutual-tls.html)) - Compile-error is implemented to block assigning ACM certificate. - `TlsValidationTrustConfig` is updated to have single property to reduce the repetitions since all four properties share same shape. - `SubjectAlternativeNames` is modeled as an abstract class to include the factory method. In future if more match patterns are added, use `or()` method to extend. Closes aws#12733. BREAKING CHANGE: static methods from `TlsValidationTrust` have been changed to accept positional arguments - **appmesh**: static methods from `TlsCertificate` have been changed to accept positional arguments - **appmesh**: the type `TlsListener` has been renamed to `ListenerTlsOptions` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This is the last part of the series to implement mTLS feature.
For the breakdown on series, please refer to this comment.
Collaborators
@alexbrjo and @dfezzie. Thank you!
REV
TlsCertificateandTlsValidationTrust.subjectAlternativeNamesproperty toTlsValidation.mutualTlsCertificateproperty toClientPolicyTlsOptionsmutualTlsValidationproperty toListenerTlsOptionsREADMEto include mTLS implementation example.TlsValidationTrustConfigto have single propertyDesign Note:
SDSorFilecertificate. ACM certificate is currently not supported (reference doc)TlsValidationTrustConfigis updated to have single property to reduce the repetitions since all four properties share same shape.SubjectAlternativeNamesis modeled as an abstract class to include the factory method. In future if more match patterns are added, useor()method to extend.Closes #12733.
BREAKING CHANGE: static methods from
TlsValidationTrusthave been changed to accept positional argumentsTlsCertificatehave been changed to accept positional argumentsTlsListenerhas been renamed toListenerTlsOptionsBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license