Service mesh: add mTLS auth method #24263
Merged
Commits on Mar 16, 2023
-
This adds an mTLS auth handler to the Serice Mesh auth package. It will listen on a given port and does a mutual TLS handshake with SPIFFE IDs it received. This will assure the both sides got the needed certificates. In order to integrate with the datapath tables it also improves the SPIFFE interface to use the Cilium Numeric Identities. And convert them from and to valid SNI fields. As well as implement code to validate the URI SANS inside the certificates. Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
-
Remove the debug statement for processing SVIDs
Removing the debuig line that tells which SVID it received. The delegate API will send the state of the world on every sync. In very large deployments this will make a lot of debug logs. Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
-
Add mTLS auth to the Helm chart
This adds the ability to enable mtls-spiffe support in the Helm chart, It will set the required config flags to the defaults as wel as mount the spire socket to the agent pods. Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.