tls: allow cert validation by only leaf trusted CA's CRL #18289
Conversation
Signed-off-by: Shikugawa <rei@tetrate.io>
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
There was a problem hiding this comment.
Thanks flushing out some comments. cc @ggreenway to provide a quick sanity check of the feature.
/wait
|
Thanks for the quick change! @Shikugawa |
Signed-off-by: Shikugawa <rei@tetrate.io>
There was a problem hiding this comment.
Flushing some more API comments. I will defer to @lizan and others for the testing review to make sure we have good coverage, thanks.
/wait
|
@lizan Could you take a look? |
There was a problem hiding this comment.
API LGTM thanks. I will defer to @lizan for the TLS/test review. Thank you!
|
Needs a main merge. Ping @lizan PTAL. /wait |
|
Needs a main merge. /wait |
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
Signed-off-by: Shikugawa <rei@tetrate.io>
|
/retest |
|
Retrying Azure Pipelines: |
|
/retest |
|
Retrying Azure Pipelines: |
Signed-off-by: Shikugawa <rei@tetrate.io>
|
/retest |
|
Retrying Azure Pipelines: |
|
/retest |
|
Retrying Azure Pipelines: |
There was a problem hiding this comment.
This looks good to me. Thanks @Shikugawa for the change, and @mattklein123 for the headsup
Signed-off-by: Shikugawa rei@tetrate.io
Commit Message: Allow cert validation by only leaf trusted CAs CRL
Additional Description: Close #18268. In the previous implementation, we don't have availability to validate certs when all trusted CAs don't have their own CRLs if any trusted CAs have that. This feature allows validating even if all trusted CAs don't have CRLs.
Risk Level: Low
Testing: Unit
Docs Changes: Required
Release Notes: Required
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Deprecated:]
[Optional API Considerations:]
cc @incfly