Add Support for providing TLS certificates for Ingress listeners from an SDS source #10903
agent/xds/listeners.go (outdated)
// Return a specific route for this service as it needs a custom FilterChain
// to serve its custom cert so we should attach its routes to a separate
// Route too.
return fmt.Sprintf("%s_%s", key.RouteName(), s.ToServiceName().ToServiceID().String()), nil
TODO:
- This causes conflicts in Ent tests because it means that the default ns service web has a route named web in OSS but default/default/web in Ent, causing all golden files to conflict. This probably needs to follow the same logic as structs.Upstream.Identifier, which omits default values to keep the identifiers consistent between OSS and Ent. Shame we can't easily re-use that method from here with the types available.
Fixed in later commit.
Updated with fixes from Enterprise version.
…ot a mounted path
…tegration that doesn't support v2
LGTM
🍒 If backport labels were added before merging, cherry-picking will start automatically. To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/455247.
This builds on #10613.
This PR adds a new low-level feature for Ingress Gateways. It allows operators to specify an external Envoy SDS (Secret Discovery Service) service and load TLS certificates for listeners from it.
The PR commits logically work through each package/area that needed updates, with relevant tests, so that may be a cleaner way to view the diff.
Documentation still to-do, but the intended usage is as shown in the integration test:
- Proxy.Config.envoy_extra_static_clusters_json configuration. This static cluster specifies how to connect to the SDS service(s) and takes care of authenticating the ingress to that SDS service however the SDS integration requires.
- ingress-gateway Config Entry to specify which SDS certificate resource names to load (from which clusters) for the whole gateway, each listener or per service.
TODO Before
This is ready for review as it is, I think, as the code is all here. There are several additional bits that I will either do in this PR or a follow-up before this is released:
- api package updates for Config Entry
TODO In later PR