Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Env Var allowing proxies to utilize OS CA Cert (#33472)
* Env Var allowing proxies to utilize OS CA Cert
* Introduce VERIFY_CERTIFICATE_AT_CLIENT as a bool env var
* Select an existing CA cert bundle from a set of known file locations
* If bool set and DR does not set CaCertificates, replace the proxies' CA cert with an OS CA cert found in the file system
* Move OS cert replace logic to proxy
* Fix typo
* Move function in pilot code and check for OS cert once
* Move SdsCertificateConfigFromResourceName out of pilot authenticate code and into utils for agent.
* Determine OS CA certificate in pilot-agent to pass down instead of searching for the file more often
* Linter and change setting off by default
* Move OS CA Path find to option generation
* Add release notes
* Lock pointers when accessing or using them
* Remove mutex inside Options
* Fix secret resource choice
* Add unit tests
* Fix tests and linter errors
* Improve tests, releasenotes and logging
* Add back code that was needed
* Fix linter issues
* Use string constant in place of file-root:system
* Update to remove proxy from ClusterBuilder
* Fix auto import location
* Refactor code
* Refactor SdsCertificateConfig to common package
* Move security tests from util.go
* Fix releasenotes
* Add documentation to public methods
* Improve VERIFY_CERT_AT_CLIENT testing
* initialize CAFilePath in security instead of main
* Refactor and remove dead code
* Remove code that is no longer needed with CA file path being generated on init
* Move CACertFilePath init outside of shared package so it only needs to be made for sdsservice.go and secretcache.go
* Refactor to move cafile package
* Refactor toEnvoySecret function
* Revert changes that were needed for istiod to know the OS CA file path
* Fix linter problems
* Correct tests and introduce caRootPath to SecretManager
* SecretManager uses GenerateSecret and to avoid adding another parameter to the function, SecretManager implementations need to have it in the type.
* `file-root:` was missing from secretcache_test.go to pull the correct certificate information
* Fix missing argument for mock initialization
* Reverse mock changes and replace string with const
* Fix SdsCertificateConfig to use file-root:system cert.
* Fix tests by removing file-root: prefix
* Fix empty OS CA cert causing an error
* Remove testing print code
* Rebase cluster_builder_test update struct
* Fix rebase changes made to DestinationRule
Showing 18 changed files with 693 additions and 145 deletions.