Do not use in-memory root for citadel #14512

Closed
wattli opened this issue Jun 1, 2019 · 4 comments

@wattli
Contributor

commented Jun 1, 2019

If Citadel fails to update the CA-root stored in K8s secret, it uses an in-memory root for the cluster. This was introduced in very early stages to support testing Citadel in special environments (non-K8s). Now we should not support in-memory root, because the in-memory root is not sustainable for production usage. It may also cause issues in special scenarios. For example, when Citadel fails to read the existing CA-root secret, it may choose to generate a separate root cert and use it to issue certificates for the cluster, which conflicts with the existing root cert.

@wenchenglu @wattli @lei-tang
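
The failure mode described above, as an added example that is not part of the original issue and is not Citadel's code: a fail-closed root loader that creates a root only when the store positively reports none exists, and refuses to serve a root it could not persist. `SecretStore`, `LoadRoot`, `ErrNotFound` and the sample values are hypothetical names constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound means the store positively reports that no CA-root secret exists.
var ErrNotFound = errors.New("ca-root secret not found")

// SecretStore is a hypothetical stand-in for the K8s secret holding the CA root.
type SecretStore struct {
	Get    func() ([]byte, error)
	Create func(root []byte) error
}

// LoadRoot never returns a root that is not persisted in the store.
func LoadRoot(s SecretStore, generate func() ([]byte, error)) ([]byte, error) {
	root, err := s.Get()
	if err == nil {
		return root, nil
	}
	if !errors.Is(err, ErrNotFound) {
		// A root may already exist; minting another would conflict with it.
		return nil, fmt.Errorf("read CA root: %w", err)
	}
	if root, err = generate(); err != nil {
		return nil, fmt.Errorf("generate CA root: %w", err)
	}
	if err = s.Create(root); err != nil {
		// Not persisted, so do not keep serving it from memory.
		return nil, fmt.Errorf("persist CA root: %w", err)
	}
	return root, nil
}

func main() {
	gen := func() ([]byte, error) { return []byte("constructed-root"), nil }
	// Constructed failure: the read errors out although a root may exist.
	broken := SecretStore{Get: func() ([]byte, error) { return nil, errors.New("api timeout") }}
	_, err := LoadRoot(broken, gen)
	fmt.Println("read failure ->", err)
}
```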

@duderino

Contributor

commented Jun 10, 2019

The fix went out in 1.1.8 and 1.0.8. Is there any reason to keep this issue open?

@howardjohn

Member

commented Jun 10, 2019

We should keep this open until the change gets into 1.2 probably (#14505)

@duderino

Contributor

commented Jun 10, 2019

@myidpt this is a 1.2 release blocker

@myidpt

Contributor

commented Jun 11, 2019

Closing. Changes merged to 1.0, 1.1, 1.2 and master branches.

@myidpt myidpt closed this Jun 11, 2019
