Istiod's cacert.pem is under testdata/ #27574
Comments
Why is this better than |
@myidpt Hi Oliver, what's your suggestion? One thing for implementation is on Mac it does not have |
The dockerfile already has |
+1, we should fix the outdated problem. @xulingqing I also checked the pilot image and it already has the certificate, so all you need to do is: 1) change to use x509.SystemCertPool() in jwks_resolver.go; 2) Remove the cacerts.pem from the docker image; 3) Test it a little bit to make sure it works (can use |
Sure, I'm OK with using the system root cert pool. Checked the code and found this: |
Bug description
The file tests/testdata/certs/cacert.pem is used by Istiod for JWKS endpoint authentication:
https://github.com/istio/istio/blob/master/tools/istio-docker.mk#L102
https://github.com/istio/istio/blob/master/pilot/pkg/model/jwks_resolver.go#L77
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[x] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Expected behavior
We can use the Linux OS root cert pool, i.e., /etc/ssl/certs/ca-certificates.crt.
https://github.com/istio/istio/blob/master/docker/Dockerfile.base#L28
will update the pool when building the image.
Steps to reproduce the bug
Version (include the output of istioctl version --remote and kubectl version --short and helm version if you used Helm): All versions.
How was Istio installed?
Environment where bug was observed (cloud vendor, OS, etc)
All
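The fix discussed here is to drop the bundled cacert.pem and build the JWKS HTTP client on x509.SystemCertPool(), so the trusted roots come from the base image's ca-certificates package and are refreshed whenever the image is rebuilt. The following is an added example, not Istio's jwks_resolver.go; it uses a constructed local HTTPS server (httptest.NewTLSServer, whose self-signed CA is in no OS trust store) in place of a real provider's JWKS endpoint, and the fakeJWKS body, newJWKSClient, fetchJWKS, startFakeJWKS and serverCAPEM names are all assumptions of the example. It shows that a client built on the OS pool rejects an endpoint whose issuer is unknown, and that appending an extra CA to that same pool (the case of a JWKS endpoint behind a private CA) makes the fetch succeed.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// fakeJWKS is a constructed, empty JWKS document served by the local test server.
const fakeJWKS = `{"keys":[]}`

// newJWKSClient returns an HTTP client whose TLS roots are the OS trust store
// (x509.SystemCertPool()), i.e. whatever the image's ca-certificates package
// ships, rather than a PEM bundle frozen into the binary or image.
// extraCAsPEM optionally adds PEM-encoded CAs on top (e.g. a private CA
// fronting an internal JWKS endpoint); pass nil to trust only the OS roots.
func newJWKSClient(extraCAsPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		return nil, fmt.Errorf("loading system cert pool: %w", err)
	}
	if pool == nil {
		pool = x509.NewCertPool() // defensive: some older Go/platform combinations returned nil
	}
	if len(extraCAsPEM) > 0 && !pool.AppendCertsFromPEM(extraCAsPEM) {
		return nil, errors.New("no CA certificates could be parsed from extra PEM")
	}
	return &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				RootCAs:    pool,
				MinVersion: tls.VersionTLS12,
			},
		},
	}, nil
}

// fetchJWKS fetches endpoint with a client from newJWKSClient and returns the body.
// A TLS verification failure surfaces here as the error from client.Get.
func fetchJWKS(extraCAsPEM []byte, endpoint string) ([]byte, error) {
	client, err := newJWKSClient(extraCAsPEM)
	if err != nil {
		return nil, err
	}
	resp, err := client.Get(endpoint)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %s", resp.Status)
	}
	return io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the body; JWKS documents are small
}

// startFakeJWKS starts a local HTTPS server with a self-signed certificate
// (trusted by no OS root store) serving fakeJWKS at /jwks.
func startFakeJWKS() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/jwks", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, fakeJWKS)
	})
	return httptest.NewTLSServer(mux)
}

// serverCAPEM returns the test server's self-signed certificate as PEM, standing in
// for the private CA an operator would append for an internal JWKS endpoint.
func serverCAPEM(srv *httptest.Server) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
}

func main() {
	srv := startFakeJWKS()
	defer srv.Close()
	endpoint := srv.URL + "/jwks"

	// 1) OS roots only: the self-signed test CA is unknown, so verification fails.
	_, err := fetchJWKS(nil, endpoint)
	fmt.Printf("system pool only: err=%v\n", err)

	// 2) OS roots plus the endpoint's CA: verification succeeds.
	body, err := fetchJWKS(serverCAPEM(srv), endpoint)
	fmt.Printf("system pool + endpoint CA: body=%s err=%v\n", body, err)
}
```

Two caveats for anyone making this change in a real image: the container must actually install a CA bundle (the Dockerfile.base line linked above does that; a scratch or distroless-static base without ca-certificates yields an empty pool and every JWKS fetch fails verification), and if no extra CAs need appending, leaving tls.Config.RootCAs nil already makes Go use the host's root set, so the explicit SystemCertPool() call is only needed to extend the OS roots rather than replace them.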