Istiod's cacert.pem is under testdata/ #27574
Comments
myidpt
changed the title
|
Why is this better than |
|
@myidpt Hi Oliver, what's your suggestion? One thing for implementation is on mac it do not have |
|
The dockerfile already has |
+1, we should fix the outdated problem. @xulingqing I also checked the pilot image and it already has the certificate, so all you need to do is: 1) change to use x509.SystemCertPool() in jwks_resolver.go; 2) Remove the cacerts.pem from the docker image; 3) Test it a little bit to make sure it works (can use |
|
Sure, I'm OK with using the system root cert pool. Checked the code and found this: |
Bug description
The file tests/testdata/certs/cacert.pem is used by Istiod for JWKS endpoint authenticaiton:
https://github.com/istio/istio/blob/master/tools/istio-docker.mk#L102
https://github.com/istio/istio/blob/master/pilot/pkg/model/jwks_resolver.go#L77
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ X ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Expected behavior
We can use the Linux OS root cert pool, i.e., /etc/ssl/certs/ca-certificates.crt.
https://github.com/istio/istio/blob/master/docker/Dockerfile.base#L28
will update the pool when building the image.
Steps to reproduce the bug
Version (include the output of
istioctl version --remoteandkubectl version --shortandhelm versionif you used Helm)All versions.
How was Istio installed?
Environment where bug was observed (cloud vendor, OS, etc)
All
The text was updated successfully, but these errors were encountered: