Istio-Gateway should support two certificates for the same domain (RSA & EC) #38946

Closed
Crazyigor1987 opened this issue May 16, 2022 · 4 comments
Assignees
Labels
area/networking area/security kind/enhancement lifecycle/automatically-closed Indicates a PR or issue that has been closed automatically. lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while

Comments

@Crazyigor1987

Describe the feature request
We have a requirement to run two certificates on our cloud environment with the same hostnames. One RSA and the other using the modern Elliptic Curve procedures. The Istio ingress gateway should be able to load both certificates and decide through the client request which encryption method to use.

Describe alternatives you've considered
I have seen alternatives at Envoy in the form of DownStreamTLSContext. As described here. However, it would be desirable to control this via the gateway.

Affected product area (please put an X in all that apply)

[ ] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[X] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Affected features (please put an X in all that apply)

[ ] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane

Additional context
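As an added example, not code from the issue or from the Istio project: the Envoy DownstreamTlsContext alternative mentioned above, configured with both an ECDSA and an RSA certificate for the same hostname. Envoy's server-side TLS context picks the first ECDSA certificate for clients whose ClientHello advertises ECDSA support and the first RSA certificate for clients that do not, which is exactly the per-client selection the request asks for. The listener name, hostname and file paths are assumptions.

```yaml
# Added example (not from the issue or the Istio project); names and paths are assumptions.
static_resources:
  listeners:
  - name: https_listener                          # assumed listener name
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - filter_chain_match:
        server_names: ["example.com"]             # assumed hostname (SNI)
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_params:
              tls_minimum_protocol_version: TLSv1_2
            tls_certificates:
            # Envoy serves the first ECDSA certificate to clients that support
            # ECDSA and the first RSA certificate to everyone else, so both
            # certificates carry the same hostname.
            - certificate_chain: { filename: /etc/envoy/certs/example.com.ecdsa.crt }  # assumed path
              private_key:       { filename: /etc/envoy/certs/example.com.ecdsa.key }  # assumed path
            - certificate_chain: { filename: /etc/envoy/certs/example.com.rsa.crt }    # assumed path
              private_key:       { filename: /etc/envoy/certs/example.com.rsa.key }    # assumed path
          require_client_certificate: false
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_https
          route_config:
            virtual_hosts:
            - name: example                        # assumed name
              domains: ["example.com"]
              routes:
              - match: { prefix: "/" }
                direct_response: { status: 200, body: { inline_string: "ok" } }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

To confirm that selection is driven by the client, connect twice with `openssl s_client -connect <host>:8443 -servername example.com` and restrict the offered signature algorithms, once with `-sigalgs ecdsa_secp256r1_sha256` and once with `-sigalgs rsa_pss_rsae_sha256`; the "Peer signature type" line in the output should read ECDSA and RSA-PSS respectively, and the presented certificate should change accordingly. A plain Istio Gateway resource references a single `credentialName` secret per server block, so this dual-certificate transport socket cannot be expressed at the Gateway level, which is the gap the request describes.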

@shankgan
Contributor

Does envoy support discovery of multiple TLS certificates for the downstream TLS context via SDS - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#envoy-v3-api-msg-config-core-v3-datasource? Would be good to enumerate the advantages and reasons for this in an RFC in the team drive - https://groups.google.com/g/istio-team-drive-access, particularly since this requires some Istio SDS API refactoring to support it.

@dragondam

@Crazyigor1987 Do you have any solution for that?

@istio-policy-bot istio-policy-bot added the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label Jan 21, 2023
@Crazyigor1987
Author

@dragondam
Nope. We agreed with our customer to use RSA certificates for now. Sure hope that one day Istio will support it.

@istio-policy-bot

🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2022-07-25. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.

@istio-policy-bot istio-policy-bot added the lifecycle/automatically-closed Indicates a PR or issue that has been closed automatically. label Feb 5, 2023