enable ISTIO_MULTIROOT_MESH by default #49825
Conversation
@hzxuzhonghu: The following tests failed, say
I am not so sure about the stability or quality of this feature, can investigate a bit more before we merge?
Agree, also not sure about the documentation around this feature.
AFAIK we have supported 'multiple roots' since the beginning of the project - the ca pem can include more than one CA cert, including different types (RSA/EC256). Even this feature is under-documented.
We have a huge number of options and complexity around CAs even with the current defaults.
I would also like confirmation that ztunnel (and perhaps proxyless gRPC or similar apps natively using istio certs) are able to handle this feature.
On Sun, Mar 10, 2024 at 7:36 AM John Howard wrote:
I am not so sure about the stability or quality of this feature, can investigate a bit more before we merge?
There are integration tests running for years.
I think standard language TLS implementations can support this; I have tried golang with this.
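The two points above, that a single ca pem may carry more than one root of different key types and that a standard TLS library verifies against such a bundle without anything Istio-specific, as an added example written for this page (not code from Istio or from either commenter). It builds a P-256 root and an RSA root, concatenates their PEMs into one bundle, and lets Go's crypto/x509 verify a leaf issued under each; all keys, certificates and names such as `workload-a` are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// issue signs a cert for cn with priv; a CA is self-signed. All material is constructed test data.
func issue(cn string, isCA bool, pub any, parent *x509.Certificate, priv any) (*x509.Certificate, []byte) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // self-signed root: sign the template with its own key
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
// trustedBy reports whether leaf chains to any root in one concatenated PEM bundle (the ca.pem shape).
func trustedBy(bundle []byte, leaf *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(bundle) // a bundle with no parsable CA leaves the pool empty, so Verify fails
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}
// MultiRootDemo: P-256 and RSA roots, one leaf each; both must verify against the combined bundle, and the RSA-rooted leaf must fail against the EC root alone.
func MultiRootDemo() (ecLeafOK, rsaLeafOK, rsaLeafVsECOnly bool) {
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ecRoot, ecPEM := issue("ec-root", true, ecKey.Public(), nil, ecKey)
	rsaRoot, rsaPEM := issue("rsa-root", true, rsaKey.Public(), nil, rsaKey)
	ecLeaf, _ := issue("workload-a", false, leafKey.Public(), ecRoot, ecKey)
	rsaLeaf, _ := issue("workload-b", false, leafKey.Public(), rsaRoot, rsaKey)
	bundle := append(append([]byte{}, ecPEM...), rsaPEM...) // one ca.pem file, two roots
	return trustedBy(bundle, ecLeaf), trustedBy(bundle, rsaLeaf), trustedBy(ecPEM, rsaLeaf)
}
```

The negative case matters for the rotation and federation questions raised later in the thread: a peer whose cert chains to a root that is not in the bundle is rejected, so whatever distributes the bundle decides which meshes can talk.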
Ztunnel and proxyless do not handle PCDS. I am concerned that we will enable this PCDS which is confusing, wasteful, and risky, for users who do not use multiroot -- which is >99% of users. For example, with DNS proxy, users need to opt in to get NDS
It's not whether they can implement it - anything can be implemented. The issue is if they _want_ to implement istio-specific things - and usually the answer is no.
Even for ztunnel we are trying to keep things simpler.
I still don't even fully understand what multiroot does and how it is different from having multiple roots in the CA file...
On Sun, Mar 10, 2024 at 7:48 PM Zhonghu Xu wrote:
There are integration tests running for years.
(quoting) I would also like confirmation that ztunnel (and perhaps proxyless gRPC or similar apps natively using istio certs) are able to handle this feature.
I think standard language TLS implementations can support this; I have tried golang with this.
I think the root cert distribution we have is pretty weird overall. We get the root by looking at the cert we got back from the CSR. What if the peers have a different root? What if we need to update the root? What if we are ztunnel, and have many certs, and they have different roots? All questions caused by our 'unique' model. I think others are just doing a stream of root certs or similar. Which maybe we do, and just make it always behave that way, not just for 'multiroot'. And then maybe it makes sense beyond sidecars, and in ztunnel and beyond. But another question -- should this be pushed by the XDS server or the CA?
I can recall multi-root is for mesh federation, so with it enabled, multiple meshes can communicate with each other. Unlike DNS proxy, the motivation to make it default is that if we do not use PCDS, it has no effect on proxies. Not sure ambient will support this feature in future, at least not now.
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2024-03-12. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager.