
enable ISTIO_MULTIROOT_MESH by default #49825

Closed
wants to merge 1 commit into from

Conversation

hzxuzhonghu
Member

@hzxuzhonghu hzxuzhonghu commented Mar 10, 2024

Please provide a description of this PR:

@hzxuzhonghu hzxuzhonghu requested review from a team as code owners March 10, 2024 05:20
@istio-testing istio-testing added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Mar 10, 2024
@istio-testing
Collaborator

@hzxuzhonghu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
release-notes_istio 72d41ff link true /test release-notes
integ-telemetry-istiodremote_istio 72d41ff link true /test integ-telemetry-istiodremote
integ-security-istiodremote_istio 72d41ff link true /test integ-security-istiodremote
integ-security_istio 72d41ff link true /test integ-security
integ-security-multicluster_istio 72d41ff link true /test integ-security-multicluster

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

Member

@howardjohn howardjohn left a comment


I am not so sure about the stability or quality of this feature, can investigate a bit more before we merge?

@costinm
Contributor

costinm commented Mar 10, 2024 via email

@hzxuzhonghu
Member Author

> There are integration tests running for years.
>
> I would also like confirmation that ztunnel (and perhaps proxyless gRPC or similar apps natively using Istio certs) are able to handle this feature.

I think standard language TLS implementations can support this; I have tried Go with this.

@howardjohn
Member

> > There are integration tests running for years.
> >
> > I would also like confirmation that ztunnel (and perhaps proxyless gRPC or similar apps natively using Istio certs) are able to handle this feature.
>
> I think standard language TLS implementations can support this; I have tried Go with this.

Ztunnel and proxyless do not handle PCDS.

I am concerned that we will enable this PCDS which is confusing, wasteful, and risky, for users who do not use multiroot -- which is >99% of users.

For example, with DNS proxy, users need to opt in to get NDS

@costinm
Contributor

costinm commented Mar 11, 2024 via email

@howardjohn
Member

I think the root cert distribution we have is pretty weird overall. We get the root by looking at the cert we got back from the CSR. What if the peers have a different root? What if we need to update the root? What if we are ztunnel, and have many certs, and they have different roots?

All questions caused by our 'unique' model. I think others are just doing a stream of root certs or similar. Which maybe we do, and just make it always behave that way, not just for 'multiroot'. And then maybe it makes sense beyond sidecars, and in ztunnel and beyond. But another question -- should this be pushed by the XDS server or the CA?
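Two points in the thread above lend themselves to a concrete check: hzxuzhonghu's remark that standard language TLS stacks can already verify against several roots, and the question of what happens when the trust store holds only the root that came back with our own CSR and a peer presents a certificate chained to a different mesh's root. The Go program below is an added example written for this page; it is not Istio, ztunnel or PCDS code, and the mesh names, SPIFFE IDs and helper names (newRoot, issueWorkload, verifyPeer, Scenario) are made up for illustration. It generates two independent root CAs in memory, issues a workload certificate under the second, and verifies that certificate from a workload whose trust store holds only the first root versus one that holds the federated bundle of both roots.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Result records whether a peer certificate issued by a foreign mesh's root
// verifies under two trust-store configurations.
type Result struct {
	SingleRootOK bool // trust store holds only the root returned with our own CSR
	BundleOK     bool // trust store holds the federated bundle of both meshes' roots
}

// newRoot creates a self-signed CA standing in for one mesh's root
// (hypothetical helper, not Istio code).
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueWorkload signs a SPIFFE-style leaf for a workload under the given root,
// as a mesh CA would when answering a CSR (hypothetical helper).
func issueWorkload(root *x509.Certificate, rootKey *ecdsa.PrivateKey, spiffeID string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{id}, // SPIFFE ID goes in the URI SAN
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyPeer validates a peer leaf against a trust bundle; this is the same
// chain building a standard TLS stack performs during the mTLS handshake.
func verifyPeer(bundle *x509.CertPool, leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     bundle,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Scenario: a mesh-A workload receives a connection from a mesh-B workload.
func Scenario() (Result, error) {
	rootA, _, err := newRoot("mesh-a root CA") // constructed sample, not a real mesh
	if err != nil {
		return Result{}, err
	}
	rootB, keyB, err := newRoot("mesh-b root CA")
	if err != nil {
		return Result{}, err
	}
	peer, err := issueWorkload(rootB, keyB, "spiffe://mesh-b.example/ns/default/sa/httpbin")
	if err != nil {
		return Result{}, err
	}
	singleRoot := x509.NewCertPool() // only the root that arrived with our own CSR response
	singleRoot.AddCert(rootA)
	bundle := x509.NewCertPool() // federated bundle pushed to every workload
	bundle.AddCert(rootA)
	bundle.AddCert(rootB)
	return Result{
		SingleRootOK: verifyPeer(singleRoot, peer) == nil,
		BundleOK:     verifyPeer(bundle, peer) == nil,
	}, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("single root trusts mesh-b peer: %v\nfederated bundle trusts mesh-b peer: %v\n", r.SingleRootOK, r.BundleOK)
}
```

The first verification fails with "certificate signed by unknown authority" and the second succeeds, which is the whole mechanism a multi-root mesh relies on: the verifier is unchanged, only the contents of the root pool differ. Rotating a root is the same operation (add the new root to the bundle, wait for all peers to receive it, then remove the old one), which is why the thread's question of who distributes that bundle, and to which kinds of workloads, matters more than the TLS stack itself.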

@hzxuzhonghu
Member Author

I can recall multi-root is for mesh federation, so with it enabled, multiple meshes can communicate with each other. Unlike DNS proxy, the motivation to make it the default is that if we do not use PCDS, it has no effect on proxies.

Not sure ambient will support this feature in future, at least not now.

@istio-policy-bot istio-policy-bot added the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label Apr 11, 2024
@istio-policy-bot

🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2024-03-12. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.

@istio-policy-bot istio-policy-bot added the lifecycle/automatically-closed Indicates a PR or issue that has been closed automatically. label Apr 26, 2024
Labels
lifecycle/automatically-closed Indicates a PR or issue that has been closed automatically. lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.