fix(kuma-cp) use EnvoyGRPC to fix DNS resolving #1740
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
|
This is okay because the config dump cannot be performed without SSH access to the machine, correct? @jakubdyszkiewicz |
lobkovilya
reviewed
Apr 1, 2021
pkg/xds/bootstrap/generator.go
Outdated
| func isNotCA(cert []byte) (bool, error) { | ||
| pemCert, _ := pem.Decode(cert) | ||
| if pemCert == nil { | ||
| return false, errors.New("could not parse certificate") |
There was a problem hiding this comment.
I think errors could not parse certificate should be better wrapped somewhere up the stack trace. If these are validation errors then I believe it makes sense to mention the field .CaCert
pkg/xds/bootstrap/generator.go
Outdated
| @@ -307,14 +348,27 @@ func (s SANSet) slice() []string { | |||
| return sans | |||
| } | |||
|
|
|||
| func isNotCA(cert []byte) (bool, error) { | |||
There was a problem hiding this comment.
I'd better change it to
func validateCA(cert []byte) error {
...
}and if it's not CA then return NotCA straight away.
It will simplify the usage of this method:
func (b *bootstrapGenerator) validateCaCert(cert []byte, request types.BootstrapRequest) error {
if request.DataplaneTokenPath != "" {
// when using GoogleGRPC it is valid to put non-CA certificate therefore we should only verify this for EnvoyGRPC
// EnvoyGRPC is used when DataplaneToken is passed via request as inline value, not as a file.
return nil
}
return validateCA(cert)
}And probably, in that case, we don't need a separate validateCA method, I guess its content can be inlined
@subnetmarco correct |
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
lobkovilya
approved these changes
Apr 1, 2021
mergify bot
pushed a commit
that referenced
this pull request
Apr 2, 2021
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com> (cherry picked from commit 48cac88)
jakubdyszkiewicz
pushed a commit
that referenced
this pull request
Apr 6, 2021
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Use EnvoyGRPC instead of GoogleGRPC for XDS so it fixes #1620
The cost of this fix is that now the dataplane token is visible in config dump. It's not that bad since we don't expose config_dump ourselves.
You need to explicitly ssh into host to fetch it and Envoy admin binds only to localhost.
We may switch back to GoogleGRPC once the bug with DNS resolving is fixed.
Full changelog
This has to be done for backwards compatibility.
EnvoyGRPC requires real CA, therefore we use CA (trusted_ca.inline_bytes) that was passed to kuma-dp run if possible. If not we are trying to use DP server cert which is most likely selfsigned cert (is CA).
If it is not a CA we throw an error.
Issues resolved
Fix #1620
Documentation