Refactor CA to plugins #694
Conversation
app/kumactl/cmd/get/get_meshes.go
Outdated

```go
    mtls = "builtin"
}
if mesh.MTLSEnabled() {
    mtls = mesh.Spec.GetMtls().GetEnabledBackend()
```
Maybe it makes sense to write its type also, like `builtin/ca-1`? Because that change makes `kumactl get meshes` less informative.
Question to @subnetmarco: how should `kumactl get meshes` look?
Right now, given

```yaml
type: Mesh
name: default
mtls:
  enabledBackend: ca-1
  backends:
  - name: ca-1
    type: builtin
  - name: ca-2
    type: provided
    config: ...
```

I print

```
NAME      mTLS   METRICS   LOGGING   TRACING
default   ca-1   off       off       off
```

If `enabledBackend` is not specified, I print `off`.
Ilya's argument is that it is less information, because previously we saw the type (only the type, since it was 1 CA per mesh).
We came to the conclusion with Marco that we will only display the current backend, with a format like you proposed, which is `type/name`.
I will also refactor the others in the same way when I unify the config for Tracing/Logging/Metrics.
Summary
Mesh model
Mesh model changed from
to
Config can be anything (`google.protobuf.Struct`), therefore each plugin has to validate its backend. This also means that there might be multiple backends of the same type in one Mesh.
Provided CA
In case of provided, we no longer have to upload cert+key with `kumactl manage ca provided`. Instead you use the Secret Management API to upload the cert as a secret and reference it in the config. Therefore `kumactl manage ca provided` (the whole manage subcommand) is gone, as well as the webservice to handle it. We no longer have to validate that there is only one cert, since the config implies that there is only one.
Data Source
I introduced a concept of `DataSource`. When defining a cert and key for provided, you can also provide the cert and key via a file or with just inline bytes.
It was easy to implement, it's great for testing, and it may also be used in production if someone prefers to store certs in files.
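As an added example for this page, not Kuma's own `DataSource` implementation, the block below sketches the three source kinds described above (secret reference, file, inline bytes) and the check a control plane should still perform once the bytes arrive, since the old `kumactl manage ca provided` upload path is gone. The `DataSource` field names, the `SecretStore` interface, `mapStore`, `Resolve`, `ValidateProvidedCA` and `NewTestCA` are all assumptions made here; the throwaway CA is generated in-process so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// DataSource (assumed shape): exactly one of the three fields is set.
type DataSource struct {
	Secret string // name of a secret stored via the Secret Management API
	File   string // path on the control plane's filesystem
	Inline []byte // bytes given directly in the Mesh config
}

// SecretStore is the minimal interface the loader needs (hypothetical).
type SecretStore interface {
	Get(name string) ([]byte, error)
}

// mapStore is an in-memory stand-in for the real secret manager.
type mapStore map[string][]byte

func (s mapStore) Get(name string) ([]byte, error) {
	if data, ok := s[name]; ok {
		return data, nil
	}
	return nil, fmt.Errorf("secret %q not found", name)
}

// Resolve loads the bytes and rejects ambiguous or empty sources.
func Resolve(ds DataSource, store SecretStore) ([]byte, error) {
	set := 0
	for _, present := range []bool{ds.Secret != "", ds.File != "", len(ds.Inline) > 0} {
		if present {
			set++
		}
	}
	if set != 1 {
		return nil, errors.New("data source must set exactly one of secret, file, inline")
	}
	switch {
	case ds.Secret != "":
		return store.Get(ds.Secret)
	case ds.File != "":
		return os.ReadFile(ds.File)
	default:
		return ds.Inline, nil
	}
}

// ValidateProvidedCA checks what the server-side upload used to enforce: the PEM
// pair parses, the key matches the cert, and the cert is a CA (otherwise it
// cannot sign dataplane certificates) that has not expired.
func ValidateProvidedCA(certPEM, keyPEM []byte) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return fmt.Errorf("cert/key pair: %w", err)
	}
	cert, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	if !cert.IsCA {
		return errors.New("provided certificate is not a CA certificate")
	}
	if time.Now().After(cert.NotAfter) {
		return errors.New("provided CA certificate has expired")
	}
	return nil
}

// NewTestCA makes a throwaway self-signed certificate (constructed test data).
func NewTestCA(isCA bool) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

func main() {
	certPEM, keyPEM, _ := NewTestCA(true)
	store := mapStore{"ca-2-cert": certPEM} // cert stored as a secret, key given inline
	cert, _ := Resolve(DataSource{Secret: "ca-2-cert"}, store)
	key, _ := Resolve(DataSource{Inline: keyPEM}, store)
	fmt.Println("provided CA valid:", ValidateProvidedCA(cert, key) == nil)
}
```

Whichever source the bytes come from, the validation step is the same, which is what makes the file and inline variants safe to allow alongside secrets: a leaf certificate or a key that does not belong to the cert is rejected before the backend is ever used to sign anything.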
Tests
Builtin CA was lacking in tests, so I added them. Tests for provided had to be rewritten.
I'm sorry about the volume of this PR. It was all tangled up and was really hard to split into multiple PRs and keep the functionality working.