
feat(kuma-cp) Certs for every inbound #757

Merged
merged 1 commit into from
May 25, 2020

Conversation

jakubdyszkiewicz (Contributor)

Summary

Until now, a Dataplane received only one certificate, for its IdentityService (the first service of the inbound). This PR changes this so we generate a certificate for every inbound. This means that you can specify a TrafficPermission for an individual inbound.

@jakubdyszkiewicz jakubdyszkiewicz requested a review from a team May 21, 2020 15:10
for _, resource := range snapshot.Resources[envoy_types.Secret].Items {
sec := resource.(*envoy_auth.Secret)
if envoy_names.IsDpCertResource(sec.Name) {
secret = sec
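Review bot: inside the loop over `snapshot.Resources[envoy_types.Secret].Items`, `secret = sec` overwrites the variable on every match, so whatever is read from `secret` after the loop describes only the DP cert resource that happened to be iterated last. If last-wins is the intent, add a comment saying so (or `break` after the first match) so the next reader does not have to ask; otherwise collect every matching secret and record the earliest expiration, so the insight never overstates how long the dataplane's identities remain valid.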
Contributor

Is it correct that dataplaneInsight will have expiration time only of the dp cert of the last outbound? Is it okay?

Contributor Author

All certs are generated at the same time, so I'd say yes.

@@ -44,7 +44,7 @@ func (ds *DataplaneInsight) UpdateCert(generation time.Time, expiration time.Tim
return err
}
ds.MTLS.CertificateExpirationTime = ts
ds.MTLS.CertificateRegenerations++
ds.MTLS.CertificateRegenerations += uint32(certs)
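Review bot: `ds.MTLS.CertificateRegenerations += uint32(certs)` changes the meaning of the counter from regeneration events to certificates generated, so any existing consumer of the field will see it jump by the number of inbounds on each rotation; document the new semantics on the field (or rename it). Also, if `certs` is a signed `int`, check for a negative or oversized value before the `uint32` conversion, since it would silently wrap the counter.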
Contributor

If certificateRegeneration process happens for all certificates at a time, do we really want to count every certificate separately?

Contributor Author

Yes, because we need to know how many certs were generated.
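An added Go sketch, not Kuma's code, of the aggregation the two review threads above are about: one regeneration that yields a certificate per inbound, recorded with the earliest expiration and a counter that cannot wrap. `MTLSInsight` and `UpdateCerts` are assumed names; `DataplaneInsight` and the two field names come from the hunk.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"time"
)

// MTLSInsight mirrors the two fields the PR discussion is about; type and
// method names here are assumptions, not Kuma's own types.
type MTLSInsight struct {
	CertificateExpirationTime time.Time
	CertificateRegenerations  uint32
}

type DataplaneInsight struct{ MTLS MTLSInsight }

// UpdateCerts records one regeneration that produced one cert per inbound:
// it keeps the earliest expiration (the conservative value to alert on) and
// adds the cert count without letting the uint32 counter wrap.
func (ds *DataplaneInsight) UpdateCerts(expirations []time.Time) error {
	if len(expirations) == 0 {
		return errors.New("no certificates generated")
	}
	earliest := expirations[0]
	for _, exp := range expirations[1:] {
		if exp.Before(earliest) {
			earliest = exp
		}
	}
	n := uint64(len(expirations))
	if n > math.MaxUint32-uint64(ds.MTLS.CertificateRegenerations) {
		return fmt.Errorf("counter would overflow adding %d certs", n)
	}
	ds.MTLS.CertificateExpirationTime = earliest
	ds.MTLS.CertificateRegenerations += uint32(n)
	return nil
}

func main() {
	// Constructed sample: three inbound certs, the second expires first.
	base := time.Date(2020, 5, 25, 12, 0, 0, 0, time.UTC)
	var ds DataplaneInsight
	exps := []time.Time{base.Add(24 * time.Hour), base.Add(12 * time.Hour), base.Add(36 * time.Hour)}
	if err := ds.UpdateCerts(exps); err != nil {
		panic(err)
	}
	fmt.Println(ds.MTLS.CertificateExpirationTime, ds.MTLS.CertificateRegenerations)
}
```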

Base automatically changed from chore/refactor-cluster-generation to master May 25, 2020 12:22
@jakubdyszkiewicz jakubdyszkiewicz merged commit 1b34dab into master May 25, 2020
@jakubdyszkiewicz jakubdyszkiewicz deleted the feat/cert-for-inbounds branch May 25, 2020 13:26
jakubdyszkiewicz added a commit that referenced this pull request May 26, 2020