feat(kuma-cp) Certs for every inbound #757
Conversation
for _, resource := range snapshot.Resources[envoy_types.Secret].Items { | ||
sec := resource.(*envoy_auth.Secret) | ||
if envoy_names.IsDpCertResource(sec.Name) { | ||
secret = sec |
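Review bot: the loop overwrites `secret` on every matching dp cert resource, so once a dataplane carries several inbound certs, `secret` is simply whichever resource the `range` visited last. If `Items` is a map (as in go-control-plane's snapshot cache), that order is unspecified, and the expiration the insight records becomes non-deterministic. Either collect all matching secrets and record the earliest expiration, or `break` after the first match if only one value is intended, and say in a comment which of the two is meant.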
Is it correct that dataplaneInsight will have the expiration time only of the dp cert of the last outbound? Is it okay?
all certs are generated at the same time, so I'd say - yes
@@ -44,7 +44,7 @@ func (ds *DataplaneInsight) UpdateCert(generation time.Time, expiration time.Tim | |||
return err | |||
} | |||
ds.MTLS.CertificateExpirationTime = ts | |||
ds.MTLS.CertificateRegenerations++ | |||
ds.MTLS.CertificateRegenerations += uint32(certs) |
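Review bot: `ds.MTLS.CertificateRegenerations += uint32(certs)` changes what the counter means without changing its name: it now counts certificates generated, not regeneration rounds, so a dataplane with N inbounds advances it by N per round. Document that on the field, or keep the per-round counter and add a separate one for certificates, so readers of the insight do not interpret it as a round count. The `uint32(certs)` conversion also wraps silently for a negative or oversized `certs`; a cheap guard such as `if certs < 0 { return fmt.Errorf("negative cert count %d", certs) }` before the conversion keeps the counter monotonic.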
If certificateRegeneration process happens for all certificates at a time, do we really want to count every certificate separately?
Yes, because we need to know how many certs were generated
9561b83 to 8b4c557
This reverts commit 1b34dab.
Summary
Until now, a Dataplane received only one certificate, for its IdentityService (the first service of the inbound). This PR changes this so that we generate a certificate for every inbound. This means that you can specify a TrafficPermission for an individual inbound.
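As an added example (not code from this PR or from Kuma), here is the per-inbound issuance the summary describes, written stand-alone in Go: one leaf certificate per inbound, each carrying a SPIFFE-style URI SAN (spiffe://<mesh>/<service>, an assumed identity layout) that a per-inbound permission could match, plus the two values a dataplane insight would record after such a round. The `Inbound` and `InsightUpdate` types and the `issueCA`, `issueInboundCerts`, `identityOf`, `verify` and `summarize` functions are assumptions of this example, not Kuma's API. Rather than keeping whichever cert was iterated last, `summarize` records the earliest expiration in the round, which is the safe value should certs in one round ever get different lifetimes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Inbound is a hypothetical stand-in for one dataplane inbound (assumed type).
type Inbound struct{ Service string }

// InsightUpdate is the assumed shape of what an insight records per round.
type InsightUpdate struct {
	Generation time.Time
	Expiration time.Time // earliest NotAfter across the round's certs
	Certs      int       // number of certs the round produced
}

// issueCA creates a throwaway self-signed mesh CA valid around now.
func issueCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example mesh CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueInboundCerts issues one leaf per inbound; the URI SAN identifies that
// inbound alone, so a TrafficPermission can be scoped to it.
func issueInboundCerts(ca *x509.Certificate, caKey *ecdsa.PrivateKey, mesh string,
	inbounds []Inbound, now time.Time, ttl time.Duration) ([]*x509.Certificate, error) {
	certs := make([]*x509.Certificate, 0, len(inbounds))
	for i, in := range inbounds {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 2)), // sequential for the example only
			Subject:      pkix.Name{CommonName: in.Service},
			URIs:         []*url.URL{{Scheme: "spiffe", Host: mesh, Path: "/" + in.Service}},
			NotBefore:    now, NotAfter: now.Add(ttl),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
		if err != nil {
			return nil, err
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		certs = append(certs, cert)
	}
	return certs, nil
}

// identityOf returns the URI SAN a permission check would match on.
func identityOf(cert *x509.Certificate) string {
	if len(cert.URIs) == 0 {
		return ""
	}
	return cert.URIs[0].String()
}

// verify checks that a leaf chains to the mesh CA at time now.
func verify(ca, leaf *x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	return err
}

// summarize records the cert count and the earliest expiration of the round,
// so the insight never reports a later expiry than some cert actually has.
func summarize(certs []*x509.Certificate, generation time.Time) InsightUpdate {
	u := InsightUpdate{Generation: generation, Certs: len(certs)}
	for _, c := range certs {
		if u.Expiration.IsZero() || c.NotAfter.Before(u.Expiration) {
			u.Expiration = c.NotAfter
		}
	}
	return u
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	ca, caKey, err := issueCA(now)
	if err != nil {
		panic(err)
	}
	// Constructed sample: one dataplane exposing three inbounds.
	certs, err := issueInboundCerts(ca, caKey, "default", []Inbound{{"backend"}, {"db"}, {"metrics"}}, now, time.Hour)
	if err != nil {
		panic(err)
	}
	for _, c := range certs {
		fmt.Printf("%s until %s chain ok: %v\n", identityOf(c), c.NotAfter, verify(ca, c, now) == nil)
	}
	fmt.Printf("%+v\n", summarize(certs, now))
}
```

Run with `go run`; each line prints one inbound's identity and validity, followed by the insight values for the round. The point of `summarize` is the earliest-expiry rule: if two rounds are ever merged, or lifetimes differ, the recorded expiration is the one that triggers rotation first.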