Provide a revoke API that terminates the link to a specific Site [enhancement]

[michael-s-crawford]

Currently is it possible to revoke all remote access to the local site by running the skupper revoke-access command. It is requested that this functionality be extended to allow for a Site to specified in that command so that only that Site is revoked (and other pre-existing connections are maintained).

Furthermore, it would be desirable if this functionality was available to the Skupper Console (HTTP) API

[aii-nozomu-oki]

Hi, any updates on this?

My rough ideas are below:

• Implement Certificate Revocation List(CRL)
• Implement OCSP
• Use certificates with short expiration and repeat renewals automatically. The revoke API stops the automatic renewal process.

[fgiorgetti]

Auto certificate renewal for already linked sites, seems like an interesting enhancement to explore.

[grs]

I think CRLs are the most obvious way to implement a revoke function. Auto-renewal is certainly also interesting, but I would see that as a different feature.

[aii-nozomu-oki]

To implement CRL, changes to skupper-router are required, aren't they?

Another issue is determining where to store the CRL.
K8s Secret is a simpler solution, but it has 1 MiB limitation.

References:
projectcontour/contour#4252
istio/istio#17763