contour icon indicating copy to clipboard operation
contour copied to clipboard

Published 20 hours ago verified publisher icon projectcontour

Migrate serving of upstream CA certificate to SDS

Open davecheney opened this issue 6 years ago • 1 comments

Currently TLS certificates are referenced by CDS and served by SDS. For CA certs used by upstream verification we still serve the CA material inline in CDS.

To fix this we need to:

  • [ ] change the internal/envoy.upstreamVerification helpers to take a secret name, not a secret itself.
  • [ ] build the secret as part of internal/contour's secret visitor by traversing down to the route.Cluster.Upstream validation to recover the secret.
  • [ ] add internal/e2e/sds_test.go tests to ensure the secret is served by SDS.

davecheney avatar Aug 29 '19 05:08 davecheney

This isn't necessary for 1.0 and has a quite high risk of regression. Bumping to after 1.0

davecheney avatar Sep 03 '19 00:09 davecheney