BackendTLSPolicy: Support CACerts in Secrets

Open arkodg opened this issue 1 year ago • 5 comments

Description:

Describe the desired behavior, what scenario it enables and how it would be used.

Relates to https://github.com/envoyproxy/gateway/pull/2247

[optional Relevant Links:]

Any extra documentation required to understand the issue.

arkodg avatar Mar 04 '24 23:03 arkodg

https://github.com/envoyproxy/gateway/pull/2247#discussion_r1436045542 Shall we really process CAs in secrets?

TasdidurRahman avatar Mar 05 '24 00:03 TasdidurRahman

I'm interested in this, please tell me more information.

After we discuss the results, please assign them to me. Thanks!

ShyunnY avatar Mar 05 '24 12:03 ShyunnY

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

github-actions[bot] avatar Apr 04 '24 20:04 github-actions[bot]

https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.BackendTLSPolicyConfig

Support: Core - An optional single reference to a Kubernetes ConfigMap, with the CA certificate in a key named ca.crt. Support: Implementation-specific (More than one reference, or other kinds of resources).

The Vault Helm chart uses cert-manager to generate a kubernetes.io/tls type secret having a ca.crt key. I guess any app that needs a custom CA/keypair is doing the same. Duplicating the ca.crt key in a ConfigMap for a BackendTLSPolicy leads to inconsistencies on CA rotation; I'd love to avoid that burden.

vixns avatar Apr 09 '24 20:04 vixns
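The rotation drift described in the comment above can be detected by comparing certificate fingerprints between the Secret and its ConfigMap copy. This is an added example, not code from the issue or from Envoy Gateway; the function names and sample objects are constructed, and the PEM blocks are stand-ins rather than real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def ca_fingerprints(pem_text):
    """Return the SHA-256 fingerprints of every PEM block in a bundle."""
    prints = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # drop line wrapping
        prints.add(hashlib.sha256(der).hexdigest())
    return prints

def ca_drift(secret, configmap, key="ca.crt"):
    """Compare the CA bundle in a Secret with its ConfigMap copy.

    Secret values are base64-encoded, ConfigMap values are plain text, so
    the comparison is done on fingerprints, not on the raw strings.
    """
    encoded = secret.get("data", {}).get(key, "")
    in_secret = ca_fingerprints(base64.b64decode(encoded).decode())
    in_cm = ca_fingerprints(configmap.get("data", {}).get(key, ""))
    return {"only_in_secret": in_secret - in_cm,
            "only_in_configmap": in_cm - in_secret,
            "in_sync": bool(in_secret) and in_secret == in_cm}

def fake_pem(raw):
    """Constructed stand-in for a certificate (hypothetical helper)."""
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

OLD_CA = fake_pem(b"constructed-old-ca")
NEW_CA = fake_pem(b"constructed-new-ca")

# Constructed objects: the Secret has been rotated, one ConfigMap has not.
SECRET = {"kind": "Secret", "type": "kubernetes.io/tls",
          "data": {"ca.crt": base64.b64encode(NEW_CA.encode()).decode()}}
STALE_CM = {"kind": "ConfigMap", "data": {"ca.crt": OLD_CA}}
SYNCED_CM = {"kind": "ConfigMap", "data": {"ca.crt": "\n" + NEW_CA + "\n"}}

if __name__ == "__main__":
    print(ca_drift(SECRET, STALE_CM))   # stale copy is reported
    print(ca_drift(SECRET, SYNCED_CM))  # whitespace differences are ignored
```
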

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

github-actions[bot] avatar May 10 '24 00:05 github-actions[bot]