add upstream TLS trust from CM bundles

Open ReToCode opened this issue 1 year ago • 6 comments

Changes

  • Adds support for trust-bundles in Activators cert-cache

Fixes #14609

ReToCode avatar Dec 07 '23 13:12 ReToCode

Codecov Report

Attention: Patch coverage is 49.31507%, with 37 lines in your changes missing coverage. Please review.

Project coverage is 85.66%. Comparing base (51b0337) to head (d4c28a4). Report is 107 commits behind head on main.

Files Patch % Lines
pkg/activator/certificate/cache.go 49.31% 31 Missing and 6 partials :warning:
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #14717      +/-   ##
==========================================
- Coverage   85.83%   85.66%   -0.18%     
==========================================
  Files         198      198              
  Lines       15117    15171      +54     
==========================================
+ Hits        12976    12996      +20     
- Misses       1819     1848      +29     
- Partials      322      327       +5     


codecov[bot] avatar Jan 29 '24 13:01 codecov[bot]

PTAL /assign @dprotaso /assign @skonto

ReToCode avatar Jan 29 '24 14:01 ReToCode

/unhold

ReToCode avatar Jan 29 '24 14:01 ReToCode

@dprotaso gentle ping.

ReToCode avatar Feb 07 '24 06:02 ReToCode

@dprotaso gentle ping.

ReToCode avatar Feb 13 '24 13:02 ReToCode

@dprotaso as discussed yesterday on the SIG, are you fine with merging this as is? For the cluster-trust-bundles I created https://github.com/knative/serving/issues/14990.

ReToCode avatar Mar 07 '24 09:03 ReToCode

/lgtm /approve

nit: unsure if you want to handle pool regeneration on deletion.

e.g. if I'm using a configmap and I'm transitioning to a secret. Then when I add the secret and then delete the config map, the old CA could still be in the computed x509.Pool.

dprotaso avatar Mar 08 '24 17:03 dprotaso

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, ReToCode

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • ~~OWNERS~~ [ReToCode,dprotaso]

Approvers can indicate their approval by writing /approve in a comment. Approvers can cancel approval by writing /approve cancel in a comment.

knative-prow[bot] avatar Mar 08 '24 17:03 knative-prow[bot]

/retest

dprotaso avatar Mar 08 '24 20:03 dprotaso

> nit: unsure if you want to handle pool regeneration on deletion. e.g. if I'm using a configmap and I'm transitioning to a secret. Then when I add the secret and then delete the config map, the old CA could still be in the computed x509.Pool.

@dprotaso I'm not sure I understand this case. We do update on deletion of a CM, right? The Secret comes from Serving installation, so that one should always be there (it might be empty, but should be there).

ReToCode avatar Mar 11 '24 08:03 ReToCode