BackendTLSConfig defaulting and system ca certificates

Open howardjohn opened this issue 5 years ago • 14 comments

Currently CertificateAuthorityRef is optional and can refer to an object like secret.

The spec does not define what happens when this is not set - is this essentially -k/InsecureSkipVerify or is it defaulting to using the system ca certificates?

If the former - how can we specify to use the system ca certificates? This is an extremely common use case which seems wrong to force users to either copy them into a Secret or to have each implementation create some custom resource for this case.

howardjohn avatar Oct 14 '20 23:10 howardjohn

This is a very good question. Most implementations are capable of performing verification based on system ca certs. The defaults in implementations vary, some do -k/InsecureSkipVerify and some don't.

Is this something that belongs to GatewayClass's ParameterRef?

cc @bowei @danehans @jpeach @robscott

hbagdi avatar Oct 15 '20 22:10 hbagdi

My initial thought is that the validation type should be explicit, but that system CA configuration belongs in the gateway class config.

jpeach avatar Oct 15 '20 23:10 jpeach
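
Added example, not part of the thread and not Gateway API code: a Go sketch of the three behaviours under discussion (referenced CA bundle, system CA certificates, `-k`/InsecureSkipVerify), with the mode made explicit so that an unset value is rejected rather than silently defaulted. The `Validation` type, the `BackendTLS` struct, the `ClientTLSConfig` function and the `backend.example` name are hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// Validation is a hypothetical explicit mode; it is not a Gateway API field.
type Validation string

const (
	ValidateCARef  Validation = "CARef"  // trust only the referenced bundle
	ValidateSystem Validation = "System" // trust the host's system CA set
	ValidateNone   Validation = "None"   // equivalent of -k / InsecureSkipVerify
)

// BackendTLS is a simplified, hypothetical stand-in for the backend TLS settings.
type BackendTLS struct {
	Validation  Validation
	CABundlePEM []byte // what CertificateAuthorityRef resolved to; empty if unset
	ServerName  string
}

// ClientTLSConfig never guesses: an unset mode is an error, not a silent default.
func ClientTLSConfig(b BackendTLS) (*tls.Config, error) {
	cfg := &tls.Config{ServerName: b.ServerName, MinVersion: tls.VersionTLS12}
	switch b.Validation {
	case ValidateCARef:
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(b.CABundlePEM) {
			return nil, errors.New("CARef mode: bundle is empty or has no parsable certificate")
		}
		cfg.RootCAs = pool
	case ValidateSystem:
		cfg.RootCAs = nil // crypto/tls uses the host's root CA set when RootCAs is nil
	case ValidateNone:
		cfg.InsecureSkipVerify = true // only reachable through an explicit opt-in
	default:
		return nil, fmt.Errorf("validation mode %q is not set or not recognized", b.Validation)
	}
	return cfg, nil
}

func main() {
	for _, v := range []Validation{"", ValidateSystem, ValidateNone} {
		cfg, err := ClientTLSConfig(BackendTLS{Validation: v, ServerName: "backend.example"})
		fmt.Printf("mode=%q cfg!=nil:%v err=%v\n", v, cfg != nil, err)
	}
}
```
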

/kind design

kundan2707 avatar Dec 01 '20 16:12 kundan2707

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

fejta-bot avatar Mar 01 '21 16:03 fejta-bot

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten

fejta-bot avatar Mar 31 '21 17:03 fejta-bot

/remove-lifecycle rotten

robscott avatar Mar 31 '21 17:03 robscott

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

k8s-triage-robot avatar Aug 28 '21 19:08 k8s-triage-robot

@k8s-triage-robot: Closing this issue.

k8s-ci-robot avatar Aug 28 '21 19:08 k8s-ci-robot

/reopen /lifecycle frozen

hbagdi avatar Aug 30 '21 19:08 hbagdi

@hbagdi: Reopened this issue.

k8s-ci-robot avatar Aug 30 '21 19:08 k8s-ci-robot

/remove-kind design
/kind feature

kind/design is migrated to kind/feature, see https://github.com/kubernetes/community/issues/6144 for more details

MadhavJivrajani avatar Oct 11 '21 11:10 MadhavJivrajani

Despite this issue being quite old, we the maintainers are still pretty convinced that we want to have this functionality in a future release. We are marking this help wanted as we're looking for contributors with strong use cases to help champion and drive this forward.

shaneutt avatar Jul 21 '22 22:07 shaneutt

While grooming we saw that this one was open for a long period of time without anyone with a strong use case to champion it. We're going to close this as we don't expect anyone's ready to drive it forward, but if you still want this feature and have a strong use case we will be happy to reconsider this and re-open.

shaneutt avatar Mar 08 '23 20:03 shaneutt