
Extension Manager: support CA certificate reload #5396


Closed
guydc opened this issue Mar 3, 2025 · 1 comment · Fixed by #5613

Comments


guydc commented Mar 3, 2025

Description:
Currently, the extension manager loads the CA certificate when establishing gRPC connections:

if ext.Service.TLS != nil {

Connections are then cached and reused:

if m.extensionConnCache == nil {

At this time, golang doesn't provide a convenient way to reload CA certificates: golang/go#64796. However, grpc-go's advancedtls library does support working with CA cert providers/callbacks: https://pkg.go.dev/google.golang.org/grpc/security/advancedtls#RootCertificateOptions.

Envoy Gateway can implement dynamic reload of the extension manager CA certificate by:

  • Using grpc-go's advancedtls
  • Implementing a provider/callback that:
    • reads the CA cert from controller-runtime cache of k8s secret
    • reads the CA cert from a cache watching a mount of the K8s secret in Envoy Gateway's pod


@sapirpol

Hi,
I would like to work on this issue, please assign it to me.
