Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Split root_ca in CSR API #3480

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Split root_ca in CSR API #3480

wants to merge 1 commit into from

Conversation

howardjohn
Copy link
Member

Opening this for discussion.

Good background reading: istio/istio#55793. Note we do NOT need this API to fix the bug. This PR is about making the API more clear and less error-prone.

This API still is not ideal. A better approach would be to have a separate stream of root CAs and perhaps some way to tell the client they should send a new CSR. This is a much bigger change than is present here, though.

@howardjohn howardjohn added the do-not-merge/hold Block automatic merging of a PR. label Apr 7, 2025
@howardjohn howardjohn requested a review from a team as a code owner April 7, 2025 17:15
@istio-policy-bot
Copy link

🤔 🐛 You appear to be fixing a bug in Go code, yet your PR doesn't include updates to any test files. Did you forget to add a test?

Courtesy of your friendly test nag.

@istio-testing istio-testing added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Apr 7, 2025
@istio-testing
Copy link
Collaborator

@howardjohn: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
release-notes_api 5fc618f link false /test release-notes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

keithmattix
keithmattix reviewed Apr 7, 2025
View reviewed changes
Copy link
Contributor

@keithmattix keithmattix left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/cc @jaellio to weigh in, but this seems reasonable to me

hzxuzhonghu
hzxuzhonghu reviewed Apr 8, 2025
View reviewed changes
Copy link
Member

@hzxuzhonghu hzxuzhonghu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how can you make sure during upgrade, it is capatible for both client and server iwith different versions

@howardjohn
Copy link
Member Author

how can you make sure during upgrade, it is capatible for both client and server iwith different versions

that's a good call, I only really consider older control plane than data plane, not newer control plane... but that's an important issue

ilrudie
ilrudie reviewed Apr 9, 2025
View reviewed changes
security/v1alpha1/ca.proto
// root_cert contains [root1, root2].
// * if root_cert is not specified, cert_chain contains [leaf, intermediate1, intermediate2, root1+root2] concatenated into one entry.
// Note that the individual cert_chain is only signed by a single root. The roots provided here is the full bundle of trusted roots.
Roots root_cert = 2;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if having a more significant addition which introduces a new structured type containing a full replacement for cert_chanin would be better/cleaner than making a small change like this. Don't make them mutually exclusive and then we could have an interop mode where cert_chain and name_tbd are both populated with the ~same information.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to that, let's introduce a real replacement struct, potentially with arrays for intermediates and roots and a separate leaf variable

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could get behind that

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ilrudie ilrudie ilrudie left review comments

@keithmattix keithmattix keithmattix left review comments

@dgn dgn dgn left review comments

@hzxuzhonghu hzxuzhonghu hzxuzhonghu left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
do-not-merge/hold Block automatic merging of a PR. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@howardjohn @istio-policy-bot @istio-testing @ilrudie @keithmattix @dgn @hzxuzhonghu