Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support rotation of System WellKnownCACertificates in BTLSP #5074

Closed
guydc opened this issue Jan 15, 2025 · 0 comments · Fixed by #5084
Closed

Support rotation of System WellKnownCACertificates in BTLSP #5074

guydc opened this issue Jan 15, 2025 · 0 comments · Fixed by #5084
Labels
area/api API-related issues help wanted Extra attention is needed kind/bug Something isn't working
Milestone
Backlog

Comments

@guydc
Copy link
Contributor

guydc commented Jan 15, 2025
edited
Loading

Description:
Currently, BTLSP System WellKnownCACertificates are not reloaded by envoy on change.

https://github.com/envoyproxy/gateway/blob/main/internal/xds/translator/translator.go#L985

According to envoy docs:

If trusted_ca is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the CertificateValidationContext is delivered via SDS.

https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-msg-extensions-transport-sockets-tls-v3-certificatevalidationcontext

See additional discussion here: envoyproxy/envoy#10387

Envoy Gateway can deliver the file source validation context using SDS, ensuring that changes in the CA certificate are picked-up by Envoy.

[optional Relevant Links:]

Any extra documentation required to understand the issue.
@guydc guydc added triage area/api API-related issues and removed triage labels Jan 15, 2025
@arkodg arkodg added help wanted Extra attention is needed kind/bug Something isn't working labels Jan 15, 2025
@arkodg arkodg added this to the Backlog milestone Jan 15, 2025
@guydc guydc mentioned this issue Jan 17, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/api API-related issues help wanted Extra attention is needed kind/bug Something isn't working
Projects
None yet
Milestone
Backlog
Development

Successfully merging a pull request may close this issue.

feat(translator): use SDS to deliver system trust store to support dynamic reload guydc/gateway
2 participants
@arkodg @guydc