Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(translator): use SDS to deliver system trust store to support dynamic reload #5084

Merged
merged 8 commits into from
Jan 23, 2025
Merged

feat(translator): use SDS to deliver system trust store to support dynamic reload #5084

merged 8 commits into from
Jan 23, 2025

Conversation

guydc
Copy link
Contributor

@guydc guydc commented Jan 17, 2025
edited
Loading

What type of PR is this?

What this PR does / why we need it:

  • use SDS to deliver system trust store to support dynamic reload
  • Add e2e test

Which issue(s) this PR fixes:

Fixes #5074

Release Notes: Yes

@guydc
use SDS to deliver system trust store
9e3d054 
Signed-off-by: Guy Daich <guy.daich@sap.com>
@guydc guydc requested a review from a team as a code owner January 17, 2025 00:28
@codecov Codecov
Copy link

codecov bot commented Jan 17, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 94.59459% with 2 lines in your changes missing coverage. Please review.

Project coverage is 66.83%. Comparing base (6731dfd) to head (3f19463).
Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
internal/xds/translator/translator.go 94.11% 1 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #5084      +/-   ##
==========================================
- Coverage   66.92%   66.83%   -0.09%     
==========================================
  Files         210      210              
  Lines       32995    32979      -16     
==========================================
- Hits        22081    22041      -40     
- Misses       9579     9596      +17     
- Partials     1335     1342       +7

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

arkodg
arkodg previously approved these changes Jan 17, 2025
View reviewed changes
Copy link
Contributor

@arkodg arkodg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks !
would be good to optimize this in the future to have 1 system secret rather than 1 per policy

@arkodg arkodg requested review from a team January 17, 2025 21:02
@arkodg arkodg added this to the v1.3.0 milestone Jan 21, 2025
@guydc
Merge branch 'main' into feat-btlsp-reload-system-cert
8cbfcfe 
Signed-off-by: Guy Daich <guy.daich@sap.com>
@guydc guydc modified the milestones: v1.3.0, v1.3.0-rc.1 Jan 22, 2025
@guydc
Copy link
Contributor Author

guydc commented Jan 22, 2025

cc @arkodg
changed milestone to RC, as this is a behavior change and not a bug fix.

arkodg
arkodg previously approved these changes Jan 23, 2025
View reviewed changes
@arkodg arkodg requested review from a team January 23, 2025 02:11
@guydc
Merge branch 'main' into feat-btlsp-reload-system-cert
6507872 
Signed-off-by: Guy Daich <guy.daich@sap.com>
zhaohuabing
zhaohuabing previously approved these changes Jan 23, 2025
View reviewed changes
Copy link
Member

@zhaohuabing zhaohuabing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks!

@guydc
skip test for IPv6 as target doesn't support it
e2be31d 
Signed-off-by: Guy Daich <guy.daich@sap.com>
arkodg
arkodg reviewed Jan 23, 2025
View reviewed changes
test/e2e/tests/backend_tls.go
@@ -44,6 +44,34 @@ var BackendTLSTest = suite.ConformanceTest{
http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
})

t.Run("with a backend TLS Policy using Truststore", func(t *testing.T) {
// the upstream used is the eg site which doesn't support IPv6 at this time
if IPFamily == "ipv6" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc @zirain

@arkodg arkodg merged commit 5b82a02 into envoyproxy:main Jan 23, 2025
25 checks passed
DeeBi9 pushed a commit to DeeBi9/gateway that referenced this pull request Jan 25, 2025
@guydc @DeeBi9
feat(translator): use SDS to deliver system trust store to support dy…
5802743 
…namic reload (envoyproxy#5084)

* use SDS to deliver system trust store

Signed-off-by: Guy Daich <guy.daich@sap.com>

* fix manifests

Signed-off-by: Guy Daich <guy.daich@sap.com>

* skip test for IPv6 as target doesn't support it

Signed-off-by: Guy Daich <guy.daich@sap.com>

---------

Signed-off-by: Guy Daich <guy.daich@sap.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arkodg arkodg arkodg approved these changes

@zhaohuabing zhaohuabing zhaohuabing left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.3.0-rc.1
Development

Successfully merging this pull request may close these issues.

Support rotation of System WellKnownCACertificates in BTLSP
3 participants
@guydc @zhaohuabing @arkodg