Add trusting a CA bundle to net-istio #1328

Closed
ReToCode opened this issue May 30, 2024 · 4 comments · Fixed by knative/serving#15299 or #1344

@ReToCode
Member

We need to add knative/serving#14609 for net-istio as well.

Related to knative/serving#15276

@ReToCode
Member Author

/assign

mgencur added a commit to mgencur/serving-1 that referenced this issue May 30, 2024
This test relies on trusting certificates as described in
knative#14609
This is currently not implemented in net-istio, and it's tracked as
knative-extensions/net-istio#1328
knative-prow bot pushed a commit to knative/serving that referenced this issue May 30, 2024
This test relies on trusting certificates as described in
#14609
This is currently not implemented in net-istio, and it's tracked as
knative-extensions/net-istio#1328
ReToCode pushed a commit to ReToCode/serving that referenced this issue May 31, 2024
This test relies on trusting certificates as described in
knative#14609
This is currently not implemented in net-istio, and it's tracked as
knative-extensions/net-istio#1328

(cherry picked from commit f84265a)
@ReToCode
Member Author

ReToCode commented Jun 4, 2024

After some discussions it seems that this is unnecessary. Trust-bundles are only relevant for system-internal-tls, which does not make a lot of sense for net-istio in the first place. Istio has this built in using the istio-proxies while forming a mesh. So to summarize:

  • net-istio supports cluster-local-domain-tls which makes it capable of an ingress gateway with TLS mode: simple
  • net-istio supports external-domain-tls (already available for a long time)
  • net-istio will not support system-internal-tls as users can just enable mesh integration to have connections between Ingress-Gateway <> Activator <> and Queue Proxies encrypted

We already have it in the docs with the respective hint. I'm going to update the test cases to reflect that as well.

@dprotaso
Contributor

net-istio will not support system-internal-tls as users can just enable mesh integration to have connections between Ingress-Gateway <> Activator <> and Queue Proxies encrypted

Should we rollback the feature added in #1085 ?

@ReToCode
Member Author

Should we rollback the feature added in #1085 ?

Yeah I think that makes sense. I'll do a PR for that.
