Add possibility to disable SPIFFE cert validation per envoy instance #3014
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Anton Kaymakchi <anton.kaymakchi@transferwise.com>
Signed-off-by: Anton Kaymakchi <anton.kaymakchi@transferwise.com>
StupidScience
requested review from
evan2645,
amartinezfayo,
azdagron,
MarcosDY and
rturner3
as code owners
azdagron
reviewed
Apr 29, 2022
There was a problem hiding this comment.
Excellent, @StupidScience. Just a few small comments. Thank you for this contribution!
doc/spire_agent.md
Outdated
| @@ -321,6 +321,8 @@ support for the [SPIFFE Certificate Validator](https://www.envoyproxy.io/docs/en | |||
| extension, which is only available starting with Envoy 1.18. | |||
| The default name is configurable (see `default_all_bundles_name` under [SDS Configuration](#sds-configuration). | |||
|
|
|||
| SPIFFE Certificate Validator enabled by default and can be disabled by setting `disable_spiffe_cert_validation` to `true` in [SDS Configuration](#sds-configuration) for all instances or per instance in envoy's node metadata. | |||
There was a problem hiding this comment.
Suggested change
| SPIFFE Certificate Validator enabled by default and can be disabled by setting `disable_spiffe_cert_validation` to `true` in [SDS Configuration](#sds-configuration) for all instances or per instance in envoy's node metadata. | |
| The [SPIFFE Certificate Validator](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto) configures Envoy to perform SPIFFE authentication. It is used by default but can be disabled by setting `disable_spiffe_cert_validation` to `true` in [SDS Configuration](#sds-configuration). Alternatively, to disable for an individual envoy instance, the `disable_spiffe_cert_validation` key can be configured and set to `false` in the Envoy node metadata. When not used, Envoy will perform standard X.509 certificate chain validation. |
There was a problem hiding this comment.
This is a bit not correct but I've changed so PTAL once again
Signed-off-by: Anton Kaymakchi <anton.kaymakchi@transferwise.com>
azdagron
approved these changes
May 2, 2022
azdagron
changed the title
|
Hi @StupidScience. We're ready to merge this but require PRs to be up to date with the latest main. Can you merge main into this PR, or better yet grant us permissions to push commits on the PR branch? The latter makes it easier for us to manage the merge queue. |
|
@azdagron sorry, was on holiday so didn't react in time. |
|
It's not a problem! We worked around it :) |
azdagron
pushed a commit
that referenced
this pull request
May 3, 2022
…3014) Signed-off-by: Anton Kaymakchi <anton.kaymakchi@transferwise.com>
Merged
azdagron
pushed a commit
to azdagron/spire
that referenced
this pull request
May 3, 2022
…piffe#3014) Signed-off-by: Anton Kaymakchi <anton.kaymakchi@transferwise.com>
Merged
azdagron
pushed a commit
that referenced
this pull request
May 4, 2022
…3014) Signed-off-by: Anton Kaymakchi <anton.kaymakchi@transferwise.com>
azdagron
pushed a commit
that referenced
this pull request
May 4, 2022
…3014) Signed-off-by: Anton Kaymakchi <anton.kaymakchi@transferwise.com>
azdagron
pushed a commit
to azdagron/spire
that referenced
this pull request
May 13, 2022
…piffe#3014) Signed-off-by: Anton Kaymakchi <anton.kaymakchi@transferwise.com>
Merged
azdagron
pushed a commit
to azdagron/spire
that referenced
this pull request
May 13, 2022
…piffe#3014) Signed-off-by: Anton Kaymakchi <anton.kaymakchi@transferwise.com>
azdagron
pushed a commit
that referenced
this pull request
May 13, 2022
…3014) Signed-off-by: Anton Kaymakchi <anton.kaymakchi@transferwise.com>
stevend-uber
pushed a commit
to stevend-uber/spire
that referenced
this pull request
Oct 16, 2023
…piffe#3014) Signed-off-by: Anton Kaymakchi <anton.kaymakchi@transferwise.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request check list
Description of change
Added functionality that disables SPIFFE cert validation per instance of envoy by checking presence and value of
disable_spiffe_cert_validationkey in envoy node metadata.Which issue this PR fixes
fixes #3010