feat(infra): add configurable CA path for xDS mTLS#8633
Conversation
✅ Deploy Preview for cerulean-figolla-1f9435 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #8633 +/- ##
==========================================
- Coverage 74.52% 74.50% -0.02%
==========================================
Files 243 243
Lines 38670 38677 +7
==========================================
Hits 28817 28817
- Misses 7862 7867 +5
- Partials 1991 1993 +2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Add --xds-tls-ca-path CLI flag for the controller and xdsTLSCAPath field on the EnvoyProxy CRD to override the default CA certificate path (/certs/ca.crt) used for xDS mTLS. This enables non-disruptive CA rotation when using cert-manager with trust-manager. The default CA path is baked into leaf cert secrets, which become stale when the CA rotates. By pointing both sides at a separately managed CA bundle (e.g. a trust-manager ConfigMap), the existing reload mechanisms (GetConfigForClient and SDS file watch) pick up the new CA without pod restarts. Relates to envoyproxy#4891 Signed-off-by: Rajat Vig <[email protected]>
bdefb9f to
40f4d0b
Compare
|
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. Please feel free to give a status update now, ping for review, when it's ready. Thank you for your contributions! |
|
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. Please feel free to give a status update now, ping for review, when it's ready. Thank you for your contributions! |
Summary
Adds a configurable CA certificate path for xDS mTLS on both the controller and proxy sides. By default, the CA comes from the
ca.crtfield in the leaf cert secrets. This change allows pointing both sides at a separately managed CA file instead.Changes
Controller side:
--xds-tls-ca-pathCLI flag overrides the default/certs/ca.crtxdsTLSCAPathandxdsTLSCABundleto configure the flag and mount a CA ConfigMapProxy side:
xdsTLSCAPathfield on theEnvoyProxyCRD overrides the CA path in the SDS trusted CA configBoth sides default to the existing behavior when not set.
The controller re-reads the CA file on each TLS handshake via
GetConfigForClient.The proxy picks up CA changes via SDS file watch. No pod restarts required when the CA file is updated.
Testing
Relates to: #4891