Fixes MAISTRA-2324: Backport multi-root support for Envoy #92
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dmitri-d
changed the title
dmitri-d
force-pushed
the
multi-root-support
branch
from
057f294 to
9bca8bc
Compare
|
envoyproxy/envoy#14884 ported. @oschaaf: fixed the comparison you pointed out the other day; The main changes in this batch are here: https://github.com/maistra/envoy/pull/92/files#diff-067aae04811b0f9ec5191388ebd58efe08012c3bc75e0951c028448ec87e2d70R164. I'm quite certain we are ok (see the comment), an alternative would be to open up internal OpenSSL structures (something I try to do sparingly) and just use upstream code without changes. |
dmitri-d
force-pushed
the
multi-root-support
branch
from
9bca8bc to
fa297b0
Compare
port of tls: separate out cert validation logic from ContextImpl (#14757)
cherry-pick of tls: implement SPIFFE Certificate Validator for independent multiple trust domain support (#14884) Adds the extension point for certificate validations, and its first implementation for SPIFFE multi trust domain support in a single listener or cluster. Resolves envoyproxy/envoy#14614 and envoyproxy/envoy#9284. Risk Level: low (only adding the new extension point and one implementation for it) Testing: unit tests and integration tests. Docs Changes: Release Notes: tls: implement SPIFFE Certificate Validator for independent multiple trust domain support. Signed-off-by: Takeshi Yoneda <[email protected]>
tls: fix flaky integration test of SPIFFE validator (#15301) Previously these tests flake due to early counter check before the counter is actually incremented, and fail occasionally around 1~3%. I tried this with --runs_per_test=10000 and never failed. Signed-off-by: Takeshi Yoneda <[email protected]> Signed-off-by: Dmitri Dolguikh <[email protected]>
Add separate SPIFFE integeration test build target. (#15324) Signed-off-by: Takeshi Yoneda <[email protected]> Signed-off-by: Dmitri Dolguikh <[email protected]>
tls: enable allow_expired_certificate for SPIFFE validator (#15426) Signed-off-by: Takeshi Yoneda <[email protected]> Signed-off-by: Dmitri Dolguikh <[email protected]>
dmitri-d
force-pushed
the
multi-root-support
branch
from
fa297b0 to
9b72e59
Compare
dmitri-d
changed the title
oschaaf
approved these changes
May 10, 2021
| bssl::UniquePtr<X509_STORE_CTX> verify_ctx(X509_STORE_CTX_new()); | ||
| // We make a copy of X509_VERIFY_PARAMs in the store_ctx that we received as a parameter. | ||
| // This is a precaution mostly, as Envoy doesn't configure any X509_VERIFY_PARAMs. | ||
| // Note that there's no api to copy crls from one store_ctx to another; the assumption is that |
There was a problem hiding this comment.
This sentence is slightly hard to grok because of the double negation; if it is semantically correct probably not worth iterating on, but if this is accidental perhaps it is.
There was a problem hiding this comment.
Ugh, indeed, this is hard to understand, and I wrote it. Fixed.
tls: enable match_subject_alt_names option in SPIFFE validator (#15509) Signed-off-by: Takeshi Yoneda <[email protected]> Signed-off-by: Dmitri Dolguikh <[email protected]>
dmitri-d
force-pushed
the
multi-root-support
branch
from
9b72e59 to
41c3342
Compare
dmitri-d
pushed a commit
to dmitri-d/maistra-envoy
that referenced
this pull request
May 19, 2021
* Fixes MAISTRA-2324: port of tls: separate out cert validation logic from ContextImpl (#14757) * Fixes MAISTRA-2324: cherry-pick of tls: implement SPIFFE Certificate Validator for independent multiple trust domain support (#14884) Adds the extension point for certificate validations, and its first implementation for SPIFFE multi trust domain support in a single listener or cluster. Resolves envoyproxy/envoy#14614 and envoyproxy/envoy#9284. Risk Level: low (only adding the new extension point and one implementation for it) Testing: unit tests and integration tests. Docs Changes: Release Notes: tls: implement SPIFFE Certificate Validator for independent multiple trust domain support. Signed-off-by: Takeshi Yoneda <[email protected]> * Fixes MAISTRA-2324: cherry-pick of tls: fix flaky integration test of SPIFFE validator (#15301) Previously these tests flake due to early counter check before the counter is actually incremented, and fail occasionally around 1~3%. I tried this with --runs_per_test=10000 and never failed. Signed-off-by: Takeshi Yoneda <[email protected]> Signed-off-by: Dmitri Dolguikh <[email protected]> * Fixes MAISTRA-2324: cherry-pick of Add separate SPIFFE integeration test build target. (#15324) Signed-off-by: Takeshi Yoneda <[email protected]> Signed-off-by: Dmitri Dolguikh <[email protected]> * Fixes MAISTRA-2324: cherry-pick of tls: enable allow_expired_certificate for SPIFFE validator (#15426) Signed-off-by: Takeshi Yoneda <[email protected]> Signed-off-by: Dmitri Dolguikh <[email protected]> * Fixes MAISTRA-2324: cherry-pick of tls: enable match_subject_alt_names option in SPIFFE validator (#15509) Signed-off-by: Takeshi Yoneda <[email protected]> Signed-off-by: Dmitri Dolguikh <[email protected]> Co-authored-by: Takeshi Yoneda <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a port of tls: separate out cert validation logic from ContextImpl (#14757) (the original PR: envoyproxy/envoy#14757).
The next PR in the queue is envoyproxy/envoy#14884. It's going to be tricky, upstream relies on what is an OpenSSL internal data-structure in their spiffe validator implementation.
@dgn, @oschaaf.