linkerd
/
linkerd2
mirror of https://github.com/linkerd/linkerd2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Proxy: Use new destination service TLS identity scheme. (#1222) 

Signed-off-by: Brian Smith <brian@briansmith.org>
This commit is contained in:
Brian Smith 2018-06-27 14:47:57 -10:00 committed by GitHub
parent 06d0209d0b
commit 06d3c09ca5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
proto/proxy/destination.proto
View File

@ -86,22 +86,9 @@ message WeightedAddr {
// Which strategy should be used for verifying TLS. // Which strategy should be used for verifying TLS.
message TlsIdentity { message TlsIdentity {
oneof strategy { oneof strategy {
K8sPodNamespace k8s_pod_namespace = 1;
K8sPodIdentity k8s_pod_identity = 2; K8sPodIdentity k8s_pod_identity = 2;
} }
// Verify the certificate based on the Kubernetes pod name, and ensure
// that the pod is configured with the same Conduit control plane
// namespace as this proxy.
message K8sPodNamespace {
// The Kubernetes namespace of the pod's Conduit control plane.
string controller_ns = 1;
// The Kubernetes namespace that the pod is in.
string pod_ns = 2;
// The name of the pod.
string pod_name = 3;
}
// Verify the certificate based on the Kubernetes pod identity. // Verify the certificate based on the Kubernetes pod identity.
message K8sPodIdentity { message K8sPodIdentity {
// The pod_identity string is of the format: // The pod_identity string is of the format:

12
proxy/src/transport/tls/identity.rs
View File

@ -22,7 +22,7 @@ impl Identity {
{ {
use conduit_proxy_controller_grpc::destination::tls_identity::Strategy; use conduit_proxy_controller_grpc::destination::tls_identity::Strategy;
match pb.strategy { match pb.strategy {
Some(Strategy::K8sPodNamespace(i)) => { Some(Strategy::K8sPodIdentity(i)) => {
// XXX: If we don't know the controller's namespace or we don't // XXX: If we don't know the controller's namespace or we don't
// share the same controller then we won't be able to validate // share the same controller then we won't be able to validate
// the certificate yet. TODO: Support cross-controller // the certificate yet. TODO: Support cross-controller
@ -30,15 +30,7 @@ impl Identity {
if controller_namespace != Some(i.controller_ns.as_ref()) { if controller_namespace != Some(i.controller_ns.as_ref()) {
return Ok(None); return Ok(None);
} }
Self::from_sni_hostname(i.pod_identity.as_bytes()).map(Some)
let namespaces = Namespaces {
pod: i.pod_ns,
tls_controller: Some(i.controller_ns),
};
Self::try_from_pod_name(&namespaces, &i.pod_name).map(Some)
},
Some(Strategy::K8sPodIdentity(_i)) => {
Ok(None) // TODO: switch to K8sPodIdentity
}, },
None => Ok(None), // No TLS. None => Ok(None), // No TLS.
} }