mirror of https://github.com/linkerd/linkerd2.git
5a42ce357e
Required for #1008. This PR adds the `TlsIdentity` message to the Destination service proto, to describe what strategy the proxy should use for verifying an endpoint's TLS certificates. It also adds a `TlsIdentity` field to the `WeightedAddr` message. Currently, there is one possible variant for `TlsIdentity`, `KubernetesPodName`, which consists of the Kubernetes pod name of the endpoint, the namespace of the endpoint, and the namespace of that pod's Conduit control plane. The proxy should attempt to connect over TLS if the control plane namespace matches its own control plane namespace. The pod name and namespace are used to verify the endpoint's TLS certificate. See https://github.com/runconduit/conduit/issues/386#issuecomment-392948046. This change was initially part of #1008, but I factored it out to make the diff smaller. Signed-off-by: Eliza Weisman <eliza@buoyant.io> |
||
|---|---|---|
| .. | ||
| common | ||
| controller/tap | ||
| google/protobuf | ||
| proxy | ||
| public | ||