-
Notifications
You must be signed in to change notification settings - Fork 505
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Router TLS configuration #63
Comments
I've split out per-service validation into #64 so that establishing base functionality (no validation + static name validation) can be done independently of figuring out all of the matcher stuff. |
It occurs to me that we don't need a special - kind: dstRewrite
matches:
- prefix: /
dst: linkerd.io (i still haven't found a great name for this module) See #65 for more details, but this should be effectively the same as a static configuration. I'm not sure if it makes sense to provide 2 modules for this or not... |
I'm going to do Static and No Validation in this ticket. I've filed #64 for per-service and we can delete the Static module then if it's just a special case of that. |
Quick question about the config file format for TLS. I notice that all of your example configs look something like:
But in master right now, we use
Since TLS is itself part of the protocol, how would you feel about nesting all of the tls options under the protocol section? Having a protocol and a separate tls section feels confusing to me. |
Are you suggesting:
That seems pretty reasonable to me. |
Yep, or we could keep the "kind" field, like:
|
|
…rd#63) Stop ignoring the most significant labels of Destination names Previously the destinations service was ignoring all the labels in a destination name after the first two labels. Thus, for example, "name.ns.another.domain.example.com" would be considered the same as "name.ns.svc.cluster.local". This was very wrong. Match destination names taking into consideration every label in the destination name. Provisions have been made for the case where the controller and the proxies with the zone name to use. However, currently neither the controller nor the proxies are actually configured with the zone, so the implementation was made to work in the current configuration too, as long as fully-qualified names are not used. A negative consequence of this change is that a name like "name.ns.svc.cluster.local" won't resolve in the current configuration, because the controller doesn't know the zone is "cluster.local" Unit tests are included for the new mapping rules. Signed-off-by: Brian Smith <[email protected]>
Once #21 is merged, we'll need a way to configure clientside TLS on the router. I can think of at least 2 or 3 different configurations we'll want to support, so this should be modular (and perhaps pluggable, so that users may implement their own crazy policies).
Static validation
Per-service validation
The matchers should:
Parsing the
name
values may be slightly tricky, but we can probably write a parser-generator to do this.No validation
(And, yes, i think that's what that option should be called.)
Per-host validation
We can probably punt this down the road, but, we can use the IP or Hostname of the individual destination address as the peer's name.
The text was updated successfully, but these errors were encountered: