populate crl only when the key is present in secret (istio#45112)

Signed-off-by: Faseela K <[email protected]>
zhaohuabing · May 25, 2023 · 4e804a9 · 4e804a9
1 parent fb6ad68
commit 4e804a9
Showing 1 changed file with 15 additions and 12 deletions.
diff --git a/pilot/pkg/xds/sds.go b/pilot/pkg/xds/sds.go
@@ -320,21 +320,24 @@ func atMostNJoin(data []string, limit int) string {
 }
 
 func toEnvoyCaSecret(name string, certInfo *credscontroller.CertInfo) *discovery.Resource {
+ validationContext := &envoytls.CertificateValidationContext{
+ TrustedCa: &core.DataSource{
+ Specifier: &core.DataSource_InlineBytes{
+ InlineBytes: certInfo.Cert,
+ },
+ },
+ }
+ if certInfo.CRL != nil {
+ validationContext.Crl = &core.DataSource{
+ Specifier: &core.DataSource_InlineBytes{
+ InlineBytes: certInfo.CRL,
+ },
+ }
+ }
  res := protoconv.MessageToAny(&envoytls.Secret{
  Name: name,
  Type: &envoytls.Secret_ValidationContext{
- ValidationContext: &envoytls.CertificateValidationContext{
- TrustedCa: &core.DataSource{
- Specifier: &core.DataSource_InlineBytes{
- InlineBytes: certInfo.Cert,
- },
- },
- Crl: &core.DataSource{
- Specifier: &core.DataSource_InlineBytes{
- InlineBytes: certInfo.CRL,
- },
- },
- },
+ ValidationContext: validationContext,
  },
  })
  return &discovery.Resource{