Skip to content
This repository was archived by the owner on Jul 11, 2023. It is now read-only.

Decouple certificate common name from various components #4759

Merged
merged 5 commits into from
May 31, 2022
Merged

Decouple certificate common name from various components #4759

merged 5 commits into from
May 31, 2022

Conversation

steeling
Copy link
Contributor

@steeling steeling commented May 24, 2022
edited
Loading

In preparation for custom trust domains, I am beginning the process of decoupling the equality between certificate.CommonName, and identity.ServiceIdentity (they will remain tightly coupled, but not strictly equal)

There's a bunch of places in the code that currently relies on CertificateCommonName, particularly with respect to proxies, proxy maps (registries), and xdsLog.

In these cases I prefer using either the UUID, when mapping directly to the proxy OR a new "proxy name" comprised of the uuid and service identity for the xdsLog to maintain the usefulness of having both the identity and uuid.

This PR also removes some dead code as a result of the above changes.

@steeling
Copy link
Contributor Author

Part of #4754

@steeling steeling force-pushed the feature/xdslog branch 3 times, most recently from 9a45803 to 8603eea Compare May 25, 2022 00:01
@codecov-commenter
Copy link

codecov-commenter commented May 25, 2022
edited
Loading

Codecov Report

Merging #4759 (6b9bdfb) into main (7ddd4d1) will increase coverage by 0.07%.
The diff coverage is 70.17%.

@@            Coverage Diff             @@
##             main    #4759      +/-   ##
==========================================
+ Coverage   68.99%   69.06%   +0.07%     
==========================================
  Files         226      225       -1     
  Lines       16432    16365      -67     
==========================================
- Hits        11337    11303      -34     
+ Misses       5043     5010      -33     
  Partials       52       52
Flag Coverage Δ
unittests 69.06% <70.17%> (+0.07%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
pkg/debugger/mock_debugger_generated.go 77.77% <0.00%> (ø)
pkg/debugger/proxy.go 10.00% <0.00%> (ø)
pkg/debugger/xds.go 6.06% <0.00%> (ø)
pkg/envoy/xdsutil.go 93.91% <ø> (+0.46%) ⬆️
pkg/errcode/errcode.go 100.00% <ø> (ø)
pkg/envoy/ads/stream.go 8.05% <33.33%> (-0.07%) ⬇️
pkg/envoy/eds/response.go 62.06% <50.00%> (+6.18%) ⬆️
pkg/envoy/proxy.go 85.48% <60.00%> (-1.08%) ⬇️
pkg/envoy/rds/response.go 82.85% <75.00%> (+3.90%) ⬆️
pkg/envoy/ads/profile.go 88.37% <83.33%> (ø)
... and 11 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7ddd4d1...6b9bdfb. Read the comment docs.

@steeling
Decouple certificate common name from various components
5bb2281 
Signed-off-by: Sean Teeling <seanteeling@microsoft.com>
keithmattix
keithmattix reviewed May 25, 2022
View reviewed changes
@shashankram
Copy link
Member

I understand what this PR is doing, but couldn't understand how this change helps #4754. Could you describe in the commit message why this decoupling is necessary?
Thanks

@steeling
Copy link
Contributor Author

I understand what this PR is doing, but couldn't understand how this change helps #4754. Could you describe in the commit message why this decoupling is necessary?
Thanks

Good question! That’s definitely not obvious on first pass

  1. A proxy’s CN can change with rotated trust domains, so we want to keep these mappings stable
  2. After we decouple service identity and from common name, we can no longer derive the CN without access to the cert manager instance, and knowing which trust domain to use

shashankram
shashankram reviewed May 26, 2022
View reviewed changes
nojnhuh
nojnhuh reviewed May 27, 2022
View reviewed changes
@steeling
address comment
fe0b519 
Signed-off-by: Sean Teeling <seanteeling@microsoft.com>
jaellio
jaellio reviewed May 27, 2022
View reviewed changes
jaellio
jaellio reviewed May 27, 2022
View reviewed changes
@steeling steeling force-pushed the feature/xdslog branch 2 times, most recently from 04959e1 to 325958b Compare May 28, 2022 00:27
@steeling
address more comments
6b9bdfb 
Signed-off-by: Sean Teeling <seanteeling@microsoft.com>
@jaellio jaellio merged commit ae53c47 into openservicemesh:main May 31, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@snehachhabria snehachhabria Awaiting requested review from snehachhabria

@draychev draychev Awaiting requested review from draychev

@trstringer trstringer Awaiting requested review from trstringer

4 more reviewers

@keithmattix keithmattix keithmattix left review comments

@jaellio jaellio jaellio left review comments

@nojnhuh nojnhuh nojnhuh approved these changes

@shashankram shashankram shashankram approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@steeling @codecov-commenter @shashankram @keithmattix @nojnhuh @jaellio