Skip to content

adding validate_upstream_certs#5576

Open
aburan28 wants to merge 1 commit intoemissary-ingress:masterfrom
aburan28:adam--update-to-add-tls-upstream-validation
Open

adding validate_upstream_certs#5576
aburan28 wants to merge 1 commit intoemissary-ingress:masterfrom
aburan28:adam--update-to-add-tls-upstream-validation

Conversation

@aburan28
Copy link

@aburan28 aburan28 commented Feb 20, 2024
edited
Loading

Description

Currently emissary does not offer a way to validate upstream TLS certificates despite envoy supporting this feature
https://www.envoyproxy.io/docs/envoy/latest/start/quick-start/securing

Related Issues

#1646

Testing

A few sentences describing what testing you've done, e.g., manual tests, automated tests, deployed in production, etc.

Checklist

  • Does my change need to be backported to a previous release?

    • What backport versions were discussed with the Maintainers in the Issue?

  • I made sure to update CHANGELOG.md.

    Remember, the CHANGELOG needs to mention:

    • Any new features
    • Any changes to our included version of Envoy
    • Any non-backward-compatible changes
    • Any deprecations

  • This is unlikely to impact how Ambassador performs at scale.

    Remember, things that might have an impact at scale include:

    • Any significant changes in memory use that might require adjusting the memory limits
    • Any significant changes in CPU use that might require adjusting the CPU limits
    • Anything that might change how many replicas users should use
    • Changes that impact data-plane latency/scalability

  • My change is adequately tested.

    Remember when considering testing:

    • Your change needs to be specifically covered by tests.
      • Tests need to cover all the states where your change is relevant: for example, if you add a behavior that can be enabled or disabled, you'll need tests that cover the enabled case and tests that cover the disabled case. It's not sufficient just to test with the behavior enabled.
    • You also need to make sure that the entire area being changed has adequate test coverage.
      • If existing tests don't actually cover the entire area being changed, add tests.
      • This applies even for aspects of the area that you're not changing – check the test coverage, and improve it if needed!
    • We should lean on the bulk of code being covered by unit tests, but...
    • ... an end-to-end test should cover the integration points

  • I updated DEVELOPING.md with any any special dev tricks I had to use to work on this code efficiently.

  • The changes in this PR have been reviewed for security concerns and adherence to security best practices.

@aburan28
adding validate_upstream_certs
6d34d04 
Signed-off-by: Adam Buran <aburan28@gmail.com>
@aburan28 aburan28 force-pushed the adam--update-to-add-tls-upstream-validation branch from 403f696 to 6d34d04 Compare February 20, 2024 00:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@aburan28