
Commit 2da43c5

zaharidichev and olix0r authored
destination: add UriLikeIdentity and server_name (#285)
Changes the `TlsIdentity` type in the destination API such that:

- we add an extra `UriLikeIdentity` identity type that should contain identities that are in URI format (e.g. SPIFFE)
- we add a `server_name` to the `TlsIdentity` type. This allows us to differentiate between an SNI value and a TLS Id value.

This is mainly needed because in certain identity systems (SPIFFE/SPIRE) the TLS SAN can be in URI form. A URI cannot be used as a SNI extension in a `ClientHello`, so an alternative SNI value needs to be provided. This brings the need to distinguish between these two concepts.

For context: linkerd/linkerd2-proxy#2506

Signed-off-by: Zahari Dichev <[email protected]>
Co-authored-by: Oliver Gould <[email protected]>
1 parent a3c6b13 commit 2da43c5

17 files changed: +404 -265 lines changed

Diff for: go/destination/destination.pb.go

+340-232
Some generated files are not rendered by default.

Diff for: go/destination/destination_grpc.pb.go

+1-1

Diff for: go/grpc_route/grpc_route.pb.go

+2-2

Diff for: go/http_route/http_route.pb.go

+2-2

Diff for: go/http_types/http_types.pb.go

+2-2

Diff for: go/identity/identity.pb.go

+2-2

Diff for: go/identity/identity_grpc.pb.go

+1-1

Diff for: go/inbound/inbound.pb.go

+4-5

Diff for: go/inbound/inbound_grpc.pb.go

+1-1

Diff for: go/meta/meta.pb.go

+2-2

Diff for: go/net/net.pb.go

+2-2

Diff for: go/outbound/outbound.pb.go

+4-5

Diff for: go/outbound/outbound_grpc.pb.go

+1-1

Diff for: go/tap/tap.pb.go

+2-2

Diff for: go/tap/tap_grpc.pb.go

+1-1

Diff for: proto/destination.proto

+18-2
Original file line number | Diff line number | Diff line change
@@ -103,12 +103,19 @@ message WeightedAddr {
103103
AuthorityOverride authority_override = 7;
104104
}
105105

106-
// Which strategy should be used for verifying TLS.
107106
message TlsIdentity {
108107
reserved 2;
109108
reserved "k8s_pod_identity";
110109

111-
oneof strategy { DnsLikeIdentity dns_like_identity = 1; }
110+
oneof strategy {
111+
DnsLikeIdentity dns_like_identity = 1;
112+
UriLikeIdentity uri_like_identity = 3;
113+
}
114+
115+
// The server name of the endpoint. This is the value that needs to be included
116+
// by clients in the ClientHello SNI extension of the TLS handshake when they
117+
// initiate TLS connections to servers.
118+
DnsLikeIdentity server_name = 4;
112119

113120
// Verify the certificate based on the Kubernetes pod identity.
114121
message DnsLikeIdentity {
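Review bot: the comment on `DnsLikeIdentity server_name = 4;` says what a client puts in the ClientHello SNI extension but not what it must not do with it: it should state explicitly that `server_name` is used only for SNI and that certificate verification still uses the identity selected in `oneof strategy`, otherwise a reader could take `server_name` as an alternative name to verify the peer certificate against. It should also say what a client does when `server_name` is unset (a control plane predating this change will not populate field 4), presumably falling back to `dns_like_identity` as the SNI value as before. Lastly, the removed line `// Which strategy should be used for verifying TLS.` was the only doc comment on `message TlsIdentity`; consider restoring it above the message rather than dropping it.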
@@ -118,6 +125,15 @@ message TlsIdentity {
118125
// {name}.{namespace}.{type}.identity.{control-namespace}.{trust-domain...}
119126
string name = 1;
120127
}
128+
129+
// Verify the certificate based on an URI identity.
130+
message UriLikeIdentity {
131+
// A URI name that encodes workload identity.
132+
//
133+
// For example:
134+
// spiffe://trust-domain/workload-dentifier
135+
string uri = 1;
136+
}
121137
}
122138

123139
message AuthorityOverride { string authority_override = 1; }
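Review bot: the `string uri = 1;` comment does not say how the value is matched against the presented certificate; given the commit message, state how it is compared with the certificate's URI SAN (for example, exact match) and that a complete URI including the scheme is expected, as in the example. Two wording fixes in the same block: `// spiffe://trust-domain/workload-dentifier` should read `workload-identifier`, and `// Verify the certificate based on an URI identity.` should read `a URI identity`.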

Diff for: src/gen/io.linkerd.proxy.destination.rs

+19-2
