Uploaded image for project: 'Maistra'
  1. Maistra
  2. MAISTRA-2242

Support different root certificates

    XMLWordPrintable

Details

    • Story
    • Resolution: Done
    • Blocker
    • maistra-2.1.0
    • None
    • None
    • None
    • Sprint 3, Sprint 4, Sprint 5, Sprint 6, Sprint 7, Sprint 8, Sprint 9, Sprint 10

    Description

      As a mesh administrator, I want to be able to join two meshes into a federation that do not share a root certificate, so that administrative domains can be completely separate

      There has been some work upstream to support SPIFFE TrustBundles - they offer exactly the functionality required here, by mapping trust domains to certificate chains. We should look at cherry-picking that work, if possible.

      Acceptance Criteria:

      • Every mesh can define its own trust domain and cert chain
      • Proxies validate remote certificates depending on the trust domain

      This story covers exchange of certificate chains at Federation initialization- for continuous updates of cert chains, see MAISTRA-2238

      Attachments

        Issue Links

          blocks

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. MAISTRA-2238 Certificate Rotation

          • Critical - To be worked on immediately following BLOCKER issues.
          • Backlog
          is blocked by

          Bug - A problem that impairs or prevents the functions of the product. MAISTRA-2649 OSSM 2.1 error inserting data for namespace: error when creating configmap istio-ca-root-cert: configmaps "istio-ca-root-cert" already exists

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. MAISTRA-2687 OSSM 2.1 Federation gateway does not send full cert chain when using external certificates

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is cloned by

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. MAISTRA-2316 Communicate cert chains automatically

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Backlog
          relates to

          Sub-task - The sub-task of the issue MAISTRA-2293 Create CRD for joining meshes into a federated mesh

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Sub-task - The sub-task of the issue MAISTRA-2319 Create a new test case for supporting two meshes with their trust domain and cert chain into a federation

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Sub-task - The sub-task of the issue MAISTRA-2320 Create a new test case for validating remote certificates depending on the trust domain

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              dgrimm@redhat.com Daniel Grimm
              dgrimm@redhat.com Daniel Grimm
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: