Story
Resolution: Done
Blocker
Sprint 3, Sprint 4, Sprint 5, Sprint 6, Sprint 7, Sprint 8, Sprint 9, Sprint 10
As a mesh administrator, I want to be able to join two meshes that do not share a root certificate into a federation, so that administrative domains can be completely separate.
There has been some work upstream to support SPIFFE TrustBundles, which offer exactly the functionality required here by mapping trust domains to certificate chains. We should look at cherry-picking that work, if possible.
Acceptance Criteria:
- Every mesh can define its own trust domain and cert chain
- Proxies validate remote certificates depending on the trust domain
This story covers the exchange of certificate chains at Federation initialization. For continuous updates of cert chains, see MAISTRA-2238.
- blocks
  - MAISTRA-2238 Certificate Rotation (Backlog)
- is blocked by
  - MAISTRA-2649 OSSM 2.1 error inserting data for namespace: error when creating configmap istio-ca-root-cert: configmaps "istio-ca-root-cert" already exists (Closed)
  - MAISTRA-2687 OSSM 2.1 Federation gateway does not send full cert chain when using external certificates (Closed)
- is cloned by
  - MAISTRA-2316 Communicate cert chains automatically (Backlog)
- relates to
  - MAISTRA-2293 Create CRD for joining meshes into a federated mesh (Closed)
  - MAISTRA-2319 Create a new test case for supporting two meshes with their trust domain and cert chain into a federation (Closed)
  - MAISTRA-2320 Create a new test case for validating remote certificates depending on the trust domain (Closed)