fix: set SNI's certificate ID ref #6660

Merged
merged 2 commits into from
Nov 13, 2024
@pmalek pmalek commented Nov 12, 2024

What this PR does / why we need it:

This PR adds SNI's certificate ID ref to be set in generated config. This basically means that instead of:

{
	"_format_version": "3.0",
	"certificates": [
		{
			"id": "8aade13c-1470-46bd-9849-9a74e349214f",
			"cert": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
			"key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----",
			"snis": [
				{
					"name": "3.example.com"
				},
				{
					"name": "4.example.com"
				}
			]
		}
	]
}

we generate

{
	"_format_version": "3.0",
	"certificates": [
		{
			"id": "8aade13c-1470-46bd-9849-9a74e349214f",
			"cert": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
			"key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----",
			"snis": [
				{
					"name": "3.example.com",
					"certificate": {
						"id": "8aade13c-1470-46bd-9849-9a74e349214f"
					}
				},
				{
					"name": "4.example.com",
					"certificate": {
						"id": "8aade13c-1470-46bd-9849-9a74e349214f"
					}
				}
			]
		}
	]
}

Which issue this PR fixes:

Fixes #6642

Special notes for your reviewer:

Related slack thread: https://kongstrong.slack.com/archives/C03CTMSHP6C/p1730991424228489

PR Readiness Checklist:

Complete these before marking the PR as ready to review:

  • the CHANGELOG.md release notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR

@pmalek pmalek added the fix label Nov 12, 2024
@pmalek pmalek self-assigned this Nov 12, 2024
@pmalek pmalek added this to the KIC v3.4.x milestone Nov 12, 2024
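A pre-push check for the shape described above, as an added example that is not part of the PR or of KIC's code: it parses a declarative config and reports every nested SNI that lacks `certificate.id`. It goes slightly beyond the PR by also flagging an id that differs from the enclosing certificate's. `CheckSNIRefs`, the struct names and `sampleConfig` are hypothetical, and the sample input is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal view of the declarative config shown in the PR description.
type certRef struct {
	ID string `json:"id"`
}
type sni struct {
	Name        string   `json:"name"`
	Certificate *certRef `json:"certificate,omitempty"`
}
type certificate struct {
	ID   string `json:"id"`
	SNIs []sni  `json:"snis"`
}
type config struct {
	Certificates []certificate `json:"certificates"`
}

// CheckSNIRefs (hypothetical helper) returns one finding per nested SNI whose
// certificate.id is missing or differs from the enclosing certificate's id.
func CheckSNIRefs(raw []byte) ([]string, error) {
	var cfg config
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	var findings []string
	for _, c := range cfg.Certificates {
		for _, s := range c.SNIs {
			switch {
			case s.Certificate == nil || s.Certificate.ID == "":
				findings = append(findings, fmt.Sprintf("sni %q: missing certificate.id (want %s)", s.Name, c.ID))
			case s.Certificate.ID != c.ID:
				findings = append(findings, fmt.Sprintf("sni %q: certificate.id %s != parent %s", s.Name, s.Certificate.ID, c.ID))
			}
		}
	}
	return findings, nil
}

// Constructed sample: the first SNI carries the ref, the second does not.
const sampleConfig = `{"_format_version":"3.0","certificates":[{"id":"8aade13c-1470-46bd-9849-9a74e349214f",
 "snis":[{"name":"3.example.com","certificate":{"id":"8aade13c-1470-46bd-9849-9a74e349214f"}},{"name":"4.example.com"}]}]}`

func main() {
	findings, err := CheckSNIRefs([]byte(sampleConfig))
	fmt.Println(findings, err)
}
```

A config that fails to parse is returned as an error rather than as zero findings, so a malformed file cannot pass the check silently.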
codecov bot commented Nov 12, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.7%. Comparing base (565eb08) to head (618fd00).
Report is 10 commits behind head on main.

Additional details and impacted files
@@          Coverage Diff          @@
##            main   #6660   +/-   ##
=====================================
  Coverage   77.6%   77.7%           
=====================================
  Files        201     200    -1     
  Lines      23766   23681   -85     
=====================================
- Hits       18456   18402   -54     
+ Misses      4359    4340   -19     
+ Partials     951     939   -12     


@pmalek pmalek marked this pull request as ready for review November 13, 2024 11:11
@pmalek pmalek requested a review from a team as a code owner November 13, 2024 11:11
pmalek commented Nov 13, 2024

Marking this as ready for review but this still requires feedback from Gateway team in the linked slack thread.

czeslavo previously approved these changes Nov 13, 2024
@czeslavo czeslavo left a comment

Very interesting find 👀 I wasn't aware KIC sets IDs for Certificates. Apparently it does so from the beginning using Kubernetes Secret's UID. Let's see what the Gateway team says about the Consumers triggering SNIs with no Certificate ID rejected. 🤔

Anyway, I think we can merge this as an improvement.

Co-authored-by: Grzegorz Burzyński <[email protected]>
@pmalek pmalek merged commit 9517268 into main Nov 13, 2024
42 checks passed
@pmalek pmalek deleted the sni-certificate-id-ref branch November 13, 2024 17:50
Successfully merging this pull request may close these issues.

Missing snis certificate id ref in config pushed to Admin API causes invalid config errors