envoyproxy / gateway

Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway
https://gateway.envoyproxy.io
Apache License 2.0

remoteJWKS needs a caCert option #3536

Open vacan1t opened 3 weeks ago

vacan1t commented 3 weeks ago

Description: When setting up JWT authentication, we need to be able to set a custom CA certificate to allow Envoy to trust our internal HTTPS JWKS server.

Snippet from SecurityPolicy:

```yaml
  jwt:
    providers:
    - name: poc-oidc
      remoteJWKS:
        uri: https://poc-oidc.internal.domain.com/keys
```

Relevant debug logs:

```
[2024-06-04 13:15:36.191][1][debug][connection] [source/extensions/transport_sockets/tls/cert_validator/default_validator.cc:325] verify cert failed: X509_verify_cert: certificate verification error at depth 1: unable to get local issuer certificate
2024-06-04T15:15:36.191711347+02:00 [2024-06-04 13:15:36.191][1][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:241] [Tags: "ConnectionId":"8"] remote address:10.X.X.254:443,TLS_error:|268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:TLS_error_end
```

Relevant links:

- https://gateway.envoyproxy.io/latest/tasks/security/jwt-authentication/
- https://gateway.envoyproxy.io/contributions/design/security-policy/

arkodg commented 3 weeks ago

I'd vote for adding a caCertificateRefs field in here to solve this

phantooom commented 3 weeks ago

/assign

phantooom commented 2 weeks ago

> I'd vote for adding a caCertificateRefs field in here to solve this

Is a caCertificateRef field OK? Is there a scenario where users might need multiple CAs?

arkodg commented 1 week ago

> I'd vote for adding a caCertificateRefs field in here to solve this

> Is a caCertificateRef field OK? Is there a scenario where users might need multiple CAs?

@phantooom let's follow the BackendTLSPolicy spec https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ as a guide and use caCertificateRefs and append them into one internally

phantooom commented 1 week ago

> I'd vote for adding a caCertificateRefs field in here to solve this

> Is a caCertificateRef field OK? Is there a scenario where users might need multiple CAs?

> @phantooom let's follow the BackendTLSPolicy spec https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ as a guide and use caCertificateRefs and append them into one internally

ok