Closed mikegrass closed 7 months ago
cc: @ramaraochavali
we have done similar check in istiod iirc
Yes. We did. We need the same check in agent.
@ramaraochavali do you mind if I take a look at this to build some experience on the secrets handling?
I have just pushed the change some time back. Sorry. You should have told me earlier. Next time you can do
np :+1:
Is this the right place to submit this?
Bug Description
We've noticed some cases in our environment where pilot-agent pushes an empty root cert bundle to envoy, which then gets rejected.
This can happen if the entity updating the trust bundle does not do an atomic write (write to a temp file in the same dir, then rename).
Example log sequence:
pilot-agent can be improved to do a basic validity check of the trust bundle before pushing the update event to the proxy.
Note that #37722 added validity checks for private keys/certs. This request is to add a similar check for root cert bundles.
Version
Additional Information
No response
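The kind of pre-push validity check the issue asks for, as an added example in Go (not Istio's code; `ValidateRootBundle` and `NewTestCAPEM` are names assumed here). It rejects the torn-write cases the report describes (an empty or half-written bundle) and, going a step beyond the issue, also rejects bundles whose blocks parse but are not CA certificates; the helper only constructs throwaway test certificates so the check can be exercised offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ValidateRootBundle gates a trust-bundle update before it would be pushed to the
// proxy. It returns the number of CA certificates found and rejects an empty file
// (the torn-write case), a file with no CERTIFICATE block, or an unparsable/non-CA cert.
func ValidateRootBundle(data []byte) (int, error) {
	count := 0
	for rest := data; len(rest) > 0; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break // remaining bytes are not PEM
		}
		if block.Type != "CERTIFICATE" {
			continue // ignore stray non-certificate blocks
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return 0, fmt.Errorf("unparsable certificate in trust bundle: %w", err)
		}
		if !cert.IsCA {
			return 0, fmt.Errorf("%q in trust bundle is not a CA certificate", cert.Subject.CommonName)
		}
		count++
	}
	if count == 0 {
		return 0, fmt.Errorf("trust bundle has no CA certificates (%d bytes read)", len(data))
	}
	return count, nil
}

// NewTestCAPEM builds a throwaway self-signed certificate (constructed test data only).
func NewTestCAPEM(cn string, isCA bool) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

The writer side of the fix is independent of this check: an updater that writes to a temp file in the same directory and renames it into place never exposes the empty intermediate state in the first place.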