istio / ztunnel

The `ztunnel` component of ambient mesh
Apache License 2.0
298 stars 101 forks

Support custom SECRET_TTL and SECRET_GRACE_PERIOD_RATIO in ztunnel #736

Closed GregHanson closed 11 months ago

GregHanson commented 11 months ago

ztunnel currently has SECRET_TTL hardcoded to 24 hours here and SECRET_GRACE_PERIOD_RATIO hardcoded to 0.5 here. Sidecar supports these two environment variables to allow customizing these cert rotation settings - should ztunnel do the same?

GregHanson commented 11 months ago

related to second item raised during review here

Eventually you do need to mint certificates with 'new'. Is 12hr short enough for this, or do we need something between "instant" and "12hr"? 12hr seems fine to me... plus you can always force it w/ restart

In addition to the two env vars, sidecar also has PCDS as a way to pick up some cert changes immediately. Since ztunnel does not support PCDS, these env vars would allow users who don't want to wait up to 12 hours for cert changes to have some control over these settings
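To make the two settings discussed in this issue concrete, here is an added Rust example (not ztunnel's or Istio's own code) showing how SECRET_TTL and SECRET_GRACE_PERIOD_RATIO would be read from the environment with the defaults the issue cites (24h and 0.5) and how they determine when a certificate gets refreshed. The `RotationPolicy` type, its functions and the `<number><h|m|s>` duration format are assumptions of this example; the ratio is interpreted the way the sidecar treats it, as the fraction of the certificate lifetime kept as a grace period before expiry, which is what yields the 12 hour refresh point mentioned in the thread.

```rust
// Added example, not ztunnel code: turn SECRET_TTL and
// SECRET_GRACE_PERIOD_RATIO into a certificate refresh schedule.
use std::env;
use std::time::Duration;

/// Defaults cited in the issue: 24h TTL and a 0.5 grace-period ratio.
pub const DEFAULT_SECRET_TTL: Duration = Duration::from_secs(24 * 60 * 60);
pub const DEFAULT_GRACE_PERIOD_RATIO: f64 = 0.5;

#[derive(Debug, Clone, PartialEq)]
pub struct RotationPolicy {
    pub ttl: Duration,
    pub grace_period_ratio: f64,
}

/// Parse a duration written as "<number><h|m|s>", e.g. "12h", "30m", "900s".
/// This format is an assumption of the example, not ztunnel's parser.
pub fn parse_duration(s: &str) -> Result<Duration, String> {
    let s = s.trim();
    let (num, unit) = s.split_at(s.len().saturating_sub(1));
    let n: u64 = num
        .parse()
        .map_err(|_| format!("invalid duration {s:?}"))?;
    let secs = match unit {
        "h" => n * 3600,
        "m" => n * 60,
        "s" => n,
        _ => return Err(format!("invalid duration unit in {s:?}")),
    };
    Ok(Duration::from_secs(secs))
}

impl RotationPolicy {
    pub fn new(ttl: Duration, grace_period_ratio: f64) -> Result<Self, String> {
        if ttl.is_zero() {
            return Err("SECRET_TTL must be positive".to_string());
        }
        // A ratio of 0 would only refresh at expiry (an outage window), and a
        // ratio of 1 or more would refresh immediately after issuance; reject
        // both instead of silently clamping, so misconfiguration is visible.
        if !(grace_period_ratio > 0.0 && grace_period_ratio < 1.0) {
            return Err(format!(
                "SECRET_GRACE_PERIOD_RATIO {grace_period_ratio} must be in (0, 1)"
            ));
        }
        Ok(Self { ttl, grace_period_ratio })
    }

    /// Build the policy from the two environment variables, falling back to
    /// the defaults when a variable is unset. Malformed values are errors.
    pub fn from_env() -> Result<Self, String> {
        let ttl = match env::var("SECRET_TTL") {
            Ok(v) => parse_duration(&v)?,
            Err(_) => DEFAULT_SECRET_TTL,
        };
        let ratio = match env::var("SECRET_GRACE_PERIOD_RATIO") {
            Ok(v) => v
                .trim()
                .parse::<f64>()
                .map_err(|e| format!("invalid SECRET_GRACE_PERIOD_RATIO: {e}"))?,
            Err(_) => DEFAULT_GRACE_PERIOD_RATIO,
        };
        Self::new(ttl, ratio)
    }

    /// Certificate age at which a refresh is triggered: the grace period is
    /// `ratio * ttl` before expiry, so refresh happens at `(1 - ratio) * ttl`.
    pub fn refresh_after(&self) -> Duration {
        self.ttl.mul_f64(1.0 - self.grace_period_ratio)
    }

    /// Whether a certificate issued `age` ago should be refreshed now.
    pub fn needs_refresh(&self, age: Duration) -> bool {
        age >= self.refresh_after()
    }
}

fn main() {
    match RotationPolicy::from_env() {
        Ok(p) => println!(
            "ttl={:?} ratio={} -> refresh after {:?}",
            p.ttl,
            p.grace_period_ratio,
            p.refresh_after()
        ),
        Err(e) => eprintln!("invalid rotation settings: {e}"),
    }
}
```

With nothing set this reports a 12h refresh point; a shorter `SECRET_TTL` such as `4h` with the default ratio brings the refresh down to 3h, which is the kind of control the comment above is asking for when waiting up to 12 hours for a cert change is too long.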

hzxuzhonghu commented 11 months ago

To support multi root trust and root cert rotation, I think PCDS should be supported.

It is simple to add two environments to ztunnel.

linsun commented 11 months ago

+1, PCDS could be also useful to configure ztunnel logging level without requiring users to restart/redeploy ztunnel for logs.

hzxuzhonghu commented 11 months ago

@linsun PCDS response now only contains cacerts. Logging level can be changed by istioctl proxy-config log <sidecar-pod> <sidecar-container> --level <log-level> now.

linsun commented 11 months ago

@linsun PCDS response now only contains cacerts. Logging level can be changed by istioctl proxy-config log <sidecar-pod> <sidecar-container> --level <log-level> now.

Do you mean this cmd is also avail for ztunnel as well?

hzxuzhonghu commented 11 months ago

Yes, ztunnel is also supported

GregHanson commented 11 months ago

@linsun best way to use the log command for ztunnel is:

istioctl pc log ds/ztunnel -n istio-system --level <error|warn|info|debug|trace>

which will configure all ztunnels at once

GregHanson commented 11 months ago

It is simple to add two environments to ztunnel.

@hzxuzhonghu outside of meshconfig settings (in src/config.rs), there isn't much precedent for pulling in configuration settings from environment variables. Couldn't recall if there was any intentional design discussion around this or if it was just something that was saved for post-beta

GregHanson commented 11 months ago

SECRET_TTL support is merged via https://github.com/istio/ztunnel/pull/742. Exposing one of SECRET_TTL or SECRET_GRACE_PERIOD_RATIO is probably sufficient for most use cases