Remove mentions of VERIFY_CERTIFICATE_AT_CLIENT and ENABLE_AUTO_SNI #3122
Conversation
istio-testing
added
the
size/S
leosarra
added
release-notes-none
| // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will | ||
| // be `true` by default in a later version where, going forward, it will be | ||
| // enabled by default. | ||
| // `insecureSkipVerify` is `false` by default while `VERIFY_CERTIFICATE_AT_CLIENT` is `true` by default. |
There was a problem hiding this comment.
the relationship with VERIFY_CERTIFICATE_AT_CLIENT looks very confusing, would cause usage trouble
There was a problem hiding this comment.
Yes I agree. Overall the VERIFY_CERTIFICATE_AT_CLIENT makes the doc a bit more confusing for the user.
On the other end we can look forward to the removal of VERIFY_CERTIFICATE_AT_CLIENT once the deprecation process is completed (given that it is already in the compatibility values starting with Istio 1.21, it is planned for removal in 1.24).
Perhaps this field can be simplified as follows:
// The `insecureSkipVerify` flag determines whether the proxy should skip verifying the
// CA signature and SAN for the server certificate associated
// with a specific host. This field is ignored if the environment variable
// `VERIFY_CERTIFICATE_AT_CLIENT` is set to `false` (default value is `true`),
// as the verification of the CA signature and SAN will be bypassed regardless.
Do you think it is better now?
There was a problem hiding this comment.
From the code, it only collaborate with VERIFY_CERTIFICATE_AT_CLIENT when deciding whether to enable AutoSanValidation.
func (cb *ClusterBuilder) setAutoSniAndAutoSanValidation(mc *clusterWrapper, tls *networking.ClientTLSSettings) {
if mc == nil || !features.EnableAutoSni {
return
}
setAutoSni := false
setAutoSanValidation := false
if len(tls.Sni) == 0 {
setAutoSni = true
}
if features.VerifyCertAtClient && setAutoSni && len(tls.SubjectAltNames) == 0 && !tls.GetInsecureSkipVerify().GetValue() {
setAutoSanValidation = true
}
So the saying is not right
There was a problem hiding this comment.
Good point, insecure skip is not always ignored since it is used also for enabling/disabling auto san validation.
I will update the message.
There was a problem hiding this comment.
IMO we can just remove any mention of VERIFY_CERTIFICATE_AT_CLIENT. It was a temporary feature flag that is now default-enabled and will eventually be removed.
There was a problem hiding this comment.
SGTM without mentioning VERIFY_CERTIFICATE_AT_CLIENT
There was a problem hiding this comment.
I removed mentions of both VERIFY_CERTIFICATE_AT_CLIENT and ENABLE_AUTO_SNI.
I think it is fine to remove the mentions of ENABLE_AUTO_SNI since it is going through the same deprecation process as VERIFY_CERTIFICATE_AT_CLIENT.
leosarra
force-pushed
the
insecure-comment-update
branch
from
bdd671d
to
99b2065
Compare
istio-testing
added
size/M
leosarra
changed the title
leosarra
force-pushed
the
insecure-comment-update
branch
from
a9b152e
to
90185e4
Compare
|
In response to a cherrypick label: new pull request created: #3132 |
Starting with Istio 1.21 VERIFY_CERTIFICATE_AT_CLIENT and ENABLE_AUTO_SNI are true by default.
Some comments had to be updated