From 35782d263c2c3bb7eaf3913bc7075b13e4b443fb Mon Sep 17 00:00:00 2001
From: Faseela K
Date: Fri, 24 Feb 2023 18:46:55 +0100
Subject: [PATCH] Clarify credentialName usage for separate ca secrets (#2692)
Signed-off-by: Faseela K
---
 mesh/v1alpha1/istio.mesh.v1alpha1.gen.json | 2 +-
 networking/v1alpha3/destination_rule.gen.json | 2 +-
 networking/v1alpha3/destination_rule.pb.go | 2 ++
 networking/v1alpha3/destination_rule.pb.html | 2 ++
 networking/v1alpha3/destination_rule.proto | 2 ++
 networking/v1beta1/destination_rule.gen.json | 2 +-
 networking/v1beta1/destination_rule.pb.go | 2 ++
 networking/v1beta1/destination_rule.proto | 2 ++
 8 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json b/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json
index 25e66c0f22..b32a47ac30 100644
--- a/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json
+++ b/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json
@@ -2140,7 +2140,7 @@
 "type": "string"
 },
 "credentialName": {
- "description": "The name of the secret that holds the TLS certs for the client including the CA certificates. Secret must exist in the same namespace with the proxy using the certificates. The secret (of type `generic`)should contain the following keys and values: `key: \u003cprivateKey\u003e`, `cert: \u003cclientCert\u003e`, `cacert: \u003cCACertificate\u003e`. Here CACertificate is used to verify the server certificate. Secret of type tls for client certificates along with ca.crt key for CA certificates is also supported. Only one of client certificates and CA certificate or credentialName can be specified.",
+ "description": "The name of the secret that holds the TLS certs for the client including the CA certificates. Secret must exist in the same namespace with the proxy using the certificates. The secret (of type `generic`)should contain the following keys and values: `key: \u003cprivateKey\u003e`, `cert: \u003cclientCert\u003e`, `cacert: \u003cCACertificate\u003e`. Here CACertificate is used to verify the server certificate. For mutual TLS, `cacert: \u003cCACertificate\u003e` can be provided in the same secret or a separate secret named `\u003csecret\u003e-cacert`. Secret of type tls for client certificates along with ca.crt key for CA certificates is also supported. Only one of client certificates and CA certificate or credentialName can be specified.",
 "type": "string"
 },
 "subjectAltNames": {
diff --git a/networking/v1alpha3/destination_rule.gen.json b/networking/v1alpha3/destination_rule.gen.json
index 6f8245eaeb..f4c709935a 100644
--- a/networking/v1alpha3/destination_rule.gen.json
+++ b/networking/v1alpha3/destination_rule.gen.json
@@ -26,7 +26,7 @@
 "type": "string"
 },
 "credentialName": {
- "description": "The name of the secret that holds the TLS certs for the client including the CA certificates. Secret must exist in the same namespace with the proxy using the certificates. The secret (of type `generic`)should contain the following keys and values: `key: \u003cprivateKey\u003e`, `cert: \u003cclientCert\u003e`, `cacert: \u003cCACertificate\u003e`. Here CACertificate is used to verify the server certificate. Secret of type tls for client certificates along with ca.crt key for CA certificates is also supported. Only one of client certificates and CA certificate or credentialName can be specified.",
+ "description": "The name of the secret that holds the TLS certs for the client including the CA certificates. Secret must exist in the same namespace with the proxy using the certificates. The secret (of type `generic`)should contain the following keys and values: `key: \u003cprivateKey\u003e`, `cert: \u003cclientCert\u003e`, `cacert: \u003cCACertificate\u003e`. Here CACertificate is used to verify the server certificate. For mutual TLS, `cacert: \u003cCACertificate\u003e` can be provided in the same secret or a separate secret named `\u003csecret\u003e-cacert`. Secret of type tls for client certificates along with ca.crt key for CA certificates is also supported. Only one of client certificates and CA certificate or credentialName can be specified.",
 "type": "string"
 },
 "subjectAltNames": {
diff --git a/networking/v1alpha3/destination_rule.pb.go b/networking/v1alpha3/destination_rule.pb.go
index 342e0133c5..e9aedb38a7 100644
--- a/networking/v1alpha3/destination_rule.pb.go
+++ b/networking/v1alpha3/destination_rule.pb.go
@@ -1539,6 +1539,8 @@ type ClientTLSSettings struct {
 // following keys and values: `key: `,
 // `cert: `, `cacert: `.
 // Here CACertificate is used to verify the server certificate.
+ // For mutual TLS, `cacert: ` can be provided in the
+ // same secret or a separate secret named `-cacert`.
 // Secret of type tls for client certificates along with
 // ca.crt key for CA certificates is also supported.
 // Only one of client certificates and CA certificate
diff --git a/networking/v1alpha3/destination_rule.pb.html b/networking/v1alpha3/destination_rule.pb.html
index da2607c60b..bc7eee58b6 100644
--- a/networking/v1alpha3/destination_rule.pb.html
+++ b/networking/v1alpha3/destination_rule.pb.html
@@ -1067,6 +1067,8 @@

ClientTLSSettings

following keys and values: key: <privateKey>, cert: <clientCert>, cacert: <CACertificate>. Here CACertificate is used to verify the server certificate.
+For mutual TLS, cacert: <CACertificate> can be provided in the
+same secret or a separate secret named <secret>-cacert.
 Secret of type tls for client certificates along with ca.crt key for CA certificates is also supported. Only one of client certificates and CA certificate
diff --git a/networking/v1alpha3/destination_rule.proto b/networking/v1alpha3/destination_rule.proto
index d6e5debd27..365244d52e 100644
--- a/networking/v1alpha3/destination_rule.proto
+++ b/networking/v1alpha3/destination_rule.proto
@@ -1099,6 +1099,8 @@ message ClientTLSSettings {
 // following keys and values: `key: `,
 // `cert: `, `cacert: `.
 // Here CACertificate is used to verify the server certificate.
+ // For mutual TLS, `cacert: ` can be provided in the
+ // same secret or a separate secret named `-cacert`.
 // Secret of type tls for client certificates along with
 // ca.crt key for CA certificates is also supported.
 // Only one of client certificates and CA certificate
diff --git a/networking/v1beta1/destination_rule.gen.json b/networking/v1beta1/destination_rule.gen.json
index ac00a2799b..2c6f4a405e 100644
--- a/networking/v1beta1/destination_rule.gen.json
+++ b/networking/v1beta1/destination_rule.gen.json
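Review bot: The two added `// For mutual TLS` comment lines in the destination_rule.proto hunk leave the precedence undefined when the named secret already carries a `cacert` entry and a separate `<secret>-cacert` secret also exists, so a reader cannot tell which CA bundle the proxy will use to verify the server certificate; add a clause such as `// If both are present, <state which source is used, or that this is rejected>.` with the placeholder resolved against the actual behaviour. The new sentence also does not say whether the separate `-cacert` secret must live in the same namespace as the proxy, which the preceding text requires for the main secret; if that requirement carries over, the comment should state it, since a misplaced trust-anchor secret silently falls back to whatever the existing rules allow. The enclosing `message ClientTLSSettings` starts before this hunk. The identical wording is added to networking/v1beta1/destination_rule.proto and propagated to the generated .pb.go, .gen.json and .pb.html files, so the same clarification applies there.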
@@ -26,7 +26,7 @@
 "type": "string"
 },
 "credentialName": {
- "description": "The name of the secret that holds the TLS certs for the client including the CA certificates. Secret must exist in the same namespace with the proxy using the certificates. The secret (of type `generic`)should contain the following keys and values: `key: \u003cprivateKey\u003e`, `cert: \u003cclientCert\u003e`, `cacert: \u003cCACertificate\u003e`. Here CACertificate is used to verify the server certificate. Secret of type tls for client certificates along with ca.crt key for CA certificates is also supported. Only one of client certificates and CA certificate or credentialName can be specified.",
+ "description": "The name of the secret that holds the TLS certs for the client including the CA certificates. Secret must exist in the same namespace with the proxy using the certificates. The secret (of type `generic`)should contain the following keys and values: `key: \u003cprivateKey\u003e`, `cert: \u003cclientCert\u003e`, `cacert: \u003cCACertificate\u003e`. Here CACertificate is used to verify the server certificate. For mutual TLS, `cacert: \u003cCACertificate\u003e` can be provided in the same secret or a separate secret named `\u003csecret\u003e-cacert`. Secret of type tls for client certificates along with ca.crt key for CA certificates is also supported. Only one of client certificates and CA certificate or credentialName can be specified.",
 "type": "string"
 },
 "subjectAltNames": {
diff --git a/networking/v1beta1/destination_rule.pb.go b/networking/v1beta1/destination_rule.pb.go
index c90daadaa9..642b349e2a 100644
--- a/networking/v1beta1/destination_rule.pb.go
+++ b/networking/v1beta1/destination_rule.pb.go
@@ -1488,6 +1488,8 @@ type ClientTLSSettings struct {
 // following keys and values: `key: `,
 // `cert: `, `cacert: `.
 // Here CACertificate is used to verify the server certificate.
+ // For mutual TLS, `cacert: ` can be provided in the
+ // same secret or a separate secret named `-cacert`.
 // Secret of type tls for client certificates along with
 // ca.crt key for CA certificates is also supported.
 // Only one of client certificates and CA certificate
diff --git a/networking/v1beta1/destination_rule.proto b/networking/v1beta1/destination_rule.proto
index 09262530fb..75788db62f 100644
--- a/networking/v1beta1/destination_rule.proto
+++ b/networking/v1beta1/destination_rule.proto
@@ -1048,6 +1048,8 @@ message ClientTLSSettings {
 // following keys and values: `key: `,
 // `cert: `, `cacert: `.
 // Here CACertificate is used to verify the server certificate.
+ // For mutual TLS, `cacert: ` can be provided in the
+ // same secret or a separate secret named `-cacert`.
 // Secret of type tls for client certificates along with
 // ca.crt key for CA certificates is also supported.
 // Only one of client certificates and CA certificate