add fallback support for PrivateKeyProvider (#3045)

* add fallback support for privatekeyprovider * add default value into comment * Update releasenotes/notes/private-key-provider-fallback.yaml --------- Co-authored-by: Lin Sun <lin.sun@solo.io>
istio · Jan 16, 2024 · c9b0bf6 · c9b0bf6
1 parent 8919509
commit c9b0bf6
Show file tree

Hide file tree

Showing 5 changed files with 105 additions and 24 deletions.
diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
diff --git a/mesh/v1alpha1/proxy.pb.go b/mesh/v1alpha1/proxy.pb.go
diff --git a/mesh/v1alpha1/proxy.proto b/mesh/v1alpha1/proxy.proto
@@ -312,6 +312,10 @@ message PrivateKeyProvider {
     // In effect, this value controls the balance between latency and throughput.
     // The duration needs to be set to a value greater than or equal to 1 millisecond.
     google.protobuf.Duration poll_delay = 1;
+    // If the private key provider isn’t available (eg. the required hardware capability doesn’t existed)
+    // Envoy will fallback to the BoringSSL default implementation when the fallback is true.
+    // The default value is false.
+    google.protobuf.BoolValue fallback = 2;
   }
 
   // QAT (QuickAssist Technology) PrivateKeyProvider configuration
@@ -321,6 +325,10 @@ message PrivateKeyProvider {
     // leading to potentially larger CPU usage.
     // The duration needs to be set to a value greater than or equal to 1 millisecond.
     google.protobuf.Duration poll_delay = 1;
+    // If the private key provider isn’t available (eg. the required hardware capability doesn’t existed)
+    // Envoy will fallback to the BoringSSL default implementation when the fallback is true.
+    // The default value is false.
+    google.protobuf.BoolValue fallback = 2;
   }
 
   // REQUIRED. Specifies detailed configuration for the Private key provider.

diff --git a/proto.lock b/proto.lock
@@ -38812,6 +38812,11 @@
                     "id": 1,
                     "name": "poll_delay",
                     "type": "google.protobuf.Duration"
+                  },
+                  {
+                    "id": 2,
+                    "name": "fallback",
+                    "type": "google.protobuf.BoolValue"
                   }
                 ]
               },
@@ -38822,6 +38827,11 @@
                     "id": 1,
                     "name": "poll_delay",
                     "type": "google.protobuf.Duration"
+                  },
+                  {
+                    "id": 2,
+                    "name": "fallback",
+                    "type": "google.protobuf.BoolValue"
                   }
                 ]
               }

diff --git a/releasenotes/notes/private-key-provider-fallback.yaml b/releasenotes/notes/private-key-provider-fallback.yaml
@@ -0,0 +1,6 @@
+apiVersion: release-notes/v2
+kind: feature
+area: security
+releaseNotes:
+  - |
+    **Added** an `fallback` field for PrivateKeyProvider to support fallback to the BoringSSL default implementation if the private key provider isn’t available.