Move downstream mTLS settings to a nested config file object, under the
key 'downstream_mtls', and add a new DownstreamMTLSSettings struct for
these settings.
Deprecate the existing ClientCA and ClientCAFile fields in the Options
struct, but continue to honor them for now (log a warning if either is
populated).
Delete the ClientCRL and ClientCRLFile fields entirely (in current
releases these cannot be set without causing an Envoy error, so this
should not be a breaking change).
Update the Settings proto to mirror this nested structure.
Update bindEnvs() to add support for binding nested fields of the
Options struct to environment variables. The variable names are formed
by joining the nested fields' mapstructure tags with underscores (after
first converting to uppercase).
This is in preparation for adding a new nested struct for downstream
mTLS settings that will look something like this:
downstream_mtls:
ca_file: /path/to/CA/cert.pem
enforcement: reject_connection
With this change, these fields would be bound to the variables
DOWNSTREAM_MTLS_CA_FILE and DOWNSTREAM_MTLS_ENFORCEMENT.
Update isValidClientCertificate() to also consult the configured
certificate revocation lists. Update existing test cases and add a new
unit test to exercise the revocation support. Restore the skipped
integration test case.
Generate new test certificates and CRLs using a new `go run`-able source
file.
* wip
* storage: add filtering to SyncLatest
* don't increment the record version, so intermediate changes are requested
* databroker: add support for query filtering
* fill server and record version
* postgres: databroker storage backend
* wip
* serialize puts
* add test
* skip tests for macos
* add test
* return error from protojson
* set data
* exclude postgres from cover tests
* envoy: add support for bind_config bootstrap options
* only add upstream bind config options to individual policy clusters
* update docs for new Envoy keys
Co-authored-by: alexfornuto <alex@fornuto.com>
The `autocert_ca` and `autocert_email` options have been added to be
able to configure CAs that support the ACME protocol as an alternative
to Let's Encrypt.
Fix ProtoBuf definition for additional autocert options
Fix PR comments and add ACME EAB configuration
Add configuration option for trusted CAs when talking ACME
Fix linter issues
copy edits
render updated reference to docs
Add test for autocert manager configuration
Add tests for autocert configuration options
Fix CI build issues
Don't set empty acme.EAB struct if configuration not set
Remove required email when setting custom CA
When using a non-default CA it's no longer required
to specify an email address. I required this before,
because it seemed to cause an issue in which no certificate
was issued. The root cause was something different,
rendering the hard email requirement pointless. It's
still beneficial to specify an email, though. I changed
the text in the docs to explain that.
Update generated docs
Fix failing tests by recreation of a new ACMEManager
The default ACMEManager object was reused in multiple tests,
resulting in unexpected states when tests run in parallel.
By using a new instance for every test, this is no longer
an issue.
