Support Using Certificate Revocation Lists (CRLs) Stored Remotely
#10.171 aberto em 26 de fev. de 2020
Métricas do repositório
- Stars
- (27.997 stars)
- Métricas de merge de PR
- (Mesclagem média 8d) (378 fundiu PRs em 30d)
Description
Description: Currently CRLs cannot be retrieved from a remote location by Envoys and must be vended to Envoys as secret configuration in the form of inline bytes or a file location.
The proposal here is to allow Envoys to fetch and make use of CRLs stored in a remote location. From #7311, there has been support added for fetching data remotely in the form of a RemoteDataSource and this API appears to be something that can be leveraged here to handle fetching the CRL remotely. This removes the burden of storing CRLs from the Envoy control plane. Below is an example of the current API and the proposed API addition for remote CRLs.
Current API
name: "sds_file_secret"
validation_context:
crl:
filename: "secret_crl.pem"
New API with Remote CRL Option
name: "sds_file_secret"
validation_context:
remote_crl:
http_uri: "http://server.com/secret_crl.pem"
sha256: "123456789"
With a large enough CRL, this approach would likely be unfavorable when compared to OCSP, #3178. However, this at least provides a middle ground in the case of using a remotely stored CRL without any OCSP support.