6ef38eaea7
For mTLS to work between two proxies in peered clusters with different root CAs, proxies need to configure their outbound listener to use different root certificates for validation. Up until peering was introduced, proxies would only ever use one set of root certificates to validate all mesh traffic, both inbound and outbound. Now an upstream proxy may have a leaf certificate signed by a CA that's different from the dialing proxy's. This PR makes changes to proxycfg and xds so that the upstream TLS validation uses different root certificates depending on which cluster is being dialed.
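As an added example (not code from this commit or from Consul), the validation rule the commit message describes reduced to crypto/x509: two stand-in root CAs, one per cluster, a leaf issued by the peer cluster's CA, and a lookup that selects the root pool by the cluster being dialed. The names upstreamTrust, verifyUpstream, the cluster label "peer-cluster" and the SPIFFE URI are constructed for this example and are not Consul identifiers. It shows the failure the change fixes (a peer-signed leaf rejected under the local roots) next to the intended behaviour (the same leaf accepted under the roots configured for that cluster), and fails closed when no roots are configured for the dialed cluster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// issue generates a P-256 key and signs tmpl with parent/parentKey; when parent is
// nil the certificate is self-signed. Constructed for this example, not Consul's CA provider.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes one cluster's root CA.
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// leafTemplate describes a service leaf. The SPIFFE ID is a constructed sample.
func leafTemplate(svc string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		URIs:         []*url.URL{{Scheme: "spiffe", Host: "peer.consul", Path: "/ns/default/dc/dc2/svc/" + svc}},
	}
}

// upstreamTrust maps the dialed cluster ("" for the local cluster) to the root
// pool the proxy validates that cluster's upstreams against.
type upstreamTrust map[string]*x509.CertPool

// verifyUpstream is the per-cluster validation the commit message describes: the
// upstream's leaf is checked only against the roots of the cluster being dialed.
func verifyUpstream(trust upstreamTrust, cluster string, leaf *x509.Certificate) error {
	roots, ok := trust[cluster]
	if !ok {
		return fmt.Errorf("no root certificates configured for cluster %q", cluster)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// demo creates a local CA and a peer CA, has the peer CA issue an upstream leaf,
// and reports whether that leaf validates under each set of roots.
func demo() (localOK, peerOK bool, err error) {
	localCA, _, err := issue(caTemplate("local-cluster-ca"), nil, nil)
	if err != nil {
		return false, false, err
	}
	peerCA, peerKey, err := issue(caTemplate("peer-cluster-ca"), nil, nil)
	if err != nil {
		return false, false, err
	}
	leaf, _, err := issue(leafTemplate("web"), peerCA, peerKey)
	if err != nil {
		return false, false, err
	}
	localPool, peerPool := x509.NewCertPool(), x509.NewCertPool()
	localPool.AddCert(localCA)
	peerPool.AddCert(peerCA)
	trust := upstreamTrust{"": localPool, "peer-cluster": peerPool}
	// Pre-peering behaviour: one root set for all mesh traffic, so the peer-signed leaf is rejected.
	localOK = verifyUpstream(trust, "", leaf) == nil
	// Post-peering behaviour: roots chosen by the dialed cluster, so the same leaf is accepted.
	peerOK = verifyUpstream(trust, "peer-cluster", leaf) == nil
	return localOK, peerOK, nil
}

func main() {
	fmt.Println(demo())
}
```

The lookup is deliberately keyed on the dialed cluster rather than on anything in the presented certificate, so an upstream cannot steer the proxy toward a more permissive root set by what it sends in the handshake; a cluster with no configured roots is an error, not a fallback to the local roots.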
19 lines
431 B
Go
package lib

import (
"strings"
)

// EnsureTrailingNewline adds a newline suffix to the input if not present.
// This is typically used to fix a case where the CA provider does not return a new line
// after certificates as per the specification. See GH-8178 for more context.
func EnsureTrailingNewline(str string) string {
if str == "" {
return str
}
if strings.HasSuffix(str, "\n") {
return str
}
return str + "\n"
}
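Review bot: the doc comment on EnsureTrailingNewline says the CA provider omits the newline "as per the specification" without naming it; RFC 7468 (PEM textual encoding) is the document that defines the `-----END CERTIFICATE-----` marker as a line, so cite it there. It would also help to state where in the proxycfg/xds change described in the commit message this helper is called, since building a bundle from root certificates of more than one CA is exactly where a missing trailing newline would run two PEM blocks together. No test is visible in this commit for the three branches (empty input, input already terminated with "\n", input missing the newline); a small table test beside the file would document that empty input is intentionally returned unchanged rather than turned into "\n".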