
Envoy router verifies ate apiserver's serving cert #237

Open

Zoe Zhao (zoez7) wants to merge 1 commit into agent-substrate:main from zoez7:mtls

Conversation

Zoe Zhao (zoez7), Collaborator, commented Jun 12, 2026

Part of #170

Main changes:

  1. The atenet router now verifies ate apiserver's serving certificate, and presents its client cert to ate apiserver. Previously it had InsecureSkipVerify.
  2. Remove the self-signed cert fallback in Envoy's HTTPS listener.

Minor bug fixes:

  1. Prevent servicednssigner from signing a cert with no DNS SANs.

Next steps:

  • I want to merge the 2 existing signers, podidentity and servicednssigner, into a single merged signer, and use a label selector (dns = true) to indicate if the Pod is behind a Service, and the merged signer will only sign for workloads in the ate-system namespace.
  • For workerpools, we'll use a separate workerpoolsigner that only signs certs for Pods that belong to workerpools; those can be used to call the MintCert RPC to get a per-actor cert.
  • Tests pass
  • Appropriate changes to documentation are included in the PR

Zoe Zhao (zoez7) force-pushed the mtls branch 2 times, most recently from d53e1f2 to df3d9a0 on June 13, 2026 at 00:12
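The three behaviours the description lists (verify the apiserver's serving cert instead of InsecureSkipVerify, present a client cert to it, and refuse to sign a cert with no DNS SANs) as one runnable Go program. This is an added example written for this page, not code from the PR or the agent-substrate repository: the service names, the in-process CA, the function names and the use of Go's crypto/tls to stand in for the router are all assumptions. It runs three handshakes over a loopback listener and reports which side refused its peer, so the old InsecureSkipVerify behaviour can be compared with the verifying one; sign refuses a leaf request without DNS SANs the way the servicednssigner fix does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const apiserverName, routerName = "ate-apiserver.ate-system.svc", "atenet-router.ate-system.svc" // assumed names

// sign issues a certificate under parent, or a self-signed one when parent is nil. A leaf must carry
// a DNS SAN (the servicednssigner fix): without one it can never pass a verifying client's ServerName check.
func sign(name string, dns []string, eku x509.ExtKeyUsage, parent *tls.Certificate) (tls.Certificate, error) {
	if parent != nil && len(dns) == 0 {
		return tls.Certificate{}, errors.New("refusing to sign: request carries no DNS SANs")
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), DNSNames: dns,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}, IsCA: parent == nil, BasicConstraintsValid: parent == nil,
	}
	if parent == nil { // self-signed: the template is its own issuer
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// mtlsHandshake runs one handshake over loopback: the router presents routerCert and, unless insecure (the
// old InsecureSkipVerify behaviour), verifies the apiserver against ca; the apiserver requires a client cert chained to ca.
func mtlsHandshake(ca, apiserverCert, routerCert tls.Certificate, insecure bool) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{apiserverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: pool,
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
		srvErr <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{routerCert},
		RootCAs:      pool, ServerName: apiserverName, InsecureSkipVerify: insecure,
	})
	if err != nil {
		return fmt.Errorf("router refused apiserver: %w", err)
	}
	defer cli.Close()
	if err := <-srvErr; err != nil {
		return fmt.Errorf("apiserver refused router: %w", err)
	}
	return nil
}

func must(c tls.Certificate, err error) tls.Certificate {
	if err != nil {
		panic(err)
	}
	return c
}

func runScenarios() map[string]error {
	ca := must(sign("ate-system CA", nil, x509.ExtKeyUsageAny, nil))
	apiserver := must(sign(apiserverName, []string{apiserverName}, x509.ExtKeyUsageServerAuth, &ca))
	router := must(sign(routerName, []string{routerName}, x509.ExtKeyUsageClientAuth, &ca))
	selfSigned := must(sign(apiserverName, []string{apiserverName}, x509.ExtKeyUsageServerAuth, nil))
	return map[string]error{
		"trusted apiserver":                         mtlsHandshake(ca, apiserver, router, false),
		"self-signed apiserver":                     mtlsHandshake(ca, selfSigned, router, false),
		"self-signed apiserver, InsecureSkipVerify": mtlsHandshake(ca, selfSigned, router, true),
	}
}

func main() { fmt.Println(runScenarios()) }
```

Only the trusted scenario and the InsecureSkipVerify one come back nil. The InsecureSkipVerify router still presents its client cert and the apiserver still accepts it, which is the point: requiring a client cert protects the apiserver, but only RootCAs plus the ServerName check protects the router from a spoofed apiserver, and a self-signed serving cert (the fallback the PR removes from Envoy's listener) is exactly what the verifying router now rejects.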