docs: replace trustDomainAliases with caCertificates[].trustDomains in examples for SPIRE #181

@jewertow jewertow commented Mar 17, 2025

Using trustDomainAliases is not the right solution when federated services from different trust domains may have overlapping service account and namespace names. Then authorization policies defined for a single trust domain are automatically generated for all trust domain aliases, and this may not be desired in multi-mesh deployments, so we should avoid using this solution.

We also use trustDomainAliases in e2e tests, but that can be fixed in a follow-up.
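
The overlap described in the PR description, as a simplified model added here for illustration (not code from this PR or from Istio): a policy written for one trust domain is expanded to every alias, so an identity with the same namespace and service account name in the federated mesh matches it. The trust domain names `east.local` and `west.local`, the `bookinfo` identities and all function names are constructed assumptions.

```python
# Simplified model of trust-domain aliasing in authorization policies.
# Assumption: principals use the "<trust-domain>/ns/<namespace>/sa/<account>"
# form; all trust domain, namespace and account names below are constructed.

def expand_principals(principals, local_td, aliases):
    """Return the effective principal set after alias expansion.

    A principal whose trust domain is the local one or any alias is
    duplicated for every trust domain in that bundle. Principals from
    other trust domains are kept exactly as written.
    """
    bundle = [local_td, *aliases]
    effective = set()
    for principal in principals:
        td, sep, rest = principal.partition("/")
        if sep and td in bundle:
            effective.update(f"{member}/{rest}" for member in bundle)
        else:
            effective.add(principal)
    return effective


def is_allowed(peer, principals, local_td, aliases=()):
    """Exact-match ALLOW check of a peer identity against the expanded set."""
    return peer in expand_principals(principals, local_td, aliases)


# Policy written for the local mesh only (constructed sample).
POLICY = ["east.local/ns/bookinfo/sa/productpage"]
# Same namespace and service account name, but issued in the federated mesh.
FOREIGN_PEER = "west.local/ns/bookinfo/sa/productpage"


def demo():
    return {
        # west.local configured as an alias: the policy silently covers it.
        "alias": is_allowed(FOREIGN_PEER, POLICY, "east.local", ["west.local"]),
        # west.local trusted only at the certificate level: no expansion.
        "no_alias": is_allowed(FOREIGN_PEER, POLICY, "east.local"),
        # Cross-mesh access granted explicitly, per identity.
        "explicit": is_allowed(FOREIGN_PEER, POLICY + [FOREIGN_PEER], "east.local"),
    }


if __name__ == "__main__":
    print(demo())
```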

@openshift-ci openshift-ci bot added the size/L label Mar 17, 2025
@jewertow jewertow requested a review from bartoszmajsak March 17, 2025 16:46

@bartoszmajsak bartoszmajsak left a comment

LGTM. I can take a stab at the follow-up if you haven't already.

@jewertow

> I can take a stab at the follow-up if you haven't already

Go ahead :)

@jewertow

/retest

@openshift-merge-bot openshift-merge-bot bot merged commit 255ad0c into openshift-service-mesh:master Mar 20, 2025
4 checks passed