forked from kserve/kserve
Description
Summary
Three Istio DestinationRules created by reconcileRouterPlatformNetworking currently set InsecureSkipVerify: true as a deliberate workaround because the scheduler does not yet support hot certificate reload. This disables TLS peer verification on internal scheduler, shadow-service, and prefill workload traffic paths and represents a CWE-295 risk.
Affected resources
- Scheduler DestinationRule – InsecureSkipVerify: true, no CA pinning
- Shadow service DestinationRule – InsecureSkipVerify: true, no CA pinning
- Workload DestinationRule (Prefill enabled path) – InsecureSkipVerify: true, no CA pinning
Required changes
Once upstream cert-reload support lands (tracked in #1155), update each of the three rules to match the pattern already used by the default workload DestinationRule:
    TLS: &istioapiv1.ClientTLSSettings{
        Mode:               istioapiv1.ClientTLSSettings_SIMPLE,
        CaCertificates:     IstioCACertificatePath,
        Sni:                hostname,
        InsecureSkipVerify: false,
    },

Acceptance criteria
- Sync 260304 kserve upstream odh #1155 is merged to odh-master so the scheduler restarts cleanly on cert rotation
- InsecureSkipVerify is removed (or explicitly set to false) from all three DestinationRules
- CaCertificates is set to IstioCACertificatePath for each rule
- Sni is set to the appropriate per-service hostname for each rule
- Existing unit/integration tests for DestinationRule reconciliation are updated to assert no InsecureSkipVerify: true
References
- PR introducing the workaround: feat(llmisvc): add Istio DestinationRules and CA-signed certs via build tags #1162
- Comment thread: feat(llmisvc): add Istio DestinationRules and CA-signed certs via build tags #1162 (comment)
- Cert-reload upstream dependency: Sync 260304 kserve upstream odh #1155
Requested by @bartoszmajsak.
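
One way to express the acceptance criteria above as a reusable check, added here as an illustration and not taken from the issue or the project's code. It inspects a DestinationRule serialized to JSON (as a reconciler test or `kubectl get destinationrule -o json` would produce); the function name `CheckTLS`, the stand-in struct, the sample hostname and the placeholder CA path are all assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Stand-in type (hypothetical): only the DestinationRule TLS fields the issue names.
type destinationRule struct {
	Spec struct {
		TrafficPolicy struct {
			TLS *struct {
				CaCertificates     string `json:"caCertificates"`
				Sni                string `json:"sni"`
				InsecureSkipVerify bool   `json:"insecureSkipVerify"`
			} `json:"tls"`
		} `json:"trafficPolicy"`
	} `json:"spec"`
}

// CheckTLS returns one finding per acceptance criterion the rendered rule violates.
func CheckTLS(raw []byte, wantCA, wantSNI string) ([]string, error) {
	var dr destinationRule
	if err := json.Unmarshal(raw, &dr); err != nil {
		return nil, fmt.Errorf("decode DestinationRule: %w", err)
	}
	tls := dr.Spec.TrafficPolicy.TLS
	if tls == nil {
		return []string{"no trafficPolicy.tls block"}, nil
	}
	var findings []string
	if tls.InsecureSkipVerify {
		findings = append(findings, "insecureSkipVerify is true")
	}
	if tls.CaCertificates != wantCA {
		findings = append(findings, "caCertificates does not match expected CA path")
	}
	if tls.Sni != wantSNI {
		findings = append(findings, "sni does not match service hostname")
	}
	return findings, nil
}

// Constructed samples: the workaround shape and the target shape from the issue.
const insecureRule = `{"spec":{"host":"scheduler.example.svc","trafficPolicy":{"tls":{"mode":"SIMPLE","insecureSkipVerify":true}}}}`
const fixedRule = `{"spec":{"host":"scheduler.example.svc","trafficPolicy":{"tls":{"mode":"SIMPLE","caCertificates":"/placeholder/ca.crt","sni":"scheduler.example.svc"}}}}`

func main() {
	fmt.Println(CheckTLS([]byte(insecureRule), "/placeholder/ca.crt", "scheduler.example.svc"))
}
```

Checking CaCertificates and Sni alongside InsecureSkipVerify catches a rule that drops the skip flag but still has no CA pinned or no hostname to verify against.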