Skip to content

Expose Scan:: registry/token: Change istio authorization policies to allow traffic to the registry endpoints#5970

Draft
pasindutennage-da wants to merge 7 commits into
mainfrom
pasindutennage-da/fixi/ssue/5946
Draft

Expose Scan:: registry/token: Change istio authorization policies to allow traffic to the registry endpoints#5970
pasindutennage-da wants to merge 7 commits into
mainfrom
pasindutennage-da/fixi/ssue/5946

Conversation

@pasindutennage-da

@pasindutennage-da pasindutennage-da commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Fix #5946

@pasindutennage-da
istio changes
61fbc99 
[ci]

Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com>

Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
@pasindutennage-da
cloudarmor changes and config
82528ab 
[ci]

Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com>

Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
@pasindutennage-da
ratelimiting
4c4a5b1 
[ci]

Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com>

Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
@pasindutennage-da
configs
c789168 
[ci]

Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com>

Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
pasindutennage-da
pasindutennage-da commented Jun 15, 2026
View reviewed changes
Comment thread cluster/configs/shared/base.yaml
pasindutennage-da
pasindutennage-da commented Jun 15, 2026
View reviewed changes
Comment thread cluster/configs/shared/base.yaml Outdated
@github-actions

github-actions Bot commented Jun 15, 2026
edited by pasindutennage-da
Loading

Copy link
Copy Markdown

Cluster Test https://app.circleci.com/pipelines/github/DACH-NY/canton-network-internal/69932

moritzkiefer-da
moritzkiefer-da reviewed Jun 16, 2026
View reviewed changes
Comment thread cluster/configs/shared/rate-limits/v0-acs.yaml Outdated
Comment thread cluster/configs/shared/base.yaml
Comment thread cluster/configs/shared/base.yaml Outdated
Comment thread cluster/configs/shared/base.yaml
Comment thread cluster/configs/shared/rate-limits/v0-acs.yaml Outdated
Comment thread cluster/deployment/scratchnetb/config.resolved.yaml
throttleAcrossAllEndpointsAllIps:
maxRequestsBeforeHttp429: 0
withinIntervalSeconds: 60
tokenRegistry:

@moritzkiefer-da moritzkiefer-da Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you're enabling a global cloud armor limit but cloud armor is disabled. I was expecting we try to solve this in istio for now, is that not an option?

@moritzkiefer-da moritzkiefer-da Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

try setting the limit low enough that you can easily trigger it during testing and see that you trigger it

@pasindutennage-da pasindutennage-da Jun 28, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @moritzkiefer-da @nicu-da

Sure, will check in scratchnet with low limits.

I have a question about the scope:: As of now, we allow an endpoint to have either a per-IP token bucket (clientIp: true) or a global shared bucket. These two types are mutually exclusive. #5651 asks for both global limits and per-IP limits, AFAICU. Since Cloud Armor isn't available, we can't achieve both without refactoring the Pulumi rate limit logic to map two separate descriptors to a single route/path.

For this PR, should I stick to clientIp: true for all token endpoints (and hence no global limits), or just have global limits? or should I first refactor rate limiting logic to support both options for given end point? (sounds like different PR)

@moritzkiefer-da moritzkiefer-da Jun 29, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you check with Stephen when we expect cloud armor to be enabled? If the answer is soon we can maybe wait for that, if not then we do need to refactor our istio limits.

@pasindutennage-da
Merge branch 'main' into pasindutennage-da/fixi/ssue/5946
efa5174 
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com>

Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
@pasindutennage-da
added token-registry.yaml
18a704c 
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com>

Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
@pasindutennage-da
Removed hardcodes
dbe5837 
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com>

Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
@pasindutennage-da pasindutennage-da marked this pull request as draft June 28, 2026 17:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stephencompall-DA stephencompall-DA stephencompall-DA left review comments
@moritzkiefer-da moritzkiefer-da moritzkiefer-da left review comments
@martinflorian-da martinflorian-da Awaiting requested review from martinflorian-da

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Expose Scan:: registry/token: Change istio authorization policies to allow traffic to the registry endpoints

3 participants

@pasindutennage-da @stephencompall-DA @moritzkiefer-da