Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(*) ExternalServices add CA and Client certificate support #1094

Merged
merged 26 commits into from
Nov 12, 2020
Merged

chore(*) ExternalServices add CA and Client certificate support #1094

merged 26 commits into from
Nov 12, 2020

Conversation

nickolaev
Copy link
Contributor

Summary

Add CA and Client certificate support

chore(*) add CA and Client certificate support code
34b6fe1 
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
@nickolaev nickolaev force-pushed the chore/tls_origination branch from 4fc74de to 34b6fe1 Compare October 19, 2020 15:32
Nikolay Nikolaev added 3 commits October 20, 2020 08:33
Merge remote-tracking branch 'origin/master' into chore/tls_origination
c2f8bf9 
# Conflicts:
#	pkg/xds/topology/outbound.go

Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
feat(*) push ExternalService TLS config to Envoy
8ace4b5 
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
Merge remote-tracking branch 'origin/master' into chore/tls_origination
1ac997d
lobkovilya
lobkovilya reviewed Oct 21, 2020
View reviewed changes
pkg/xds/topology/outbound.go Outdated
tlsEnabled = externalService.Spec.Networking.Tls.Enabled
externalServiceEndpoint, err := buildExternalServiceEndpoint(externalService, mesh.Meta.GetMesh(), loader)
if err != nil {
log.Info("Unable to create ExternalService endpoint", err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If err happened, maybe log also should be log.Error regardless it doesn't affect the execution?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also think log.Error is better. How about this

log.Error(err, "unable to create ExternalService endpoint. Endpoint won't be included in the XDS.", "name", externalService.Meta.GetName(), "mesh", externalService.Meta.GetMesh())

fix(*) tests
44d4a63 
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
@nickolaev nickolaev marked this pull request as ready for review October 22, 2020 06:25
@nickolaev nickolaev requested a review from a team as a code owner October 22, 2020 06:25
jakubdyszkiewicz
jakubdyszkiewicz requested changes Oct 22, 2020
View reviewed changes
pkg/xds/envoy/tls.go Outdated
@@ -183,8 +183,35 @@ func ServiceSpiffeIDMatcher(mesh string, service string) *envoy_type_matcher.Str
}
}

func CreateUpstreamTlsContextNoMetadata(sni string) (*envoy_auth.UpstreamTlsContext, error) {
func CreateUpstreamTlsContextNoMetadata(ca, cert, key *envoy_core.DataSource, sni string) (*envoy_auth.UpstreamTlsContext, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about UpstreamTlsContextOutsideMesh() or UpstreamTLSContextManuallMTLS instead of CreateUpstreamTlsContextNoMetadata()
?

Can you also put this function in existing tls subpackage if possible? I want to throw there all the things tls related eventually

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renaming is fine, but am not sure why to move only this function and not the whole tls.go?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

feel free to move whole tls.go

pkg/xds/topology/outbound.go Outdated
tlsEnabled = externalService.Spec.Networking.Tls.Enabled
externalServiceEndpoint, err := buildExternalServiceEndpoint(externalService, mesh.Meta.GetMesh(), loader)
if err != nil {
log.Info("Unable to create ExternalService endpoint", err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also think log.Error is better. How about this

log.Error(err, "unable to create ExternalService endpoint. Endpoint won't be included in the XDS.", "name", externalService.Meta.GetName(), "mesh", externalService.Meta.GetMesh())

Nikolay Nikolaev added 2 commits October 22, 2020 17:21
Merge remote-tracking branch 'origin/master' into chore/tls_origination
b14eaa5
fix(*) review
e685596 
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
@nickolaev nickolaev force-pushed the chore/tls_origination branch from f7dcd17 to e685596 Compare October 22, 2020 15:18
Nikolay Nikolaev added 9 commits October 23, 2020 16:16
chore(*) move tls.go and fix for review
d07dee2 
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
Merge remote-tracking branch 'origin/master' into chore/tls_origination
5173c84
chore(*) update UpstreamTlsContextOutsideMesh
f5b3d7c 
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
Merge remote-tracking branch 'origin/master' into chore/tls_origination
25bf408
test(*) e2e for TLS certs
8c8d3a0 
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
Merge remote-tracking branch 'origin/master' into chore/tls_origination
136eae2
Merge remote-tracking branch 'origin/master' into chore/tls_origination
1bfe9db
fix(*) improve e2e
a6665b6 
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
Merge remote-tracking branch 'origin/master' into chore/tls_origination
53a65d4 
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
@nickolaev nickolaev force-pushed the chore/tls_origination branch from 5c27e51 to 53a65d4 Compare November 4, 2020 05:09
Nikolay Nikolaev added 3 commits November 4, 2020 10:10
fix(*) load certificates at BuildEndpointMap
0ff0123 
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
fix(*) have a proper ca_cert thest for ExternalServices
7c71513 
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
Merge remote-tracking branch 'origin/master' into chore/tls_origination
ccb1766
jakubdyszkiewicz
jakubdyszkiewicz reviewed Nov 9, 2020
View reviewed changes
Copy link
Contributor

@jakubdyszkiewicz jakubdyszkiewicz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you tested mTLS? at least manually?

test/framework/deployments/externalservice/kubernetes.go Outdated
@@ -76,3 +76,7 @@ func (k *k8SDeployment) Delete(cluster framework.Cluster) error {
func (k *k8SDeployment) GetExternalAppAddress() string {
return k.ip
}

func (k *k8SDeployment) GetCert() string {
return ""
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is it empty on K8S?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is actually not implemented there. Will just panic.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, but why? Is it because we don't have this test on Kubernetes? If so, please add a comment why we don't have a test on Kubernetes

Nikolay Nikolaev added 4 commits November 9, 2020 17:17
fix(*) fix review
8d9392e 
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
Merge remote-tracking branch 'origin/master' into chore/tls_origination
45f0086
fix(*) review
3c2e281 
Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>
Merge remote-tracking branch 'origin/master' into chore/tls_origination
2b4ce22
Nikolay Nikolaev added 2 commits November 12, 2020 14:22
@nickolaev nickolaev merged commit 1cf6d0d into master Nov 12, 2020
@nickolaev nickolaev deleted the chore/tls_origination branch November 12, 2020 20:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jakubdyszkiewicz jakubdyszkiewicz jakubdyszkiewicz approved these changes

@lobkovilya lobkovilya Awaiting requested review from lobkovilya

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nickolaev @jakubdyszkiewicz @lobkovilya