K8 CSR support #387
K8 CSR support #387
Conversation
istio-testing
added
needs-rebase
istio-testing
added
the
do-not-merge/work-in-progress
istio-testing
removed
the
needs-rebase
|
@howardjohn I will move the client creation to the common level (probably when we create the configs) ? |
aryan16
removed
the
do-not-merge/work-in-progress
IMO Ztunnel has all the capabilities to make a CSR request directly. Why to add an extra complexity of sending req to istiod. |
istio-testing
added
the
needs-rebase
|
@aryan16 How can we support VM installation using this mode? |
istio-testing
removed
the
needs-rebase
aryan16
force-pushed
the
K8s-csr
branch
2 times, most recently
from
90cf030
to
bb4ba58
Compare
If VM is able to talk to K8s api server then no issues, if not we won't be using this feature instead use the existing GRPC call to istiod. |
istio-testing
added
the
needs-rebase
aryan16
force-pushed
the
K8s-csr
branch
2 times, most recently
from
9f7fa6c
to
b832255
Compare
istio-testing
removed
the
needs-rebase
src/app.rs
Outdated
| if config.fake_ca { | ||
| let cert_manager = identity::mock::new_secret_manager(Duration::from_secs(86400)); | ||
| build_with_cert(config, cert_manager).await | ||
| } else { | ||
| } else if config.custom_signer.is_some() { |
There was a problem hiding this comment.
Did we validate the config before it is passed to build()?
There was a problem hiding this comment.
you mean the custom signer? No we are not validating the custom signer, do we need it?
| @@ -414,6 +415,19 @@ impl SecretManager<CaClient> { | |||
| } | |||
| } | |||
|
|
|||
| impl SecretManager<CustomSigner> { | |||
| pub async fn origin(cfg: crate::config::Config) -> Result<Self, anyhow::Error> { | |||
There was a problem hiding this comment.
Associated function - https://doc.rust-lang.org/rust-by-example/fn/methods.html.
There was a problem hiding this comment.
I know it is a function, I just do not get the name?
There was a problem hiding this comment.
oh I saw the same name at many places in rust example codes as a replacement of new. Do you think I should update it?
src/identity/customca.rs
Outdated
|
|
||
| async fn check_signed_cert(csr: &Api<CertificateSigningRequest>, csr_name: &String) -> Result<k8s_openapi::ByteString, anyhow::Error> { | ||
| let lp = ListParams::default().fields(&format!("{}{}", "metadata.name=", csr_name)).timeout(30); | ||
| let mut stream = csr.watch(&lp, "0").await?.boxed(); |
There was a problem hiding this comment.
just watch has a race condition; if it was finished before we start the watch it will break. Need a List+Watch
I would overall prefer a long lived watched on a label we set on each CSR but ok with list+watch approach like we do in chiron/utils.go in the short term. Note you need to put ResourceVersion as well.
|
|
aryan16
force-pushed
the
K8s-csr
branch
2 times, most recently
from
59c4c2a
to
72b7541
Compare
istio-testing
added
size/XXL
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
istio-testing
added
the
needs-rebase
|
What's next ? The DNS proxy ( which is REQUIRED if the underlying network is not secure ) ? Integration with the external SDS provider using UDS ? Can we please add the agent and just use it ? No need for ztunnel to duplicate all the integrations and do everything ( in a slightly different way ). A design doc on such changes with focus on security will also be greatly appreciated:
But even if we conclude direct integration with k8s from the proxy is best ( and I can be convinced it's a more |
|
On a related note - ztunnel should eventually match the integrations we have, including SDS and CSI-based providers ( in both dedicated mode and in future if we implement delegation ). I saw the FAKE provider - IMO it should be replaced (or we should add) with a mode that reads from /var/run/secrets... ( same default as istio-agent ), and fallback to SDS using the well-known path that the Envoy is using ( for Spire and all other integrations ). |
| impl SecretManager<CustomSigner> { | ||
| pub async fn origin(cfg: crate::config::Config) -> Result<Self, anyhow::Error> { | ||
| let k8s_client = tls::create_k8s_client(cfg.k8s_ca_crt).await; | ||
| match k8s_client { |
There was a problem hiding this comment.
This won't work on VMs.
Pretty sure there is a way to initialize k8s client in rust that works with both 'in cluster' and kubeconfig.
Same for the tokens - outside of K8S you need all the auth methods, the VM may use MDS or external commands to authenticate ( gcloud, etc ).
| pub async fn create_k8s_client(root_cert: RootCert) -> Result<kube::Client, anyhow::Error> { | ||
| let mut conn = ssl::SslConnector::builder(ssl::SslMethod::tls_client())?; | ||
| conn.set_verify(ssl::SslVerifyMode::PEER); | ||
| conn.set_alpn_protos(Alpn::H2.encode())?; |
There was a problem hiding this comment.
Is this the only SSL connection we create in ztunnel ? Any chance we could use the same code - or client library code ?
Added support for K8 CSR and custom signer