New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
K8 CSR support #387
base: master
Are you sure you want to change the base?
K8 CSR support #387
Conversation
@howardjohn I will move the client creation to the common level (probably when we create the configs) ? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we have a different k8s csr support from sidecar? We send request to istiod and istiod will do this for sidecar
IMO Ztunnel has all the capabilities to make a CSR request directly. Why to add an extra complexity of sending req to istiod. |
@aryan16 How can we support VM installation using this mode? |
90cf030
to
bb4ba58
Compare
If VM is able to talk to K8s api server then no issues, if not we won't be using this feature instead use the existing GRPC call to istiod. |
9f7fa6c
to
b832255
Compare
src/app.rs
Outdated
if config.fake_ca { | ||
let cert_manager = identity::mock::new_secret_manager(Duration::from_secs(86400)); | ||
build_with_cert(config, cert_manager).await | ||
} else { | ||
} else if config.custom_signer.is_some() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did we validate the config before it is passed to build()?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you mean the custom signer? No we are not validating the custom signer, do we need it?
@@ -414,6 +415,19 @@ impl SecretManager<CaClient> { | |||
} | |||
} | |||
|
|||
impl SecretManager<CustomSigner> { | |||
pub async fn origin(cfg: crate::config::Config) -> Result<Self, anyhow::Error> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what does "origin" mean?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Associated function - https://doc.rust-lang.org/rust-by-example/fn/methods.html.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know it is a function, I just do not get the name?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh I saw the same name at many places in rust example codes as a replacement of new
. Do you think I should update it?
src/identity/customca.rs
Outdated
|
||
async fn check_signed_cert(csr: &Api<CertificateSigningRequest>, csr_name: &String) -> Result<k8s_openapi::ByteString, anyhow::Error> { | ||
let lp = ListParams::default().fields(&format!("{}{}", "metadata.name=", csr_name)).timeout(30); | ||
let mut stream = csr.watch(&lp, "0").await?.boxed(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just watch has a race condition; if it was finished before we start the watch it will break. Need a List+Watch
I would overall prefer a long lived watched on a label we set on each CSR but ok with list+watch approach like we do in chiron/utils.go in the short term. Note you need to put ResourceVersion as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated, PTAL
|
59c4c2a
to
72b7541
Compare
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What's next ? The DNS proxy ( which is REQUIRED if the underlying network is not secure ) ? Integration with the external SDS provider using UDS ? Can we please add the agent and just use it ? No need for ztunnel to duplicate all the integrations and do everything ( in a slightly different way ). A design doc on such changes with focus on security will also be greatly appreciated:
But even if we conclude direct integration with k8s from the proxy is best ( and I can be convinced it's a more |
On a related note - ztunnel should eventually match the integrations we have, including SDS and CSI-based providers ( in both dedicated mode and in future if we implement delegation ). I saw the FAKE provider - IMO it should be replaced (or we should add) with a mode that reads from /var/run/secrets... ( same default as istio-agent ), and fallback to SDS using the well-known path that the Envoy is using ( for Spire and all other integrations ). |
impl SecretManager<CustomSigner> { | ||
pub async fn origin(cfg: crate::config::Config) -> Result<Self, anyhow::Error> { | ||
let k8s_client = tls::create_k8s_client(cfg.k8s_ca_crt).await; | ||
match k8s_client { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This won't work on VMs.
Pretty sure there is a way to initialize k8s client in rust that works with both 'in cluster' and kubeconfig.
Same for the tokens - outside of K8S you need all the auth methods, the VM may use MDS or external commands to authenticate ( gcloud, etc ).
pub async fn create_k8s_client(root_cert: RootCert) -> Result<kube::Client, anyhow::Error> { | ||
let mut conn = ssl::SslConnector::builder(ssl::SslMethod::tls_client())?; | ||
conn.set_verify(ssl::SslVerifyMode::PEER); | ||
conn.set_alpn_protos(Alpn::H2.encode())?; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this the only SSL connection we create in ztunnel ? Any chance we could use the same code - or client library code ?
Added support for K8 CSR and custom signer