# Securing Microservices Communication with Envoy using X.509 SPIFFE IDs - Lab 2
## Deploy the Microservices application in the Kubernetes Cluster with Envoy as a proxy to handle SPIFFE SVIDs

### **Lab workflow:**

In this lab:

1. As tenant user, you will first deploy the application services (Backend and Frontend applications) with their Envoy sidecar proxy, in the Kubernetes cluster in your tenant working context.

2. You will create registration entries on the SPIRE Server for your the Envoy proxy instances sitting in front of your application services.

3. You will then test successful X.509 authentication and mTLS connection between the Frontend app and the Backend app, through the Envoy sidecar proxies.

4. Next, you will configure an Envoy RBAC HTTP filter policy to allow for more granular access control.

5. Finally, you will perform some CleanUp to ensure repeatable hands-on workshop.


**Definitions:** Before diving into the heart of the hands-on exercises, it is important to understand some of the SPIFFE/SPIRE and Envoy definitions:

- *Envoy:* Envoy is a popular open-source service proxy that is widely used to provide abstracted, secure, authenticated and encrypted communication between services. Envoy is a self contained process that is designed to run alongside every application service. All of the Envoy proxies form a communication mesh in wich each application sends and receives messages to and from **localhost** and is unaware of the network topology.

- *Envoy Secret Discovery Service (SDS):* One component of this configuration system is the Secret Discovery Service protocol or SDS. Envoy uses SDS to retrieve and maintain updated “secrets” from SDS providers. In the context of SPIRE, these secrets are the service identifier, the certificate document, and the trusted CA certificate(s). The SPIRE Agents act as the Envoy SDS Provider and issue these elements to Envoy proxy. The Envoy proxy uses them to provide mutual TLS authentication on behalf of applications. 

- *SPIRE Server:* This component acts as a signing authority for service identities (the SPIFFE ID service identifier and the certificate SVID) issued to services via SPIRE agents. It is responsible for generating and signing all certificates (known as ***SVIDs***) in the entire system, and creating the ***Trust Bundle*** (a set of trusted CA certificates). It also maintains a registry of system and service identities, and the conditions that must be verified in order for those identities (i.e.: the SPIFFE ID and the SVIDs) to be issued.

- *SPIRE Agent:* This component seats on each Kubernetes worker nodes and it is responsible for serving the ***Workloads API*** to services running on Kubernetes worker nodes and for providing the identified services with their service identities (the SPIFFE ID and cryptographic identity document (SVID)). The SPIRE Agent can be configured as an SDS provider for Envoy, allowing it to directly provide Envoy with the elements (SPIFFE ID service identifier, the X.509 certificate SVID, and the Trust Bundle) it needs to provide TLS authentication. The SPIRE Agent will also take care of re-generating the short-lived keys and certificates as required. 

- *SPIFFE ID:* A service identifier that uniquely identifies a service in SPIRE environment.

- *SPIFFE Verifiable Identity Document (SVID):* A SVID is the document with which a service proves its identity to a resource. A SVID contains a single SPIFFE ID which represents the identity of a service presenting it. It encodes the SPIFFE ID in a cryptographically-verifiable document in one of two supported formats: an X.509 certificate or a JWT token. The cryptographic properties of the SVID allow a particular service to prove its identity and that its certificate SVID is authentic and that it belongs to the service presenting it.

- *Trust Bundle:* The set of CA certificates that a service can use to verify a certificate SVID presented by another service. The Trust Bundle is generated by the SPIRE Server and distributed to the SPIRE Agents.

- *Workload API:* The SPIFFE Workload API, exposed by the SPIRE agent, is the method through which services obtain their service identities (SPIFFE ID and certificate SVIDs) and Trust Bundle. A service calls the Workload API to request its service identity and obtain the Trust Bundle.

### **1- Initialize the environment**

Let's first define the environment variables needed to execute this part of the lab.

In [None]:
#
# environment variables
#
studentId=$(grep hpecp-user $HOME/.kube/config | cut -d= -f2)
#
gateway_host="{{ HPEECPGWNAME }}"
Internet_access="{{ JPHOSTEXT }}"

BackendConfigMapUpdate="backend-envoy-configmap-update-student.yaml" #the backend envoy configmap object.
BackendConfigMapRBACUpdate="backend-envoy-configmap-update-RBAC-filter-student.yaml" #the backend envoy configmap object.

echo "Your studentId is: "$studentId

### **2- Deploy the Microservices application workloads in K8s cluster for your tenant working context**

To deploy the Backend and Frontent workload service, their Envoy sidecar proxies and configure the Envoy proxies to use SPIRE on behalf the workload services, you will leverage the Kubernetes ***Kustomize*** tool to customize Kubernetes resources through the following ***Kustomization*** Yaml file:
* Run the code cell below to display the content of the Kustomization YAML file:

In [None]:
cat k8s-student/kustomization.yaml

Next, deploy and configure the workload services and their Envoy sidecar proxy by applying the following kubectl command:

In [None]:
kubectl apply -k k8s-student/.

The kubectl apply command creates the following resources:

- A Kubernetes Deployment object for each of the workload services. The workload's POD contains a container for a particular service (Frontend, or Frontend-2, or Backend) and another container for the Envoy proxy.
- A Kubernetes Service object for each workload. It is used to communicate between them.
- Several Kubernetes Configmap objects are generated from various files (located at *~/k8s-student* subfolder) that are used to configure the workloads and the Envoy proxies sitting in front of the workloads:
   - ***json-data files*** are used to provide static data to the nginx instance running as the backend service.
   - ***envoy.yaml*** contains the Envoy proxy configuration for each workload.
   - ***symbank-webapp.conf*** contains the configuration supplied to each instance of the frontend services.

### **3- Inspect the deployed Microservices application**
Use the command `kubectl get -k k8s-student/.` and `kubectl get pods` to inspect the deployed components of your microservices application. Repeat the command until all the PODs are in **running** state.

In [None]:
kubectl get pods | grep $studentId
kubectl get -k k8s-student/.

### **4- Create registration entries on the SPIRE Server for each of your Workload:**

In order for SPIRE to identify a workload service and issue the service identity (the X.509 SVID) to the service, you must **register** the service with the SPIRE Server, via registration entries. Workload service registration tells SPIRE how to identify the service and which service identifier (SPIFFE ID) and certificate SVID (which carries the encoded/cryptographic form of the SPIFFE ID) to give it. 

A registration entry maps an identity - in the form of a SPIFFE ID - to a set of properties known as **selectors** (for example: namespace, POD service account, POD label, container name) and that are attributes the workload service must possess in order to be issued a particular service identity (the SPIFFE ID and the X.509 certificate SVID). A workload service registration entry contains the following:

* a SPIFFE ID that uniquely identifies a workload service and takes the following format: spiffe://trust-domain/workload-identifier
* a set of one or more selectors such as the K8s namespace and the POD Service Account
* a parent ID (i.e.: the SPIFFE ID assigned to the SPIRE Agent running on K8S worker nodes)

In our use case, the SPIFFE ID granted to the workload service is derived from the POD Service Account and namespace in the form:
  
  ***spiffe://Trusted-domain/ns/namespace/sa/Pod-sa***. 

An example of registration entry for the ***backend*** application service with a POD name *backend-student75*, an Envoy proxy container named *envoy*, a POD Service Account *student75* in the *testspiresds* namespace, in SPIFFE trusted domain *example.org* is shown here:

***
    -parentID spiffe://example.org/ns/spire/sa/spire-agent \
    -spiffeID spiffe://example.org/ns/testspiresds/sa/student75/backend \
    -selector k8s:ns:testspiresds \
    -selector k8s:sa:student75 \
    -selector k8s:pod-label:app:backend-student75 \
    -selector k8s:container-name:envoy
***

> <font color="red"> Note: the selectors for our workloads point to the Envoy container: **k8s:container-name:envoy**. This is how we configure Envoy to perform X.509 SVID authentication on a workload’s behalf. </font>
   

Let’s use the following Bash script to create the registration entries on SPIRE Server for your three workloads. 

In [None]:
bash Scripts/create-registration-entries-student.sh

Once the script is run, the list of created registration entries can be shown using the command below: 

In [None]:
echo "Listing created registration entries..."
kubectl exec -n spire spire-server-0 -- /opt/spire/bin/spire-server entry show | grep -B 1 -C 5 -E $studentId

Upon successful creation of the registration entries for the workload services, all the service SVIDs are generated and signed on the SPIRE Server.

The SPIRE server then sends to the SPIRE agent running on the K8s worker nodes a list of all registration entries for workload services that are entitled to run on the nodes. SPIRE agents cache these registration entries. 

The Workload services (in our case the Envoy proxies) connect to the SPIRE agent using the Workload API &mdash; exposed by the SPIRE agent &mdash; to retrieve their service identifier (SPIFFE ID), their identity service document (the X.509 certificate SVID) and the Trust Bundle. When a service connects to the SPIRE Agent to retrieve its SVID, the SPIRE agent performs a process called ***Workload Attestation*** to determine the service's identity and return the correct SVID to the service.
During the Workload Attestation process, the SPIRE agent determines the workload service's identity and which SVID to assign to the service by comparing the attributes the workload service possesses to registration entries selectors.

>**Note: In our use case, the Envoy proxies connect to the Workload API, retrieve their SPIFFE ID, SVIDs and Trust Bundle, and encrypt and authenticate traffic on behalf of the Frontend/Backend workload services.**

### **5- Anatomy of the Envoy sidecar proxy configuration**
To help you better understand how Envoy sidecar proxy obtain their service identities to encrypt mTLS communication on workload service's behalf, let's examine some of the sections of the **Envoy.yaml** file used to configure the Envoy proxy container of the workload services.

#### **5.1. Envoy proxy to SPIRE communication**

Envoy must be configured to communicate with the SPIRE agent by configuring a **cluster** that points to the Unix Domain Socket the SPIRE agent provides on the Kubernetes worker node the Envoy container runs.

<p align="center">
  <img src="Pictures/Envoy-Spire-cluster.png">
    
>A **Unix Domain Socket** is an inter-process communicaion mechanism that allows bidirectional communication between processes running on the same machine. You can list a machine local unix domain sockets with the following command: *netstat -a -p --unix | grep spire*. An example of the output of the command on a Kubernetes worker node where a SPIRE agent is running is shown here:
    
<p align="center">
  <img src="Pictures/Spire-agent-local-unix-domain-socket.png">

We then configure a **TLS context** that is used by the Envoy proxy to retrieve its SPIFFE ID, certificate SVID and the Trust Bundle that will allow it to encrypt and authenticate traffic on behalf of the workload service.

The ***tls_certificate_sds_secret_configs*** configuration tells Envoy proxy to talk to the SPIRE agent over the Unix Domain Socket to get its service identity document (SVID). The name of the TLS certificate is the SPIFFE ID of the workload service that Envoy is acting as a proxy for. Since the SPIFFE ID (spiffe://trust-domain/workload-identifier) that uniquely identifies the workload service has been created in SPIRE, the Envoy sidecar proxy will be able to get its SVID from SPIRE agent.

<p align="center">
  <img src="Pictures/Envoy-TLS_Context.png">
    

Next, the **combined validation context** will verify the trust domain as well as the Subject Alternate Name (SAN) of the peer service. 

The ***match_subject_alt_names*** of the *default_validation_context* configuration tells Envoy to only allow the connection if the certificate SVID presented by the connection has a Subject Alternate Name (SAN) that matches a particular workload service SPIFFE ID. In this example below, the Envoy sidecar proxy of the Backend workload will only allow connection from the Frontend and Frontend-2 workloads.

The ***validation_context_sds_secret_config*** tells Envoy proxy to talk to the SPIRE agent over the Unix Domain Socket to get the Trust Bundle which contains the CA certificates that Envoy uses to verify peer certificate SVID when establishing encrypted and authenticated connection with peer services.

<p align="center">
  <img src="Pictures/Envoy-combined-validation-context.png">
    

#### **5.2. Mutual TLS communication between Frontend application and Backend application through their Envoy proxies**

All of the Envoy proxies form a communication mesh in which each application sends and receives messages to and from **localhost** and is unaware of the network topology. 

>**Note:** Remember, the deployed workload service and their Envoy sidecar proxy are containers running on the same Kubernetes POD resource. Containers in the same POD share the same resources and local network. Containers can communicate with other containers in the same POD as though they were on the same machine (i.e.: localhost).

#### Frontend web app service configuration:

In our use case, the file **symbank-webapp.conf** contains the static configuration supplied to each instance of the frontend service. With this configuration, the Frontend web application will connect to the listining socket on port 3001 on localhost, that is the Envoy proxy sitting in front of the Frontend application.

<p align="center">
  <img src="Pictures/Frontend-config-webapp.png">

#### Frontend Envoy proxy configuration:

The Envoy proxy for a Frontend application is configured:
* to listen on localhost on port 3001 by configuring a **Listener**, and
* to communicate with Envoy proxy sitting in front of the Backend application service by configuring a **cluster** that points to Kubernetes service deployed for the Backend's Envoy proxy that listens on port 9001 and directs all requests on port 9001 to the Envoy proxy.

<p align="center">
  <img src="Pictures/Envoy-Frontend-config-Listener.png">
    

<p align="center">
  <img src="Pictures/Envoy-Frontend-config-for-cluster-backend.png">
    
    
#### Backend Envoy proxy configuration:
    
The Envoy proxy for the Backend application is configured:
* to listen on Localhost on port 9001 by configuring a **Listener**, and
* to communicate with the Backend application service by configuring a **cluster** that points to the localhost on port 80 
    
<p align="center">
  <img src="Pictures/Envoy-Backend-config-Listener.png">
     
<p align="center">
  <img src="Pictures/Envoy-Backend-config-Local-service-cluster.png">


### **6- Test the workloads authentication and mutual TLS secure communication**
Now that your application workloads have been deployed, registered in SPIRE Server, and their Envoy sidecar proxy have obtained their service identity document (X.509 SVID), the Envoy sidecar proxies can use their certificate SVID to establish end-to-end mutual TLS encrypted connections on application workload's behalf and secure connections between the applications.

Now let’s test the authorization that we’ve configured. To do this, we show that both frontend applications (frontend and frontend-2) can talk to the backend service through their Envoy proxies.

* Run the code cell below to obtain your Frontend application services endpoints and connect to them from your browser. 
* Once the page is loaded for the Frontend application, you will see the bank account and transaction details for user ***"Jacob Marley"***.
* Connect to the Frontend-2 application and you will see the account and transaction details for user ***"Alex Fergus"***.

In [None]:
#
# Frontend app endpoint URL:
#
FrontendAppURL=$(kubectl describe service frontend-${studentId} | grep gateway/3000 | awk '{print $3}')
#echo $FrontendAppURL
FrontendAppPort=$(echo $FrontendAppURL | cut -d':' -f 2)
#echo $FrontendAppPort
echo "Your Frontend application service endpoint URL is: "https://$Internet_access:$FrontendAppPort
#
# Frontend-2 app endpoint URL:
#
Frontend2AppURL=$(kubectl describe service frontend-2-${studentId} | grep gateway/3002 | awk '{print $3}')
#echo $Frontend2AppURL
Frontend2AppPort=$(echo $Frontend2AppURL | cut -d':' -f 2)
#echo $Frontend2AppPort
echo "Your Frontend-2 application service endpoint URL is: "https://$Internet_access:$Frontend2AppPort

### **7- Update the TLS configuration so only one Frontend app can access the backend**

The Envoy configuration for the backend service uses the TLS configuration to filter incoming connections by validating the Subject Alternative Name (SAN) of the certificate presented on the TLS connection. For SVIDs, the SAN field of the certificate is set with the SPIFFE ID associated with the service. So by specifying the SPIFFE IDs in the _match_subject_alt_names_ filter we indicate to Envoy which services can establish a connection.

Let’s now update the Envoy configuration for the backend service to revoke the workload entry for the Frontend-2 workload, and allow requests from the frontend service only. This is achieved by removing the SPIFFE ID of the frontend-2 service from the _combined_validation_context_ section at the Envoy configuration. 

To update the Envoy configuration for the backend workload, you will use the file ***backend-envoy-configmap-update-student.yaml*** to update the configMap for the Envoy proxy of the Backend workload service.

After execution of the code cell below, check out the section ***Combined_validation_context*** of the TLS_Context section, and run the next cell to apply the new configuration on Envoy sidecar proxy of the Backend workload:

In [None]:
cat $BackendConfigMapUpdate

In [None]:
kubectl apply -f $BackendConfigMapUpdate

Next, the backend pod needs to be restarted for the Envoy sidecar proxy container to pick up the new configuration:

In [None]:
kubectl scale deployment backend-${studentId} --replicas=0
kubectl scale deployment backend-${studentId} --replicas=1

Wait some seconds for the deployment to propagate before trying to view the frontend-2 service in your 
browser again. 

In [None]:
kubectl get pod | grep ${studentId}

Once the pod is ready, refresh the browser using the correct URL (run the code cell below to get the URL) for frontend-2 service. As a result, now Envoy does not allow the request to get to the backend service and account details are not shown in your browser.

In [None]:
echo "Your Frontend-2 application service is available at endpoint URL here: "https://$Internet_access:$Frontend2AppPort

On the other hand, you can check that the frontend service is still able to get a response from the backend. Refresh the browser at the correct URL (run the code cell below to get the URL) and confirm that account details are shown for **Jacob Marley**.

In [None]:
echo "Your Frontend application service is available at endpoint URL here: "https://$Internet_access:$FrontendAppPort

### **8- Extend the scenario with a Role Based Access Control (RBAC) filter**

Envoy provides a Role Based Access Control (RBAC) HTTP filter that checks the request based on a list of policies. A policy consists of permissions and principals, where the principal specifies the downstream client identities of the request, for example, the URI SAN of the downstream client certificate. So we can use the SPIFFE ID assigned to the service to create policies that allow for more granular access control.

The Symbank demo application consumes three different endpoints to get all the information about the bank account. The _/profiles_ endpoint provides the name and the address of the account’s owner. The other two endpoints, _/balances_ and _/transactions_, provide the balance and transactions for the account.

To demonstrate an Envoy RBAC filter, we can create a policy that allows the **Frontend** service to obtain only data from the _/profile_ endpoint and deny requests sent to other endpoints. This is achieved by defining a policy with a principal that matches the SPIFFE ID of the service and the permissions to allow only GET requests to the _/profiles_ resource. 

Let’s now update the Envoy proxy configuration for the backend service to allow requests from the frontend service to obtain only data from the _/profile_ only. 

To update the Envoy configuration for the backend workload, you will use the file ***backend-envoy-configmap-update-RBAC-filter-student.yaml*** to update the configMap for the Envoy proxy of the Backend workload service.

After execution of the code cell below, look at the section ***http_filters*** for configuration details of the RBAC filter, and run the next cell to apply the new configuration on Envoy sidecar proxy of the Backend workload:

In [None]:
cat $BackendConfigMapRBACUpdate

In [None]:
kubectl apply -f $BackendConfigMapRBACUpdate

Next, the backend pod needs to be restarted for the Envoy sidecar proxy container to pick up the new configuration:

In [None]:
kubectl scale deployment backend-${studentId} --replicas=0
kubectl scale deployment backend-${studentId} --replicas=1

Wait some seconds for the deployment to propagate before trying to view the frontend service in your 
browser again. 

In [None]:
kubectl get pod | grep ${studentId}

Once the pod is ready, refresh the browser using the correct URL (run the code cell below to get the URL) for Frontend service and confirm that **only** the profile information for **Jacob Marley's** account is shown.

As a result, now Envoy does not allow the request to get account details beyond the Profile information.

In [None]:
echo "Your Frontend application service is available at endpoint URL here: "https://$Internet_access:$FrontendAppPort

### **9- Time to do some Cleanup**

Please make sure you run the code cell below to delete your workloads from the Kubernetes cluster and delete their registration entries from SPIRE Server.  

In [None]:
kubectl delete -k k8s-student/.

In [None]:
bash Scripts/delete-registration-entries-student.sh

Verifying there is no registration entry for your workloads. The output should be ***":1"*** that means there is no more entries registered in SPIRE Server for your workloads.

In [None]:
echo "Listing created registration entries..."
kubectl exec -n spire spire-server-0 -- /opt/spire/bin/spire-server entry show | grep -B 1 -C 5 -E $studentId

## Summary

In this lab, you went through the steps to configure SPIRE to provide service identity dynamically in the form of X.509 certificates that are consumed by Envoy secret discovery service (SDS), so workloads can communicate securely.

## Let's move to the conclusion now!

* [Conclusion](3-WKSHP-Conclusion.ipynb)