
[RFC]Add fundamental building blocks for zero-trust (certificate manager, authentication) as part of traffic governance module | 流量治理-零信任模块基础骨架设计与实现 #3166

Closed
xinlunanxinlunan opened this issue Jul 10, 2023 · 0 comments · Fixed by #3182
Labels
area/traffic-governance Issues or PRs related to traffic governance kind/feature Category issues or prs related to feature request.

Comments

@xinlunanxinlunan

xinlunanxinlunan commented Jul 10, 2023

Issue Description

With the development of cloud-native technologies, network boundaries are gradually disappearing, and the concept of zero trust therefore prevails. The most important functions of zero trust are certificate management and request authentication. As a generic, cloud-native traffic governance component, Sentinel 2.0 will support zero-trust capabilities for certificate management and request authentication:

  • Obtain the certificate from the external data source and use it to configure HTTPS when the web service is enabled.

  • Obtain authentication rules from the external data source and permit or block each request based on those rules.

Describe your initial design (if present)

  1. core module:
    • Certificates and authentication rules are stored in Sentinel's core.
    • Authentication rules include ALLOW rules, DENY rules, and JWT rules, which are the same as those in istio.
    • The authenticator will be placed in the core and used to determine whether the request should be allowed or blocked. The specific rules are:
      • (1) If a JWT rule matches the request, the request is evaluated against it. If the result of that evaluation is rejection, the request is rejected.
      • (2) If any DENY policy matches the request, the request is denied.
      • (3) Allow the request if the workload does not have an ALLOW policy.
      • (4) Allow the request if any ALLOW policy matches it.

Istio authentication rules: https://istio.io/latest/docs/reference/config/security/authorization-policy/

  2. extension module: We will temporarily use istio as the external data source:
    • Send a CSR with a k8s token to istio to get a certificate.
    • You can obtain authentication rules by subscribing to istio's xDS in batches.
  3. adapter module: Add Sentinel certificates and authentication rules to the existing application framework adaptation module, and support microservice zero trust.
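The four-step decision order described above, modelled as an added Go example (it is not Sentinel's or Istio's code): `Request`, `Rule` and `Policies` are hypothetical shapes, and the JWT step assumes the request already carries the outcome of the token check, as the design's step (1) implies.

```go
package main

import (
	"fmt"
	"strings"
)

// Request is a constructed view of an inbound call; JWTRejected records that the
// token it carried failed the JWT check (hypothetical shape, not Sentinel's).
type Request struct {
	Path, Principal string
	JWTRejected     bool
}

// Rule is a hypothetical policy entry; an empty Principal matches any caller.
type Rule struct{ PathPrefix, Principal string }

func (r Rule) Matches(req Request) bool {
	return strings.HasPrefix(req.Path, r.PathPrefix) &&
		(r.Principal == "" || r.Principal == req.Principal)
}

func anyMatch(rules []Rule, req Request) bool {
	for _, r := range rules {
		if r.Matches(req) {
			return true
		}
	}
	return false
}

type Policies struct{ JWT, Deny, Allow []Rule } // the three rule kinds in the design

// Decide applies the four steps in the RFC's order and names the deciding step.
func Decide(p Policies, req Request) (allowed bool, reason string) {
	switch {
	case req.JWTRejected && anyMatch(p.JWT, req): // (1) matching JWT rule, token rejected
		return false, "jwt-rejected"
	case anyMatch(p.Deny, req): // (2) any matching DENY policy wins over ALLOW
		return false, "deny-matched"
	case len(p.Allow) == 0: // (3) workload has no ALLOW policy: default allow
		return true, "no-allow-policy"
	case anyMatch(p.Allow, req): // (4) some ALLOW policy matches
		return true, "allow-matched"
	}
	return false, "no-allow-matched" // ALLOW policies exist but none matched
}

func main() {
	fmt.Println(Decide(Policies{Deny: []Rule{{PathPrefix: "/api/admin"}}}, Request{Path: "/api/admin/users"}))
}
```

Note that step (3) makes a workload with no ALLOW policy open by default, so an operator who wants deny-by-default must install at least one ALLOW policy, exactly as with Istio's AuthorizationPolicy.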

With the development of cloud-native technology, network boundaries are gradually disappearing and the concept of zero trust is prevailing. The most important functions of zero trust are certificate management and request authentication. As a generic cloud-native traffic governance component, Sentinel 2.0 will support the zero-trust functions of certificate management and request authentication:

— Obtain certificates from an external data source and use them to configure HTTPS when the web service is enabled.

— Obtain authentication rules from an external data source and allow or block each request according to those rules.

Describe your initial design (if any)

  1. core module:
    • Certificates and authentication rules are stored in Sentinel's core.
    • Authentication rules include ALLOW rules, DENY rules and JWT rules, the same as those in istio.
    • The authenticator will be placed in the core and used to determine whether a request should be allowed or blocked. The specific rules are:
      - (1) If a JWT rule matches, the match succeeds. If the match result is rejection, the request is rejected.
      - (2) If a matching DENY policy exists, the request is rejected.
      - (3) If the workload has no ALLOW policy, allow the request.
      - (4) Allow the request if any ALLOW policy matches it.

Istio authorization rules: https://istio.io/latest/docs/reference/config/security/authorization-policy/

  2. extension module: we will temporarily use istio as the external data source:
    - Send a CSR with a k8s token to istio to obtain a certificate.
    - Obtain authentication rules by subscribing to istio's xDS in batches.

  3. adapter module: add certificates and authentication rules to the existing application framework adaptation module to support microservice zero trust.

@sczyh30 sczyh30 added kind/feature Category issues or prs related to feature request. area/traffic-governance Issues or PRs related to traffic governance labels Jul 10, 2023
@xinlunanxinlunan xinlunanxinlunan changed the title Read istio into sentinel as a data source. Based on this, sentinel's function on zero trust direction is developed. [RFC]Add fundamental building blocks for zero-trust (certificate manager, authentication) as part of traffic governance.| 作为流量治理的一部分, 为零信任(证书管理器、身份验证)添加基本构建块. Jul 10, 2023
@xinlunanxinlunan xinlunanxinlunan changed the title [RFC]Add fundamental building blocks for zero-trust (certificate manager, authentication) as part of traffic governance.| 作为流量治理的一部分, 为零信任(证书管理器、身份验证)添加基本构建块. [RFC]Add fundamental building blocks for zero-trust (certificate manager, authentication) as part of traffic governance.| 作为流量治理的一部分, 为零信任(包含证书管理、身份验证)添加基本构建. Jul 10, 2023
@sczyh30 sczyh30 changed the title [RFC]Add fundamental building blocks for zero-trust (certificate manager, authentication) as part of traffic governance.| 作为流量治理的一部分, 为零信任(包含证书管理、身份验证)添加基本构建. [RFC]Add fundamental building blocks for zero-trust (certificate manager, authentication) as part of traffic governance module | 流量治理-零信任模块基础骨架设计与实现 Jul 10, 2023