operator/agent: Refactor to remove mTLS references

Signed-off-by: Tam Mach <tam.mach@cilium.io>
cilium · Jun 2, 2023 · acdfea3 · acdfea3
1 parent dabb34e
commit acdfea3
Show file tree

Hide file tree

Showing 11 changed files with 74 additions and 78 deletions.
diff --git a/Documentation/operations/system_requirements.rst b/Documentation/operations/system_requirements.rst
@@ -418,7 +418,7 @@ Port Range / Protocol    Description
 4240/tcp                 cluster health checks (``cilium-health``)
 4244/tcp                 Hubble server
 4245/tcp                 Hubble Relay
-4250/tcp                 mTLS port
+4250/tcp                 Mutual Authentication port
 4251/tcp                 Spire Agent health check port (listening on 127.0.0.1 or ::1)
 6060/tcp                 cilium-agent pprof server (listening on 127.0.0.1)
 6061/tcp                 cilium-operator pprof server (listening on 127.0.0.1)

diff --git a/operator/auth/doc.go b/operator/auth/doc.go
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright Authors of Cilium
 
-// Package auth provides routines to manage mTLS identities in Cilium.
+// Package auth provides routines to manage mutual authentication identities in Cilium.
 // If enabled, the operator will watch for CiliumIdentity resources and provision
 // corresponding external identities such as SPIFFE identities.
 package auth
diff --git a/operator/auth/spire/client.go b/operator/auth/spire/client.go
@@ -35,7 +35,7 @@ const (
 var defaultSelectors = []*types.Selector{
 	{
 		Type:  "cilium",
-		Value: "mtls",
+		Value: "mutual-auth",
 	},
 }
 
@@ -87,7 +87,7 @@ type Client struct {
 }
 
 // NewClient creates a new SPIRE client.
-// If the mTLS is not enabled, it returns a noop client.
+// If the mutual authentication is not enabled, it returns a noop client.
 func NewClient(lc hive.Lifecycle, cfg ClientConfig, log logrus.FieldLogger) identity.Provider {
 	if !cfg.MutualAuthEnabled {
 		return &noopClient{}

diff --git a/operator/auth/spire/client_test.go b/operator/auth/spire/client_test.go
@@ -91,7 +91,7 @@ func TestClient_Upsert(t *testing.T) {
 									Selectors: []*types.Selector{
 										{
 											Type:  "cilium",
-											Value: "mtls",
+											Value: "mutual-auth",
 										},
 									},
 									Match: types.SelectorMatch_MATCH_EXACT,
@@ -126,7 +126,7 @@ func TestClient_Upsert(t *testing.T) {
 									Selectors: []*types.Selector{
 										{
 											Type:  "cilium",
-											Value: "mtls",
+											Value: "mutual-auth",
 										},
 									},
 									Match: types.SelectorMatch_MATCH_EXACT,
@@ -176,7 +176,7 @@ func TestClient_Upsert(t *testing.T) {
 									Selectors: []*types.Selector{
 										{
 											Type:  "cilium",
-											Value: "mtls",
+											Value: "mutual-auth",
 										},
 									},
 									Match: types.SelectorMatch_MATCH_EXACT,
@@ -262,7 +262,7 @@ func TestClient_Delete(t *testing.T) {
 									Selectors: []*types.Selector{
 										{
 											Type:  "cilium",
-											Value: "mtls",
+											Value: "mutual-auth",
 										},
 									},
 									Match: types.SelectorMatch_MATCH_EXACT,
@@ -297,7 +297,7 @@ func TestClient_Delete(t *testing.T) {
 									Selectors: []*types.Selector{
 										{
 											Type:  "cilium",
-											Value: "mtls",
+											Value: "mutual-auth",
 										},
 									},
 									Match: types.SelectorMatch_MATCH_EXACT,
@@ -331,7 +331,7 @@ func TestClient_Delete(t *testing.T) {
 									Selectors: []*types.Selector{
 										{
 											Type:  "cilium",
-											Value: "mtls",
+											Value: "mutual-auth",
 										},
 									},
 									Match: types.SelectorMatch_MATCH_EXACT,
@@ -365,7 +365,7 @@ func TestClient_Delete(t *testing.T) {
 									Selectors: []*types.Selector{
 										{
 											Type:  "cilium",
-											Value: "mtls",
+											Value: "mutual-auth",
 										},
 									},
 									Match: types.SelectorMatch_MATCH_EXACT,

diff --git a/pkg/auth/always_pass_authhandler.go b/pkg/auth/always_pass_authhandler.go
@@ -0,0 +1,34 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package auth
+
+import (
+	"time"
+
+	"github.com/cilium/cilium/pkg/auth/certs"
+	"github.com/cilium/cilium/pkg/policy"
+)
+
+// alwaysPassAuthHandler implements an authHandler by just authenticate every request
+// This is only for testing purpose.
+type alwaysPassAuthHandler struct {
+}
+
+func (r *alwaysPassAuthHandler) authenticate(authReq *authRequest) (*authResponse, error) {
+	// Authentication trivially done
+	log.Debugf("auth: Successfully authenticated request")
+
+	return &authResponse{
+		expirationTime: time.Now().Add(1 * time.Minute),
+	}, nil
+}
+
+func (r *alwaysPassAuthHandler) authType() policy.AuthType {
+	// return a dummy auth type as this auth type is used only for testing
+	return policy.AuthType(100)
+}
+
+func (r *alwaysPassAuthHandler) subscribeToRotatedIdentities() <-chan certs.CertificateRotationEvent {
+	return nil
+}
diff --git a/pkg/auth/cell.go b/pkg/auth/cell.go
@@ -31,8 +31,8 @@ var Cell = cell.Module(
 	cell.Invoke(newManager),
 	cell.ProvidePrivate(
 		newSignalRegistration,
-		// MTLS auth handler provides support for auth type "mtls-*" - which performs mTLS authentication.
-		newMTLSAuthHandler,
+		// Null auth handler provides support for auth type "null" - which always succeeds.
+		newMutualAuthHandler,
 		// Always fail auth handler provides support for auth type "always-fail" - which always fails.
 		newAlwaysFailAuthHandler,
 	),
@@ -105,9 +105,3 @@ type authHandlerResult struct {
 
 	AuthHandler authHandler `group:"authHandlers"`
 }
-
-func newNullAuthHandler() authHandlerResult {
-	return authHandlerResult{
-		AuthHandler: &disabledAuthHandler{},
-	}
-}
diff --git a/pkg/auth/disabled_authhandler.go b/pkg/auth/disabled_authhandler.go
diff --git a/pkg/auth/manager_test.go b/pkg/auth/manager_test.go
@@ -15,18 +15,18 @@ import (
 
 func Test_newAuthManager_clashingAuthHandlers(t *testing.T) {
 	authHandlers := []authHandler{
-		&disabledAuthHandler{},
-		&disabledAuthHandler{},
+		&alwaysFailAuthHandler{},
+		&alwaysFailAuthHandler{},
 	}
 
 	am, err := newAuthManager(nil, authHandlers, nil, nil)
-	assert.ErrorContains(t, err, "multiple handlers for auth type: disabled")
+	assert.ErrorContains(t, err, "multiple handlers for auth type: test-always-fail")
 	assert.Nil(t, am)
 }
 
 func Test_newAuthManager(t *testing.T) {
 	authHandlers := []authHandler{
-		&disabledAuthHandler{},
+		&alwaysPassAuthHandler{},
 		&fakeAuthHandler{},
 	}
 
@@ -53,7 +53,7 @@ func Test_authManager_authenticate(t *testing.T) {
 				remoteNodeID:   2,
 				authType:       1,
 			},
-			wantErr:     assertErrorString("unknown requested auth type: required"),
+			wantErr:     assertErrorString("unknown requested auth type: spire"),
 			wantEntries: 0,
 		},
 		{
@@ -62,7 +62,7 @@ func Test_authManager_authenticate(t *testing.T) {
 				localIdentity:  1,
 				remoteIdentity: 2,
 				remoteNodeID:   1,
-				authType:       0,
+				authType:       2,
 			},
 			wantErr:     assertErrorString("remote node IP not available for node ID 1"),
 			wantEntries: 0,
@@ -73,7 +73,7 @@ func Test_authManager_authenticate(t *testing.T) {
 				localIdentity:  1,
 				remoteIdentity: 2,
 				remoteNodeID:   2,
-				authType:       0,
+				authType:       100,
 			},
 			wantErr:     assert.NoError,
 			wantEntries: 1,
@@ -86,7 +86,7 @@ func Test_authManager_authenticate(t *testing.T) {
 			}
 			am, err := newAuthManager(
 				make(<-chan signalAuthKey, 100),
-				[]authHandler{&disabledAuthHandler{}},
+				[]authHandler{&alwaysFailAuthHandler{}, &alwaysPassAuthHandler{}},
 				authMap,
 				newFakeIPCache(map[uint16]string{
 					2: "172.18.0.2",

diff --git a/pkg/auth/mtls_authhandler.go → pkg/auth/mutual_authhandler.go b/pkg/auth/mtls_authhandler.go → pkg/auth/mutual_authhandler.go
@@ -24,13 +24,13 @@ import (
 	"github.com/cilium/cilium/pkg/policy"
 )
 
-type mtlsParams struct {
+type mutualAuthParams struct {
 	cell.In
 
 	CertificateProvider certs.CertificateProvider
 }
 
-func newMTLSAuthHandler(lc hive.Lifecycle, cfg MutualAuthConfig, params mtlsParams, log logrus.FieldLogger) authHandlerResult {
+func newMutualAuthHandler(lc hive.Lifecycle, cfg MutualAuthConfig, params mutualAuthParams, log logrus.FieldLogger) authHandlerResult {
 	if cfg.MutualAuthListenerPort == 0 {
 		log.Info("mutual authentication handler is disabled as no port is configured")
 		return authHandlerResult{}
@@ -39,16 +39,16 @@ func newMTLSAuthHandler(lc hive.Lifecycle, cfg MutualAuthConfig, params mtlsPara
 		log.Fatal("No certificate provider configured, but one is required. Please check if the spire flags are configured.")
 	}
 
-	mtls := &mutualAuthHandler{
+	mAuthHandler := &mutualAuthHandler{
 		cfg:  cfg,
-		log:  log.WithField(logfields.LogSubsys, "mtls-auth-handler"),
+		log:  log.WithField(logfields.LogSubsys, "mutual-auth-handler"),
 		cert: params.CertificateProvider,
 	}
 
-	lc.Append(hive.Hook{OnStart: mtls.onStart, OnStop: mtls.onStop})
+	lc.Append(hive.Hook{OnStart: mAuthHandler.onStart, OnStop: mAuthHandler.onStop})
 
 	return authHandlerResult{
-		AuthHandler: mtls,
+		AuthHandler: mAuthHandler,
 	}
 }
 
@@ -154,22 +154,22 @@ func (m *mutualAuthHandler) listenForConnections(upstreamCtx context.Context, re
 	var lc net.ListenConfig
 	l, err := lc.Listen(ctx, "tcp", fmt.Sprintf(":%d", m.cfg.MutualAuthListenerPort))
 	if err != nil {
-		m.log.WithError(err).Fatal("Failed to start mTLS listener")
+		m.log.WithError(err).Fatal("Failed to start mutual auth listener")
 	}
 	go func() { // shutdown socket goroutine
 		<-ctx.Done()
 		l.Close()
 	}()
 
-	m.log.WithField(logfields.Port, m.cfg.MutualAuthListenerPort).Info("Started mTLS listener")
+	m.log.WithField(logfields.Port, m.cfg.MutualAuthListenerPort).Info("Started mutual auth listener")
 	ready <- struct{}{} // signal to hive that we are ready to accept connections
 
 	for {
 		conn, err := l.Accept()
 		if err != nil {
 			m.log.WithError(err).Error("Failed to accept connection")
 			if errors.Is(err, net.ErrClosed) {
-				m.log.Info("mTLS listener socket got closed")
+				m.log.Info("mutual auth listener socket got closed")
 				return
 			}
 			continue
@@ -211,7 +211,7 @@ func (m *mutualAuthHandler) GetCertificateForIncomingConnection(info *tls.Client
 }
 
 func (m *mutualAuthHandler) onStart(ctx hive.HookContext) error {
-	m.log.Info("Starting mTLS auth handler")
+	m.log.Info("Starting mutual auth handler")
 
 	listenCtx, cancel := context.WithCancel(context.Background())
 	m.cancelSocketListen = cancel
@@ -223,7 +223,7 @@ func (m *mutualAuthHandler) onStart(ctx hive.HookContext) error {
 }
 
 func (m *mutualAuthHandler) onStop(ctx hive.HookContext) error {
-	m.log.Info("Stopping mTLS auth handler")
+	m.log.Info("Stopping mutual auth handler")
 	m.cancelSocketListen()
 	return nil
 }

diff --git a/pkg/auth/mtls_authhandler_test.go → pkg/auth/mutual_authhandler_test.go b/pkg/auth/mtls_authhandler_test.go → pkg/auth/mutual_authhandler_test.go
@@ -145,7 +145,7 @@ func generateTestCertificates(t *testing.T) (map[string]*x509.Certificate, map[s
 	return leafCerts, leafPrivKeys, caPool
 }
 
-func Test_mtlsAuthHandler_verifyPeerCertificate(t *testing.T) {
+func Test_mutualAuthHandler_verifyPeerCertificate(t *testing.T) {
 	certMap, keyMap, caPool := generateTestCertificates(t)
 	certMapOtherCA, _, _ := generateTestCertificates(t)
 	type args struct {
@@ -248,7 +248,7 @@ func Test_mtlsAuthHandler_verifyPeerCertificate(t *testing.T) {
 	}
 }
 
-func Test_mtlsAuthHandler_GetCertificateForIncomingConnection(t *testing.T) {
+func Test_mutualAuthHandler_GetCertificateForIncomingConnection(t *testing.T) {
 	certMap, keyMap, caPool := generateTestCertificates(t)
 	type args struct {
 		info *tls.ClientHelloInfo
@@ -317,16 +317,16 @@ func Test_mtlsAuthHandler_GetCertificateForIncomingConnection(t *testing.T) {
 	}
 }
 
-func Test_mtlsAuthHandler_authenticate(t *testing.T) {
+func Test_mutualAuthHandler_authenticate(t *testing.T) {
 	certMap, keyMap, caPool := generateTestCertificates(t)
 
-	tls := &mutualAuthHandler{
+	mAuthHandler := &mutualAuthHandler{
 		cfg:  MutualAuthConfig{MutualAuthListenerPort: getRandomOpenPort(t)},
 		log:  log,
 		cert: &fakeCertificateProvider{certMap: certMap, caPool: caPool, privkeyMap: keyMap},
 	}
-	tls.onStart(context.Background())
-	defer tls.onStop(context.Background())
+	mAuthHandler.onStart(context.Background())
+	defer mAuthHandler.onStop(context.Background())
 
 	var lowestExpirationTime time.Time
 	for _, cert := range certMap {
@@ -392,7 +392,7 @@ func Test_mtlsAuthHandler_authenticate(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := tls.authenticate(tt.args.ar)
+			got, err := mAuthHandler.authenticate(tt.args.ar)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("mutualAuthHandler.authenticate() error = %v, wantErr %v", err, tt.wantErr)
 				return

diff --git a/pkg/auth/spire/delegate.go b/pkg/auth/spire/delegate.go
@@ -282,7 +282,7 @@ func (s *SpireDelegateClient) initWatcher(ctx context.Context) (delegatedidentit
 		Selectors: []*spiffeTypes.Selector{
 			{
 				Type:  "cilium",
-				Value: "mtls",
+				Value: "mutual-auth",
 			},
 		},
 	})