Service mesh: add mTLS auth method

[meyskens]

This adds an mTLS auth handler to the Serice Mesh auth package.
It will listen on a given port and does a mutual TLS handshake with
SPIFFE IDs it received. This will assure the both sides got the needed
certificates.

In order to integrate with the datapath tables it also improves the SPIFFE
interface to use the Cilium Numeric Identities. And convert them from and
to valid SNI fields. As well as implement code to validate the URI SANS
inside the certificates.

This can be enabled in the in the Helm chart.

Fixes: #23807

Add mtls-spiffe as auth mode in the CiliumNetworkPolicy

[meyskens]

How to test this (I know you cannot wait ;) ):

Enable it via Helm:

auth:
  mTLS:
    enabled: true

Install SPIRE: https://github.com/meyskens/cilium-spiffe-poc/tree/meyskens/cilium-mtls (make install)

Deploy a policy to use auth, I used the connectivity test pods for this

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: auth-egress
  namespace: cilium-test
spec:
  endpointSelector:
    matchLabels:
      kind: client
  egress:
    - toEndpoints:
        - matchLabels:
            kind: echo
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
      auth:
        type: "mtls-spiffe"
    - toEndpoints:
      - matchLabels:
          "k8s:io.kubernetes.pod.namespace": "kube-system"
          "k8s:k8s-app": "kube-dns"
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"

Then set up a connection between two pods and scan the logs of the Cilium agent for logs like

level=debug msg="auth: egress policy is requiring authentication type mtls-spiffe for identity 30086->41044, endpoint 10.244.1.148->10.244.0.130" subsys=auth

Create a SPIFFE ID for the identities:

kubectl exec -n spire spire-server-0 -- \
		/opt/spire/bin/spire-server entry create \
		-spiffeID spiffe://spiffe.cilium.io/cilium-id/ENTER-ID-HERE \
		-parentID spiffe://spiffe.cilium.io/dclient \
		-selector cilium:mtls

(this will not be needed once #23802 is built)

Try the connection again and enjoy a brand new mTLS experience <3

[christarazi]

Nice work!

One major concern I have is that I don't see any tests. I realize from reviewing that this seems to be more of integration code so unit testing probably wasn't obvious. However, I can imagine a test that can spin off two TLS clients / servers and validate the code paths without too much complication.

Otherwise, I only have code nits.

[meyskens]

@christarazi i agree on the testing side, I have been thinking about this for a bit, it would be good to have it covered with testing on some kind of integration test in the package between the mTLS and SPIFFE package. Need to discuss however if we make it part of this PR or a separate work item.

[youngnick]

Amazing work @meyskens! I'm really impressed with how quickly you've pulled functional code together.

However, I'm in a similar boat to @christarazi here, the changes look great, but I'd like to see unit tests, particularly for mtls_authhandler.go and certificate_provider.go. I think just tests that exercise the code paths inside the if statements are a great place to start, even for the internal functions. Let's lock in tests while this is a small change, and then we can have greater confidence as the changesets and assoicated testing get bigger.

[kaworu]

Thanks for the update @meyskens!

Couple of comments about context handling and locking, but overall LGTM.

[mhofstetter]

looks great 🎉 just some small suggestions

[jrajahalme]

Looks great to me!

[nathanjsweet]

LGTM for API changes

[kaworu]

Thanks @meyskens! Couple of nitpicking comments but the patch LGTM 🎉

[kaworu]

@nathanjsweet question: will the socket mount shared between the spire agent and cilium agent be a problem in the context of OpenShift?

[meyskens]

The SPIRE installation finalization will be part of #23806
For now we have this socket setup but for some clusters it might be that we need to change this with a more complex setup. It isn't yet final

[christarazi]

/test

Job 'Cilium-PR-K8s-1.16-kernel-4.19' failed:

Click to show.

Test Name

K8sUpdates Tests upgrade and downgrade from a Cilium stable image to master

Failure Output

FAIL: migrate-svc restart count values do not match

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.16-kernel-4.19 so I can create one.

[meyskens]

/test

Job 'Cilium-PR-K8s-1.16-kernel-4.19' failed:

Click to show.

Test Name

K8sUpdates Tests upgrade and downgrade from a Cilium stable image to master

Failure Output

FAIL: migrate-svc restart count values do not match

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.16-kernel-4.19 so I can create one.

[youngnick]

LGTM, nice work @meyskens !

[meyskens]

CI fails seem to be a flake or not related to this PR

[sayboras]

test-1.16-4.19 failure should be fixed as part of #24336

test-1.24-5.4 failure is related to new test, which could be a flake #22950.

[sayboras]

/mlh new-flake Cilium-PR-K8s-1.24-kernel-5.4

👍 created #24453