New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add flag to enforce mTLS on hubble relay clients #25582
Add flag to enforce mTLS on hubble relay clients #25582
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR @marqc. I think we want a new flag for the CA used to validate Hubble Relay client connections. On the way I think we should rename some flags for consistency:
- tls-client-cert-file → tls-hubble-client-cert-file
- tls-client-key-file → tls-hubble-client-key-file
To clarify that this keypair is used to contact Hubble servers.
- tls-server-cert-file → tls-relay-server-cert-file
- tls-server-key-file → tls-relay-server-key-file
To clarify that this keypair is used by the Hubble Relay server. Then the new flag could be named tls-relay-client-ca-files for consistency. While technically a breaking change, the flags renaming should be transparently handled by the Helm charts, so unlikely to affect most users. What do you think? cc @rolinh
da34aa9
to
a3f2487
Compare
@kaworu For better backwards compatibility I implemented old flag deprecation instead of just renaming. The complete set of flags after these changes:
Are you sure that the new flag should be |
a3f2487
to
7a66ab9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the update @marqc!
Are you sure that the new flag should be tls-relay-client-ca-files and not tls-relay-server-ca-files?
Yes, it convey that the CA is used to validate clients, this is consistent with
Lines 946 to 949 in 2a966f4
// HubbleTLSClientCAFiles specifies the path to one or more client CA | |
// certificates to use for TLS with mutual authentication (mTLS). The files | |
// must contain PEM encoded data. | |
HubbleTLSClientCAFiles = "hubble-tls-client-ca-files" |
@kaworu For better backwards compatibility I implemented old flag deprecation instead of just renaming.
Awesome, could you please add a note in Documentation/operations/upgrade.rst
about the flag deprecation and planned removal for v1.15 (in the Deprecated Options section)? Other than that LGTM.
7a66ab9
to
abdd143
Compare
Documentation updated. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@marqc Some changes required, otherwise LGTM.
57a0a68
to
64225e1
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @marqc! Patch LGTM, however CI is unhappy:
HINT: to fix this, run 'make -C Documentation update-helm-values'
5686f3d
to
fff3d91
Compare
thanks, fixed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
/test |
@marqc Thanks, nice work! I've kicked off tests and put this on the queue to revisit after the 1.14 release branch has been cut. |
@marqc I think you know the deal by now ;), needs a rebase and a push back up. That will fix the two stuck tests you see in this PR. |
fff3d91
to
7a83019
Compare
/test |
Fixes: cilium#24265 Signed-off-by: Marek Chodor <mchodor@google.com> Co-authored-by: ZSC <zacharysarah@users.noreply.github.com>
7a83019
to
ef9e0eb
Compare
/test |
hmm, not sure why travisCI tests are getting blocked. |
Sorry to ask you to do this, but it appears all your PRs are having trouble triggering TravisCI. I'm going to leave this message on your other PRs as well, but can you please close this PR and open a new one with the same changes? Hopefully this will fix these issues. |
I've manually run the Travis tests ( |
Fixes: #24265
Please ensure your pull request adheres to the following guidelines:
description and a
Fixes: #XXX
line if the commit addresses a particularGitHub issue.
Fixes: <commit-id>
tag, thenplease add the commit author[s] as reviewer[s] to this issue.
For some time hubble-relay clients (hubble CLI, hubble UI) support mTLS. This change adds option to enforce mTLS on connections to hubble-relay.
Fixes: 24265