Support TLS certificate auto-generation using certmanager

[dungdm93]

This is fourth part of #16792 that add support tls autogen using cert-manager

cert-manager (under CNCF umbrella) has become de-facto way to create and manage certificates.
Compare to other methods that cilium chart currently supported, this has some advantages:

• Support multiple issuers: CA, Vault, Let's encrypt, Google CAS,...
• Auto-renew certificate when it pass 2/3 life time.
• Manage cert via a CRD resource, which show much more easier than inspect the PEM file.

[kaworu]

Hello @dungdm93 and thank you for the PR!

I have some suggestions that were required for me to test the PR. Once fixed, here are some steps I did using a kind cluster.

install cert-manager

$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml

Now here we have a "chicken and egg problem": Because the Nodes are in NotReady state waiting on the CNI, cert-manager Pods are in Pending state waiting on the Nodes:

$ kubectl describe -n cert-manager pod -l app.kubernetes.io/name=cert-manager
…
Events:
  Type     Reason            Age                 From               Message
  ----     ------            ----                ----               -------
  Warning  FailedScheduling  24s (x13 over 12m)  default-scheduler  0/3 nodes are available: 1 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate, 2 node(s) had taint {node.kubernetes.io/not-ready: }, that the pod didn't tolerate.

Issuer

Configure a CA issuer named hubble-ca (inspired from #15443 (comment)):

$ cat <<EOF > hubble-ca-issuer.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: hubble-ca-keypair
  namespace: kube-system
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMrVENDQWVHZ0F3SUJBZ0lKQUtQR3dLRGwvNUhuTUEwR0NTcUdTSWIzRFFFQkN3VUFNQk14RVRBUEJnTlYKQkFNTUNHcHZjMmgyWVc1c01CNFhEVEU1TURneU1qRTJNRFUxT0ZvWERUSTVNRGd4T1RFMk1EVTFPRm93RXpFUgpNQThHQTFVRUF3d0lhbTl6YUhaaGJtd3dnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCCkFRQ3doU0IvcVc2L2tMYjJ6cHUrRUp2RDl3SEZhcStRQS8wSkgvTGxseW83ekFGeCtISHErQ09BYmsrQzhCNHQKL0hVRXNuczVSTDA5Q1orWDRqNnBiSkZkS2R1UHhYdTVaVllua3hZcFVEVTd5ZzdPU0tTWnpUbklaNzIzc01zMApSNmpZbi9Ecmo0eFhNSkVmSFVEcVllU1dsWnIzcWkxRUZhMGM3ZlZEeEgrNHh0WnROTkZPakg3YzZEL3ZXa0lnCldRVXhpd3Vzc2U2S01PV2pEbnYvNFZyamVsMlFnVVlVYkhDeWVaSG1jdGkrSzBMV0Nmby9SZzZQdWx3cmJEa2gKam1PZ1l0MzBwZGhYME9aa0F1a2xmVURIZnA4YmpiQ29JMnRhWUFCQTZBS2pLc08zNUxBRVU3OUNMMW1MVkh1WgpBQ0k1VWppamEzVlBXVkhTd21KUEp5dXhBZ01CQUFHalVEQk9NQjBHQTFVZERnUVdCQlFtbDVkVEFaaXhGS2hqCjkzd3VjUldoYW8vdFFqQWZCZ05WSFNNRUdEQVdnQlFtbDVkVEFaaXhGS2hqOTN3dWNSV2hhby90UWpBTUJnTlYKSFJNRUJUQURBUUgvTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCK2tsa1JOSlVLQkxYOHlZa3l1VTJSSGNCdgpHaG1tRGpKSXNPSkhac29ZWGRMbEcxcFpORmpqUGFPTDh2aDQ0Vmw5OFJoRVpCSHNMVDFLTWJwMXN1NkNxajByClVHMWtwUkJlZitJT01UNE1VN3ZSSUNpN1VPbFJMcDFXcDBGOGxhM2hQT2NSYjJ5T2ZGcVhYeVpXWGY0dDBCNDUKdEhpK1pDTkhCOUZ4alNSeWNiR1lWaytUS3B2aEphU1lOTUdKM2R4REthUDcrRHgzWGNLNnNBbklBa2h5SThhagpOVSttdzgvdG1Sa1A0SW4va1hBUitSaTBxVW1Iai92d3ZuazRLbTdaVXkxRllIOERNZVM1TmtzbisvdUhsUnhSClY3RG5uMDM5VFJtZ0tiQXFONzJnS05MbzVjWit5L1lxREFZSFlybjk4U1FUOUpEZ3RJL0svQVRwVzhkWAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBc0lVZ2Y2bHV2NUMyOXM2YnZoQ2J3L2NCeFdxdmtBUDlDUi95NVpjcU84d0JjZmh4CjZ2Z2pnRzVQZ3ZBZUxmeDFCTEo3T1VTOVBRbWZsK0krcVd5UlhTbmJqOFY3dVdWV0o1TVdLVkExTzhvT3praWsKbWMwNXlHZTl0N0RMTkVlbzJKL3c2NCtNVnpDUkh4MUE2bUhrbHBXYTk2b3RSQld0SE8zMVE4Ui91TWJXYlRUUgpUb3grM09nLzcxcENJRmtGTVlzTHJMSHVpakRsb3c1Ny8rRmE0M3Bka0lGR0ZHeHdzbm1SNW5MWXZpdEMxZ242ClAwWU9qN3BjSzJ3NUlZNWpvR0xkOUtYWVY5RG1aQUxwSlgxQXgzNmZHNDJ3cUNOcldtQUFRT2dDb3lyRHQrU3cKQkZPL1FpOVppMVI3bVFBaU9WSTRvMnQxVDFsUjBzSmlUeWNyc1FJREFRQUJBb0lCQUNFTkhET3JGdGg1a1RpUApJT3dxa2UvVVhSbUl5MHlNNHFFRndXWXBzcmUxa0FPMkFDWjl4YS96ZDZITnNlanNYMEM4NW9PbmtrTk9mUHBrClcxVS94Y3dLM1ZpRElwSnBIZ09VNzg1V2ZWRXZtU3dZdi9Fb1V3eHFHRVMvcnB5Z1drWU5WSC9XeGZGQlg3clMKc0dmeVltbXJvM09DQXEyLzNVVVFiUjcrT09md3kzSHdUdTBRdW5FSnBFbWU2RXdzdWIwZzhTTGp2cEpjSHZTbQpPQlNKSXJyL1RjcFRITjVPc1h1Vm5FTlVqV3BBUmRQT1NrRFZHbWtCbnkyaVZURElST3NGbmV1RUZ1NitXOWpqCmhlb1hNN2czbkE0NmlLenUzR0YwRWhLOFkzWjRmeE42NERkbWNBWnphaU1vMFJVaktWTFVqbVlQSEUxWWZVK3AKMkNYb3dNRUNnWUVBMTgyaU52UEkwVVlWaUh5blhKclNzd1YrcTlTRStvVi90U2ZSUUNGU2xsV0d3KzYyblRiVwpvNXpoL1RDQW9VTVNSbUFPZ0xKWU1LZUZ1SWdvTEoxN1pvWjN0U1czTlVtMmRpT0lPSHorcTQxQzM5MDRrUzM5CjkrYkFtVmtaSFA5VktLOEMraS9tek5mSkdHZEJadGIweWtTM2t3OUIxTHdnT3o3MDhFeXFSQ2tDZ1lFQTBXWlAKbzF2MThnV2tMK2FnUDFvOE13eDRPZlpTN3dKY3E0Z0xnUWhjYS9pSkttY0x0RFN4cUJHckJ4UVo0WTIyazlzdQpzTFVrNEJobGlVM29iUUJNaUdtMGtITHVBSEFRNmJvdWZBMUJwZjN2VFdHSkhSRjRMeFJsNzc2akw4UXI4VnpxClpURVBtY0R0T0hpYjdwb2I1Z2IzSDhiVGhYeUhmdGZxRW55alhFa0NnWUVBdk9DdDZZclZhTlQrWThjMmRFYk4Kd3dJOExBaUZtdjdkRjZFUjlCODJPWDRCeGR0WTJhRDFtNTNqN2NaVnpzNzFYOE1TN25FcDN1dkFqaElkbDI3KwpZbTJ1dUUyYVhIbDN5VTZ3RzBETFpUcnVIU0Z5TVI4ZithbHRTTXBDd0s1NXluSGpHVFp6dXpYaVBBbWpwRzdmCk1XbVRncE1IK3puc3UrNE9VNFBHUW9FQ2dZQWNqdUdKbS84YzlOd0JsR2lDZTJIK2JGTHhSTURteStHcm16QkcKZHNkMENqOWF3eGI3aXJ3MytjRGpoRUJMWExKcjA5YTRUdHdxbStrdElxenlRTG92V0l0QnNBcjVrRThlTVVBcAp0djBmRUZUVXJ0cXVWaldYNWlaSTNpMFBWS2ZSa1NSK2pJUmVLY3V3aWZKcVJpWkw1dU5KT0NxYzUvRHF3Yk93CnRjTHAwUUtCZ0VwdEw1SU10Sk5EQnBXbllmN0F5QVBhc0RWRE9aTEhNUGRpL2dvNitjSmdpUmtMYWt3eUpjV3IKU25QSG1TbFE0aEluNGMrNW1lbHBDWFdJaklLRCtjcTlxT2xmQmRtaWtYb2RVQ2pqWUJjNnVGQ1QrNWRkMWM4RwpiUkJQOUNtWk9GL0hOcHN0MEgxenhNd1crUHk5Q2VnR3hhZ0ZCekxzVW84N0xWR2h0VFFZCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: hubble-ca
  namespace: kube-system
spec:
  ca:
    secretName: hubble-ca-keypair
EOF
$ kubectl apply -f hubble-ca-issuer.yaml
secret/hubble-ca-keypair created
Error from server (InternalError): error when creating "hubble-ca-issuer.yaml": Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.31.2.53:443: connect: connection refused

Here the Secret is created, but the Issuer creation failed.

Install Cilium

Install using the certgen method:

$ helm install cilium ./install/kubernetes/cilium \
--namespace kube-system \
--set image.tag=stable \
--set hubble.relay.image.tag=stable \
--set hubble.ui.backend.image.tag=stable \
--set hubble.ui.frontend.image.tag=stable \
--set operator.image.tag=stable \
--set preflight.image.tag=stable \
--set clustermesh.apiserver.image.tag=latest \
--set nodeinit.enabled=true \
--set kubeProxyReplacement=partial \
--set hostServices.enabled=false \
--set externalIPs.enabled=true \
--set nodePort.enabled=true \
--set hostPort.enabled=true \
--set bpf.masquerade=false \
--set image.pullPolicy=IfNotPresent \
--set ipam.mode=kubernetes \
--set hubble.relay.enabled=true \
--set hubble.tls.auto.method=certmanager \
--set clustermesh.apiserver.tls.auto.method=certmanager \
--set hubble.tls.auto.certManagerIssuerRef.name=hubble-ca \
--set clustermesh.apiserver.tls.auto.certManagerIssuerRef.name=hubble-ca
Error: Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.31.2.53:443: connect: connection refused

Now at that point all Pods but the Relay Pod are eventually in a Running state, but the TLS Secrets couldn't be created:

$ kubectl logs -n kube-system ds/cilium  | grep subsys=hubble
Found 3 pods, using pod/cilium-4p7xv
level=info msg="Configuring Hubble server" eventQueueSize=8192 maxFlows=4095 subsys=hubble
level=info msg="Starting local Hubble server" address="unix:///var/run/cilium/hubble.sock" subsys=hubble
level=info msg="Waiting for Hubble server TLS certificate and key files to be created" subsys=hubble
$ kubectl describe pod -n kube-system -l k8s-app=hubble-relay
…
Events:
  Type     Reason            Age                    From               Message
  ----     ------            ----                   ----               -------
  Warning  FailedMount       3m49s (x2 over 8m18s)  kubelet            Unable to attach or mount volumes: unmounted volumes=[tls], unattached volumes=[tls hubble-sock-dir config]: timed out waiting for the condition
  Warning  FailedMount       95s (x2 over 6m4s)     kubelet            Unable to attach or mount volumes: unmounted volumes=[tls], unattached volumes=[hubble-sock-dir config tls]: timed out waiting for the condition
  Warning  FailedMount       5s (x13 over 10m)      kubelet            MountVolume.SetUp failed for volume "tls" : secret "hubble-relay-client-certs" not found

Fixing the TLS stuff

Re-creating the Issuer would now work:

$ kubectl apply -f hubble-ca-issuer.yaml
secret/hubble-ca-keypair unchanged
issuer.cert-manager.io/hubble-ca created

Forcing an upgrade would re-try to create the certificate requests:

$ helm upgrade cilium ./install/kubernetes/cilium \
--namespace kube-system \
--set image.tag=stable \
--set hubble.relay.image.tag=stable \
--set hubble.ui.backend.image.tag=stable \
--set hubble.ui.frontend.image.tag=stable \
--set operator.image.tag=stable \
--set preflight.image.tag=stable \
--set clustermesh.apiserver.image.tag=latest \
--set nodeinit.enabled=true \
--set kubeProxyReplacement=partial \
--set hostServices.enabled=false \
--set externalIPs.enabled=true \
--set nodePort.enabled=true \
--set hostPort.enabled=true \
--set bpf.masquerade=false \
--set image.pullPolicy=IfNotPresent \
--set ipam.mode=kubernetes \
--set hubble.relay.enabled=true \
--set hubble.tls.auto.method=certmanager \
--set clustermesh.apiserver.tls.auto.method=certmanager \
--set hubble.tls.auto.certManagerIssuerRef.name=hubble-ca \
--set clustermesh.apiserver.tls.auto.certManagerIssuerRef.name=hubble-ca
Release "cilium" has been upgraded. Happy Helming!
NAME: cilium
LAST DEPLOYED: Mon Aug 30 17:11:10 2021
NAMESPACE: kube-system
STATUS: deployed
REVISION: 2
TEST SUITE: None
NOTES:
You have successfully installed Cilium with Hubble Relay.

Your release version is 1.10.90.

For any further help, visit https://docs.cilium.io/en/v1.10/gettinghelp

Now eventually all TLS Secrets are created, and both Hubble and Relay are up.

tl;dr

I have no clue how to handle the fact that cert-manager needs the CNI to be initialized, but This PR invoke cert-manager's Certificate CRD creation (requiring cert-manager to be ready) when we install Cilium.

[seanmwinn]

To be sure the cilium containers can start prior to cert-manager deploying the certificates, its required that volume mounts that target those secrets are mounted as projected:

https://github.com/cilium/cilium/blob/master/install/kubernetes/cilium/templates/hubble-relay/deployment.yaml#L111-L121

[kaworu]

@dungdm93 thanks for addressing the suggestions. However, I think there is a fundamental problem here as we can't expect cert-manager to be functional without network, and thus the Certificate request will fail when we helm install Cilium. Additionally, cert-manager require to setup Issuer(s) as well, and in that sense it isn't an auto method.

Since there are many ways to setup cert-manager, I think the issue is primarily a documentation issue (we have #13590 to track it).

[dungdm93]

Hello @kaworu, it's not exactly chicken-and-egg problem.
In cilium-agent, hubble-server-certs volume defined as optional.

cilium/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml

Lines 575 to 587 in 1695d9c

	- name: hubble-tls
	projected:
	sources:
	- secret:
	name: hubble-server-certs
	optional: true
	items:
	- key: ca.crt
	path: client-ca.crt
	- key: tls.crt
	path: server.crt
	- key: tls.key
	path: server.key

So, cilium-agent can be start without TLS and the startup order will be following:

1. cilium-agent start
2. Nodes become Ready
3. cert-manager launch
4. certificates secret is created
5. secret automatically mount to cilium-agent without restart (may take a few minute delay)
6. other components like hubble, clustermesh start

Your above problem come from cert-manager webhook, not cilium or cert-manager it self.
There are several ways to overcome above issue:

• Option 1: Install cert-manager without Validation Webhook (you should use pure k8s manifests, cert-manager helm don't have option to disable webhook). You can also enable it later.
• Option 2: install cert-manager with webhook.hostNetwork=true
• Option 3: Install cilium without TLS first:
  1. helm install cilium without TLS
  2. helm install cert-manager
  3. waiting for node ready, and cert-manager available
  4. helm upgrade cilium with TLS

In the CI/CD environment, I think option 2 is most suitable.

[kaworu]

@dungdm93 Thank you for the explanation!

I feel like we still need to address #13590, as there are multiple non-trivial options. Would you mind updating the documentation in this PR?

[dungdm93]

Additionally, cert-manager require to setup Issuer(s) as well, and in that sense it isn't an auto method.

I don't think so, issuer is in cert-manager part, not cilium. And auto mean certificates is not create and manage, renew,... manually.

Would you mind updating the documentation in this PR?

Yes. Where should I update the document?

[kaworu]

Yes. Where should I update the document?

It is under the Documentation/ directory. You can make -C Documentation live-preview to see the changes you are making.

[seanmwinn]

Additionally, cert-manager require to setup Issuer(s) as well, and in that sense it isn't an auto method.

I don't think so, issuer is in cert-manager part, not cilium. And auto mean certificates is not create and manage, renew,... manually.

Would you mind updating the documentation in this PR?

Yes. Where should I update the document?

The user needs to create an issuer that can issue certificates with our cilium.io internal domain names along with the associated certificate requests. My clusters include the following:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cilium-ca
  namespace: kube-system
spec:
  ca:
    secretName: cilium-ca-cert

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cilium-ca-cert
  namespace: kube-system
spec:
  secretName: cilium-ca-cert
  dnsNames:
    - '*.cilium.io'
    - cilium.io
  keyAlgorithm: ecdsa
  keySize: 384
  isCA: true
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer

These are very specific to CIlium and not a part of cert-manager installation.

[dungdm93]

Hello @kaworu, I just update docs on Documentation/concepts/observability/hubble-configuration.rst. Could you please take a look

[dungdm93]

@seanmwinn actually, you don't need create a dedicated issuer for cilium.

For example in my org, we use a Vault issuer to manage all private certificates (not only for cilium) in multiple environments and clusters as well. And as I mention above, setup issuer should not be in scope of cilium.

[kaworu]

Thanks for updating the documentation @dungdm93! I have some comments but overall it's great.

[dungdm93]

@kaworu update as your suggestion

[kaworu]

Thank you @dungdm93! There is one missed but other than that LGTM.

Some warnings that need to be fixed from the deploy/netlify build:

12:34:33 PM: /opt/build/repo/Documentation/concepts/observability/hubble-configuration.rst:11: WARNING: Duplicate explicit target name: "cert-manager".
12:34:33 PM: /opt/build/repo/Documentation/concepts/observability/hubble-configuration.rst:114: WARNING: Enumerated list ends without a blank line; unexpected unindent.
12:34:33 PM: /opt/build/repo/Documentation/concepts/observability/hubble-configuration.rst:115: WARNING: Block quote ends without a blank line; unexpected unindent.

[gandro]

test-me-please

Job 'Cilium-PR-K8s-1.16-net-next' hit: #17437 (97.22% similarity)

[joestringer]

Sorry, I missed a couple of other minor formatting issues and I have one question about issuer.yaml below.

[joestringer]

For these ones, if you want to format them as a shell-session then you need to do:

Suggested change

	.. code-block:: bash
	# We assum cilium installed in kube-system namespace
	kubectl label namespace kube-system cert-manager.io/disable-validation=true
	helm install cert-manager ...
	kubectl apply -f issuer.yaml
	helm install cilium ...
	.. code-block:: shell-session
	$ # We assume cilium installed in kube-system namespace
	$ kubectl label namespace kube-system cert-manager.io/disable-validation=true
	$ helm install cert-manager ...
	$ kubectl apply -f issuer.yaml
	$ helm install cilium ...

[joestringer]

Also, looking at these snippets, I see issuer.yaml mentioned but I'm not sure where that comes from. How does the user generate issuer.yaml?

[dungdm93]

@joestringer I also add a note that where issuer.yaml is come from.

[joestringer]

LGTM, thanks!

[oblazek]

small nits :)

[kaworu]

test-me-please

Job 'Cilium-PR-K8s-1.19-kernel-5.4' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sDatapathConfig AutoDirectNodeRoutes Check connectivity with sockops and direct routing

Failure Output

FAIL: Error creating resource /home/jenkins/workspace/Cilium-PR-K8s-1.19-kernel-5.4/src/github.com/cilium/cilium/test/k8sT/manifests/l3-policy-demo.yaml: Cannot retrieve cilium pod cilium-mb6dk policy revision: cannot get revision from json output '': could not parse JSON from command "kubectl exec -n kube-system cilium-mb6dk -- cilium policy get -o json"

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-1.19-kernel-5.4 so I can create a new GitHub issue to track it.

Job 'Cilium-PR-K8s-1.16-net-next' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sChaosTest Connectivity demo application Endpoint can still connect while Cilium is not running

Failure Output

FAIL: DNS entry is not ready after timeout

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-1.16-net-next so I can create a new GitHub issue to track it.

[joestringer]

/test

[joestringer]

test-1.16-net-next run hit #14598.
test-1.19-5.4 run hit #16852.
BPF checks don't like empty commit content and would prefer an explanation, but that's fine to ignore.

CI 3.0 runs didn't trigger for some reason, retriggering manually.

[joestringer]

/ci-gke

[joestringer]

/ci-eks

[joestringer]

/ci-aks

[joestringer]

/ci-awscni

[joestringer]

test-1.16-netnext job hit what looks like #17401, should be fixed recently in the master tree.
test-1.19-5.4 job hit #16852 .

Checkpatch warnings don't need to be addressed.

All reviews are in.

Ready to merge.

[dungdm93]

Thanks @joestringer