Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ingress/model: Support multiple certs based on SNI #22671

Merged
merged 1 commit into from
Jan 18, 2023
Merged

ingress/model: Support multiple certs based on SNI #22671

merged 1 commit into from
Jan 18, 2023

Conversation

sayboras
Copy link
Member

@sayboras sayboras commented Dec 11, 2022
edited

Description

As per cert-selection docs, only the first certificate listed is used, this causes the bug in which the wrong certs are used in either Ingress or Gateway API.

This commit is to add serverNames, which are having values same as host name, in TLS filter chain.

Fixes: #22668

Reported-by: Nikhil Jha hi@nikhiljha.com
Signed-off-by: Tam Mach tam.mach@cilium.io

ingress/model: Support multiple certs based on SNI

Testing

Testing was done before and after changes with below manifest

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
  namespace: default
spec:
  ingressClassName: cilium
  rules:
  - host: hipstershop.cilium.rocks
    http:
      paths:
      - backend:
          service:
            name: details
            port:
              number: 9080
        path: /details
        pathType: Prefix
  - host: bookinfo.tam.rocks
    http:
      paths:
      - backend:
          service:
            name: productpage
            port:
              number: 9080
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - hipstershop.cilium.rocks
    secretName: demo-cert
  - hosts:
    - bookinfo.tam.rocks
    secretName: demo-tam-cert
Before 
# Error in cilium agent
2022-12-11T11:08:45.476453454Z level=warning msg="Failed to update CiliumEnvoyConfig" ciliumEnvoyConfigName=cilium-ingress error="NACK received: Error adding/updating listener(s) kube-system/cilium-ingress/listener: Failed to load certificate chain from <inline>, at most one certificate of a given type may be specified\n" k8sApiVersion= k8sNamespace=kube-system k8sUID=74722a46-0962-4cf9-9983-06501a9fa0d0 subsys=k8s-watcher

# Generated cilium envoy configuration
...
      transportSocket:
        name: envoy.transport_sockets.tls
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          commonTlsContext:
            tlsCertificateSdsSecretConfigs:
            - name: cilium-secrets/default-demo-tam-cert
              sdsConfig:
                apiConfigSource:
                  apiType: GRPC
                  grpcServices:
                  - envoyGrpc:
                      clusterName: xds-grpc-cilium
                  transportApiVersion: V3
                resourceApiVersion: V3
            - name: cilium-secrets/default-demo-cert
              sdsConfig:
                apiConfigSource:
                  apiType: GRPC
                  grpcServices:
                  - envoyGrpc:
                      clusterName: xds-grpc-cilium
                  transportApiVersion: V3
                resourceApiVersion: V3
...
After 
...
# Generated Cilium Envoy config
    - filterChainMatch:
        serverNames:
        - bookinfo.tam.rocks
        transportProtocol: tls
      filters:
      - name: envoy.filters.network.http_connection_manager
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          httpFilters:
          - name: envoy.filters.http.router
          rds:
            routeConfigName: listener-secure
          statPrefix: listener-secure
          upgradeConfigs:
          - upgradeType: websocket
      transportSocket:
        name: envoy.transport_sockets.tls
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          commonTlsContext:
            tlsCertificateSdsSecretConfigs:
            - name: cilium-secrets/default-demo-tam-cert
              sdsConfig:
                apiConfigSource:
                  apiType: GRPC
                  grpcServices:
                  - envoyGrpc:
                      clusterName: xds-grpc-cilium
                  transportApiVersion: V3
                resourceApiVersion: V3
    - filterChainMatch:
        serverNames:
        - hipstershop.cilium.rocks
        transportProtocol: tls
      filters:
      - name: envoy.filters.network.http_connection_manager
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          httpFilters:
          - name: envoy.filters.http.router
          rds:
            routeConfigName: listener-secure
          statPrefix: listener-secure
          upgradeConfigs:
          - upgradeType: websocket
      transportSocket:
        name: envoy.transport_sockets.tls
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          commonTlsContext:
            tlsCertificateSdsSecretConfigs:
            - name: cilium-secrets/default-demo-cert
              sdsConfig:
                apiConfigSource:
                  apiType: GRPC
                  grpcServices:
                  - envoyGrpc:
                      clusterName: xds-grpc-cilium
                  transportApiVersion: V3
                resourceApiVersion: V3
...


$ curl -s --cacert minica.pem https://hipstershop.cilium.rocks/details/1
{"id":1,"author":"William Shakespeare","year":1595,"type":"paperback","pages":200,"publisher":"PublisherA","language":"English","ISBN-10":"1234567890","ISBN-13":"123-1234567890"}

$ curl -s --cacert minica.pem https://bookinfo.tam.rocks                
<!DOCTYPE html>
<html>
  <head>
    <title>Simple Bookstore App</title>
...

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Dec 11, 2022
@sayboras sayboras added the release-note/bug This PR fixes an issue in a previous release of Cilium. label Dec 11, 2022
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Dec 11, 2022
@sayboras sayboras added the needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch label Dec 11, 2022
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.13.0-rc4 Dec 11, 2022
@sayboras sayboras force-pushed the tam/multiple-certs branch 2 times, most recently from b1a934e to d2fdc72 Compare December 11, 2022 11:32
@sayboras sayboras added kind/community-report This was reported by a user in the Cilium community, eg via Slack. area/servicemesh GH issues or PRs regarding servicemesh labels Dec 11, 2022
@nikhiljha
Copy link
Contributor

We're now running this commit (in production lol)-- appears to work :)

Thanks @sayboras !

@sayboras
Copy link
Member Author

We're now running this commit (in production lol)-- appears to work :)

Thanks a lot for your issue, as well as the effort in testing the change. This got overlooked as part of another work item in #19698.

Support multiple TLSs in envoy downstream context, see #18867 (comment).

@sayboras sayboras mentioned this pull request Dec 11, 2022
Closed
12 tasks
@sayboras
Copy link
Member Author

/test

@sayboras sayboras added the release-blocker/1.13 This issue will prevent the release of the next version of Cilium. label Dec 11, 2022
@youngnick youngnick self-requested a review December 12, 2022 05:09
@sayboras sayboras marked this pull request as ready for review December 12, 2022 05:44
@sayboras sayboras requested a review from a team as a code owner December 12, 2022 05:44
@tklauser
Copy link
Member

I got assigned to review this on behalf of @cilium/operator. The change itself (and the package it touches) looks servicemesh-specific, so I've sent #22683 such that these kinds of changes get reviewed by @cilium/sig-servicemesh in the future as well.

@sayboras sayboras requested a review from a team December 12, 2022 11:57
@christarazi christarazi removed the kind/community-report This was reported by a user in the Cilium community, eg via Slack. label Dec 13, 2022
@joestringer joestringer added this to Needs backport from master in 1.13.0-rc5 Dec 22, 2022
@joestringer joestringer removed this from Needs backport from master in 1.13.0-rc4 Dec 22, 2022
@sayboras
Copy link
Member Author

sayboras commented Jan 6, 2023

/test

pippolo84
pippolo84 approved these changes Jan 10, 2023
View reviewed changes
Copy link
Member

@pippolo84 pippolo84 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a comment inline regarding the unit test.
Apart from that, LGTM 🚀

operator/pkg/model/translation/envoy_listener_test.go
Comment on lines +72 to +74
sort.Slice(downStreamTLS.CommonTlsContext.TlsCertificateSdsSecretConfigs, func(i, j int) bool {
return downStreamTLS.CommonTlsContext.TlsCertificateSdsSecretConfigs[i].Name < downStreamTLS.CommonTlsContext.TlsCertificateSdsSecretConfigs[j].Name
})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we have just one config at a time, we can avoid the sorting here and at line 63.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good point, let me clean this up in subsequent PR, just to avoid re-run all tests.

@sayboras
ingress/model: Support multiple cert based on SNI
210dd34 
As per [cert-selection] docs, only the first certificate listed is used,
this causes the bug in which the wrong certs are used in either Ingress
or Gateway API.

This commit is to add serverNames, which are having values same as host
name, in TLS filter chain.

[cert-selection]: https://github.com/envoyproxy/envoy/blob/main/docs/root/intro/arch_overview/security/ssl.rst#certificate-selection

Relates: cilium#22668

Reported-by: Nikhil Jha <hi@nikhiljha.com>
Signed-off-by: Tam Mach <tam.mach@cilium.io>
@joestringer
Copy link
Member

joestringer commented Jan 16, 2023
edited by maintainer-s-little-helper bot

/test

Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed:

Click to show.

Test Name

K8sDatapathConfig Host firewall With VXLAN

Failure Output

FAIL: Failed to reach 192.168.56.11:80 from testserver-host-jx9pp

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.24-kernel-5.4 so I can create one.

@joestringer
Copy link
Member

codeowners for this PR seem to include @cilium/operator , but the code itself doesn't look very relevant to that code owner. Perhaps we could drop that codeowner from these files. For this particular PR, I'm OK to accept the change with just servicemesh review (which was already provided by Fabio above, thanks!)

@sayboras
Copy link
Member Author

/test-1.24-5.4

@sayboras
Copy link
Member Author

/test-1.26-net-next

@sayboras
Copy link
Member Author

/test-runtime

@joestringer
Copy link
Member

Per Slack, the previous failures were:

Tam, if you re-run tests, please provide an explanation like the above that demonstrates why the PR is not at cause for the failures. We have had too many cases recently where we've merged PRs that have blatant issues in them, because PR authors have not triaged the issues and we've ignored the CI in order to merge the PRs.

@joestringer
Copy link
Member

I've taken a stab at one step forward on #15455, at least some further investigation. It looks like #22750 has recent activity pushing the issue forwards, so I'm not as worried about that one. I'm not sure where to look to improve the reliability of the "provisioning error" cases but if it comes up more frequently then we should spent some time looking deeper into it.

Given that this is a bugfix and a release-blocker, I'll merge this now.

@joestringer joestringer merged commit 253e826 into cilium:master Jan 18, 2023
@sayboras sayboras deleted the tam/multiple-certs branch January 18, 2023 10:47
@aanm aanm mentioned this pull request Jan 23, 2023
Merged
19 tasks
@aanm aanm added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Jan 23, 2023
@joestringer joestringer moved this from Needs backport from master to Backport done to v1.13 in 1.13.0-rc5 Jan 24, 2023
@joestringer joestringer mentioned this pull request Jan 24, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pippolo84 pippolo84 pippolo84 approved these changes

@youngnick youngnick Awaiting requested review from youngnick

@tklauser tklauser Awaiting requested review from tklauser tklauser was automatically assigned from cilium/operator

Assignees

@sayboras sayboras

Labels
area/servicemesh GH issues or PRs regarding servicemesh backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. release-blocker/1.13 This issue will prevent the release of the next version of Cilium. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
No open projects
1.13.0-rc5
Backport done to v1.13
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ingress: generated envoy config for TLS is incorrect
7 participants
@sayboras @nikhiljha @tklauser @joestringer @pippolo84 @christarazi @aanm