Add Support to for providing TLS certificates for Ingress listeners from an SDS source #10903

banks · 2021-08-24T16:00:18Z

This builds on #10613.

This PR adds a new low-level feature for Ingress Gateways. It allows operators to specify an external Envoy SDS (Secret Discovery Service) Service and allows loading TLS certificates for listeners.

The PR commits logically work through each package/area that needed updates with relevant tests so may be a cleaner way to view the diff.

Documentation still to-do but the intended usage is as shown in the integration test:

Operator registers the Ingress service with one or more custom static cluster sin bootstrap using the Proxy.Config.envoy_extra_static_clusters_json configuration. This static cluster specifies how to connect to the SDS service(s) and takes care of authenticating the ingress to that SDS service however the SDS integration requires.
The operator can then use new config fields in the ingress-gateway Config Entry to specify which SDS certificate resource names to load (from which clusters) for the whole gateway, each listener or per service.

TODO Before

This is ready for review as it is I think as the code is all here. There are several additional bits that I will either do in this PR or a follow up before this is released:

Changelog entry
api package updates for Config Entry

TODO In later PR

Document the new options in Ingress Gateway Config Entry
Document how to use SDS end-to-end (as an "Advanced Topic")
- I don't think we need a Learn guide here because this is low-level only really needed for folks that want to build a custom integration with an SDS service. We will later provide an opinionated way to do this that will hide all these details from end-users.

banks · 2021-08-25T12:02:59Z

agent/xds/listeners.go

+	// Return a specific route for this service as it needs a custom FilterChain
+	// to serve it's custom cert so we should attach it's routes to a separate
+	// Route too.
+	return fmt.Sprintf("%s_%s", key.RouteName(), s.ToServiceName().ToServiceID().String()), nil


TODO:

This causes conflicts in Ent tests because it means that the default ns service web has a route named web in OSS but default/default/web in Ent. causing all golden files to conflict. This probably needs to follow the same logic structs.Upstream.Identifier which omits default values to keep the identifiers consistent between OSS and Ent. Shame we can't easily re-use that method from here with the types available.

Fixed in later commit.

hashicorp-cla · 2021-08-25T14:40:22Z

All committers have signed the CLA.

banks · 2021-09-13T12:36:50Z

Updated with fixes from Enterprise version.

…ot a mounted path

…tegration that doesn't support v2

rboyer

LGTM

hc-github-team-consul-core · 2021-09-23T15:20:14Z

🍒 If backport labels were added before merging, cherry-picking will start automatically.

To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/455247.

banks added type/enhancement Proposed improvement or new feature theme/ingress-gw Track ingress work labels Aug 24, 2021

github-actions bot added the theme/envoy/xds Related to Envoy support label Aug 24, 2021

banks commented Aug 25, 2021

View reviewed changes

banks force-pushed the feature/ingress-sds branch from 1e48690 to 314138d Compare August 25, 2021 14:40

vercel bot temporarily deployed to Preview – consul August 25, 2021 14:40 Inactive

vercel bot temporarily deployed to Preview – consul-ui-staging August 25, 2021 14:40 Inactive

banks force-pushed the feature/mesh-header-manip branch 3 times, most recently from ab93459 to ef64924 Compare August 27, 2021 21:34

banks force-pushed the feature/mesh-header-manip branch from ef64924 to b38e84d Compare September 10, 2021 20:14

Base automatically changed from feature/mesh-header-manip to main September 10, 2021 20:40

banks force-pushed the feature/ingress-sds branch from 314138d to 35de5cf Compare September 13, 2021 12:36

vercel bot temporarily deployed to Preview – consul September 13, 2021 12:36 Inactive

vercel bot temporarily deployed to Preview – consul-ui-staging September 13, 2021 12:36 Inactive

banks force-pushed the feature/ingress-sds branch from 35de5cf to 2c3ebe6 Compare September 14, 2021 15:04

vercel bot temporarily deployed to Preview – consul September 14, 2021 15:04 Inactive

vercel bot temporarily deployed to Preview – consul-ui-staging September 14, 2021 15:04 Inactive

banks added 10 commits September 23, 2021 10:08

Add ingress-gateway config for SDS

4e39f03

Update proxycfg to hold more ingress config state

ccbda0c

Update xDS Listeners with SDS support

16b3b1c

Update xDS routes to support ingress services with different TLS config

2a3d3d3

Add basic integration test for Envoy ingress with SDS

cd8ad00

Handle namespaces in route names correctly; add tests for enterprise

659321d

Remove unused argument to fix lint error

9fa60c7

Add changelog; Add API package support for new fields.

b5345ea

Fix some more Enterprise Normalization issues affecting tests

2281d88

Fix integration test for older Envoy versions

843079f

banks added 11 commits September 23, 2021 10:12

Fix integration tests in CI - serve SDS certs from the Docker image n…

e01c358

…ot a mounted path

Allow skipping v2 compat tests for SDS as it's only the SDS server in…

2b755d7

…tegration that doesn't support v2

Fix merge conflict in xds tests

a9119e3

Revert abandonned changes to proxycfg for Ent test consistency

20d0bf8

Minor PR typo and cleanup fixes

136928a

Refactor Ingress-specific lister code to separate file

5cfd030

Refactor SDS validation to make it more contained and readable

07f8199

Fix subtle loop bug and add test

70bc89b

Minor improvements to SDS server from review

ab27214

Add Envoy integration test for split-route SDS case

e0efb42

Final readability tweaks from review

7b4cbe3

banks force-pushed the feature/ingress-sds branch from 2c3ebe6 to 7b4cbe3 Compare September 23, 2021 10:31

vercel bot temporarily deployed to Preview – consul September 23, 2021 10:31 Inactive

vercel bot temporarily deployed to Preview – consul-ui-staging September 23, 2021 10:31 Inactive

kisunji approved these changes Sep 23, 2021

View reviewed changes

rboyer approved these changes Sep 23, 2021

View reviewed changes

banks merged commit 1ecec84 into main Sep 23, 2021

banks deleted the feature/ingress-sds branch September 23, 2021 15:19

This was referenced Sep 28, 2021

Add support for enabling connect-based ingress TLS per listener. #11163

Merged

Document SDS for ingress gateways #11164

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add Support to for providing TLS certificates for Ingress listeners from an SDS source #10903

Add Support to for providing TLS certificates for Ingress listeners from an SDS source #10903

banks commented Aug 24, 2021 •

edited

Loading

banks Aug 25, 2021 •

edited

Loading

banks Aug 25, 2021

hashicorp-cla commented Aug 25, 2021 •

edited

Loading

banks commented Sep 13, 2021

rboyer left a comment

hc-github-team-consul-core commented Sep 23, 2021

Add Support to for providing TLS certificates for Ingress listeners from an SDS source #10903

Add Support to for providing TLS certificates for Ingress listeners from an SDS source #10903

Conversation

banks commented Aug 24, 2021 • edited Loading

TODO Before

TODO In later PR

banks Aug 25, 2021 • edited Loading

Choose a reason for hiding this comment

banks Aug 25, 2021

Choose a reason for hiding this comment

hashicorp-cla commented Aug 25, 2021 • edited Loading

banks commented Sep 13, 2021

rboyer left a comment

Choose a reason for hiding this comment

hc-github-team-consul-core commented Sep 23, 2021

banks commented Aug 24, 2021 •

edited

Loading

banks Aug 25, 2021 •

edited

Loading

hashicorp-cla commented Aug 25, 2021 •

edited

Loading