Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Permissive mTLS: Config entry filtering and CLI warnings [OSS] #17183

Merged
merged 6 commits into from
Apr 28, 2023
Merged

Permissive mTLS: Config entry filtering and CLI warnings [OSS] #17183

merged 6 commits into from
Apr 28, 2023

Conversation

pglass
Copy link

@pglass pglass commented Apr 28, 2023

Description

This adds filtering for service-defaults: consul config list -filter 'MutualTLSMode == "permissive"'.

It adds CLI warnings when the CLI writes a config entry and sees that either service-defaults or proxy-defaults contains MutualTLSMode=permissive, or sees that the mesh config entry contains AllowEnablingPermissiveMutualTLSMode=true.

Testing & Reproduction steps

  • consul agent -dev
  • Then run the follow script:
Example script 
echo
echo ">>> Write mesh config entry"
cat <<-EOF | consul config write -
Kind = "mesh"

AllowEnablingPermissiveMutualTLS = true
EOF

echo
echo ">>> Write proxy-defaults config entry"
cat <<-EOF | consul config write -
Kind = "proxy-defaults"
Name = "global"

mutual_tls_mode = "permissive"
EOF

echo
echo ">>> Write service-defaults config entry"
cat <<-EOF | consul config write -
Kind = "service-defaults"
Name = "web"

MutualTLSMode = "permissive"
EOF

Output

>>> Write mesh config entry
Config entry written: mesh/mesh
WARNING: AllowEnablingPermissiveMutualTLS=true allows insecure MutualTLSMode=permissive configurations in the proxy-defaults and service-defaults config entries. You can set AllowEnablingPermissiveMutualTLS=false at any time to disallow additional permissive configurations. To list services in permissive mode, run `consul config list -kind service-defaults -filter 'MutualTLSMode = "permissive"'`.

>>> Write proxy-defaults config entry
Config entry written: proxy-defaults/global
WARNING: MutualTLSMode=permissive is insecure. To keep your services secure, set MutualTLSMode to `strict` whenever possible and override with service-defaults only if necessary. To check which service-defaults are currently in permissive mode, run `consul config list -kind service-defaults -filter 'MutualTLSMode = "permissive"'`.

>>> Write service-defaults config entry
Config entry written: service-defaults/web
WARNING: MutualTLSMode=permissive is insecure. Set to `strict` when your service no longer needs to accept non-mTLS traffic. Check `tcp.permissive_public_listener` metrics in Envoy for non-mTLS traffic. Refer to Consul documentation for more information.

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

@pglass pglass requested review from johnlanda and cthain April 28, 2023 17:16
@github-actions github-actions bot added the theme/cli Flags and documentation for the CLI interface label Apr 28, 2023
cthain
cthain approved these changes Apr 28, 2023
View reviewed changes
Copy link
Contributor

@cthain cthain left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@pglass pglass merged commit e4a341c into main Apr 28, 2023
@pglass pglass deleted the pglass/NET-3684/config-entry-filtering-oss branch April 28, 2023 17:51
@pglass pglass mentioned this pull request May 15, 2023
Merged
4 tasks
@hc-github-team-consul-core hc-github-team-consul-core mentioned this pull request Jun 12, 2023
Merged
4 tasks
@p-linnane p-linnane mentioned this pull request Jun 27, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cthain cthain cthain approved these changes

@johnlanda johnlanda johnlanda approved these changes

Assignees
No one assigned
Labels
pr/no-backport pr/no-metrics-test theme/cli Flags and documentation for the CLI interface
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pglass @johnlanda @cthain