-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[istio.io testing] Need test for Provisioning Identity through SDS #6575
Comments
I'll take this one. |
Thanks @su225 |
@su225 Have you started working on this. I would like to help here (or just follow along if you don't want help) |
@Pawan-Bishnoi - Yes. I have started working on this. There are lots of [istio.io testing] issues here. You can pick any of them and start working. |
@brian-avery - Some issues regarding environment setup for SDS. I'm blocked. I dug through a lot, but keep finding new feature gates to enable. I found 4 so far. So any clue how to fix this one? This is blocking my way. Here is what I did so far func enableSDSIdProvisioning(cfg *istio.Config) {
if cfg == nil {
return
}
cfg.Values["global.sds.enabled"] = "true"
cfg.Values["global.sds.udsPath"] = "unix:/var/run/sds/uds_path"
cfg.Values["global.sds.token.aud"] = "istio-ca"
cfg.Values["global.mtls.enabled"] = "true"
cfg.Values["nodeagent.enabled"] = "true"
cfg.Values["nodeagent.image"] = "node-agent-k8s"
cfg.Values["nodeagent.env.CA_PROVIDER"] = "Citadel"
cfg.Values["nodeagent.env.CA_ADDR"] = "istio-citadel.istio-system:8060"
cfg.Values["nodeagent.env.VALID_TOKEN"] = "true"
cfg.Values["security.components.nodeAgent.enabled"] = "true"
} Pilot, Ingress-gateway and others were stuck in
Even before that it complained that TokenEndpoint feature gate was not enabled. So i enabled them by passing kube-apiserver
--advertise-address=192.168.0.122
--allow-privileged=true
--authorization-mode=Node,RBAC
--client-ca-file=/var/lib/minikube/certs/ca.crt
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
--enable-bootstrap-token-auth=true
--etcd-cafile=/var/lib/minikube/certs/etcd/ca.crt
--etcd-certfile=/var/lib/minikube/certs/apiserver-etcd-client.crt
--etcd-keyfile=/var/lib/minikube/certs/apiserver-etcd-client.key
--etcd-servers=https://127.0.0.1:2379
+ --feature-gates=TokenRequest=true,TokenRequestProjection=true
--insecure-port=0
--kubelet-client-certificate=/var/lib/minikube/certs/apiserver-kubelet-client.crt
--kubelet-client-key=/var/lib/minikube/certs/apiserver-kubelet-client.key
--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
--proxy-client-cert-file=/var/lib/minikube/certs/front-proxy-client.crt
--proxy-client-key-file=/var/lib/minikube/certs/front-proxy-client.key
--requestheader-allowed-names=front-proxy-client
--requestheader-client-ca-file=/var/lib/minikube/certs/front-proxy-ca.crt
--requestheader-extra-headers-prefix=X-Remote-Extra-
--requestheader-group-headers=X-Remote-Group
--requestheader-username-headers=X-Remote-User
--secure-port=8443
--service-account-key-file=/var/lib/minikube/certs/sa.pub
--service-cluster-ip-range=10.96.0.0/12
--tls-cert-file=/var/lib/minikube/certs/apiserver.crt
--tls-private-key-file=/var/lib/minikube/certs/apiserver.key I then started examining the secret on which projection is being done. An example JWT looks like this {
"alg": "RS256",
"kid": "yo-oRLZMTR6xrPyE8cFCuAiMiSVwssAgiF6YbgRAs2M"
}
{
"iss": "kubernetes/serviceaccount",
"kubernetes.io/serviceaccount/namespace": "istio-system",
"kubernetes.io/serviceaccount/secret.name": "istio-pilot-service-account-token-stxdp",
"kubernetes.io/serviceaccount/service-account.name": "istio-pilot-service-account",
"kubernetes.io/serviceaccount/service-account.uid": "ce257494-652f-4f04-b4ac-e85dffc9a66e",
"sub": "system:serviceaccount:istio-system:istio-pilot-service-account"
} It does not look like what the projection YAML expects But the projection YAML for pilot looks like this - name: istio-token
projected:
sources:
- serviceAccountToken:
audience: istio-ca
expirationSeconds: 43200
path: istio-token So I started digging into "service account token projection" and Google took me to Kubernetes documentation page here To summarize, it mentions one more feature gate called
There is yet another link to Istio blog titled Change in Secret Discovery Service in Istio 1.3 which talks about introducing audience fields to JWT tokens to limit its scope. I see that this is biting me. While digging further in that blog, I ran into another feature gate named |
Ah! Found something here - https://github.com/istio/istio/blob/master/prow/config/trustworthy-jwt.yaml |
Finally it worked. I had to add the following extra configuration to Minikube to make it work --extra-config=apiserver.service-account-signing-key-file="/var/lib/minikube/certs/sa.key" \
--extra-config=apiserver.service-account-issuer="kubernetes.default.svc" \
--extra-config=kubelet.resolv-conf="/run/systemd/resolve/resolv.conf" I guess for most people only the first two are relevant. My CoreDNS was stuck in forwarding loop and hence the third one. My bad! Never knew that the fix is easy. 🤦♂️ |
@brian-avery - It seems that the link is broken. I checked in https://preliminary.istio.io/docs/tasks/security/ and it does not seem to exist. I heard that SDS is enabled by default in after Istio moved to using Operators instead of Helm charts. Is that correct? By the way, if this issue is outdated, can we close it? |
It looks like this was removed Friday as part of #6644. Unfortunately, I don't think this test is needed anymore and that this issue should be closed. |
Describe the feature request
We need to develop a test for the Provisioning Identity through SDS task in order to provide automated testing of the Istio.io website for future releases.
Example tests and the documentation for the framework can be found here: https://github.com/istio/istio/tree/master/tests/integration/istioio
A YouTube video describing the usage of the framework can be found here: https://www.youtube.com/watch?v=3y-z8NaVwr0
Please reach out to the Test and Release channel on the Istio Slack or Test and Release Discuss with any questions.
[ ] Configuration Infrastructure
[ x] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ x] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Additional context
The text was updated successfully, but these errors were encountered: