
gateway-api: Cross namespace TLS certificateRefs does not work #36075

Closed
Tracked by #199
nak3 opened this issue Nov 14, 2021 · 1 comment · Fixed by #36177
nak3 commented Nov 14, 2021

Bug Description

  • When a Gateway is created with cross-namespace certificateRefs, HTTPRoute does not work.

Steps to reproduce the issue

1. Deploy Istio, httpbin and the secret

$ istioctl install -y --set values.gateways.istio-ingressgateway.type=NodePort
$ kubectl apply -f samples/httpbin/httpbin.yaml
$ kubectl get secret -n istio-system  wildcard-example-com-cert
NAME                        TYPE                DATA   AGE
wildcard-example-com-cert   kubernetes.io/tls   2      12s

2. Deploy Gateway, GatewayClass and HTTPRoute (without cross namespace cert)

kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: GatewayClass
metadata:
  name: istio
spec:
  controllerName: istio.io/gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  name: knative-gateway
  namespace: istio-system
spec:
  addresses:
  - type: Hostname
    value: istio-ingressgateway
  gatewayClassName: istio
  listeners:
  - allowedRoutes:
      namespaces:
        from: All
    name: default
    port: 80
    protocol: HTTP
  - allowedRoutes:
      namespaces:
        from: All
    name: https
    port: 443
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: wildcard-example-com-cert
        namespace: istio-system
      mode: Terminate
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: http
  namespace: default
spec:
  hostnames:
  - httpbin.example.com
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: knative-gateway
    namespace: istio-system
    sectionName: https
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: httpbin
      port: 8000
      weight: 1
    filters:
    - requestHeaderModifier:
        add:
        - name: my-added-header
          value: added-value
      type: RequestHeaderModifier
    matches:
    - path:
        type: PathPrefix
        value: /get
EOF

This deployment (without the cross-namespace cert) works fine:

$ curl -sI -k https://httpbin.example.com:32434/get
HTTP/2 200
server: istio-envoy
date: Sun, 14 Nov 2021 11:58:03 GMT
content-type: application/json
content-length: 1826
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 1

3. Deploy ReferencePolicy and secret, and use a cross-namespace cert

Set certificateRefs to namespace: default.

    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: wildcard-example-com-cert
        namespace: default
      mode: Terminate

Deploy ReferencePolicy and secret.

kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: ReferencePolicy
metadata:
  name: allow-gateways-to-ref-secrets
  namespace: default
spec:
  from:
  - group: gateway.networking.k8s.io
    kind: Gateway
    namespace: istio-system
  to:
  - group: ""
    kind: Secret
EOF
$ kubectl get secret -n default  wildcard-example-com-cert
NAME                        TYPE                DATA   AGE
wildcard-example-com-cert   kubernetes.io/tls   2      163m

After a few minutes, it stops working.

$ curl -sI -v -k https://httpbin.example.com:32434/get
*   Trying 172.20.0.2:32434...
* Connected to httpbin.example.com (172.20.0.2) port 32434 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to httpbin.example.com:32434 
* Closing connection 0

Version

$ istioctl version
client version: 1.13-alpha.8aea949750d59a51b322d36ec7cac2c60cea5ac8
control plane version: 1.13-alpha.8aea949750d59a51b322d36ec7cac2c60cea5ac8
data plane version: 1.13-alpha.8aea949750d59a51b322d36ec7cac2c60cea5ac8 (1 proxies)

$ kubectl version --short
Client Version: v1.21.4
Server Version: v1.22.0

$ kubectl api-resources |grep gateway
gatewayclasses                    gc              gateway.networking.k8s.io/v1alpha2          false        GatewayClass
gateways                          gtw             gateway.networking.k8s.io/v1alpha2          true         Gateway
httproutes                                        gateway.networking.k8s.io/v1alpha2          true         HTTPRoute
referencepolicies                 refpol          gateway.networking.k8s.io/v1alpha2          true         ReferencePolicy
tcproutes                                         gateway.networking.k8s.io/v1alpha2          true         TCPRoute
tlsroutes                                         gateway.networking.k8s.io/v1alpha2          true         TLSRoute
udproutes                                         gateway.networking.k8s.io/v1alpha2          true         UDPRoute
gateways                          gw              networking.istio.io/v1beta1                 true         Gateway

Additional Information

No response
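The security-relevant rule behind this report is that a Gateway may only terminate TLS with a Secret from another namespace when a ReferencePolicy in the Secret's namespace explicitly grants it; otherwise any Gateway could read TLS private keys from arbitrary namespaces. The following is an added example, not code from this issue or from Istio, that re-implements that check in Python over constructed resource dicts mirroring the Gateway and ReferencePolicy above. It also handles an optional `to.name` on the policy (a name-pinned grant), so a policy that names a different Secret does not grant the reference.

```python
# Added example, not from the issue or Istio: validates Gateway certificateRefs
# against ReferencePolicy objects the way a conforming controller must.
from dataclasses import dataclass

GATEWAY_GROUP = "gateway.networking.k8s.io"


@dataclass(frozen=True)
class SecretRef:
    group: str
    kind: str
    name: str
    namespace: str


def policy_grants(policy: dict, gateway_ns: str, ref: SecretRef) -> bool:
    """True if this ReferencePolicy lets a Gateway in gateway_ns use ref.

    The policy must live in the Secret's namespace, one 'from' entry must match
    the Gateway's group/kind/namespace, and one 'to' entry must match the
    Secret's group/kind; a 'to' entry that sets 'name' grants only that Secret.
    """
    if policy["metadata"]["namespace"] != ref.namespace:
        return False
    from_ok = any(
        f.get("group") == GATEWAY_GROUP
        and f.get("kind") == "Gateway"
        and f.get("namespace") == gateway_ns
        for f in policy["spec"].get("from", [])
    )
    to_ok = any(
        t.get("group", "") == ref.group
        and t.get("kind") == ref.kind
        and t.get("name") in (None, ref.name)
        for t in policy["spec"].get("to", [])
    )
    return from_ok and to_ok


def check_certificate_refs(gateway: dict, policies: list) -> dict:
    """Map 'listener/namespace/secret' -> 'same-namespace', 'granted' or 'denied'."""
    gw_ns = gateway["metadata"]["namespace"]
    verdicts = {}
    for listener in gateway["spec"]["listeners"]:
        for raw in (listener.get("tls") or {}).get("certificateRefs", []):
            ref = SecretRef(
                group=raw.get("group", ""),
                kind=raw.get("kind", "Secret"),
                name=raw["name"],
                namespace=raw.get("namespace") or gw_ns,  # omitted = Gateway's own ns
            )
            key = f"{listener['name']}/{ref.namespace}/{ref.name}"
            if ref.namespace == gw_ns:
                verdicts[key] = "same-namespace"
            elif any(policy_grants(p, gw_ns, ref) for p in policies):
                verdicts[key] = "granted"
            else:
                verdicts[key] = "denied"
    return verdicts


def make_gateway(cert_namespace: str) -> dict:
    """Constructed Gateway shaped like the issue's, with one HTTP and one HTTPS listener."""
    return {
        "metadata": {"name": "knative-gateway", "namespace": "istio-system"},
        "spec": {"listeners": [
            {"name": "default", "port": 80, "protocol": "HTTP"},
            {"name": "https", "port": 443, "protocol": "HTTPS", "tls": {
                "mode": "Terminate",
                "certificateRefs": [{"group": "", "kind": "Secret",
                                     "name": "wildcard-example-com-cert",
                                     "namespace": cert_namespace}],
            }},
        ]},
    }


# Constructed ReferencePolicy matching the one in the issue (any Secret in default).
ALLOW_GATEWAYS_TO_REF_SECRETS = {
    "metadata": {"name": "allow-gateways-to-ref-secrets", "namespace": "default"},
    "spec": {
        "from": [{"group": GATEWAY_GROUP, "kind": "Gateway", "namespace": "istio-system"}],
        "to": [{"group": "", "kind": "Secret"}],
    },
}

# Constructed name-pinned policy for a different Secret; must not grant the ref.
ALLOW_ONLY_OTHER_CERT = {
    "metadata": {"name": "allow-other-cert", "namespace": "default"},
    "spec": {
        "from": [{"group": GATEWAY_GROUP, "kind": "Gateway", "namespace": "istio-system"}],
        "to": [{"group": "", "kind": "Secret", "name": "other-cert"}],
    },
}

if __name__ == "__main__":
    for label, policies in [("no policy", []),
                            ("issue's policy", [ALLOW_GATEWAYS_TO_REF_SECRETS]),
                            ("name-pinned policy", [ALLOW_ONLY_OTHER_CERT])]:
        print(label, check_certificate_refs(make_gateway("default"), policies))
    print("same namespace", check_certificate_refs(make_gateway("istio-system"), []))
```

Run as a script, it prints a verdict per listener/secret pair: the same-namespace case from step 2 needs no policy, the cross-namespace case from step 3 is denied until the ReferencePolicy exists and granted once it does, and a policy pinned to another Secret's name still denies it.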

@howardjohn howardjohn self-assigned this Nov 19, 2021
howardjohn added a commit to howardjohn/istio that referenced this issue Nov 20, 2021
* Fix istio#36075
* Support to.Name
* Properly update PushContext on change
@howardjohn
thanks! sent a fix

istio-testing pushed a commit that referenced this issue Dec 7, 2021
* Fix #36075
* Support to.Name
* Properly update PushContext on change