draft: support passing Secret source over MCP

[doujiang24]

It's a draft for #40325 , and using k8s core.v1.Secret according to @howardjohn 's suggestion.

TODO:

1. need to authorize secret resources, simply skip for now, since the current authorize way depends on k8s, but the original intention is to bypass k8s; I haven't figured out a way for it yet.
2. tests and doc.

@howardjohn @hzxuzhonghu Could you please take a look? Just want to make sure it's in the right direction.
Any feedbacks are welcome, thanks!

[istio-policy-bot]

😊 Welcome @doujiang24! This is either your first contribution to the Istio istio repo, or it's been
awhile since you've been here.

You can learn more about the Istio working groups, code of conduct, and contributing guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

[istio-testing]

Hi @doujiang24. Thanks for your PR.

I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[doujiang24]

Hi team, gentle ping.
Do you think it's the right way to pass v1.Secret through MCP?

cc @howardjohn @hzxuzhonghu

[hzxuzhonghu]

Will it influence configcontroller with mcp

[howardjohn]

Won't this get all secrets from all components? Including k8s?

[doujiang24]

I think, no. It get configs from model.ConfigStore. but, seems the secrets from k8s, is on another path, credentials.Controller, which is not a kind of model.ConfigStore.

[doujiang24]

Will it influence configcontroller with mcp

@hzxuzhonghu Thanks.
I think it depends. when EnableSecretOverMCP = true,

1. if means only use secrets from MCP, I think they are two independent ways, they won't influence each other,
2. if means using secrets from k8s and MCP together, then we have to decide the priority, k8s first? or MCP first.

In the current implementation, we don't use secrets from k8s and MCP together, only use one.

[hzxuzhonghu]

If we intend to use secret over MCP to provide gateway certs, it is a little bit complex. Even worse in multi cluster, we have to respect both secret namespace and cluster attribute.

From the original issue, I guess you want to use it to provide gateway cert. So it is just a first step for transport, not for usage

[doujiang24]

Thanks. All addressed.

I have two questions, looking forward to your help, thanks.

1. for the secrets, provide a new option way to bypass k8s totally, is the right way? or do you guys think it is worth maintaining it?

background: we are migrating a large & old north-south ingress, from Nginx to Istio + Envoy. And the old control plane is not in the k8s system. So, we hope the new Istio way does not rely on k8s, at least for the first step.
Also, we are processing well in our internal fork, in the bypass k8s way.

2. is it worth introducing a new secret controller?

As said in this TODO comment, so that we may register customer secret authorize method in the feature.
8a21eaa#diff-91e0a18a58ea36d2c656d7b2706c52917a74103820c07fc843f48a110c847678R536

We just passing a nil secret controller now, which makes it difficult to add authorize for secrets.

[doujiang24]

If we intend to use secret over MCP to provide gateway certs, it is a little bit complex. Even worse in multi cluster, we have to respect both secret namespace and cluster attribute.

From the original issue, I guess you want to use it to provide gateway cert. So it is just a first step for transport, not for usage

Yeah, we want to pass secrets through MCP, so that the data plane could get the gateway cert from istio, and the related name of the gateway cert is defined in credentialName in Gateway CRD.
https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings

For the usage:
the current implementation (in this PR) does only honor the namespace and secret name, for now.
Missing the authorize method, that the biggest left issue for this PR, I think.

[istio-testing]

@doujiang24: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[costinm]

I am concerned with this - we need a VERY strong security review/discussion first, messing with secrets is dangerous.

Also: Istiod already has a mechanism to distribute secrets using SDS ( which is a first class XDS object ), with a relatively reasonable security model we discussed at length. I don't know if k8s Secret and envoy Secret are a good match - I don't
mind exposing k8s Secret, but I think it must have the same security model, the caller must have some explicit permission for the secret.

[costinm]

On a related note - we currently use the special generator for MCP, originally it was intended to keep things clean and it was an experiment, but I think it is very reasonable to allow 'MCP' generators to be used with the default (envoy) and envoy resources to be returned on the MCP generator.

Only 'special' generator is proxyless - mainly because it requires a different format for LDS/RDS, but it also reuses EDS/CDS.

[doujiang24]

Thanks for your reply.

Sorry, I think I made a mistake in the title, "passing" should be "accepting".

For istiod, we still deliver secret resources over SDS, just like it does now.
eg, using credentialName in Gateway CRD,
https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings

One thing that changed is istiod also accepts k8s secret from MCP server,
just like it accept k8s secret from k8s server.

Backgroud: we want to get rid of k8s server, in our north-south gateway.

Yeah, I totally agree with you about security.
I think we may introduce a new secret controller to implement the authurize.
But I'm not sure about it, as said in:
#40509 (comment)

Need your help, thanks.

[istio-policy-bot]

🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2022-10-01. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.