Env Var allowing proxies to utilize OS CA Cert #33472
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
istio-testing
added
the
do-not-merge/work-in-progress
google-cla
bot
added
the
cla: yes
|
Skipping CI for Draft Pull Request. |
istio-testing
added
the
size/S
|
Described in https://docs.google.com/document/d/100Jvwjr9KkURiF2HtiOtRlAON8TqgskUyLfT17_xoRM/edit#heading=h.xw1gqgyqs5b this is the initial Env Var portion to be expanded on. |
istio-testing
removed
the
do-not-merge/work-in-progress
howardjohn
requested changes
Jun 16, 2021
howardjohn
reviewed
Jun 28, 2021
pilot/pkg/model/authentication.go
Outdated
| } | ||
|
|
||
| for _, cert := range certFiles { | ||
| if _, err := os.Stat(cert); err == nil { |
There was a problem hiding this comment.
small perf nit: should we wrap this in a once like go does? Its fairly slow to check the filesystem on every call here
There was a problem hiding this comment.
+1. And the value seems not neeed to passed around, and parameteize and special casing it. It's fair to assume the proxy image's filesystem stay the same during the pod running time and keep use that value.
istio-testing
added
needs-rebase
istio-testing
removed
the
needs-rebase
istio-testing
added
the
needs-rebase
istio-testing
added
needs-rebase
istio-testing
removed
the
needs-rebase
* Remove code that is no longer needed with CA file path being generated on init * Move CACertFilePath init outside of shared package so it only needs to be made for sdsservice.go and secretcache.go
* SecretManager uses GenerateSecret and to avoid adding another perameter to the function, SecretManager implementations need to have it in the type. * `file-root:` was missing from secretcache_test.go to pull the correct certificate information
jacob-delgado
approved these changes
Sep 10, 2021
howardjohn
approved these changes
Sep 10, 2021
| - 33472 | ||
| releaseNotes: | ||
| - | | ||
| **Added** `VERTIFY_CERT_AT_CLIENT` environmental variable to istiod. Setting `VERTIFY_CERT_AT_CLIENT` to `true` will verify server certificates using the OS CA certificates when not using a `DestinationRule` `caCertificates` field [Issue #33472](github.com/istio/istio/issues/33472). |
There was a problem hiding this comment.
can they also set caCertificates: system explicitly?
If so (which I think they should?) we should add a warning to the webhook when we detect an explicit path to use system instead. Definitely should be a followup though, not in this PR. Lets get this in first
There was a problem hiding this comment.
They would be able to use system and it will treat it the same.
| sdsFromFile = true | ||
| if sc.caRootPath != "" { | ||
| if sitem, err = sc.generateRootCertFromExistingFile(sc.caRootPath, resourceName, false); err == nil { | ||
| sc.addFileWatcher(sc.caRootPath, resourceName) |
There was a problem hiding this comment.
note to others: addFileWatcher dedupes so we will have at most 1 watch 👍
Kmoneal
added a commit
to Kmoneal/istio
that referenced
this pull request
Sep 13, 2021
* Env Var allowing proxies to utilize OS CA Cert * Introduce VERIFY_CERTIFICATE_AT_CLIENT as a bool env var * Select an existing CA cert bundle from a set of known file locations * If bool set and DR does not set CaCertificates, replace the proxies' CA cert with an OS CA cert found in the file system * Move OS cert replace logic to proxy * Fix typo * Move function in pilot code and check for OS cert once * Move SdsCertificateConfigFromResourceName out of pilot authenticate code and into utils for agent. * Determine OS CA certificate in pilot-agent to pass down instead of searching for the file more often * Linter and change setting off by default * Move OS CA Path find to option generation * Add release notes * Lock pointers when accessing or using them * Remove mutex inside Options * Fix secret resource choice * Add unit tests * Fix tests and linter errors * Improve tests, releasenotes and logging * Add back code that was needed * Fix linter issues * Use string constant in place of file-root:system * Update to remove proxy from ClusterBuilder * Fix auto import location * Refactor code * Refactor SdsCertificateConfig to common package * Move security tests from util.go * Fix releasenotes * Add documentation to public methods * Improve VERIFY_CERT_AT_CLIENT testing * initialize CAFilePath in security instead of main * Refactor and remove dead code * Remove code that is no longer needed with CA file path being generated on init * Move CACertFilePath init outside of shared package so it only needs to be made for sdsservice.go and secretcache.go * Refactor to move cafile package * Refactor toEnvoySecret funciton * Revert changes that were needed for istiod to know the OS CA file path * Fix linter problems * Correct tests and introduce caRootPath to SecretManager * SecretManager uses GenerateSecret and to avoid adding another perameter to the function, SecretManager implementations need to have it in the type. * `file-root:` was missing from secretcache_test.go to pull the correct certificate information * Fix missing argument for mock initializaiton * Reverse mock changes and replace string with const * Fix SdsCertificateConfig to use file-root:system cert. * Fix tests by removing file-root: prefix * Fix empty OS CA cert causing an error * Remove testing print code * Rebase cluster_builder_test update struct * Fix rebase changes made to DestiantionRule
10 tasks
Kmoneal
added a commit
to Kmoneal/istio
that referenced
this pull request
Sep 21, 2021
* Env Var allowing proxies to utilize OS CA Cert * Introduce VERIFY_CERTIFICATE_AT_CLIENT as a bool env var * Select an existing CA cert bundle from a set of known file locations * If bool set and DR does not set CaCertificates, replace the proxies' CA cert with an OS CA cert found in the file system * Move OS cert replace logic to proxy * Fix typo * Move function in pilot code and check for OS cert once * Move SdsCertificateConfigFromResourceName out of pilot authenticate code and into utils for agent. * Determine OS CA certificate in pilot-agent to pass down instead of searching for the file more often * Linter and change setting off by default * Move OS CA Path find to option generation * Add release notes * Lock pointers when accessing or using them * Remove mutex inside Options * Fix secret resource choice * Add unit tests * Fix tests and linter errors * Improve tests, releasenotes and logging * Add back code that was needed * Fix linter issues * Use string constant in place of file-root:system * Update to remove proxy from ClusterBuilder * Fix auto import location * Refactor code * Refactor SdsCertificateConfig to common package * Move security tests from util.go * Fix releasenotes * Add documentation to public methods * Improve VERIFY_CERT_AT_CLIENT testing * initialize CAFilePath in security instead of main * Refactor and remove dead code * Remove code that is no longer needed with CA file path being generated on init * Move CACertFilePath init outside of shared package so it only needs to be made for sdsservice.go and secretcache.go * Refactor to move cafile package * Refactor toEnvoySecret funciton * Revert changes that were needed for istiod to know the OS CA file path * Fix linter problems * Correct tests and introduce caRootPath to SecretManager * SecretManager uses GenerateSecret and to avoid adding another perameter to the function, SecretManager implementations need to have it in the type. * `file-root:` was missing from secretcache_test.go to pull the correct certificate information * Fix missing argument for mock initializaiton * Reverse mock changes and replace string with const * Fix SdsCertificateConfig to use file-root:system cert. * Fix tests by removing file-root: prefix * Fix empty OS CA cert causing an error * Remove testing print code * Rebase cluster_builder_test update struct * Fix rebase changes made to DestiantionRule
5 tasks
2 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Address istio/istio #32539
[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Pull Request Attributes
Please check any characteristics that apply to this pull request.
[ ] Does not have any user-facing changes. This may include CLI changes, API changes, behavior changes, performance improvements, etc.