New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Env Var allowing proxies to utilize OS CA Cert #33472
Conversation
Skipping CI for Draft Pull Request. |
Described in https://docs.google.com/document/d/100Jvwjr9KkURiF2HtiOtRlAON8TqgskUyLfT17_xoRM/edit#heading=h.xw1gqgyqs5b this is the initial Env Var portion to be expanded on. |
pilot/pkg/model/authentication.go
Outdated
} | ||
|
||
for _, cert := range certFiles { | ||
if _, err := os.Stat(cert); err == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
small perf nit: should we wrap this in a once
like go does? Its fairly slow to check the filesystem on every call here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1. And the value seems not neeed to passed around, and parameteize and special casing it. It's fair to assume the proxy image's filesystem stay the same during the pod running time and keep use that value.
* Remove code that is no longer needed with CA file path being generated on init * Move CACertFilePath init outside of shared package so it only needs to be made for sdsservice.go and secretcache.go
* SecretManager uses GenerateSecret and to avoid adding another perameter to the function, SecretManager implementations need to have it in the type. * `file-root:` was missing from secretcache_test.go to pull the correct certificate information
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Kenan demoed this to me and we walked through the various test cases proposed in the RFC using badssl.com and its various subdomains (self-signed.badssl.com, untrusted-root.badssl.com, expired.badssl.com).
- 33472 | ||
releaseNotes: | ||
- | | ||
**Added** `VERTIFY_CERT_AT_CLIENT` environmental variable to istiod. Setting `VERTIFY_CERT_AT_CLIENT` to `true` will verify server certificates using the OS CA certificates when not using a `DestinationRule` `caCertificates` field [Issue #33472](github.com/istio/istio/issues/33472). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can they also set caCertificates: system
explicitly?
If so (which I think they should?) we should add a warning to the webhook when we detect an explicit path to use system
instead. Definitely should be a followup though, not in this PR. Lets get this in first
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They would be able to use system
and it will treat it the same.
sdsFromFile = true | ||
if sc.caRootPath != "" { | ||
if sitem, err = sc.generateRootCertFromExistingFile(sc.caRootPath, resourceName, false); err == nil { | ||
sc.addFileWatcher(sc.caRootPath, resourceName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
note to others: addFileWatcher dedupes so we will have at most 1 watch 👍
* Env Var allowing proxies to utilize OS CA Cert * Introduce VERIFY_CERTIFICATE_AT_CLIENT as a bool env var * Select an existing CA cert bundle from a set of known file locations * If bool set and DR does not set CaCertificates, replace the proxies' CA cert with an OS CA cert found in the file system * Move OS cert replace logic to proxy * Fix typo * Move function in pilot code and check for OS cert once * Move SdsCertificateConfigFromResourceName out of pilot authenticate code and into utils for agent. * Determine OS CA certificate in pilot-agent to pass down instead of searching for the file more often * Linter and change setting off by default * Move OS CA Path find to option generation * Add release notes * Lock pointers when accessing or using them * Remove mutex inside Options * Fix secret resource choice * Add unit tests * Fix tests and linter errors * Improve tests, releasenotes and logging * Add back code that was needed * Fix linter issues * Use string constant in place of file-root:system * Update to remove proxy from ClusterBuilder * Fix auto import location * Refactor code * Refactor SdsCertificateConfig to common package * Move security tests from util.go * Fix releasenotes * Add documentation to public methods * Improve VERIFY_CERT_AT_CLIENT testing * initialize CAFilePath in security instead of main * Refactor and remove dead code * Remove code that is no longer needed with CA file path being generated on init * Move CACertFilePath init outside of shared package so it only needs to be made for sdsservice.go and secretcache.go * Refactor to move cafile package * Refactor toEnvoySecret funciton * Revert changes that were needed for istiod to know the OS CA file path * Fix linter problems * Correct tests and introduce caRootPath to SecretManager * SecretManager uses GenerateSecret and to avoid adding another perameter to the function, SecretManager implementations need to have it in the type. * `file-root:` was missing from secretcache_test.go to pull the correct certificate information * Fix missing argument for mock initializaiton * Reverse mock changes and replace string with const * Fix SdsCertificateConfig to use file-root:system cert. * Fix tests by removing file-root: prefix * Fix empty OS CA cert causing an error * Remove testing print code * Rebase cluster_builder_test update struct * Fix rebase changes made to DestiantionRule
* Env Var allowing proxies to utilize OS CA Cert * Introduce VERIFY_CERTIFICATE_AT_CLIENT as a bool env var * Select an existing CA cert bundle from a set of known file locations * If bool set and DR does not set CaCertificates, replace the proxies' CA cert with an OS CA cert found in the file system * Move OS cert replace logic to proxy * Fix typo * Move function in pilot code and check for OS cert once * Move SdsCertificateConfigFromResourceName out of pilot authenticate code and into utils for agent. * Determine OS CA certificate in pilot-agent to pass down instead of searching for the file more often * Linter and change setting off by default * Move OS CA Path find to option generation * Add release notes * Lock pointers when accessing or using them * Remove mutex inside Options * Fix secret resource choice * Add unit tests * Fix tests and linter errors * Improve tests, releasenotes and logging * Add back code that was needed * Fix linter issues * Use string constant in place of file-root:system * Update to remove proxy from ClusterBuilder * Fix auto import location * Refactor code * Refactor SdsCertificateConfig to common package * Move security tests from util.go * Fix releasenotes * Add documentation to public methods * Improve VERIFY_CERT_AT_CLIENT testing * initialize CAFilePath in security instead of main * Refactor and remove dead code * Remove code that is no longer needed with CA file path being generated on init * Move CACertFilePath init outside of shared package so it only needs to be made for sdsservice.go and secretcache.go * Refactor to move cafile package * Refactor toEnvoySecret funciton * Revert changes that were needed for istiod to know the OS CA file path * Fix linter problems * Correct tests and introduce caRootPath to SecretManager * SecretManager uses GenerateSecret and to avoid adding another perameter to the function, SecretManager implementations need to have it in the type. * `file-root:` was missing from secretcache_test.go to pull the correct certificate information * Fix missing argument for mock initializaiton * Reverse mock changes and replace string with const * Fix SdsCertificateConfig to use file-root:system cert. * Fix tests by removing file-root: prefix * Fix empty OS CA cert causing an error * Remove testing print code * Rebase cluster_builder_test update struct * Fix rebase changes made to DestiantionRule
Address istio/istio #32539
[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Pull Request Attributes
Please check any characteristics that apply to this pull request.
[ ] Does not have any user-facing changes. This may include CLI changes, API changes, behavior changes, performance improvements, etc.