From 64f2536811e24d79c01ea4c03a43ae37b9a37933 Mon Sep 17 00:00:00 2001
From: Greg Hanson
Date: Fri, 1 Dec 2023 00:54:41 +0000
Subject: [PATCH 1/3] support setting a custom cert ttl via SECRET_TTL env var
---
 src/config.rs | 8 ++++++++
 src/identity/caclient.rs | 5 ++++-
 src/identity/manager.rs | 1 +
 src/test_helpers/ca.rs | 1 +
 4 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/config.rs b/src/config.rs
index 0768f1f8b..4acc413c6 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -40,6 +40,7 @@ const LOCAL_XDS_PATH: &str = "LOCAL_XDS_PATH";
 const XDS_ON_DEMAND: &str = "XDS_ON_DEMAND";
 const XDS_ADDRESS: &str = "XDS_ADDRESS";
 const CA_ADDRESS: &str = "CA_ADDRESS";
+const SECRET_TTL: &str = "SECRET_TTL";
 const FAKE_CA: &str = "FAKE_CA";
 const ZTUNNEL_WORKER_THREADS: &str = "ZTUNNEL_WORKER_THREADS";
 const ENABLE_ORIG_SRC: &str = "ENABLE_ORIG_SRC";
@@ -53,6 +54,7 @@ const DEFAULT_DNS_PORT: u16 = 15053;
 const DEFAULT_SELFTERM_DEADLINE: Duration = Duration::from_secs(5);
 const DEFAULT_CLUSTER_ID: &str = "Kubernetes";
 const DEFAULT_CLUSTER_DOMAIN: &str = "cluster.local";
+const DEFAULT_TTL: i64 = 60 * 60 * 24; // 24 hours
 const ISTIO_META_PREFIX: &str = "ISTIO_META_";
 const DNS_CAPTURE_METADATA: &str = "DNS_CAPTURE";
@@ -139,6 +141,8 @@ pub struct Config {
 pub xds_address: Option,
 /// Root cert for XDS TLS verification.
 pub xds_root_cert: RootCert,
+ /// TTL for CSR requests
+ pub secret_ttl: i64,
 /// YAML config for local XDS workloads
 #[serde(skip_serializing)]
 pub local_xds_config: Option,
@@ -335,6 +339,10 @@ pub fn construct_config(pc: ProxyConfig) -> Result {
 xds_root_cert,
 ca_address,
 ca_root_cert,
+ secret_ttl: match parse::(SECRET_TTL)? {
+ Some(ttl) => ttl,
+ _ => DEFAULT_TTL,
+ },
 local_xds_config: parse::(LOCAL_XDS_PATH)?.map(ConfigSource::File),
 xds_on_demand: parse_default(XDS_ON_DEMAND, false)?,
 proxy_metadata: pc.proxy_metadata,
diff --git a/src/identity/caclient.rs b/src/identity/caclient.rs
index 31d6ede74..cf3ab12e0 100644
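Review bot: The new doc comment `/// TTL for CSR requests` on `secret_ttl` in the Config struct hunk (@@ -139) reads as the lifetime of the CSR itself, whereas the value is the certificate validity the proxy asks the CA to grant, and the comment names neither the environment variable that sets it nor the unit (this commit stores seconds in an i64). Suggested wording: `/// Certificate validity requested from the CA in each CSR, in seconds; set via SECRET_TTL, default 24h.` The same comment is kept unchanged by the later commit in this series that turns the field into a Duration, so the unit clause should be dropped there. The Config definition starts and ends outside the hunk.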
--- a/src/identity/caclient.rs
+++ b/src/identity/caclient.rs
@@ -31,6 +31,7 @@ use crate::xds::istio::ca::IstioCertificateRequest;
 pub struct CaClient {
 pub client: IstioCertificateServiceClient>,
 pub enable_impersonated_identity: bool,
+ pub secret_ttl: i64,
 }
 impl CaClient {
@@ -39,6 +40,7 @@ impl CaClient {
 cert_provider: Box,
 auth: AuthSource,
 enable_impersonated_identity: bool,
+ secret_ttl: i64,
 ) -> Result {
 let svc = tls::grpc_connector(address, cert_provider.fetch_cert().await?)?;
 // let client = IstioCertificateServiceClient::new(svc);
@@ -48,6 +50,7 @@ impl CaClient {
 Ok(CaClient {
 client,
 enable_impersonated_identity,
+ secret_ttl,
 })
 }
 }
@@ -65,7 +68,7 @@ impl CaClient {
 let csr = std::str::from_utf8(&csr).map_err(Error::Utf8)?.to_string();
 let req = IstioCertificateRequest {
 csr,
- validity_duration: 60 * 60 * 24, // 24 hours
+ validity_duration: self.secret_ttl,
 metadata: {
 if self.enable_impersonated_identity {
 Some(Struct {
diff --git a/src/identity/manager.rs b/src/identity/manager.rs
index 2bde6d3a8..bbacdc6f4 100644
--- a/src/identity/manager.rs
+++ b/src/identity/manager.rs
@@ -393,6 +393,7 @@ impl SecretManager {
 )),
 cfg.auth,
 cfg.proxy_mode == ProxyMode::Shared,
+ cfg.secret_ttl,
 )
 .await?;
 Ok(Self::new_with_client(caclient))
diff --git a/src/test_helpers/ca.rs b/src/test_helpers/ca.rs
index 45e9fa12a..070431965 100644
--- a/src/test_helpers/ca.rs
+++ b/src/test_helpers/ca.rs
@@ -82,6 +82,7 @@ impl CaServer {
 "Kubernetes".to_string(),
 ),
 true,
+ 60 * 60 * 24,
 )
 .await
 .unwrap();
From ddf49c00ae815560479900fc7e6e7eb5d5eb53c6 Mon Sep 17 00:00:00 2001
From: Greg Hanson
Date: Wed, 6 Dec 2023 01:51:02 +0000
Subject: [PATCH 2/3] switch to duration formatting on secret_ttl
---
 Cargo.lock | 31 +++++++++++++++++++++++++++++++
 Cargo.toml | 1 +
 src/config.rs | 10 +++++-----
 src/identity/manager.rs | 2 +-
 4 files changed, 38 insertions(+), 6 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 8098518c9..d4f6c3a80 100644
--- a/Cargo.lock
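Review bot: `pub secret_ttl: i64,` added to `CaClient` (@@ -31) has no doc comment and no unit, yet it is copied straight into `validity_duration` of the IstioCertificateRequest in the @@ -65 hunk, where the removed line `validity_duration: 60 * 60 * 24, // 24 hours` shows the value is seconds. A public field that goes on the wire to the CA should say so: `/// Certificate validity to request from the CA, in seconds; sent as IstioCertificateRequest.validity_duration.` The same unit note belongs on the `secret_ttl: i64` parameter added to `CaClient::new` in the @@ -39 hunk. `CaClient::new` starts outside that hunk.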
+++ b/Cargo.lock @@ -59,6 +59,12 @@ version = "1.0.75" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a4668cab20f66d8d020e1fbc0ebe47217433c1b6c8f2040faf858554e394ace6" +[[package]] +name = "arrayvec" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "96d30a06541fbafbc7f82ed10c06164cfbd2c401138f6addd8404629c4b16711" + [[package]] name = "async-channel" version = "1.9.0" @@ -581,6 +587,20 @@ version = "1.0.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dcbb2bf8e87535c23f7a8a321e364ce21462d0ff10cb6407820e8e96dfff6653" +[[package]] +name = "duration-str" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5e172e85f305d6a442b250bf40667ffcb91a24f52c9a1ca59e2fa991ac9b7790" +dependencies = [ + "chrono", + "nom", + "rust_decimal", + "serde", + "thiserror", + "time", +] + [[package]] name = "either" version = "1.9.0" @@ -2125,6 +2145,16 @@ dependencies = [ "quick-error", ] +[[package]] +name = "rust_decimal" +version = "1.33.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "06676aec5ccb8fc1da723cc8c0f9a46549f21ebb8753d3915c6c41db1e7f1dc4" +dependencies = [ + "arrayvec", + "num-traits", +] + [[package]] name = "rustc-demangle" version = "0.1.23" @@ -3189,6 +3219,7 @@ dependencies = [ "criterion", "diff", "drain", + "duration-str", "futures", "futures-util", "go-parse-duration", diff --git a/Cargo.toml b/Cargo.toml index f1de52f34..dc118c2c4 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -84,6 +84,7 @@ trust-dns-client = "0.22.0" trust-dns-proto = "0.22.0" trust-dns-resolver = "0.22.0" trust-dns-server = { version = "0.22.1", features = [ "trust-dns-resolver" ] } +duration-str = "0.7.0" [target.'cfg(target_os = "linux")'.dependencies] netns-rs = "0.1.0" diff --git a/src/config.rs b/src/config.rs index 4acc413c6..dcd971ba2 100644 --- a/src/config.rs +++ b/src/config.rs 
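Review bot: `duration-str = "0.7.0"` is added to parse a single environment variable, and the Cargo.lock hunks in the same commit show it brings chrono, nom, rust_decimal, arrayvec and time into the build as transitive dependencies, each of which is new supply-chain surface to track for advisories and audits. The root crate's dependency list in that lockfile hunk already contains `go-parse-duration`; if it accepts the SECRET_TTL format operators are expected to write, reusing it avoids the extra crates and a second duration syntax inside one binary. If duration-str is kept, it would be clearer to place it with the alphabetically ordered entries rather than appended after the trust-dns block.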
@@ -54,7 +54,7 @@ const DEFAULT_DNS_PORT: u16 = 15053;
 const DEFAULT_SELFTERM_DEADLINE: Duration = Duration::from_secs(5);
 const DEFAULT_CLUSTER_ID: &str = "Kubernetes";
 const DEFAULT_CLUSTER_DOMAIN: &str = "cluster.local";
-const DEFAULT_TTL: i64 = 60 * 60 * 24; // 24 hours
+const DEFAULT_TTL: Duration = Duration::from_secs(60 * 60 * 24); // 24 hours
 const ISTIO_META_PREFIX: &str = "ISTIO_META_";
 const DNS_CAPTURE_METADATA: &str = "DNS_CAPTURE";
@@ -142,7 +142,7 @@ pub struct Config {
 /// Root cert for XDS TLS verification.
 pub xds_root_cert: RootCert,
 /// TTL for CSR requests
- pub secret_ttl: i64,
+ pub secret_ttl: Duration,
 /// YAML config for local XDS workloads
 #[serde(skip_serializing)]
 pub local_xds_config: Option,
@@ -339,9 +339,9 @@ pub fn construct_config(pc: ProxyConfig) -> Result {
 xds_root_cert,
 ca_address,
 ca_root_cert,
- secret_ttl: match parse::(SECRET_TTL)? {
- Some(ttl) => ttl,
- _ => DEFAULT_TTL,
+ secret_ttl: match parse::(SECRET_TTL)? {
+ Some(ttl) => duration_str::parse(&ttl).unwrap_or(DEFAULT_TTL),
+ None => DEFAULT_TTL,
 },
 local_xds_config: parse::(LOCAL_XDS_PATH)?.map(ConfigSource::File),
 xds_on_demand: parse_default(XDS_ON_DEMAND, false)?,
diff --git a/src/identity/manager.rs b/src/identity/manager.rs
index bbacdc6f4..7a7905510 100644
--- a/src/identity/manager.rs
+++ b/src/identity/manager.rs
@@ -393,7 +393,7 @@ impl SecretManager {
 )),
 cfg.auth,
 cfg.proxy_mode == ProxyMode::Shared,
- cfg.secret_ttl,
+ cfg.secret_ttl.as_secs().try_into().unwrap_or(60 * 60 * 24),
 )
 .await?;
 Ok(Self::new_with_client(caclient))
From 920893646ed77d807e60f9cea96b661f7427f88f Mon Sep 17 00:00:00 2001
From: Greg Hanson
Date: Wed, 6 Dec 2023 14:21:32 +0000
Subject: [PATCH 3/3] fix fuzz cargo.lock fileD
---
 fuzz/Cargo.lock | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/fuzz/Cargo.lock b/fuzz/Cargo.lock
index 3ac80d87b..9bab8a474 100644
--- a/fuzz/Cargo.lock
+++ b/fuzz/Cargo.lock
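Review bot: `duration_str::parse(&ttl).unwrap_or(DEFAULT_TTL)` in the construct_config hunk (@@ -339) silently replaces an unparsable SECRET_TTL with the 24h default, so a typo in the value, or a format duration-str does not accept, leaves the operator with long-lived certificates and no error or log line, which is the opposite of what someone setting a short TTL intends. construct_config already returns Result, so the parse error should be mapped into its error type and propagated with `?`, or at the very least logged at warn level together with the offending value. There is also no lower bound: a value that parses to Duration::ZERO passes through, becomes 0 after the as_secs() conversion in manager.rs and is sent as `validity_duration: 0` to the CA, which may or may not reject it; refusing a zero TTL here keeps the failure local and explicit. construct_config starts and ends outside the hunk.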
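Review bot: `cfg.secret_ttl.as_secs().try_into().unwrap_or(60 * 60 * 24)` in the manager.rs hunk (@@ -393) hard-codes the one-day default a second time, separately from DEFAULT_TTL in config.rs, and the fallback only fires when the configured seconds exceed i64::MAX, where quietly substituting 24 hours is a surprising outcome. Since CaClient::new still takes an i64 after this series, the conversion should happen once at that boundary and either fail or saturate explicitly, e.g. `i64::try_from(cfg.secret_ttl.as_secs()).unwrap_or(i64::MAX),`, or better, CaClient should hold a Duration and convert where validity_duration is built so the unit handling lives in one place. The enclosing function starts outside the hunk.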
@@ -65,6 +65,12 @@ version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e2d098ff73c1ca148721f37baad5ea6a465a13f9573aba8641fbbbae8164a54e" +[[package]] +name = "arrayvec" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "96d30a06541fbafbc7f82ed10c06164cfbd2c401138f6addd8404629c4b16711" + [[package]] name = "async-channel" version = "1.8.0" @@ -475,6 +481,20 @@ version = "1.0.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "65d09067bfacaa79114679b279d7f5885b53295b1e2cfb4e79c8e4bd3d633169" +[[package]] +name = "duration-str" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5e172e85f305d6a442b250bf40667ffcb91a24f52c9a1ca59e2fa991ac9b7790" +dependencies = [ + "chrono", + "nom", + "rust_decimal", + "serde", + "thiserror", + "time 0.3.22", +] + [[package]] name = "either" version = "1.8.1" @@ -1876,6 +1896,16 @@ dependencies = [ "quick-error", ] +[[package]] +name = "rust_decimal" +version = "1.33.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "06676aec5ccb8fc1da723cc8c0f9a46549f21ebb8753d3915c6c41db1e7f1dc4" +dependencies = [ + "arrayvec", + "num-traits", +] + [[package]] name = "rustc-demangle" version = "0.1.23" @@ -2868,6 +2898,7 @@ dependencies = [ "bytes", "chrono", "drain", + "duration-str", "futures", "futures-util", "go-parse-duration",