KIALI-2148 Adding mTLS status into status endpoint #803
Conversation
xeviknal
added
do not merge
|
"Kiali mTLS" - that doesn't seem right. This has nothing to do with Kiali right? You are talking about mTLS enabled globally in the Istio mesh. I think the name of this should be changed to better reflect what it means. Otherwise, people will see it and think Kiali has turned on mTLS in some way when I think this really means "Istio has mTLS enabled across the global mesh". |
|
@jmazzitelli yep, this was one thing I was worried about. I will move it to |
xeviknal
force-pushed
the
KIALI-2148
branch
2 times, most recently
from
d1df034
to
1b89709
Compare
|
@xeviknal what are the different status options? right now I see GLOBALLY_ENABLED and NOT_GLOBALLY_ENABLED. if those are the only 2 statuses, why not just use boolean true/false? the field can be called something like MTLS_ENABLED. |
|
@abonas we have 3 scenarios so far, as I understood from heiko. I just have mentioned them in here: kiali/kiali-ui#963 (comment) Regarding the naming, I will change that to mesh-y wording instead. |
|
Instruccions to verify this Pull Request (on top of bookinfo): To achieve ENABLED status:
To achieve PARTIALLY_ENABLED status
To achieve NOT_ENABLED status: MP[1] - Mesh policy enabling mesh-wide mTLS apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
name: "default"
spec:
peers:
- mtls: {}DR[2] - Destination Rule with mesh-wide enabling apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
name: "default"
namespace: "default"
spec:
host: "*.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUALMesh-wide installation: https://istio.io/docs/tasks/security/authn-policy/#globally-enabling-istio-mutual-tls |
|
2 question here:
|
|
Regarding to 1), I just realized that the DR might be installed in different namespaces than the |
|
@xeviknal the combo MeshPolicy+DR in default is what enables mesh-wide mTLS. |
|
@pilhuhn if you check the istio-demo-auth.yaml installation file, the DR is installed in istio-system namespace. That is why @hhovsepy spot that oddness. # Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
name: "default"
labels:
app: istio-security
chart: security-1.0.5
release: istio
heritage: Tiller
spec:
peers:
- mtls: {}
---
# Corresponding destination rule to configure client side to use mutual TLS when talking to
# any service (host) in the mesh.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: "default"
labels:
app: istio-security
chart: security-1.0.5
release: istio
heritage: Tiller
spec:
host: "*.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL//from istio-demo-auth.yaml $ oc describe destinationrules default -n istio-system
Name: default
Namespace: istio-system
Labels: app=istio-security
chart=security-1.0.4
heritage=Tiller
release=istio
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"networking.istio.io/v1alpha3","kind":"DestinationRule","metadata":{"annotations":{},"labels":{"app":"istio-security","chart":"security-1...
API Version: networking.istio.io/v1alpha3
Kind: DestinationRule
Metadata:
Creation Timestamp: 2019-01-30T19:33:30Z
Generation: 1
Resource Version: 3893
Self Link: /apis/networking.istio.io/v1alpha3/namespaces/istio-system/destinationrules/default
UID: ec2a3c68-24c5-11e9-9928-525400fc4f79
Spec:
Host: *.local
Traffic Policy:
Tls:
Mode: ISTIO_MUTUAL
Events: <none> |
|
Testing results for different configurations:
|
|
@lucasponce comments approached :) |
There was a problem hiding this comment.
Tested locally with PR UI kiali/kiali-ui#963 and discussed with @xeviknal
** Describe the change **
We need to show whether or not mTLS is globally enabled or not. This PR adds that status in
/api/statusendpoint.The idea is that the ui takes it and prints a padlock into the masthead.
** Issue reference **
https://issues.jboss.org/browse/KIALI-2148
** Backwards incompatible? **
yep.