KIALI-2148 Adding mTLS status into status endpoint #803
"Kiali mTLS" - that doesn't seem right. This has nothing to do with Kiali right? You are talking about mTLS enabled globally in the Istio mesh. I think the name of this should be changed to better reflect what it means. Otherwise, people will see it and think Kiali has turned on mTLS in some way when I think this really means "Istio has mTLS enabled across the global mesh".

@jmazzitelli yep, this was one thing I was worried about. I will move it to
Changes applied!
@xeviknal what are the different status options? Right now I see GLOBALLY_ENABLED and NOT_GLOBALLY_ENABLED. If those are the only 2 statuses, why not just use boolean true/false? The field can be called something like MTLS_ENABLED.

@abonas we have 3 scenarios so far, as I understood from heiko. I have just mentioned them here: kiali/kiali-ui#963 (comment). Regarding the naming, I will change that to mesh-y wording instead.
Instructions to verify this Pull Request (on top of bookinfo):

To achieve ENABLED status:

To achieve PARTIALLY_ENABLED status:

To achieve NOT_ENABLED status:

MP[1] - Mesh policy enabling mesh-wide mTLS

```yaml
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"
spec:
  peers:
  - mtls: {}
```

DR[2] - Destination Rule with mesh-wide enabling

```yaml
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "default"
  namespace: "default"
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

Mesh-wide installation: https://istio.io/docs/tasks/security/authn-policy/#globally-enabling-istio-mutual-tls
2 questions here:

Regarding 1), I just realized that the DR might be installed in different namespaces than the

@xeviknal the combo MeshPolicy+DR in default is what enables mesh-wide mTLS.
@pilhuhn if you check the istio-demo-auth.yaml installation file, the DR is installed in the istio-system namespace. That is why @hhovsepy spotted that oddness.

```yaml
# Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"
  labels:
    app: istio-security
    chart: security-1.0.5
    release: istio
    heritage: Tiller
spec:
  peers:
  - mtls: {}
---
# Corresponding destination rule to configure client side to use mutual TLS when talking to
# any service (host) in the mesh.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "default"
  labels:
    app: istio-security
    chart: security-1.0.5
    release: istio
    heritage: Tiller
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

(from istio-demo-auth.yaml)

```
$ oc describe destinationrules default -n istio-system
Name:         default
Namespace:    istio-system
Labels:       app=istio-security
              chart=security-1.0.4
              heritage=Tiller
              release=istio
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"networking.istio.io/v1alpha3","kind":"DestinationRule","metadata":{"annotations":{},"labels":{"app":"istio-security","chart":"security-1...
API Version:  networking.istio.io/v1alpha3
Kind:         DestinationRule
Metadata:
  Creation Timestamp:  2019-01-30T19:33:30Z
  Generation:          1
  Resource Version:    3893
  Self Link:           /apis/networking.istio.io/v1alpha3/namespaces/istio-system/destinationrules/default
  UID:                 ec2a3c68-24c5-11e9-9928-525400fc4f79
Spec:
  Host:  *.local
  Traffic Policy:
    Tls:
      Mode:  ISTIO_MUTUAL
Events:  <none>
```
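The thread above settles two points: mesh-wide mTLS needs both halves (a `default` MeshPolicy requiring mTLS on the server side and a `*.local` / `ISTIO_MUTUAL` DestinationRule on the client side), and the DestinationRule may live in `default` or in `istio-system` depending on how the mesh was installed. The following is an added example written for this page, not Kiali's implementation or any code from this PR; it models only the fields the YAML above uses and classifies a mesh into the three statuses named in the verification instructions. The mapping (both present: ENABLED, exactly one: PARTIALLY_ENABLED, neither: NOT_ENABLED), the treatment of a PERMISSIVE MeshPolicy as not enabling mTLS, and all type and function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal models of the two Istio resources the thread relies on. Only the
// fields that matter for the mesh-wide decision are kept; names mirror the
// YAML above (authentication.istio.io/v1alpha1 MeshPolicy and
// networking.istio.io/v1alpha3 DestinationRule). These are example types,
// not Kiali's or Istio's Go structs.
type MeshPolicy struct {
	Name  string
	Peers []Peer
}

// Peer is one entry of spec.peers; a non-nil MTLS means "- mtls: {...}".
type Peer struct {
	MTLS *MutualTLS
}

// MutualTLS is the body of a peer mtls entry. An empty Mode (the "mtls: {}"
// form used in the thread) is the strict default.
type MutualTLS struct {
	Mode string // "", "STRICT" or "PERMISSIVE"
}

type DestinationRule struct {
	Name      string
	Namespace string
	Host      string // spec.host
	TLSMode   string // spec.trafficPolicy.tls.mode
}

// Status values as named in the verification instructions above.
const (
	StatusEnabled          = "ENABLED"
	StatusPartiallyEnabled = "PARTIALLY_ENABLED"
	StatusNotEnabled       = "NOT_ENABLED"
)

// serverSideMeshMTLS reports whether a MeshPolicy named "default" requires
// mTLS from peers. Assumption (not stated in the thread): a PERMISSIVE entry
// still accepts plaintext, so it is not counted as enabling mTLS.
func serverSideMeshMTLS(policies []MeshPolicy) bool {
	for _, mp := range policies {
		if mp.Name != "default" {
			continue
		}
		for _, p := range mp.Peers {
			if p.MTLS != nil && !strings.EqualFold(p.MTLS.Mode, "PERMISSIVE") {
				return true
			}
		}
	}
	return false
}

// clientSideMeshMTLS reports whether some DestinationRule makes clients use
// ISTIO_MUTUAL for every host in the mesh ("*.local"). The namespace is
// deliberately ignored: istio-demo-auth.yaml installs the rule in
// istio-system, the instructions above install it in default, and both count.
func clientSideMeshMTLS(rules []DestinationRule) bool {
	for _, dr := range rules {
		if dr.Host == "*.local" && dr.TLSMode == "ISTIO_MUTUAL" {
			return true
		}
	}
	return false
}

// MeshMTLSStatus combines both halves. Assumed mapping: both present gives
// ENABLED, exactly one gives PARTIALLY_ENABLED, neither gives NOT_ENABLED.
func MeshMTLSStatus(policies []MeshPolicy, rules []DestinationRule) string {
	server := serverSideMeshMTLS(policies)
	client := clientSideMeshMTLS(rules)
	switch {
	case server && client:
		return StatusEnabled
	case server || client:
		return StatusPartiallyEnabled
	default:
		return StatusNotEnabled
	}
}

// Constructed fixtures mirroring MP[1] and DR[2] from the verification
// instructions in this thread.
var (
	MP1 = MeshPolicy{Name: "default", Peers: []Peer{{MTLS: &MutualTLS{}}}}
	DR2 = DestinationRule{Name: "default", Namespace: "default", Host: "*.local", TLSMode: "ISTIO_MUTUAL"}
)

func main() {
	fmt.Println("MP[1]+DR[2]:", MeshMTLSStatus([]MeshPolicy{MP1}, []DestinationRule{DR2}))
	fmt.Println("MP[1] only: ", MeshMTLSStatus([]MeshPolicy{MP1}, nil))
	fmt.Println("none:       ", MeshMTLSStatus(nil, nil))
}
```

The namespace of the DestinationRule is intentionally not part of the check: what makes it mesh-wide is the `*.local` host and the `ISTIO_MUTUAL` mode, which is exactly why the `istio-system` placement seen in `oc describe` above still produces a working mesh-wide configuration.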
Testing results for different configurations:

@lucasponce comments approached :)
Tested locally with PR UI kiali/kiali-ui#963 and discussed with @xeviknal
**Describe the change**

We need to show whether or not mTLS is globally enabled. This PR adds that status to the /api/status endpoint. The idea is that the UI takes it and prints a padlock into the masthead.

**Issue reference**

https://issues.jboss.org/browse/KIALI-2148

**Backwards incompatible?**

yep.