feat(*) kuma-dp verifies connection to the kuma-cp #1065
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
austince
reviewed
Oct 12, 2020
lobkovilya
reviewed
Oct 13, 2020
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
lobkovilya
approved these changes
Oct 13, 2020
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Since Bootstrap is now served via HTTPS, we should verify their cert.
I introduced a new arg to
kuma-dpcalledca-cert-file. When it's specified and the connection to bootstrap is HTTPS (now by default) then we verify cert.If bootstrap uses HTTPS but we don't specify this file, we've got a warning in logs:
On Kubernetes, injector now automatically pass CA to every dataplane. I introduced new config for HELM (and kumactl install control plane) that let's you specify CA cert that then will be used for verification.
Keep in mind that DP first connects to API Server for catalog that returns path to Boostrap server. Right now is API Server is HTTP without TLS.
That means that technically someone can impersonate Control Plane and provide invalid bootstrap path, but the attacker would have to acquire cert for invalid bootstrap server signed by CA.
Overall I think we should connect directly to the bootstrap server which should have the same port for XDS, SDS, but it's not in the scope of this PR.
Documentation