feat(kuma-cp) permissive mTLS mode

[lobkovilya]

Summary

The initial implementation of the permissive mTLS model according to #2550

Full changelog

• add new mode option for Mesh
• add e2e tests for STRICT and PERMISSIVE modes
• update inbound generator

Issues resolved

N/A

Documentation

• Link to the website documentation PR

Testing

• Unit tests
• E2E tests
• Manual testing on Universal
• Manual testing on Kubernetes

Backwards compatibility

• Add backport-to-stable label if the code is backwards compatible. Otherwise, list breaking changes.

[jakubdyszkiewicz]

very nice! I'm excited to see this feature.

[jakubdyszkiewicz]

how about kumactl get dataplanes and get address + port?

[lobkovilya]

yes, probably it's simpler, but at that moment I don't see the point in rewriting this to kumactl get dataplanes, the same amount of work, still have to parse the output somehow

[jakubdyszkiewicz]

Disclaimer: My opinion, your opinion may vary.

Please try to not overuse functions inside a test. For me, it's easier to read a test with code embedded

// given a mesh
... code that creates a mesh

// and test server
... code that creates test server

than test with functions. To read the full test I need to jump back and forth between test and function implementations.

Of course, if we have reusable functions and repeating the complex operations, it may make sense to use it.

Also, I'd try to keep the given, when, then convention. For me, it makes it easier to read the intention of the test.

[lobkovilya]

I agree that it was probably too much. I got rid of these checkInsideMeshConnection and checkNoOutsideMeshConnection, but I left the functions that create a mesh and runs client, they are 100 percent reusable across tests in this file

[jakubdyszkiewicz]

#2550 (comment) <- supporting this use case is critical for this functionality.

[codecov-commenter]

Codecov Report

Merging #2579 (b9a9b86) into master (ab55603) will decrease coverage by 0.10%.
The diff coverage is 21.60%.

@@            Coverage Diff             @@
##           master    #2579      +/-   ##
==========================================
- Coverage   52.08%   51.98%   -0.11%     
==========================================
  Files         877      878       +1     
  Lines       49478    49628     +150     
==========================================
+ Hits        25771    25799      +28     
- Misses      21641    21759     +118     
- Partials     2066     2070       +4     

Impacted Files	Coverage Δ
pkg/xds/envoy/tls/tls.go	100.00% <ø> (ø)
test/e2e/mtls/standalone_universal.go	0.00% <0.00%> (ø)
test/server/cmd/echo.go	0.00% <0.00%> (ø)
api/mesh/v1alpha1/mesh.pb.go	32.72% <30.00%> (-0.20%)	⬇️
pkg/xds/generator/inbound_proxy_generator.go	74.77% <90.90%> (+2.14%)	⬆️
...kg/xds/envoy/listeners/filter_chain_configurers.go	97.29% <100.00%> (+0.01%)	⬆️
...nvoy/listeners/v3/filter_chain_match_configurer.go	100.00% <100.00%> (ø)
pkg/xds/envoy/tls/v3/tls.go	93.85% <100.00%> (+0.05%)	⬆️
pkg/xds/generator/admin_proxy_generator.go	86.79% <100.00%> (ø)
pkg/xds/generator/ingress_generator.go	85.56% <100.00%> (ø)
... and 7 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ab55603...b9a9b86. Read the comment docs.

[lobkovilya]

I added support of the case when the client and server already have TLS, covered this with a test. I'm going to provide docs on how to migrate your services under the mesh.

Also, this PR probably requires a disclaimer for UPGRADE.md – you can't set PERMISSIVE mode until all Kuma CP instances are updated to the newer version, because ALPN protocol kuma won't be set for proxies connected to the old Kuma CP.

[jakubdyszkiewicz]

we should not import individual Envoy versions in generator. KumaALPNProtocols should be common to all versions. I'd suggest moving KumaALPNProtocols out of pkg/xds/envoy/tls/v3 into pkg/xds/envoy/tls