feat (kumactl) kumactl can communicate to kuma-cp over https

[sudeeptoroy]

Summary

kumactl and kuma-dp communicates to kuma-cp over http. In case kuma-cp is behind a https reverese proxy,
kumactl cannot connect to it.
Added support to upgrade connection to https and disable client security check for ssl.

this PR will enable https://github.com/Kong/kuma/issues/597

[jakubdyszkiewicz]

Hey, @sudeeptoroy
thank you for moving forward with this task!
Can you maybe describe a bigger picture how would this help us with #597? URLs returned by catalog will still be pointing at http.
If we merge this, will the communication via http still work?

[sudeeptoroy]

Hi @jakubdyszkiewicz ,

yes sure, in scenarios where kuma-cp is deployed behind a reverse proxy, kuma-cp native endpoints will be available on reverse proxy with different hostnames.
with #597 we will be able to send the reverse proxy urls to kumactl and kuma-dp so that they can connect to the reverse proxy. Further if reverse proxy supports https termination this PR will help.

kuma-cp <------------ >|reverse -proxy (https)|< ============== >( kumactl/kuma-dp)

I have started with #597, once done i can submit the fix under this PR so that the functionality is better understood.

[jakubdyszkiewicz]

How would the connection to XDS/SDS work here? Don't you have to also configure the equivalent of &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}} in Envoy itself that will connect to XDS/SDS?

[jakubdyszkiewicz]

See CatalogConfig:

type BootstrapApiConfig struct {
	Url string
}

type DataplaneTokenApiConfig struct {
	LocalUrl  string
	PublicUrl string
}

type AdminApiConfig struct {
	LocalUrl  string
	PublicUrl string
}

type MonitoringAssignmentApiConfig struct {
	Url string
}

I think instead of introducing publicUrl in every server it's better to include CatalogConfig to YAML and ENV config. this way you can override the catalog fields with your public URLs.

[sudeeptoroy]

yeah, i can do that..

[sudeeptoroy]

i can make changes for bootstrap and admin url.. how about sds.. i am guessing its going to sit with sdsServer config..

Also if i move the config to catalogConfig it may not very intuitive to the end user as catalog is an internal concept and not exposed to them yet..

[jakubdyszkiewicz]

If you expose it, the catalog will be just a part of Kuma Config.

About XDS/SDS. Why not just set the KUMA_GENERAL_ADVERTISED_HOSTNAME to the address of your reverse proxy for Kuma CP? For API Server/Bootstrap/Admin it didn't work because the change of http:// -> https://, but I think here it should be ok.

[sudeeptoroy]

How would the connection to XDS/SDS work here? Don't you have to also configure the equivalent of &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}} in Envoy itself that will connect to XDS/SDS?

yes, you are right..sds works but xds is still insecure.. and the way to do that would be to extent kuma-dp to take additional arguments via which user can specify the cert/key to use for upgrading the xdx connection.. i wanted to discuss with you before starting the xds work and hence did not include with this PR.. do you have any other suggestion..

[jakubdyszkiewicz]

How would the connection to XDS/SDS work here? Don't you have to also configure the equivalent of &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}} in Envoy itself that will connect to XDS/SDS?

yes, you are right..sds works but xds is still insecure.. and the way to do that would be to extent kuma-dp to take additional arguments via which user can specify the cert/key to use for upgrading the xdx connection.. i wanted to discuss with you before starting the xds work and hence did not include with this PR.. do you have any other suggestion..

SDS is secured, not sure if extra reverse proxy won't break anything here.

About securing XDS. If we are talking about simple TLS, we can follow similar pattern that we've got for SDS which is:

1. either provide cert/key for TLS XDS server or generate it on the fly if not provided
2. Include TLS cert (without key) into bootstrap config for envoy.

This way we don't need to manually distribute certificate next to every Kuma DP instance.

mTLS would be more complicated, but I don't think XDS contains such sensitive data to do mTLS.

[sudeeptoroy]

Hi @jakubdyszkiewicz,

Thanks for your reply, it has clarified few doubt. i would still need suggestion for making further progress on other points.

agreement:
open up catalog for overwriting bootstrap and mads server endpoint.

Let me explain the need for SDS endpoint and XDS client cert for envoy.
I am using contour as my reverse proxy and it exposes backend service's TCP port as a unique fqdn (https://projectcontour.io/docs/v1.3.0/httpproxy/#tcp-proxying). This reverse proxy is configured to supports TLS and https endpoints only.
This poses these 2 requirements:

1. KUMA_GENERAL_ADVERTISED_HOSTNAME config is not good enough for exposing admin and SDS endpoints together and hence i need additional configuration to expose SDS endpoint.
2. XDS server on kuma-cp does not need to support TLS, as TLS initiated by the envoy gets terminated on the reverse proxy. This reverse proxy uses SNI to connect to the right backend. Thus envoy need to support TLS with SNI so that proper routing can happen at the reverse proxy. Envoy can initiate a TLS connection only when it has both cert and key configured. This was the reason i proposed the cert and key location to be a part of kuma-dp command line argument. If the locations of cert and key files are sent over to bootstrap server it can properly template and send back the bootstrap config for envoy.

Let me know your thoughts around it.

[jakubdyszkiewicz]

Thanks for explanation, now I understand more.

SDS needs to be encrypted at all points, because it exchanges sensitive data and it works in a very similar way as XDS, so we probably use the same pattern for both.

With SDS you don't want Contour to terminate TLS, therefore my question: can you use spec.virtualhost.tls.passthrough: true? If so, we could do the variant with securing XDS at all time, provide cert to the CP and embed it in Bootstrap config.

Can the hostname for Admin/SDS/XDS be the same with support for different ports?

[sudeeptoroy]

Thanks for explanation, now I understand more.

SDS needs to be encrypted at all points, because it exchanges sensitive data and it works in a very similar way as XDS, so we probably use the same pattern for both.

With SDS you don't want Contour to terminate TLS, therefore my question: can you use spec.virtualhost.tls.passthrough: true? If so, we could do the variant with securing XDS at all time, provide cert to the CP and embed it in Bootstrap config.

Can the hostname for Admin/SDS/XDS be the same with support for different ports?

Hi @jakubdyszkiewicz,

Thanks for your reply.

1. yes for SDS its passthrough so that the connection terminates on kuma-cp
2. Can the hostname for Admin/SDS/XDS be the same with support for different ports?
   No, each port of the backend requires a new fqdn

I will continue to make progress on XDS and let you know any new findings.
With this commit i have taken care of you previous comments (except xds) and hence its up for review now.

[sudeeptoroy]

hi @jakubdyszkiewicz, this PR is up for review
I have take care of xds too

[jakubdyszkiewicz]

Thanks for moving forward here. It starting to look pretty good!

[jakubdyszkiewicz]

Can we include this in the catalog instead? Just like MADS server.
I think there should be also XDS server there, because my guess is that you would also like to override this.

[sudeeptoroy]

yes, i can move it to catalog seems to be a better place to manage all overwrites.
XDS is derived via AdvertisedHostname. let me know if you are ok to derive from this new variable.

[sudeeptoroy]

Just realised, XDS is a part of bootstrapServer config. Probably we can keep it that way. Let me know.

[jakubdyszkiewicz]

I think you will also want to override the XdsHost and XdsPort, right?

[jakubdyszkiewicz]

can we have a little bit descriptive names like certBytes, err?

[jakubdyszkiewicz]

also I think we should handle this error instead, not ignore it

[sudeeptoroy]

@jakubdyszkiewicz its up for review, the CI did not run for some reason

[jakubdyszkiewicz]

Question, why SDS is configurable from catalog but XDS is not?

[jakubdyszkiewicz]

Can we make this consistent to MonitoringAssignmentApiConfig?
Make this URL and use grpc://host:port format

[jakubdyszkiewicz]

Why are we adding Xds hostname to the SDS Server cert?

[sudeeptoroy]

As XDS is serving TLS so i added xds host to the cert. This created cert can be added to config when kuma-cp starts. It can be removed too. please suggest.

[jakubdyszkiewicz]

Please remove it. If you need such a shared certificate you can generate it yourself pretty easily with kumactl generate tls-certificate providing multiple hostnames.

[sudeeptoroy]

Question, why SDS is configurable from catalog but XDS is not?

xds is already configured via bootstrap config so I have not included it in catalog. I feel XDS config is better with bootstrap config. however let me know your thoughts.
https://github.com/Kong/kuma/blob/master/pkg/config/app/kuma-cp/kuma-cp.defaults.yaml#L62

[jakubdyszkiewicz]

You are right. Bootstrap config is enough there.

[sudeeptoroy]

Hi @jakubdyszkiewicz

I have make the changes you mentioned but the ci is breaking. Any clue on what might be wrong?
upto eb5291e commit the CI was fine.

[subnetmarco]

I just re-run the checks, let's see what happens.

[subnetmarco]

@jakubdyszkiewicz any additional feedback here besides making sure that the checks pass? Is there any documentation that needs to be created in addition to this PR?

[sudeeptoroy]

I just re-run the checks, let's see what happens.

thanks @subnetmarco it failed again at the same place.
it runs quick and fine on my mac, not sure if it uses some cache.

➜  kuma git:(feature/client_https_support) make check BUILD_INFO_VERSION=latest
find ./pkg/config -name '*.pb.go' -delete
find ./pkg/config -name '*.pb.validate.go' -delete
protoc --proto_path=/Users/sudeepto/bin/protobuf.d/include --proto_path=. --proto_path=/Users/sudeepto/Documents/projects/go_projects//pkg/mod/github.com/golang/protobuf@v1.3.2 --proto_path=/Users/sudeepto/Documents/projects/go_projects//pkg/mod/github.com/envoyproxy/protoc-gen-validate@v0.3.0-java --go_out=plugins=grpc:. --validate_out=lang=go:. pkg/config/app/kumactl/v1alpha1/*.proto
protoc --proto_path=/Users/sudeepto/bin/protobuf.d/include --proto_path=. --proto_path=/Users/sudeepto/Documents/projects/go_projects//pkg/mod/github.com/golang/protobuf@v1.3.2 --proto_path=/Users/sudeepto/Documents/projects/go_projects//pkg/mod/github.com/envoyproxy/protoc-gen-validate@v0.3.0-java --go_out=plugins=grpc:. --validate_out=lang=go:. pkg/test/apis/sample/v1alpha1/*.proto
go fmt ./...
make fmt -C pkg/plugins/resources/k8s/native
go fmt ./...
which clang-format && find . -name '*.proto' | xargs -L 1 clang-format -i || true
go vet ./...
make vet -C pkg/plugins/resources/k8s/native
go vet ./...
# re-build `kumactl` binary with a predictable `version`
/Library/Developer/CommandLineTools/usr/bin/make _docs_ BUILD_INFO_VERSION=latest
GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -v -ldflags="-s -w  -X github.com/Kong/kuma/pkg/version.version=latest  -X github.com/Kong/kuma/pkg/version.gitTag=0.4.0-60-g950b0f8d  -X github.com/Kong/kuma/pkg/version.gitCommit=950b0f8dd312b797ff9d7d4bbfc2417f8beedcd6  -X github.com/Kong/kuma/pkg/version.buildDate=2020-04-15T06:19:41Z" -o build/artifacts-darwin-amd64/kumactl/kumactl ./app/kumactl
tools/docs/kumactl/gen_help.sh build/artifacts-darwin-amd64/kumactl/kumactl >docs/cmd/kumactl/HELP.md
/Users/sudeepto/bin/golangci-lint run -v
INFO [config_reader] Config search paths: [./ /Users/sudeepto/Documents/projects/go_projects/src/github.com/kuma /Users/sudeepto/Documents/projects/go_projects/src/github.com /Users/sudeepto/Documents/projects/go_projects/src /Users/sudeepto/Documents/projects/go_projects /Users/sudeepto/Documents/projects /Users/sudeepto/Documents /Users/sudeepto /Users /]
INFO [config_reader] Used config file .golangci.yml
INFO [lintersdb] Active 15 linters: [bodyclose deadcode errcheck gocritic gosimple govet ineffassign misspell staticcheck structcheck typecheck unconvert unused varcheck whitespace]
INFO [loader] Go packages loading at mode 575 (deps|files|imports|name|compiled_files|exports_file|types_sizes) took 1.741146047s
INFO [runner/filename_unadjuster] Pre-built 0 adjustments in 153.916872ms
INFO [runner/unused/goanalysis] analyzers took 0s with no stages
INFO [runner/goanalysis_metalinter/goanalysis] analyzers took 0s with no stages
INFO [runner/skip dirs] Skipped 1 issues from dir pkg/tokens/builtin/server by pattern (^|/)builtin($|/)
INFO [runner] Issues before processing: 45, after processing: 0
INFO [runner] Processors filtering stat (out/in): skip_dirs: 37/38, exclude: 0/29, cgo: 45/45, autogenerated_exclude: 29/37, identifier_marker: 29/29, path_prettifier: 45/45, skip_files: 38/45, filename_unadjuster: 45/45
INFO [runner] processing took 6.911097ms with stages: path_prettifier: 2.644774ms, exclude: 1.097179ms, skip_dirs: 1.096924ms, autogenerated_exclude: 1.043584ms, identifier_marker: 858.732µs, skip_files: 79.865µs, nolint: 44.421µs, cgo: 18.365µs, filename_unadjuster: 7.098µs, diff: 5.658µs, max_same_issues: 4.433µs, max_from_linter: 3.012µs, path_shortener: 1.938µs, source_code: 1.772µs, exclude-rules: 1.306µs, uniq_by_line: 1.188µs, max_per_file_from_linter: 848ns
INFO [runner] linters took 465.257036ms with stages: unused: 419.268587ms, goanalysis_metalinter: 38.766324ms
INFO File cache stats: 0 entries of total size 0B
INFO Memory: 25 samples, avg is 82.7MB, max is 136.3MB
INFO Execution took 2.388291762s
goimports -w -local github.com/Kong/kuma -d `find . -type f -name '*.go' -not -name '*.pb.go' -not -path './vendor/*'`
make generate manifests -C pkg/plugins/resources/k8s/native
/Users/sudeepto/Documents/projects/go_projects//bin/controller-gen object:headerFile=./hack/boilerplate.go.txt paths=./api/...
/Users/sudeepto/Documents/projects/go_projects//bin/controller-gen  rbac:roleName=manager-role webhook paths="./api/...;./controllers/..."
git diff --quiet || test $(git diff --name-only | grep -v -e 'go.mod$' -e 'go.sum$' | wc -l) -eq 0 || ( echo "The following changes (result of code generators and code checks) have been detected:" && git --no-pager diff && false ) # fail if Git working tree is dirty
➜  kuma git:(feature/client_https_support)
➜  kuma git:(feature/client_https_support) git status
On branch feature/client_https_support
Your branch is up to date with 'origin/feature/client_https_support'.

nothing to commit, working tree clean
➜  kuma git:(feature/client_https_support)

[jakubdyszkiewicz]

Just a small change with env vars, other than that it's ok!
Please add a CHANGELOG entry and rebase with origin/master to fix CI.

FYI: in the near future we will be securing all servers with cert. Additionally we might merge servers for easier operations.

[jakubdyszkiewicz]

We name the env vars the same as YAML path, so the env should be KUMA_API_SERVER_CATALOG_BOOTSTRAP_URL
other envs:
KUMA_API_SERVER_CATALOG_MONITORING_ASSIGNMENT_URL
KUMA_API_SERVER_CATALOG_SDS_URL

[jakubdyszkiewicz]

this should be url

[sudeeptoroy]

yeah, not sure how i missed it..

[sudeeptoroy]

Hi @jakubdyszkiewicz, thanks for fixing the CI. Its up for your review.

[jakubdyszkiewicz]

@subnetmarco about docs:
This is a little bit niche case when you run Kuma behind load balancer but you need different URLs for different components, normally you control this with KUMA_GENERAL_HOSTNAME.

About securing XDS server - it's optional for now. I think we should document everything after we put TLS on every server and support this in kumactl/kuma-dp.

[jakubdyszkiewicz]

Thank you for working together on this @sudeeptoroy

Looking forward to your next contributions! 🎉

[sudeeptoroy]

Thank you for working together on this @sudeeptoroy

Looking forward to your next contributions! 🎉

Thanks @jakubdyszkiewicz, i have a few more use case and looking forward to collaborate more closely.

[devadvocado]

@sudeeptoroy, if you're interested in some contributor swag that we're planning right now, shoot me an email at kevin.chen@konghq.com so I make sure you get some once they're ready :) Thanks a bunch for this contribution