Maistra 2.2 istio-csr support #890
Conversation
|
Hi @SpectralHiss. Thanks for your PR. I'm waiting for a maistra member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Q for @luksa, i saw that you just recently updated the scaffolding for the 2.2 release, I have rebased on top of that and the makefile build works 🥳 If these tags are cut later in the release process, is there another 2.2 branch "build" version so I can progress with testing the operator through patching the olm related manifests? Thanks in advance 😄 |
|
Never mind i think i can just build my own SNAPSHOT builds and patch until we get to the actual release cutting.. I think I cannot run build the rhel image from the opensource maistra/istio repo, hope the centos 8 image will do 🤔 |
|
Managed to test ok on 2.2 however there were some hickups with some empty envs for mutatingwebhookconfigname and validatingwebhookconfigname as well as some rbac, I will be checking that closely on integration time |
SpectralHiss
force-pushed
the
hef/maistra-2.2-cert-manager-istio-csr-support
branch
from
8f82caa
to
dae00ba
Compare
|
So i've added all the required unit tests for conversion from securityconfig -> helm and the reverse path, the particular unit test is passing: I am getting some other go code warnings in zz_generate deepcopy stuff.. i am not sure how relevant those are, it builds end to end on the cluster except for some webhookconfig env vars that are set to nil (which I assume is a WIP on maistra-2.2). So assuming these are all upstream wip, I guess this is ready to start having a first past? I will be doing a website PR explaining the new field later, I am off rest of this week and next, but please let me know of any release related tasks I need to do regardless!. |
SpectralHiss
changed the title
|
/ok-to-test |
| @@ -0,0 +1,2040 @@ | |||
| //go:build !ignore_autogenerated | |||
There was a problem hiding this comment.
Ah sorry i didn't realise i checked these in
There was a problem hiding this comment.
strange, my CI failure is saying:
"ERROR: Some files need to be updated, please run 'make gen' and include any changed files in your PR"
And make gen creates those files, what's going on here 😕
There was a problem hiding this comment.
I cleared what seems like rubish from a stray go build run.. but it's still erroring on deep copy methods derived from new struct fields .. i am missing something about the workflow here I believe.
|
Only seeing this now. Are you planning on reopening istio/istio#37264? |
Yeah good point, the PR fell inactive but in principle, all PR comments by the core team were addressed, it's good for us to get it in later k8s so we don't have to maintain the sed patch! |
SpectralHiss
force-pushed
the
hef/maistra-2.2-cert-manager-istio-csr-support
branch
from
1a53609
to
e90e5a2
Compare
|
@SpectralHiss: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@dgn I don't see how the gen_check step can pass since it's checking out maistra-2.2 and doing a diff check after gen which is not going to be the same as I introduces new security certificateauthority type.. is there a step I missed for this build? Another question I have is about support for 2.1 would I need to backport these changes on 2.1 branch as well? i had a conversation with Jamie Longmuir (paraphrasing slightly) We will be into our QE cycle before the 2.2 release. If this can't make that release, we will likely need to do a 2.2.1 and 2.1.3 minor release not too long afterward." mentioning @rcernich |
| @@ -10698,7 +10716,8 @@ spec: | |||
| serviceAccountName: istio-operator | |||
| containers: | |||
| - name: istio-operator | |||
| image: quay.io/maistra/istio-ubi8-operator:2.2.0 | |||
| #image: quay.io/maistra/istio-ubi8-operator:2.2.0 | |||
| image: maistradev.azurecr.io/istio-operator:latest | |||
There was a problem hiding this comment.
This needs to be removed before it can be merged.
| extraArgs[2] = "--caCertFile=/etc/cert-manager/ca/root-cert.pem" | ||
| } else { | ||
| fmt.Printf(`Warning! using istiod-tls ca.crt key as root of trust for mesh,\ | ||
| this will likely work but is not a recomended Trust On First Use pattern. Set rootCAConfigMapName to 'istio-ca-root-cert' instead`) |
There was a problem hiding this comment.
Is this something that we'd want to validate, i.e. prevent the user from creating an invalid SMCP?
There was a problem hiding this comment.
It technically isn't incorrect but it's a less secure configuration, I am okay to enforce this as a hard gate if you'd like
| // .Values.global.caAddress | ||
| Address string `json:"address,omitempty"` | ||
| PilotCertSecretName string `json:"pilotSecretName,omitempty"` | ||
| RootCAConfigMapName string `json:"rootCAConfigMapName,omitempty"` |
There was a problem hiding this comment.
Would it be easier to use the default cacerts? Is the issue that the root CA gets configured into a ConfigMap resource instead of a Secret? Seems like if the Certificate were configured to use cacerts as the secret, everything would work without the extra volume mounts.
There was a problem hiding this comment.
The trouble is that the cacerts configmap is designed to load an external plugin CA root (private key and cert) which is then used by pilot to sign all future csr including it's own serving cert., this is a less secure version of what istio-csr does. I believe It's not possible to have istio-csr work using that parameter
The parameters above are needed by istio-csr, it assumes an existing external CA issuer (handled by cert-manager), but still needs to manually inject the pilot server serving cert. which has already been signed by the external CA (istio-csr handles this automatically on chart install). This is currently the only way to install istio-csr in the upstream istio too.
We do not use any injected CA to sign any new secrets but just as a trust bundle anchor, every new cert when signed goes directly to our istio-csr server for signing where it's paired with a cert-manager issuer.
here's a process diagram of a CSR during execution time:
During configuration what happens when you set cacerts is that pilot starts to generate their own signing cert, assuming basically that you're still using citadel for signing.
I've spent a decent amount of time trying to hack around the cacerts configmap along with the existing "custom" method to fit our use case to no avail.
I am pretty confident this is the only way but happy to be wrong on this!
If you still think this is wrong could you care to explain to me at a high level how each component will be configured? ie. what fields will be set in cacerts and roughly how the istio-csr config would work?
For more details on overall design options we explored: https://docs.google.com/document/d/1CwACez6pFPi_z3CFY1bB4HwIbwT3VQOz_NDUn3cQqv0/edit#
|
Regarding version support, the operator is designed to support multiple install versions, so having this in 2.2 would still support users running 2.1 control planes. That said, the charts are version specific, so there may be some work to do there. I added a comment about the need to have volume mounts for the certs/keys and was wondering if using the default cacerts named secret might make things simpler, at least initially, as it wouldn't require any chart changes. |
I had initially also implemented this for 2.1, it should be possible to retrofit the sed hacks to older charts with minimal effort but does that break any release assumptions? As for the code, I am confident that we can implement pretty much exactly the same code and add this as part of a new 2.1 patch release. I am happy to start porting, although I have been slightly guessing at the release process and would like a bit more guidance if at all possible. |
|
Hey @SpectralHiss, thanks for working on this and for being patient with us. This looks pretty good to me. I only have two (hopefully small) requests, and one question:
Hopefully, we can get this merged in the next week or so. Thanks again! |
Hi , great to see you're still keeping a close eye on this, I will look actively at porting the changes to 2-3 next week, when is the code-freeze date for that and which upstream version is it targeting? |
|
Hey @SpectralHiss, I've rebased this against 2.3 and have made the changes above. I just need to get some eyes on it and hopefully we can get it merged next week (or sooner). Thanks again for the contribution, and sorry it's taken so long for us to get back to you. Here's the other PR. We can go with that if you want, or you can update this one. Your call. |
|
@SpectralHiss: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Hey again, be advised that the upstream istio pr has been finally merged 🥳 istio/istio#39375 , I will check which version this will be cut in but i think it's 1.17 (maybe 1.16) , once you'll be targeting that version there will be some simplifications to make to the chart overlay code, so we need to monitor closely for that PR! |
|
Happy to close this PR, as the work was ported and merged here #1005, |
|
Sounds good. We'll make a note to make the necessary changes when we update onto 1.16/17. Thanks @SpectralHiss for the contribution, and I'm sorry that it took us so long to get it merged. Thanks for sticking with it. |
This PR is still work in progress! it aims to provide the cert-manager certificate authority method to Maistra through a high level convenient API.
It is essentially simplifying the mesh configuration with istio-csr through exposing few simple parameters like ca address and pilot secret.
The pilot secret mounting for the serving cert has presented many difficulties and was the initial reason this was not possible to do natively in Maistra. Maistra is an operator for the helm chart and doesn't provide the same overlays method that IstioOperator API provides, so we had to supply these parameters ourselves. original issue: https://issues.redhat.com/browse/MAISTRA-2592
While we wait for more native support for the helm chart in istio/istio#37264 , we missed the likely istio version target for this 2.2 release and instead expose the exact same parameters through a sed patch of the helm chart.
Todo: