honour subject alt names from service entry #32878
Conversation
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
| @@ -775,6 +776,11 @@ func (cb *ClusterBuilder) buildUpstreamClusterTLSContext(opts *buildClusterOpts, | |||
| CaCertificatePath: tls.CaCertificates, | |||
| } | |||
|
|
|||
| // Use service accounts in service if TLS settings does not have subject alt names for service entries. | |||
| if opts.serviceRegistry == string(serviceregistry.External) && len(tls.SubjectAltNames) == 0 { | |||
| tls.SubjectAltNames = opts.serviceAccounts | |||
There was a problem hiding this comment.
Can you move the tls setting to buildAutoMtlsSettings? It belongs there.
There was a problem hiding this comment.
I do not think it is autoMTLS related. For user specified TLS settings also for service entries if subject alt names are provided there and not in DR - we should handle it. This actually belongs here.
And also we need to handle for TLS SIMPLE as well.
There was a problem hiding this comment.
Actually,in some case the service accounts are already set there. We may need to rename that function
There was a problem hiding this comment.
Here it is not service accounts. It is actually subject alt names given in service entry. During conversion it is stored in service https://github.com/istio/istio/blob/master/pilot/pkg/serviceregistry/serviceentry/conversion.go#L220 and we copy it to opts. So opts.serviceAccounts is actually sANs for SEs - which is confusing but not changed in this PR
There was a problem hiding this comment.
I think both sa and SubjectAltNames are all used to build same field. They should be set when complete tls.
Also we have passed tls setting to buildUpstreamClusterTLSContext, if we set tls again in some case, this is very coupling with buildAutoMtlsSettings
There was a problem hiding this comment.
buildAutoMtlsSettings as is meant today only deals with auto mTLS cases. If we have to do what you are saying we need to change that buildMtlsSettings and take care of SIMPLE also. I can try to refactor that later - but IMO it is not related to this PR.
We do set tls like this - in this method already.
if len(tlsContext.Sni) == 0 {
tlsContext.Sni = c.cluster.Name
}
| @@ -775,6 +776,11 @@ func (cb *ClusterBuilder) buildUpstreamClusterTLSContext(opts *buildClusterOpts, | |||
| CaCertificatePath: tls.CaCertificates, | |||
| } | |||
|
|
|||
| // Use service accounts in service if TLS settings does not have subject alt names for service entries. | |||
There was a problem hiding this comment.
I am a bit confused why we don't need this for the L765 branch?
There was a problem hiding this comment.
I did not know that credential name uses the subject alt names. I think it needs to be added
|
do we have a test for when SAN is set but cacertificates is not? |
I think we do not validate that case. Do you mean to say we validate that add a test case? |
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
|
@howardjohn Think about the "SAN is set but cacertificates is not" - we can not validate that in validation webhook because the SAN and cacertificate can come from two different CRDs. So we will have to think about validating the code. While it is related to this issue - but not caused by this fix (it is latent). I am wondering we should get this in and add that validation in a separate PR? WDYT? @hzxuzhonghu For your point about merging this to buildAutoMTLS - I think if we refactor it to call buildClientTLSSettings and set every thing there - that would work. To simplify backporting of this bug to previous releases, I will do a follow-up once this is merged to refactor that part. WDYT |
|
I just want to make sure we have a test case covering it, not that user facing validation does. |
| @@ -760,7 +762,10 @@ func (cb *ClusterBuilder) buildUpstreamClusterTLSContext(opts *buildClusterOpts, | |||
| CommonTlsContext: &auth.CommonTlsContext{}, | |||
| Sni: tls.Sni, | |||
| } | |||
|
|
|||
| // Use service accounts in service if TLS settings does not have subject alt names for service entries. | |||
| if opts.serviceRegistry == string(serviceregistry.External) && len(tls.SubjectAltNames) == 0 { | |||
There was a problem hiding this comment.
TBH, just feels very weird it has to be aware of the serviceregistry when building cluster tls context.
There was a problem hiding this comment.
That is because of the API we had in service entry - If it is not there we did not have to use it - And we can not set service accounts as subject alt names in all cases (for example user specified TLS etc...). Do you have a better suggestion to handle this?
There was a problem hiding this comment.
Thinking about this - I can think of couple of options
-
https://github.com/istio/api/blob/master/networking/v1alpha3/destination_rule.proto#L961 - instead of override if we append the service entry SANs and DR SANs it might work and we do not need registry check. This is already being done for workload selector based WLE https://github.com/istio/api/blob/master/networking/v1alpha3/service_entry.proto#L953
-
Add a specific field in SubjectAltNames which would be populated from ServiceEntry and use it here i.e. do not reuse ServiceAccounts for SubjectAltNames
|
@howardjohn I thought you are looking for validation. We do have a test that ignores SAN and sets up empty validation context when cacertificate is not specified https://github.com/istio/istio/blob/master/pilot/pkg/networking/core/v1alpha3/cluster_builder_test.go#L1774 |
|
/test gencheck_istio |
|
@howardjohn @hzxuzhonghu can you PTAL when you get chance? |
|
After a retrospect of the original issue, when the user specifies no The fix here is a(dr.ClientTLSSettings) || b(se.SubjectAltNames). , the confusion is when user specifies both a and b simultaneously, only Edited: a takes preference |
only DR takes precedence (user specified) right? That is what this PR does
|
For the second, user explicitly specifies DestinationRule.TLSSetting(which contains no subjectAltNames, i am thinking it means not to verify server certificate san. I am not sure which is the right behavior, no docs say that. |
|
https://github.com/istio/api/blob/master/networking/v1alpha3/service_entry.proto#L953 - for WLEs that have workload selectors we are actually appending SANs given in SE with service accounts. IMO we should do the same for SE/DR. Combine them and present in the validation context. No need to override one with the other. Then code also becomes simpler :-) |
|
One small issue may be that if we merge them then there is no way for the DR to say "do not verify any SANs". I suppose they can just not set caCertificates though |
|
I think specifying empty SAN in DR is not possible even today for service entries. If it is
empty we will just bring it from SE. So I think appending does not create
that new problem especially for service entries. Are you thinking about regular services? For regular services if it is SIMPLE of MUTUAL we do not add service accounts and for ISTIO_MUTUAL we can combine them. That way we do not have any issue. WDYT?
So if you all agree appending is better I will change the PR and update api doc accordingly
|
|
Do we intend to fix this in 1.9 and 1.10? |
|
My plan is to fix in Master first and then possibly backport to 1.10? Any preferences? |
|
@howardjohn @hzxuzhonghu How do we move forward with this? We have couple of options
I think we should go with #1 for now and discuss about changing interpretation of api and implementation as a separate issue. |
|
/test all |
|
/test integ-pilot-multicluster-tests_istio |
|
@howardjohn @hzxuzhonghu gentle ping |
1 similar comment
|
@howardjohn @hzxuzhonghu gentle ping |
|
/retest |
|
/cherry-pick release-1.10 |
|
@Kmoneal: #32878 failed to apply on top of branch "release-1.10": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@Kmoneal: new issue created for failed cherrypick: #33235 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherry-pick release-1.9 |
|
This feels like a big behavioral change for a patch release. Not sure
cherrypick is safe
…On Wed, Jun 2, 2021 at 1:10 PM Kmoneal ***@***.***> wrote:
/cherry-pick release-1.10
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#32878 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYGXKBOHNX7WYDZP4EAN3TQ2F3NANCNFSM444BGW5Q>
.
|
|
@Kmoneal: #32878 failed to apply on top of branch "release-1.9": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@Kmoneal: new issue created for failed cherrypick: #33236 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I agree with the fact that this is a big behavioral change, but it can also present issues for users upgrading in Istio 1.11; I'm assuming we will include this in the Upgrades notes to mitigate this. We can add an analyzer to assess If we do not wish to fix this in 1.9/1.10 we should update the docs for 1.10 to reflect that We won't cherry pick this until we get agreement. Sorry for being too hasty. |
Fixes #32539
[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Pull Request Attributes
Please check any characteristics that apply to this pull request.
[] Does not have any user-facing changes. This may include CLI changes, API changes, behavior changes, performance improvements, etc.