Add support for TLSMode.ISTIO_MUTUAL when building cluster config. #5418
Conversation
Also remove the accidetally included port level DR policy istio#5055.
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@rshriram FYI With closer looking at the code, I realized we have to modify |
|
Plugin is invoked for all clusters |
There was a problem hiding this comment.
@rshriram, we are planning to avoid using authn policy for outbound cluster configuration, and require customers to set destination rule accordingly in order to enable mTLS. That's why the authn plugin code for outbound cluster can be removed.
|
The reason for requesting changes is because this can be done cleanly in the plugin by making sure it’s called for all clusters and encapsulating the service account stuff in the auth plugin. |
|
@rshriram you're right on this is called for all clusters including subset. https://github.com/istio/istio/blob/master/pilot/pkg/networking/core/v1alpha3/cluster.go#L114 So the determining config field comes from DR (TLSSettings), the question is who should consume this settings. I agree with @diemtvu that the consumer of this field should be in clusters.go, so the authn only focused on the server authn requirement, and let networking side deal with client settings. This is the intended seperation of client/server we want to have. Will be nice to make implementation aligned with user facing config. If the concern is more of "why networking now needs to know where istio provided key cert live, etc?", we can extract those key certs paths logic and put it somewhere else. @costinm wdyt? Regarding why in master, we plan to make it work E2E first and only after ensuring it works, then merge with release branch.
This is correct... We need to provide something global else after these work... |
|
My point is retain the isDestinationEnabledForMtls. In that function, check global flag or local dest rule that comes as part of the plugin call. Add an extra parameter to plugin calls in cluster.go to supply the destination rule as well. This way, there is very minimal code change |
| @@ -334,47 +325,4 @@ func (Plugin) OnInboundRouteConfiguration(in *plugin.InputParams, route *xdsapi. | |||
| // OnOutboundCluster implements the Plugin interface method. | |||
| func (Plugin) OnOutboundCluster(env model.Environment, node model.Proxy, service *model.Service, | |||
| servicePort *model.Port, cluster *xdsapi.Cluster) { | |||
There was a problem hiding this comment.
change this method signature to take the DestinationRule as well. Same goes for Inboundcluster. Then you can simply do if destRule != nil and destRule.trafficPolicy.TLSmode==istio_mutual then...
don't forget to extract the port specific traffic policy first.
There was a problem hiding this comment.
It seems most TLS related settings are in cluster.go - it may keep them grouped ( and maybe later move to a 'tls.go' plugin). The authentication plugin seems to deal mostly with the auth policies - while cluster with the network destination rules.
There was a problem hiding this comment.
@rshriram could we proceed as it is right now, given other TLSettings mode is also handled in cluster.go? And later if needed extract client tls stuff out into tls.go plugin, suggested by @costinm
I'll send follow-up PR to actually build multi-filter chain + tls sniffing filter, which depends on this one to be checked-in.
Thanks!
There was a problem hiding this comment.
Sure. But can you push this PR to 0.8 as well ? This is independent of any thing else.
Codecov Report
@@ Coverage Diff @@
## master #5418 +/- ##
========================================
+ Coverage 74% 74% +1%
========================================
Files 323 317 -6
Lines 27394 26289 -1105
========================================
- Hits 20123 19420 -703
+ Misses 6480 6140 -340
+ Partials 791 729 -62
Continue to review full report at Codecov.
|
|
|
Also this has nothing to do with tls sniffing. This pr is useful by itself in existing 0.8, where auth overrides tls settings in dest rule. So I still believe that 0.8 is the right place for the ISTIO_mutual stuff. The tls snuffing changes in inbound listener is a different PR In auth plugin isIstioMtlsEnabled(mesh, destrule) |
|
Technically, the approach Shriram suggested could work. However, per discussion with Louis, Costin (meeting note), we want to cleanly separate authn policy to affect server side only, and destination rule to affect client side only. As a result, I think it's make more sense to remove OutboundCluster authn plugin code, to the applyTrafficPolicy module. + @louiscryan @costinm for more comments. We need to infer a 'default' destination rules from the global mesh config flag for now, for backward compatible. However, in the long run, I think we can remove that flag and have customers explicitly submit global authN policy and destination rule for that. |
| @@ -359,6 +362,34 @@ func applyUpstreamTLSSettings(cluster *v2.Cluster, tls *networking.TLSSettings) | |||
| }, | |||
| Sni: tls.Sni, | |||
| } | |||
| case networking.TLSSettings_ISTIO_MUTUAL: | |||
| // TODO(incfly): needs to change when SDS is ready. | |||
| cluster.TlsContext = &auth.UpstreamTlsContext{ | |||
There was a problem hiding this comment.
Maybe change the authN plugin function to a regular function to set these config and call it here. With that, the code that related to Istio-mTLS still stays closed to each other.
| @@ -89,7 +91,8 @@ func (configgen *ConfigGeneratorImpl) buildOutboundClusters(env model.Environmen | |||
|
|
|||
| // create default cluster | |||
| clusterName := model.BuildSubsetKey(model.TrafficDirectionOutbound, "", service.Hostname, port) | |||
| defaultCluster := buildDefaultCluster(env, clusterName, convertResolution(service.Resolution), hosts) | |||
| serviceAccounts := env.ServiceAccounts.GetIstioServiceAccounts(service.Hostname, []string{port.Name}) | |||
| defaultCluster := buildDefaultCluster(env, clusterName, convertResolution(service.Resolution), hosts, serviceAccounts) | |||
There was a problem hiding this comment.
Alternate simpler implementation suggestion: when a destinationrule is obtained, pass it to a convertIstioMtlsToMtls function. This function will simply set the tls mode to mutual with the cert file names using istio certs and SAN field using the service accounts. Once converted, the rest of the code does not need to be changed at all. And if config is nil, create a new dest rule if mesh.mtls is true and set the mTLS settings in the dest rule. This way you don’t have to wire up tnt service accounts everywhere.
In future, if anyone were to add more cluster building code, they wouldn’t have to worry about plumbing service accounts everywhere. If you want, you could add this code directly into model.DestinationRules() such that you don’t even have to change cluster.go
There was a problem hiding this comment.
This indeed remove the service account plumbing. although IMHO override/conversion is less straightforward to understand compared w/ handling everything in a single switch-case.
I'm fine with either one. I can implemented the conversion and remove service account from params.
There was a problem hiding this comment.
I suggest the conversion as it ensures that any other code using cluster.go functions does not end up overriding auth stuff.
There was a problem hiding this comment.
this conversion is better done in cluster.go, instead of model code due to certain wildcard issues in destination rules. But please convert so that you don’t have to push the service account thing into all functions.
There was a problem hiding this comment.
It's a good suggestion. In fact, it's similar to authn policy: when there is no authn policy in CRD, we generate one based on config map settings. May be we can do the same here?
|
@rshriram We also think this is a useful change for 0.8, regardless of tls multiplexing. I'll work on testing this against 0.8 branch and if we can get test passing before release cut, will change this into 0.8. |
|
This change will require customer to set up destination policy to make
authn policy work. I'm just worry that we don't have time to test the whole
thing through, given both DR and authN are relatively new in this release.
I think it's better to have this in 0.8.1.
…On Tue, May 8, 2018 at 2:13 PM Jianfei Hu ***@***.***> wrote:
@rshriram <https://github.com/rshriram> We also think this is a useful
change for 0.8, regardless of tls multiplexing. I'll work on testing this
against 0.8 branch and if we can get test passing before release cut, will
change this into 0.8.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#5418 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AX99cYyoKcEdA8RZxEZZfYAJL3Z5wy2yks5twgpkgaJpZM4TzCmp>
.
--
Diem Vu | Software Engineer | diemvu@google.com | +1 408-215-8127
|
|
There is enough breaking change in 0.8 already. That said this also means that people have to use v1alpha3 in order to do auth. But v1alpha3 is optional in 0.8 and becomes default only in 0.9. So you need a backward compatible way of enabling fleet wide auth in 0.8 (via global config option) |
|
with v1/v1apha1, authN policy will set both client and server side, so it still work without destination rules. Do you think that is enough? |
|
I changed to fill key/cert path in advance, instead of plumbing service account everywhere. I still want to keep ISTIO_MUTUAL separate from MUTUAL because in future when SDS is available we can't use key/certs paths to configure envoy. Also removed the change on buildDefaultCluster, which is used for user app container as cluster as well. And there, we shouldn't add any TLSSettings. |
|
|
||
| // set TLSSettings if configmap global settings specifies MUTUAL_TLS. | ||
| if env.Mesh.AuthPolicy == meshconfig.MeshConfig_MUTUAL_TLS { | ||
| applyUpstreamTLSSettings(defaultCluster, buildIstioMutualTls(upstreamServiceAccounts)) |
There was a problem hiding this comment.
Bug: this cannot be applied for external services. Add a check for service.MeshExternal and skip setting up this istio mutual for default
There was a problem hiding this comment.
I also don’t know how this will work for headless services (ie ones using original dst cluster). You have to enable the auth in headless service test and see. If it fails add a check for original dst cluster here as well, just like the plugin code
There was a problem hiding this comment.
I checked external service now. Sorry for the lack of familiarity, what's the headless services/original dst cluster? is there some field to check, similar as service.MeshExternal?
| if subset.TrafficPolicy.Tls.Mode == networking.TLSSettings_ISTIO_MUTUAL { | ||
| subset.TrafficPolicy.Tls = buildIstioMutualTls(upstreamServiceAccount) | ||
| } | ||
| } |
There was a problem hiding this comment.
This is not enough. We also have port traffic policy - which is port specific traffic policy. See code in this file for example b
There was a problem hiding this comment.
Done.
However, this concerns me that we potentially use TrafficPolicy.TLSSettings in lots of places of DestinationRule, and it's cumbersome to keep the conversion in sync while we're adding other level (label, say), traffic policy override. Unless we do proto reflection to traverse over the DestinationRule and find all fields typed as TLSSettings...
| defaultCluster := buildDefaultCluster(env, clusterName, convertResolution(service.Resolution), hosts) | ||
|
|
||
| // set TLSSettings if configmap global settings specifies MUTUAL_TLS. | ||
| if env.Mesh.AuthPolicy == meshconfig.MeshConfig_MUTUAL_TLS && !service.External() { |
There was a problem hiding this comment.
I think External() works for v1 only. MeshExternal maybe the check you need. + @rshriram to confirm
There was a problem hiding this comment.
Yeah, I found that and changed to MeshExternal in the latest commit.
|
So there's good news and bad news. 👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there. 😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request. Note to project maintainer: This is a terminal state, meaning the |
|
CLAs look good, thanks! |
|
@incfly: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@incfly: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Is (ab)using |
This is for #5059 clean up some behavior before we generate multi filter chains using envoy tls multiplexing.
Authn policy also stops inferring the cluster's tls settings, so the outcome is DR is the only truth where client side tls settings come from.
Why in master: plan of the record, if works fine, can be shipped into 0.8 or 0.8.1 by merging master into release-0.8 branch.
Testing: Manual Testing TODO.