Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Re-Enable Secure Upstream Annotation #3287

Closed
wants to merge 1 commit into from
Closed

Re-Enable Secure Upstream Annotation #3287

wants to merge 1 commit into from

Conversation

diazjf
Copy link

@diazjf diazjf commented Oct 24, 2018

Renables the secure-verify-ca-secret annotation. This annotation allows a CA to be verified against a service. Also adds e2e tests.

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Oct 24, 2018
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Oct 24, 2018
@diazjf
Copy link
Author

diazjf commented Oct 24, 2018

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 24, 2018
@diazjf diazjf force-pushed the redirect-https branch 2 times, most recently from 977f055 to 8fdd346 Compare October 25, 2018 18:54
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 25, 2018
@diazjf diazjf force-pushed the redirect-https branch 4 times, most recently from 06ff842 to 28da226 Compare October 26, 2018 01:23
@aledbf
Copy link
Member

aledbf commented Oct 26, 2018

@diazjf please rebase to fix the e2e issue

@diazjf
Copy link
Author

diazjf commented Oct 26, 2018

/hold remove

@diazjf
Copy link
Author

diazjf commented Oct 26, 2018

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 26, 2018
@diazjf
Copy link
Author

diazjf commented Oct 26, 2018

/assign @aledbf

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: diazjf
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: aledbf

If they are not already assigned, you can assign the PR to them by writing /assign @aledbf in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@diazjf diazjf force-pushed the redirect-https branch 3 times, most recently from 71c70b6 to 9ce30cb Compare October 30, 2018 21:35
@diazjf
Copy link
Author

diazjf commented Oct 31, 2018

@aledbf updated the tests. This one should be good to go.

@aledbf
Copy link
Member

aledbf commented Oct 31, 2018

@diazjf please add a request and assertion/s to make sure the certificate is being used

@diazjf
Copy link
Author

diazjf commented Oct 31, 2018

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 31, 2018
@diazjf
Copy link
Author

diazjf commented Oct 31, 2018

@aledbf since the certificate is being verified against a service, will I need to create a service which uses a particular CA or do we have that available?

@diazjf diazjf force-pushed the redirect-https branch 5 times, most recently from 2ec220c to 6815bb2 Compare November 1, 2018 22:57
@diazjf
Copy link
Author

diazjf commented Nov 2, 2018

/hold remove

@diazjf
Copy link
Author

diazjf commented Nov 2, 2018

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 2, 2018
diazjf
diazjf commented Nov 4, 2018
View reviewed changes
test/e2e/annotations/secureupstream.go Outdated
Set("Host", host).
End()
Expect(len(errs)).Should(BeNumerically("==", 0))
for _, pc := range resp.TLS.PeerCertificates {
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aledbf is this what you had in mind?

@diazjf diazjf force-pushed the redirect-https branch 2 times, most recently from e79bc5c to 8696e74 Compare November 12, 2018 03:42
@diazjf diazjf mentioned this pull request Nov 12, 2018
Closed
61 tasks
@diazjf
Copy link
Author

diazjf commented Nov 12, 2018

@aledbf @ElvinEfendi Ready for review.

ElvinEfendi
ElvinEfendi reviewed Nov 13, 2018
View reviewed changes
test/e2e/annotations/secureupstream.go Outdated

annotations := map[string]string{
"nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
"nginx.ingress.kubernetes.io/secure-verify-ca-secret": host,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The secret host is used for communication between client and ingress-nginx, can you use another secret here to make it realistic? (I actually expect the test to fail when you use a different secret, because the secret won't be available in the pod)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ElvinEfendi updated the PR with your suggestions, however I'm not sure how to check that the certificate is being proxied by NGINX. I have the tests just make sure that the configuration is generated, and we trust nginx to pass it to the upstream.

@ElvinEfendi
Copy link
Member

Can you add some docs? How does this work, should the user first create secret and manually mount it to ingress-nginx pods first and then configure annotation to refer to that secret?

FWIW we use:

      proxy_ssl_verify              on;
      proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
      proxy_ssl_verify_depth        2;

@diazjf
Copy link
Author

diazjf commented Nov 14, 2018

Can you add some docs? How does this work, should the user first create secret and manually mount it to ingress-nginx pods first and then configure annotation to refer to that secret?

FWIW we use:

      proxy_ssl_verify              on;
      proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
      proxy_ssl_verify_depth        2;

Sure I can add some docs as well as proxy_ssl_verify_depth 2; by default. In the future I can add an annotation to configure this.

Re-Enable Secure Upstream Annotation
4c8f862 
Renables the secure-verify-ca-secret annotation. This annotation
allows a CA to be verified against a service. Also adds e2e tests.
@diazjf
Copy link
Author

diazjf commented Nov 16, 2018

/assign @ElvinEfendi

ElvinEfendi
ElvinEfendi reviewed Nov 18, 2018
View reviewed changes
docs/examples/auth/client-certs/ingress2.yaml
annotations:
# Create the secret containing the trusted ca certificates
nginx.ingress.kubernetes.io/secure-verify-ca-secret: "ca-secret"
# Setup the backend protocol, must be either "HTTPS" or "GRPC".
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this not be GRPCS instead of GRPC?

ElvinEfendi
ElvinEfendi reviewed Nov 18, 2018
View reviewed changes
docs/examples/auth/client-certs/ingress2.yaml
paths:
- backend:
serviceName: http-svc:80
servicePort: 80
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

80? not 443?

ElvinEfendi
ElvinEfendi reviewed Nov 18, 2018
View reviewed changes
test/e2e/annotations/secureupstream.go

f.WaitForNginxServer(host,
func(server string) bool {
return strings.Contains(server, proxySslTrustedCertificate) && strings.Contains(server, proxySslVerify) && strings.Contains(server, proxySslVerifyDepth)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please break this into multiple lines

ElvinEfendi
ElvinEfendi reviewed Nov 18, 2018
View reviewed changes
test/e2e/annotations/secureupstream.go
f.WaitForNginxServer(host,
func(server string) bool {
return strings.Contains(server, proxySslTrustedCertificate) && strings.Contains(server, proxySslVerify) && strings.Contains(server, proxySslVerifyDepth)
})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we also send a request and assert that it is successfully proxied all the way to the echo server?

@diazjf diazjf closed this Dec 18, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ElvinEfendi ElvinEfendi ElvinEfendi left review comments

@antoineco antoineco Awaiting requested review from antoineco

Assignees

@aledbf aledbf

@ElvinEfendi ElvinEfendi

Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@diazjf @aledbf @k8s-ci-robot @ElvinEfendi