Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dynamically secure RouteGroups using Kubernetes TLS Secrets #2814

Merged
merged 23 commits into from
Jan 9, 2024

Conversation

rickhlx
Copy link
Contributor

@rickhlx rickhlx commented Jan 1, 2024

Closes #2811

@szuecs szuecs added the major moderate risk, for example new API, small filter changes that have no risk like refactoring or logs label Jan 2, 2024
// and adds the TLS secret to the registry if a match is found.
func (r *routeGroups) addRouteGroupTLS(ctx *routeGroupContext, tls *definitions.RouteTLSSpec) {
// Host in the tls section need to explicitly match the host in the RouteGroup
hostlist := compareStringList(tls.Hosts, ctx.routeGroup.Spec.UniqueHosts())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think what we want here is to check if tls.Hosts is a subset of ctx.routeGroup.Spec.UniqueHosts().
compareStringList returns all items from tls.Hosts that are also part of ctx.routeGroup.Spec.UniqueHosts().
So it reduces the hostlist.

Did you do this by intention and I miss something?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We only want to add certs which have a match from from tls.Hosts and the routeGroup hosts, so reducing the list is desired. If there are no matches we log and return, but if there are matches, we use the reduced list to add the matching tls certs to the registry.

We could log the non-matching hosts in tls.hosts to help debugging a miss configuration. What do you think?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes logging makes sense.
I wonder in case of an update that is applied wrong, what we want to have as behavior. For example a timeline like this:

  1. rg foo has tls.hosts foo.example, bar.example and there is a referenced secret that has only these two names foo.example, bar.example as hosts in SAN
  2. rg was updated to add baz.example and remove bar.example in tls.hosts

The current behavior would drop bar.example.

Should this better stop updating it, such that bar.example is not replaced by baz.example ?!

I am thinking of migrations, but can not come up with an idea how this could break less with either case, so from my side we can also just log it.

@AlexanderYastrebov wdyt?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe this should be a part of validator and invalid routegroup should be rejected. We already use validator in webhook and dataclient.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The same is for Ingress - we plan to add ingress validator to dataclient, see #2757

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this something we could handle in a separate PR to keep the scope limited? Happy to work on getting in validator for both Ingress and RouteGroup.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lets have it like it is now (log mismatch) and add tls validation for ingress and routegroup as a future improvement (makes sense after we land #2757).
@MustafaSaber FYI

Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
TLS secrets is optional in the IngressV1 spec, using similar
config for RouteGroups.

Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@szuecs
Copy link
Member

szuecs commented Jan 3, 2024

This is the error:

 go vet ./...
# github.com/zalando/skipper/dataclients/kubernetes
Error: dataclients/kubernetes/ingressv1.go:318:23: call of addTLSCertToRegistry copies lock value: github.com/zalando/skipper/secrets/certregistry.CertRegistry contains sync.Mutex
Error: dataclients/kubernetes/kube.go:601:30: addTLSCertToRegistry passes lock by value: github.com/zalando/skipper/secrets/certregistry.CertRegistry contains sync.Mutex
Error: dataclients/kubernetes/routegroup.go:515:23: call of addTLSCertToRegistry copies lock value: github.com/zalando/skipper/secrets/certregistry.CertRegistry contains sync.Mutex
make: *** [Makefile:127: vet] Error 1
Error: Process completed with exit code 2.

Just pass certregistry.CertRegistry as pointer in ingress and routegroup case

Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
dataclients/kubernetes/kube.go Show resolved Hide resolved
dataclients/kubernetes/ingressv1.go Outdated Show resolved Hide resolved
// and adds the TLS secret to the registry if a match is found.
func (r *routeGroups) addRouteGroupTLS(ctx *routeGroupContext, tls *definitions.RouteTLSSpec) {
// Host in the tls section need to explicitly match the host in the RouteGroup
hostlist := compareStringList(tls.Hosts, ctx.routeGroup.Spec.UniqueHosts())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe this should be a part of validator and invalid routegroup should be rejected. We already use validator in webhook and dataclient.

// and adds the TLS secret to the registry if a match is found.
func (r *routeGroups) addRouteGroupTLS(ctx *routeGroupContext, tls *definitions.RouteTLSSpec) {
// Host in the tls section need to explicitly match the host in the RouteGroup
hostlist := compareStringList(tls.Hosts, ctx.routeGroup.Spec.UniqueHosts())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The same is for Ingress - we plan to add ingress validator to dataclient, see #2757

Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@AlexanderYastrebov
Copy link
Member

Please add missing newlines at the end of test fixtures #2814 (comment) and fix log level #2814 (comment)

LGTM but I think we should land szuecs/routegroup-client#16 first.

Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@szuecs
Copy link
Member

szuecs commented Jan 8, 2024

LGTM but I think we should land szuecs/routegroup-client#16 first.

Why?
I think first data type change then client change.
We don't use the client here.

@AlexanderYastrebov
Copy link
Member

Why?
I think first data type change then client change.
We don't use the client here.

But we generate CRD there. I think we should settle all changes in the client, then copy CRD here, then we can land client PR.

Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@AlexanderYastrebov
Copy link
Member

👍

1 similar comment
@szuecs
Copy link
Member

szuecs commented Jan 9, 2024

👍

@szuecs
Copy link
Member

szuecs commented Jan 9, 2024

thanks for your work!

@szuecs szuecs merged commit cec514c into zalando:master Jan 9, 2024
10 checks passed
@rickhlx rickhlx deleted the routegroup-tls branch January 9, 2024 11:11
@szuecs
Copy link
Member

szuecs commented Jan 9, 2024

AlexanderYastrebov added a commit that referenced this pull request Mar 11, 2024
See changes
* szuecs/routegroup-client#31
* szuecs/routegroup-client#32

It restores a link to the origin removed by #2814
to make it clear that CRD is the copy.

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
AlexanderYastrebov added a commit that referenced this pull request Mar 11, 2024
See changes
* szuecs/routegroup-client#31
* szuecs/routegroup-client#32

It restores a link to the origin removed by #2814
to make it clear that CRD is the copy.

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
major moderate risk, for example new API, small filter changes that have no risk like refactoring or logs
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Secure RouteGroups with Kubernetes TLS Secrets
3 participants