Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dynamically secure RouteGroups using Kubernetes TLS Secrets #2814

Merged
merged 23 commits into from
Jan 9, 2024
Merged

Dynamically secure RouteGroups using Kubernetes TLS Secrets #2814

merged 23 commits into from
Jan 9, 2024

Conversation

rickhlx
Copy link
Contributor

@rickhlx rickhlx commented Jan 1, 2024

Closes #2811

@szuecs szuecs mentioned this pull request Jan 2, 2024
Merged
@szuecs szuecs added the major moderate risk, for example new API, small filter changes that have no risk like refactoring or logs label Jan 2, 2024
szuecs
szuecs reviewed Jan 2, 2024
View reviewed changes
dataclients/kubernetes/routegroup.go
// and adds the TLS secret to the registry if a match is found.
func (r *routeGroups) addRouteGroupTLS(ctx *routeGroupContext, tls *definitions.RouteTLSSpec) {
// Host in the tls section need to explicitly match the host in the RouteGroup
hostlist := compareStringList(tls.Hosts, ctx.routeGroup.Spec.UniqueHosts())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think what we want here is to check if tls.Hosts is a subset of ctx.routeGroup.Spec.UniqueHosts().
compareStringList returns all items from tls.Hosts that are also part of ctx.routeGroup.Spec.UniqueHosts().
So it reduces the hostlist.

Did you do this by intention and I miss something?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We only want to add certs which have a match from from tls.Hosts and the routeGroup hosts, so reducing the list is desired. If there are no matches we log and return, but if there are matches, we use the reduced list to add the matching tls certs to the registry.

We could log the non-matching hosts in tls.hosts to help debugging a miss configuration. What do you think?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes logging makes sense.
I wonder in case of an update that is applied wrong, what we want to have as behavior. For example a timeline like this:

  1. rg foo has tls.hosts foo.example, bar.example and there is a referenced secret that has only these two names foo.example, bar.example as hosts in SAN
  2. rg was updated to add baz.example and remove bar.example in tls.hosts

The current behavior would drop bar.example.

Should this better stop updating it, such that bar.example is not replaced by baz.example ?!

I am thinking of migrations, but can not come up with an idea how this could break less with either case, so from my side we can also just log it.

@AlexanderYastrebov wdyt?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe this should be a part of validator and invalid routegroup should be rejected. We already use validator in webhook and dataclient.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The same is for Ingress - we plan to add ingress validator to dataclient, see #2757

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this something we could handle in a separate PR to keep the scope limited? Happy to work on getting in validator for both Ingress and RouteGroup.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lets have it like it is now (log mismatch) and add tls validation for ingress and routegroup as a future improvement (makes sense after we land #2757).
@MustafaSaber FYI

@rickhlx
Add RouteGroup tests for securing TLS using secrets
93f2431 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
Add TLS spec for RouteGroups
c71636b 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
Load TLS certs to registry from RouteGroup TLS definition
c358be5 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
Add description to addRouteGroupTLS function
4553fe7 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
Refactor using function to add TLS cert to registry
5c5bca5 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
add fixtures for when no tls secret is defined
5e99692 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
Skip adding cert to registry when no secret is defined
99ac3bf 
TLS secrets is optional in the IngressV1 spec, using similar
config for RouteGroups.

Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
Update RouteGroup CRD with TLS spec
4aca418 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
Fix comments for new functions and typos
f175dd0 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
Use plain value instead of pointer for secretID
bccbca3 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
Use Debug log level when no secrets defined in TLS
2b529a3 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
Log hosts in tls and hosts in route or ingress when no match
ded3e16 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
Add logging for non matching tls and ingress/routegroup
04e8061 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
Remove unneeded deployment definition from tests
0daaddf 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
Update fixture tests with log checks
73aac01 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
Remove all unused Deployments from Ingress fixtures
090e10b 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@szuecs
Copy link
Member

szuecs commented Jan 3, 2024
edited

This is the error:

 go vet ./...
# github.com/zalando/skipper/dataclients/kubernetes
Error: dataclients/kubernetes/ingressv1.go:318:23: call of addTLSCertToRegistry copies lock value: github.com/zalando/skipper/secrets/certregistry.CertRegistry contains sync.Mutex
Error: dataclients/kubernetes/kube.go:601:30: addTLSCertToRegistry passes lock by value: github.com/zalando/skipper/secrets/certregistry.CertRegistry contains sync.Mutex
Error: dataclients/kubernetes/routegroup.go:515:23: call of addTLSCertToRegistry copies lock value: github.com/zalando/skipper/secrets/certregistry.CertRegistry contains sync.Mutex
make: *** [Makefile:127: vet] Error 1
Error: Process completed with exit code 2.

Just pass certregistry.CertRegistry as pointer in ingress and routegroup case

@rickhlx
Fix how cert registry is passed to addTLSCertToRegistry
5795c51 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
AlexanderYastrebov
AlexanderYastrebov reviewed Jan 6, 2024
View reviewed changes
dataclients/kubernetes/kube.go Show resolved Hide resolved
dataclients/kubernetes/ingressv1.go Outdated Show resolved Hide resolved
dataclients/kubernetes/routegroup.go
// and adds the TLS secret to the registry if a match is found.
func (r *routeGroups) addRouteGroupTLS(ctx *routeGroupContext, tls *definitions.RouteTLSSpec) {
// Host in the tls section need to explicitly match the host in the RouteGroup
hostlist := compareStringList(tls.Hosts, ctx.routeGroup.Spec.UniqueHosts())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe this should be a part of validator and invalid routegroup should be rejected. We already use validator in webhook and dataclient.

dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.log Outdated Show resolved Hide resolved
dataclients/kubernetes/testdata/ingressV1/tls/tls-host-mismatch.yaml Show resolved Hide resolved
dataclients/kubernetes/testdata/ingressV1/tls/tls-missing-host.log Outdated Show resolved Hide resolved
dataclients/kubernetes/routegroup.go
// and adds the TLS secret to the registry if a match is found.
func (r *routeGroups) addRouteGroupTLS(ctx *routeGroupContext, tls *definitions.RouteTLSSpec) {
// Host in the tls section need to explicitly match the host in the RouteGroup
hostlist := compareStringList(tls.Hosts, ctx.routeGroup.Spec.UniqueHosts())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The same is for Ingress - we plan to add ingress validator to dataclient, see #2757

@rickhlx
Add missing newlines for ingress tls fixtures
9bf60a0 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
Add local variable for ingress hosts in addSpecIngressTLSV1
31348fc 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@AlexanderYastrebov
Copy link
Member

Please add missing newlines at the end of test fixtures #2814 (comment) and fix log level #2814 (comment)

LGTM but I think we should land szuecs/routegroup-client#16 first.

@rickhlx
Log Error when no TLS hosts match Ingress and RouteGroups hosts
d9671ac 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
Add missing newlines to fixture log files
2ceba75 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx
Update fixture for tests for error log
0e82071 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@szuecs
Copy link
Member

szuecs commented Jan 8, 2024

LGTM but I think we should land szuecs/routegroup-client#16 first.

Why?
I think first data type change then client change.
We don't use the client here.

@AlexanderYastrebov
Copy link
Member

Why?
I think first data type change then client change.
We don't use the client here.

But we generate CRD there. I think we should settle all changes in the client, then copy CRD here, then we can land client PR.

@rickhlx
Update with latest version of routegroup_crd
6750482 
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@AlexanderYastrebov
Copy link
Member

👍

1 similar comment
@szuecs
Copy link
Member

szuecs commented Jan 9, 2024

👍

@szuecs
Copy link
Member

szuecs commented Jan 9, 2024

thanks for your work!

@szuecs szuecs merged commit cec514c into zalando:master Jan 9, 2024
10 checks passed
@rickhlx rickhlx deleted the routegroup-tls branch January 9, 2024 11:11
@szuecs
Copy link
Member

szuecs commented Jan 9, 2024

I tagged the merged PR commit with https://github.com/szuecs/routegroup-client/releases/tag/v0.23.0

AlexanderYastrebov added a commit that referenced this pull request Mar 11, 2024
@AlexanderYastrebov
crd: update RouteGroup CRD
6b4fec4 
See changes
* szuecs/routegroup-client#31
* szuecs/routegroup-client#32

It restores a link to the origin removed by #2814
to make it clear that CRD is the copy.

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
@AlexanderYastrebov AlexanderYastrebov mentioned this pull request Mar 11, 2024
Merged
AlexanderYastrebov added a commit that referenced this pull request Mar 11, 2024
@AlexanderYastrebov
crd: update RouteGroup CRD (#2982)
e8b8d4d 
See changes
* szuecs/routegroup-client#31
* szuecs/routegroup-client#32

It restores a link to the origin removed by #2814
to make it clear that CRD is the copy.

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@szuecs szuecs szuecs left review comments

@AlexanderYastrebov AlexanderYastrebov AlexanderYastrebov left review comments

Assignees
No one assigned
Labels
major moderate risk, for example new API, small filter changes that have no risk like refactoring or logs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Secure RouteGroups with Kubernetes TLS Secrets
3 participants
@rickhlx @szuecs @AlexanderYastrebov