fix(kuma-cp): handle external services with permissive mtls (#7179)
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
jakubdyszkiewicz authored Jul 6, 2023
1 parent de9bba9 commit 6e228b7
Showing 3 changed files with 92 additions and 1 deletion.
6 changes: 5 additions & 1 deletion pkg/xds/context/mesh_context_builder.go
Expand Up @@ -408,7 +408,11 @@ func (m *meshContextBuilder) resolveTLSReadiness(mesh *core_mesh.MeshResource, s
}

for svc, insight := range serviceInsights.Items[0].Spec.GetServices() {
tlsReady[svc] = insight.IssuedBackends[backend.Name] == (insight.Dataplanes.Offline + insight.Dataplanes.Online)
if insight.ServiceType == mesh_proto.ServiceInsight_Service_external {
tlsReady[svc] = true
} else {
tlsReady[svc] = insight.IssuedBackends[backend.Name] == (insight.Dataplanes.Offline + insight.Dataplanes.Online)
}
}
return tlsReady
}
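Review bot: The new `tlsReady[svc] = true` branch for external services gives no reason, and a reader of `tlsReady` elsewhere would otherwise expect it to mean "issued certificates cover every dataplane of the service" as the else branch computes; a one-line why-comment above the `if` is warranted, e.g. `// external services have no mesh dataplanes to be issued certs for, so they do not gate TLS readiness` (wording to be confirmed against how the callers consume tlsReady). The `mesh_proto` identifier is not introduced in this hunk, so presumably it is already imported in mesh_context_builder.go; worth confirming. The enclosing resolveTLSReadiness starts before the hunk.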
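--- a/test/e2e_env/kubernetes/externalservices/permissive_mtls.go
+++ b/test/e2e_env/kubernetes/externalservices/permissive_mtls.go
@@ -0,0 +1,86 @@
+package externalservices
+
+import (
+. "github.com/onsi/ginkgo/v2"
+. "github.com/onsi/gomega"
+
+. "github.com/kumahq/kuma/test/framework"
+"github.com/kumahq/kuma/test/framework/client"
+"github.com/kumahq/kuma/test/framework/deployments/democlient"
+"github.com/kumahq/kuma/test/framework/deployments/testserver"
+"github.com/kumahq/kuma/test/framework/envs/kubernetes"
+)
+
+func PermissiveMTLS() {
+meshName := "perm-external-services"
+namespace := "perm-external-services"
+clientNamespace := "perm-client-external-services"
+
+mesh := `
+apiVersion: kuma.io/v1alpha1
+kind: Mesh
+metadata:
+name: perm-external-services
+spec:
+mtls:
+enabledBackend: ca-1
+backends:
+- name: ca-1
+type: builtin
+mode: PERMISSIVE
+networking:
+outbound:
+passthrough: false
+routing:
+zoneEgress: true
+`
+
+tlsExternalService := `
+apiVersion: kuma.io/v1alpha1
+kind: ExternalService
+mesh: perm-external-services
+metadata:
+name: perm-tls-external-service
+spec:
+tags:
+kuma.io/service: perm-tls-external-service
+kuma.io/protocol: http
+networking:
+address: perm-tls-external-service.perm-external-services.svc.cluster.local:80 # .svc.cluster.local is needed, otherwise Kubernetes will resolve this to the real IP
+tls:
+enabled: true
+`
+
+BeforeAll(func() {
+err := NewClusterSetup().
+Install(YamlK8s(mesh)).
+Install(YamlK8s(tlsExternalService)).
+Install(Namespace(namespace)).
+Install(NamespaceWithSidecarInjection(clientNamespace)).
+Install(democlient.Install(democlient.WithNamespace(clientNamespace), democlient.WithMesh(meshName))).
+Install(testserver.Install(
+testserver.WithNamespace(namespace),
+testserver.WithEchoArgs("--tls", "--crt=/kuma/server.crt", "--key=/kuma/server.key"),
+testserver.WithName("perm-tls-external-service"),
+testserver.WithoutProbes(), // not compatible with TLS
+)).
+Setup(kubernetes.Cluster)
+Expect(err).ToNot(HaveOccurred())
+})
+
+E2EAfterAll(func() {
+Expect(kubernetes.Cluster.TriggerDeleteNamespace(clientNamespace)).To(Succeed())
+Expect(kubernetes.Cluster.TriggerDeleteNamespace(namespace)).To(Succeed())
+Expect(kubernetes.Cluster.DeleteMesh(meshName)).To(Succeed())
+})
+
+It("should access external service", func() {
+Eventually(func(g Gomega) {
+_, err := client.CollectEchoResponse(
+kubernetes.Cluster, "demo-client", "http://perm-tls-external-service.mesh",
+client.FromKubernetesPod(clientNamespace, "demo-client"),
+)
+g.Expect(err).ToNot(HaveOccurred())
+}, "30s", "1s").Should(Succeed())
+})
+}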
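Review bot: The exported `PermissiveMTLS` has no doc comment, and nothing in the test states what property makes the single `It` meaningful: the upstream is started with `--tls` and the ExternalService sets `tls.enabled: true`, so a successful echo response implies the sidecar (or egress) originated TLS to the external service rather than plain HTTP. Add `// PermissiveMTLS verifies that a TLS-enabled ExternalService is reachable from a mesh whose builtin CA runs in PERMISSIVE mode.` above the func, and consider a short comment on the `It` noting that the request can only succeed over TLS because the test server rejects plaintext. The mesh name `perm-external-services` is also duplicated between `meshName` and the two YAML literals; deriving the YAML from the variable would keep them from drifting.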
1 change: 1 addition & 0 deletions test/e2e_env/kubernetes/kubernetes_suite_test.go
Expand Up @@ -67,6 +67,7 @@ var (
_ = Describe("Reachable Services", reachableservices.ReachableServices, Ordered)
_ = Describe("Defaults", defaults.Defaults, Ordered)
_ = Describe("External Services", externalservices.ExternalServices, Ordered)
_ = Describe("External Services Permissive MTLS", externalservices.PermissiveMTLS, Ordered)
_ = Describe("Virtual Outbound", virtualoutbound.VirtualOutbound, Ordered)
_ = Describe("Kong Ingress Controller", Label("arm-not-supported"), kic.KICKubernetes, Ordered)
_ = Describe("MeshTrafficPermission API", meshtrafficpermission.API, Ordered)
