feat(kds): relax tls requirement (#6145)

* feat(kds): relax tls requirement

Signed-off-by: slonka <slonka@users.noreply.github.com>

app/kumactl/cmd/install/install_control_plane_test.go

@@ -200,7 +200,7 @@ var _ = Describe("kumactl install control-plane", func() {
 				"--tls-kds-zone-client-secret", "kds-ca-secret",
 				"--tls-general-ca-secret", "general-tls-secret-ca",
 				"--mode", "zone",
-				"--kds-global-address", "grpcs://192.168.0.1:5685",
+				"--kds-global-address", "grpc://192.168.0.1:5685",
 				"--zone", "zone-1",
 				"--use-node-port",
 				"--experimental-gatewayapi",
@@ -359,9 +359,9 @@ controlPlane:
 			extraArgs: []string{"--kds-global-address", "192.168.0.1:1234", "--mode", "zone", "--zone", "zone-1"},
 			errorMsg:  "unable to parse url: parse \"192.168.0.1:1234\"",
 		}),
-		Entry("--kds-global-address has no grpcs scheme", errTestCase{
+		Entry("--kds-global-address has no grpcs/grpc scheme", errTestCase{
 			extraArgs: []string{"--kds-global-address", "http://192.168.0.1:1234", "--mode", "zone", "--zone", "zone-1"},
-			errorMsg:  "controlPlane.kdsGlobalAddress must be a url with scheme grpcs:// got:'http://192.168.0.1:1234'",
+			errorMsg:  "controlPlane.kdsGlobalAddress must be a url with scheme grpcs:// or grpc:// got:'http://192.168.0.1:1234'",
 		}),
 		Entry("--kds-global-address is used with standalone", errTestCase{
 			extraArgs: []string{"--kds-global-address", "192.168.0.1:1234", "--mode", "standalone"},

app/kumactl/cmd/install/testdata/install-control-plane.overrides.golden.yaml

@@ -413,7 +413,7 @@ spec:
             - name: KUMA_MODE
               value: "zone"
             - name: KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS
-              value: "grpcs://192.168.0.1:5685"
+              value: "grpc://192.168.0.1:5685"
             - name: KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE
               value: "/var/run/secrets/kuma.io/kds-client-tls-cert/ca.crt"
             - name: KUMA_MULTIZONE_ZONE_NAME

deployments/charts/kuma/templates/_helpers.tpl

@@ -188,8 +188,8 @@ returns: formatted image string
     {{ fail "controlPlane.kdsGlobalAddress can't be empty when controlPlane.mode=='zone', needs to be the global control-plane address" }}
   {{ else }}
     {{ $url := urlParse .Values.controlPlane.kdsGlobalAddress }}
-    {{ if not (eq $url.scheme "grpcs") }}
-      {{ $msg := printf "controlPlane.kdsGlobalAddress must be a url with scheme grpcs:// got:'%s'" .Values.controlPlane.kdsGlobalAddress }}
+    {{ if not (or (eq $url.scheme "grpcs") (eq $url.scheme "grpc")) }}
+      {{ $msg := printf "controlPlane.kdsGlobalAddress must be a url with scheme grpcs:// or grpc:// got:'%s'" .Values.controlPlane.kdsGlobalAddress }}
       {{ fail $msg }}
     {{ end }}
   {{ end }}

pkg/config/app/kuma-cp/kuma-cp.defaults.yaml

@@ -415,6 +415,8 @@ multizone:
       refreshInterval: 1s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_REFRESH_INTERVAL
       # Interval for flushing Zone Insights (stats of multi-zone communication)
       zoneInsightFlushInterval: 10s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_ZONE_INSIGHT_FLUSH_INTERVAL
+      # TlsEnabled turns on TLS for KDS
+      tlsEnabled: true # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_ENABLED
       # TlsCertFile defines a path to a file with PEM-encoded TLS cert.
       tlsCertFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE
       # TlsKeyFile defines a path to a file with PEM-encoded TLS key.

pkg/config/loader_test.go

@@ -228,6 +228,7 @@ var _ = Describe("Config loader", func() {
 			Expect(cfg.Multizone.Global.KDS.TlsMinVersion).To(Equal("TLSv1_3"))
 			Expect(cfg.Multizone.Global.KDS.TlsMaxVersion).To(Equal("TLSv1_3"))
 			Expect(cfg.Multizone.Global.KDS.TlsCipherSuites).To(Equal([]string{"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_AES_256_GCM_SHA384"}))
+			Expect(cfg.Multizone.Global.KDS.TlsEnabled).To(Equal(false))
 			Expect(cfg.Multizone.Global.KDS.TlsCertFile).To(Equal("/cert"))
 			Expect(cfg.Multizone.Global.KDS.TlsKeyFile).To(Equal("/key"))
 			Expect(cfg.Multizone.Global.KDS.MaxMsgSize).To(Equal(uint32(1)))
@@ -500,6 +501,7 @@ multizone:
       grpcPort: 1234
       refreshInterval: 2s
       zoneInsightFlushInterval: 5s
+      tlsEnabled: false
       tlsCertFile: /cert
       tlsKeyFile: /key
       tlsMinVersion: TLSv1_3
@@ -756,6 +758,7 @@ proxy:
 				"KUMA_MODE":                                                                                "zone",
 				"KUMA_MULTIZONE_GLOBAL_KDS_GRPC_PORT":                                                      "1234",
 				"KUMA_MULTIZONE_GLOBAL_KDS_REFRESH_INTERVAL":                                               "2s",
+				"KUMA_MULTIZONE_GLOBAL_KDS_TLS_ENABLED":                                                    "false",
 				"KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE":                                                  "/cert",
 				"KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE":                                                   "/key",
 				"KUMA_MULTIZONE_GLOBAL_KDS_TLS_MIN_VERSION":                                                "TLSv1_3",

pkg/config/multizone/kds.go

@@ -15,6 +15,8 @@ type KdsServerConfig struct {
 	RefreshInterval config_types.Duration `json:"refreshInterval" envconfig:"kuma_multizone_global_kds_refresh_interval"`
 	// Interval for flushing Zone Insights (stats of multi-zone communication)
 	ZoneInsightFlushInterval config_types.Duration `json:"zoneInsightFlushInterval" envconfig:"kuma_multizone_global_kds_zone_insight_flush_interval"`
+	// TlsEnabled turns on TLS for KDS
+	TlsEnabled bool `json:"tlsEnabled" envconfig:"kuma_multizone_global_kds_tls_enabled"`
 	// TlsCertFile defines a path to a file with PEM-encoded TLS cert.
 	TlsCertFile string `json:"tlsCertFile" envconfig:"kuma_multizone_global_kds_tls_cert_file"`
 	// TlsKeyFile defines a path to a file with PEM-encoded TLS key.

pkg/config/multizone/multicluster.go

@@ -35,6 +35,7 @@ func DefaultGlobalConfig() *GlobalConfig {
 			GrpcPort:                 5685,
 			RefreshInterval:          config_types.Duration{Duration: 1 * time.Second},
 			ZoneInsightFlushInterval: config_types.Duration{Duration: 10 * time.Second},
+			TlsEnabled:               true,
 			MaxMsgSize:               10 * 1024 * 1024,
 			MsgSendTimeout:           config_types.Duration{Duration: 60 * time.Second},
 			TlsMinVersion:            "TLSv1_2",

pkg/kds/mux/server.go

@@ -88,7 +88,7 @@ func (s *server) Start(stop <-chan struct{}) error {
 		grpc.MaxSendMsgSize(int(s.config.MaxMsgSize)),
 	}
 	grpcOptions = append(grpcOptions, s.metrics.GRPCServerInterceptors()...)
-	if s.config.TlsCertFile != "" {
+	if s.config.TlsCertFile != "" && s.config.TlsEnabled {
 		cert, err := tls.LoadX509KeyPair(s.config.TlsCertFile, s.config.TlsKeyFile)
 		if err != nil {
 			return errors.Wrap(err, "failed to load TLS certificate")

test/e2e/helm/kuma_helm_deploy_global_universal_mode_and_zone.go

@@ -66,6 +66,7 @@ stringData:
 				WithHelmReleaseName(releaseName),
 				WithCPReplicas(2),
 				WithHelmOpt("controlPlane.environment", "universal"),
+				WithHelmOpt("controlPlane.envVars.KUMA_MULTIZONE_GLOBAL_KDS_TLS_ENABLED", "false"),
 				WithHelmOpt("controlPlane.envVars.KUMA_STORE_POSTGRES_HOST", "postgres-release-postgresql"),
 				WithHelmOpt("controlPlane.envVars.KUMA_STORE_POSTGRES_PORT", "5432"),
 				WithHelmOpt("controlPlane.envVars.KUMA_STORE_POSTGRES_USER", "mesh"),
@@ -85,7 +86,7 @@ stringData:
 			Install(Kuma(core.Zone,
 				WithInstallationMode(HelmInstallationMode),
 				WithHelmReleaseName(releaseName),
-				WithGlobalAddress(global.GetKDSServerAddress()),
+				WithGlobalAddress(global.GetKDSInsecureServerAddress()),
 				WithHelmOpt("ingress.enabled", "true"),
 			)).
 			Install(NamespaceWithSidecarInjection(TestNamespace)).

test/framework/interface.go

@@ -557,6 +557,7 @@ type ControlPlane interface {
 	GetName() string
 	GetMetrics() (string, error)
 	GetKDSServerAddress() string
+	GetKDSInsecureServerAddress() string
 	GetGlobalStatusAPI() string
 	GetAPIServerAddress() string
 	GenerateDpToken(mesh, serviceName string) (string, error)

test/framework/k8s_controlplane.go

@@ -208,8 +208,21 @@ func (c *K8sControlPlane) InstallCP(args ...string) (string, error) {
 	return c.kumactl.KumactlInstallCP(c.mode, args...)
 }
 
-// A naive implementation to find the URL where Zone CP exposes its API
+func (c *K8sControlPlane) GetKDSInsecureServerAddress() string {
+	return c.getKDSServerAddress(false)
+}
+
 func (c *K8sControlPlane) GetKDSServerAddress() string {
+	return c.getKDSServerAddress(true)
+}
+
+// A naive implementation to find the URL where Zone CP exposes its API
+func (c *K8sControlPlane) getKDSServerAddress(secure bool) string {
+	var protocol = "grpcs"
+	if !secure {
+		protocol = "grpc"
+	}
+
 	// As EKS and AWS generally returns dns records of load balancers instead of
 	//  IP addresses, accessing this data (hostname) was only tested there,
 	//  so the env var was created for that purpose
@@ -222,11 +235,11 @@ func (c *K8sControlPlane) GetKDSServerAddress() string {
 			address = svc.Status.LoadBalancer.Ingress[0].Hostname
 		}
 
-		return "grpcs://" + address + ":" + strconv.FormatUint(loadBalancerKdsPort, 10)
+		return protocol + "://" + address + ":" + strconv.FormatUint(loadBalancerKdsPort, 10)
 	}
 
 	pod := c.GetKumaCPPods()[0]
-	return "grpcs://" + net.JoinHostPort(
+	return protocol + "://" + net.JoinHostPort(
 		pod.Status.HostIP, strconv.FormatUint(uint64(kdsPort), 10))
 }
 

test/framework/universal_controlplane.go

@@ -52,8 +52,21 @@ func (c *UniversalControlPlane) GetName() string {
 	return c.name
 }
 
+func (c *UniversalControlPlane) GetKDSInsecureServerAddress() string {
+	return c.getKDSServerAddress(false)
+}
+
 func (c *UniversalControlPlane) GetKDSServerAddress() string {
-	return "grpcs://" + net.JoinHostPort(c.cpNetworking.IP, "5685")
+	return c.getKDSServerAddress(true)
+}
+
+func (c *UniversalControlPlane) getKDSServerAddress(secure bool) string {
+	var protocol = "grpcs"
+	if !secure {
+		protocol = "grpc"
+	}
+
+	return protocol + "://" + net.JoinHostPort(c.cpNetworking.IP, "5685")
 }
 
 func (c *UniversalControlPlane) GetGlobalStatusAPI() string {