Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(kds): relax tls requirement #6145

Merged
merged 9 commits into from
Feb 28, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions app/kumactl/cmd/install/install_control_plane_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -200,7 +200,7 @@ var _ = Describe("kumactl install control-plane", func() {
"--tls-kds-zone-client-secret", "kds-ca-secret",
"--tls-general-ca-secret", "general-tls-secret-ca",
"--mode", "zone",
"--kds-global-address", "grpcs://192.168.0.1:5685",
"--kds-global-address", "grpc://192.168.0.1:5685",
"--zone", "zone-1",
"--use-node-port",
"--experimental-gatewayapi",
Expand Down Expand Up @@ -359,9 +359,9 @@ controlPlane:
extraArgs: []string{"--kds-global-address", "192.168.0.1:1234", "--mode", "zone", "--zone", "zone-1"},
errorMsg: "unable to parse url: parse \"192.168.0.1:1234\"",
}),
Entry("--kds-global-address has no grpcs scheme", errTestCase{
Entry("--kds-global-address has no grpcs/grpc scheme", errTestCase{
extraArgs: []string{"--kds-global-address", "http://192.168.0.1:1234", "--mode", "zone", "--zone", "zone-1"},
errorMsg: "controlPlane.kdsGlobalAddress must be a url with scheme grpcs:// got:'http://192.168.0.1:1234'",
errorMsg: "controlPlane.kdsGlobalAddress must be a url with scheme grpcs:// or grpc:// got:'http://192.168.0.1:1234'",
}),
Entry("--kds-global-address is used with standalone", errTestCase{
extraArgs: []string{"--kds-global-address", "192.168.0.1:1234", "--mode", "standalone"},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -407,7 +407,7 @@ spec:
- name: KUMA_MODE
value: "zone"
- name: KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS
value: "grpcs://192.168.0.1:5685"
value: "grpc://192.168.0.1:5685"
- name: KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE
value: "/var/run/secrets/kuma.io/kds-client-tls-cert/ca.crt"
- name: KUMA_MULTIZONE_ZONE_NAME
Expand Down
4 changes: 2 additions & 2 deletions deployments/charts/kuma/templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -188,8 +188,8 @@ returns: formatted image string
{{ fail "controlPlane.kdsGlobalAddress can't be empty when controlPlane.mode=='zone', needs to be the global control-plane address" }}
{{ else }}
{{ $url := urlParse .Values.controlPlane.kdsGlobalAddress }}
{{ if not (eq $url.scheme "grpcs") }}
{{ $msg := printf "controlPlane.kdsGlobalAddress must be a url with scheme grpcs:// got:'%s'" .Values.controlPlane.kdsGlobalAddress }}
{{ if not (or (eq $url.scheme "grpcs") (eq $url.scheme "grpc")) }}
{{ $msg := printf "controlPlane.kdsGlobalAddress must be a url with scheme grpcs:// or grpc:// got:'%s'" .Values.controlPlane.kdsGlobalAddress }}
{{ fail $msg }}
{{ end }}
{{ end }}
Expand Down
2 changes: 2 additions & 0 deletions pkg/config/app/kuma-cp/kuma-cp.defaults.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -415,6 +415,8 @@ multizone:
refreshInterval: 1s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_REFRESH_INTERVAL
# Interval for flushing Zone Insights (stats of multi-zone communication)
zoneInsightFlushInterval: 10s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_ZONE_INSIGHT_FLUSH_INTERVAL
# TlsEnabled turns on TLS for KDS
tlsEnabled: true # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_ENABLED
# TlsCertFile defines a path to a file with PEM-encoded TLS cert.
tlsCertFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE
# TlsKeyFile defines a path to a file with PEM-encoded TLS key.
Expand Down
3 changes: 3 additions & 0 deletions pkg/config/loader_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -228,6 +228,7 @@ var _ = Describe("Config loader", func() {
Expect(cfg.Multizone.Global.KDS.TlsMinVersion).To(Equal("TLSv1_3"))
Expect(cfg.Multizone.Global.KDS.TlsMaxVersion).To(Equal("TLSv1_3"))
Expect(cfg.Multizone.Global.KDS.TlsCipherSuites).To(Equal([]string{"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_AES_256_GCM_SHA384"}))
Expect(cfg.Multizone.Global.KDS.TlsEnabled).To(Equal(false))
Expect(cfg.Multizone.Global.KDS.TlsCertFile).To(Equal("/cert"))
Expect(cfg.Multizone.Global.KDS.TlsKeyFile).To(Equal("/key"))
Expect(cfg.Multizone.Global.KDS.MaxMsgSize).To(Equal(uint32(1)))
Expand Down Expand Up @@ -500,6 +501,7 @@ multizone:
grpcPort: 1234
refreshInterval: 2s
zoneInsightFlushInterval: 5s
tlsEnabled: false
tlsCertFile: /cert
tlsKeyFile: /key
tlsMinVersion: TLSv1_3
Expand Down Expand Up @@ -756,6 +758,7 @@ proxy:
"KUMA_MODE": "zone",
"KUMA_MULTIZONE_GLOBAL_KDS_GRPC_PORT": "1234",
"KUMA_MULTIZONE_GLOBAL_KDS_REFRESH_INTERVAL": "2s",
"KUMA_MULTIZONE_GLOBAL_KDS_TLS_ENABLED": "false",
"KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE": "/cert",
"KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE": "/key",
"KUMA_MULTIZONE_GLOBAL_KDS_TLS_MIN_VERSION": "TLSv1_3",
Expand Down
2 changes: 2 additions & 0 deletions pkg/config/multizone/kds.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@ type KdsServerConfig struct {
RefreshInterval config_types.Duration `json:"refreshInterval" envconfig:"kuma_multizone_global_kds_refresh_interval"`
// Interval for flushing Zone Insights (stats of multi-zone communication)
ZoneInsightFlushInterval config_types.Duration `json:"zoneInsightFlushInterval" envconfig:"kuma_multizone_global_kds_zone_insight_flush_interval"`
// TlsEnabled turns on TLS for KDS
TlsEnabled bool `json:"tlsEnabled" envconfig:"kuma_multizone_global_kds_tls_enabled"`
// TlsCertFile defines a path to a file with PEM-encoded TLS cert.
TlsCertFile string `json:"tlsCertFile" envconfig:"kuma_multizone_global_kds_tls_cert_file"`
// TlsKeyFile defines a path to a file with PEM-encoded TLS key.
Expand Down
1 change: 1 addition & 0 deletions pkg/config/multizone/multicluster.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ func DefaultGlobalConfig() *GlobalConfig {
GrpcPort: 5685,
RefreshInterval: config_types.Duration{Duration: 1 * time.Second},
ZoneInsightFlushInterval: config_types.Duration{Duration: 10 * time.Second},
TlsEnabled: true,
MaxMsgSize: 10 * 1024 * 1024,
MsgSendTimeout: config_types.Duration{Duration: 60 * time.Second},
TlsMinVersion: "TLSv1_2",
Expand Down
2 changes: 1 addition & 1 deletion pkg/kds/mux/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ func (s *server) Start(stop <-chan struct{}) error {
grpc.MaxSendMsgSize(int(s.config.MaxMsgSize)),
}
grpcOptions = append(grpcOptions, s.metrics.GRPCServerInterceptors()...)
if s.config.TlsCertFile != "" {
if s.config.TlsCertFile != "" && s.config.TlsEnabled {
cert, err := tls.LoadX509KeyPair(s.config.TlsCertFile, s.config.TlsKeyFile)
if err != nil {
return errors.Wrap(err, "failed to load TLS certificate")
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ stringData:
WithHelmReleaseName(releaseName),
WithCPReplicas(2),
WithHelmOpt("controlPlane.environment", "universal"),
WithHelmOpt("controlPlane.envVars.KUMA_MULTIZONE_GLOBAL_KDS_TLS_ENABLED", "false"),
WithHelmOpt("controlPlane.envVars.KUMA_STORE_POSTGRES_HOST", "postgres-release-postgresql"),
WithHelmOpt("controlPlane.envVars.KUMA_STORE_POSTGRES_PORT", "5432"),
WithHelmOpt("controlPlane.envVars.KUMA_STORE_POSTGRES_USER", "mesh"),
Expand All @@ -85,7 +86,7 @@ stringData:
Install(Kuma(core.Zone,
WithInstallationMode(HelmInstallationMode),
WithHelmReleaseName(releaseName),
WithGlobalAddress(global.GetKDSServerAddress()),
WithGlobalAddress(global.GetKDSInsecureServerAddress()),
WithHelmOpt("ingress.enabled", "true"),
)).
Install(NamespaceWithSidecarInjection(TestNamespace)).
Expand Down
1 change: 1 addition & 0 deletions test/framework/interface.go
Original file line number Diff line number Diff line change
Expand Up @@ -557,6 +557,7 @@ type ControlPlane interface {
GetName() string
GetMetrics() (string, error)
GetKDSServerAddress() string
GetKDSInsecureServerAddress() string
GetGlobalStatusAPI() string
GetAPIServerAddress() string
GenerateDpToken(mesh, serviceName string) (string, error)
Expand Down
19 changes: 16 additions & 3 deletions test/framework/k8s_controlplane.go
Original file line number Diff line number Diff line change
Expand Up @@ -208,8 +208,21 @@ func (c *K8sControlPlane) InstallCP(args ...string) (string, error) {
return c.kumactl.KumactlInstallCP(c.mode, args...)
}

// A naive implementation to find the URL where Zone CP exposes its API
func (c *K8sControlPlane) GetKDSInsecureServerAddress() string {
return c.getKDSServerAddress(false)
}

func (c *K8sControlPlane) GetKDSServerAddress() string {
return c.getKDSServerAddress(true)
}

// A naive implementation to find the URL where Zone CP exposes its API
func (c *K8sControlPlane) getKDSServerAddress(secure bool) string {
var protocol = "grpcs"
if !secure {
protocol = "grpc"
}

// As EKS and AWS generally returns dns records of load balancers instead of
// IP addresses, accessing this data (hostname) was only tested there,
// so the env var was created for that purpose
Expand All @@ -222,11 +235,11 @@ func (c *K8sControlPlane) GetKDSServerAddress() string {
address = svc.Status.LoadBalancer.Ingress[0].Hostname
}

return "grpcs://" + address + ":" + strconv.FormatUint(loadBalancerKdsPort, 10)
return protocol + "://" + address + ":" + strconv.FormatUint(loadBalancerKdsPort, 10)
}

pod := c.GetKumaCPPods()[0]
return "grpcs://" + net.JoinHostPort(
return protocol + "://" + net.JoinHostPort(
pod.Status.HostIP, strconv.FormatUint(uint64(kdsPort), 10))
}

Expand Down
15 changes: 14 additions & 1 deletion test/framework/universal_controlplane.go
Original file line number Diff line number Diff line change
Expand Up @@ -52,8 +52,21 @@ func (c *UniversalControlPlane) GetName() string {
return c.name
}

func (c *UniversalControlPlane) GetKDSInsecureServerAddress() string {
return c.getKDSServerAddress(false)
}

func (c *UniversalControlPlane) GetKDSServerAddress() string {
return "grpcs://" + net.JoinHostPort(c.cpNetworking.IP, "5685")
return c.getKDSServerAddress(true)
}

func (c *UniversalControlPlane) getKDSServerAddress(secure bool) string {
var protocol = "grpcs"
if !secure {
protocol = "grpc"
}

return protocol + "://" + net.JoinHostPort(c.cpNetworking.IP, "5685")
}

func (c *UniversalControlPlane) GetGlobalStatusAPI() string {
Expand Down