Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: loading certs with tls.crt improvements #51475

Closed
wants to merge 21 commits into from
Closed

WIP: loading certs with tls.crt improvements #51475

wants to merge 21 commits into from

Conversation

costinm
Copy link
Contributor

@costinm costinm commented Jun 8, 2024
edited by istio-policy-bot

Please provide a description of this PR:

This is WIP for fixing the tls.crt and adding more info about the chains - to get early feedback and
see if I'm missunderstanding something.

costinm and others added 17 commits May 9, 2024 01:23
@costinm
WIP
b985f34
@costinm
Merge branch 'master' of github.com:istio/istio into HEAD
2a83968
@costinm
Add affinity to ztunnel.
d3e9cf1 
Also includes a more convenient way to deploy ztunnel selectively on
nodes based on a 'ztunnel' label - this is very useful for canary and testing.

Can be achieved by using 'affinity' - if controversial I'll keep just affinity,
if not I'll add the docs for the option (and make a similar change to istio-cni)
@costinm
Merge branch 'master' of github.com:istio/istio into costin-min
6b576ce
@costinm
WIP
e281f5d
@costinm
WIP
8888157
@costinm
WIP: improve consistency and docs on cert loading
8ceecde
@costinm
Merge branch 'master' of github.com:istio/istio into costin-min
289cb5e
@costinm
WIP CA
b85caf1
@costinm
Merge branch 'master' of github.com:costinm/istio into costin-min
e7011ae
@costinm
Merge branch 'master' of github.com:istio/istio into costin-min
d6695de
@costinm
Add XDS address
0ff90ac
@costinm
Add a script for testing chained certs
af9030d
@costinm
Merge branch 'master' of github.com:istio/istio into costin-z-xdsaddr
16e18b3
@costinm
Incremental work
d5a37c3
@costinm
Merge branch 'master' of github.com:costinm/istio
85138c4
@costinm
More adjustments to loading tls.crt
12877cc
@costinm costinm requested review from a team as code owners June 8, 2024 01:02
@istio-testing istio-testing added do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jun 8, 2024
@istio-testing istio-testing added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jun 8, 2024
hzxuzhonghu
hzxuzhonghu reviewed Jun 11, 2024
View reviewed changes
architecture/security/ca.md

The code path for file-based certificate loading can also handle multiple roots and changing the root CA. The process is relatively complex - since rotations are not frequent, restarting istiod can be acceptable.

The file path - and the casecrets Secret - should be used with the standard K8S and CertManager naming conventions:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/casecrets/cacerts

hzxuzhonghu
hzxuzhonghu reviewed Jun 11, 2024
View reviewed changes
architecture/security/ca.md

CA has many options, depending on the security requirements and the existing environment of the user. From easiest to most secure:

1. Simplest: use the default istio-ca-secret. Append roots to the root-cert.pem key to support extra roots or for rotations. Doesn't work well with multiple clusters, but best for dev/testing. It is possible to use a tool to patch the root-cert.pem in each cluster with the merged roots - but if you have automation better use (2).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

istio-ca-secret is not maintained by user, how can we append extra roots for rotations

hzxuzhonghu
hzxuzhonghu reviewed Jun 11, 2024
View reviewed changes
architecture/security/ca.md

## Istiod with external DNS certs

Default is for Istiod to sign its own certificate, but volume mounts are also possible, using istio-tls and
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what is istio-tls

manifests/charts/istio-control/istio-discovery/templates/deployment.yaml
@@ -236,6 +236,8 @@ spec:
expirationSeconds: 43200
path: istio-token
# Optional: user-generated root
# TODO: option to remove this mount - and use Secret directly.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@istio-testing istio-testing added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jun 13, 2024
@istio-testing
Copy link
Collaborator

@costinm: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
gencheck_istio e5f9d20 link true /test gencheck
lint_istio e5f9d20 link true /test lint
release-notes_istio e5f9d20 link true /test release-notes
unit-tests-arm64_istio e5f9d20 link true /test unit-tests-arm64
unit-tests_istio e5f9d20 link true /test unit-tests
integ-security-istiodremote_istio e5f9d20 link true /test integ-security-istiodremote
integ-security_istio e5f9d20 link true /test integ-security
integ-security-multicluster_istio e5f9d20 link true /test integ-security-multicluster

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@istio-policy-bot istio-policy-bot added the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label Jul 11, 2024
@craigbox craigbox removed the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label Jul 11, 2024
@istio-policy-bot istio-policy-bot added the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label Jul 12, 2024
@istio-policy-bot
Copy link

🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2024-06-11. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.

@istio-policy-bot istio-policy-bot added the lifecycle/automatically-closed Indicates a PR or issue that has been closed automatically. label Jul 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hzxuzhonghu hzxuzhonghu hzxuzhonghu left review comments

Assignees

@jaellio jaellio

Labels
do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. lifecycle/automatically-closed Indicates a PR or issue that has been closed automatically. lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@costinm @istio-testing @istio-policy-bot @hzxuzhonghu @craigbox @jaellio