4 changes: 4 additions & 0 deletions api/types/constants.go
Expand Up @@ -696,6 +696,10 @@ const (
DiscoveryAppRewriteLabel = TeleportNamespace + "/app-rewrite"
// DiscoveryAppNameLabel specifies explicitly name of an app created from Kubernetes service.
DiscoveryAppNameLabel = TeleportNamespace + "/name"
// DiscoveryAppInsecureSkipVerify specifies the TLS verification enforcement for a discovered app created from Kubernetes service.
DiscoveryAppInsecureSkipVerify = TeleportNamespace + "/insecure-skip-verify"
// DiscoveryAppIgnore specifies if a Kubernetes service should be ignored by discovery service.
DiscoveryAppIgnore = TeleportNamespace + "/ignore"
should we rename the constant to something more generic for operator usage as well? should the operator use resources.teleport.dev/ignore instead?

I would prefer a single annotation though.

I used teleport.dev to keep consistency with all other labels used by app discovery 😭


// ReqAnnotationSchedulesLabel is the request annotation key at which schedules are stored for access plugins.
ReqAnnotationSchedulesLabel = "/schedules"
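Review bot: The two new constants drop the `Label` suffix that their siblings in this block carry (`DiscoveryAppRewriteLabel`, `DiscoveryAppNameLabel`), and the doc comment on `DiscoveryAppInsecureSkipVerify` says it "specifies the TLS verification enforcement" without saying which value does what. Because a `"true"` value on a Kubernetes Service annotation switches off certificate verification for the app discovered from it, the comment should state that consequence plainly: `// DiscoveryAppInsecureSkipVerify is the annotation that, when set to "true" on a Kubernetes service, disables TLS certificate verification for the discovered app; whoever can edit the service's annotations can therefore weaken the backend connection.` Renaming to `DiscoveryAppInsecureSkipVerifyLabel` and `DiscoveryAppIgnoreLabel` would keep the block's naming convention. The `const (` block starts above this hunk and continues below it.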
Expand Up @@ -95,6 +95,28 @@ Controls resulting app name. If present it will override default app name patter
as a suffix to the annotation value, as `$APP_NAME-$PORT1_NAME`, `$APP_NAME-$PORT2_NAME` etc, where `$APP_NAME` is the name
set by the annotation.

### `teleport.dev/insecure-skip-verify`

Controls whether TLS certificate verification should be skipped for this app.
If present and set to `true`, TLS certificate verification will be skipped.

```yaml
annotations:
teleport.dev/insecure-skip-verify: "true"
```

### `teleport.dev/ignore`

Controls whether this service should be ignored by the Discovery Service.
This annotation is useful when you want to exclude a service from being imported as an app
when it matches the Discovery Service config. For example, you may want to exclude a service
that shares the same labels as another services that you want to import as apps.

```yaml
annotations:
teleport.dev/ignore: "true"
```

### `teleport.dev/app-rewrite`

Controls rewrite configuration for Teleport app, if needed. It should
13 changes: 11 additions & 2 deletions lib/services/app.go
Expand Up @@ -191,8 +191,9 @@ func NewApplicationFromKubeService(service corev1.Service, clusterName, protocol
Description: fmt.Sprintf("Discovered application in Kubernetes cluster %q", clusterName),
Labels: labels,
}, types.AppSpecV3{
URI: appURI,
Rewrite: rewriteConfig,
URI: appURI,
Rewrite: rewriteConfig,
InsecureSkipVerify: getTLSInsecureSkipVerify(service.GetAnnotations()),
})
if err != nil {
return nil, trace.Wrap(err, "could not create an app from Kubernetes service")
Expand Down Expand Up @@ -235,6 +236,14 @@ func getAppRewriteConfig(annotations map[string]string) (*types.Rewrite, error)
return &rw, nil
}

func getTLSInsecureSkipVerify(annotations map[string]string) bool {
val := annotations[types.DiscoveryAppInsecureSkipVerify]
if val == "" {
return false
}
return val == "true"
}

func getAppName(serviceName, namespace, clusterName, portName, nameAnnotation string) (string, error) {
if nameAnnotation != "" {
name := nameAnnotation
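Review bot: In the second hunk, `getTLSInsecureSkipVerify` carries a redundant branch: the `val == ""` early return yields the same `false` that `val == "true"` already produces for an empty string, so the body collapses to `return annotations[types.DiscoveryAppInsecureSkipVerify] == "true"`. The strict exact-string match is the right choice, since it keeps every other spelling (`"True"`, `"1"`, a typo) on the secure default, but nothing in the code records that intent or why `strconv.ParseBool` was not used. A doc comment such as `// getTLSInsecureSkipVerify reports whether the service carries the insecure-skip-verify annotation set to exactly "true"; any other value keeps TLS verification on, because the annotation is controlled by whoever edits the Kubernetes Service.` would make that explicit. The first hunk's `NewApplicationFromKubeService` starts and ends outside this view.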
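--- a/lib/services/app_test.go
+++ b/lib/services/app_test.go
@@ -290,3 +290,28 @@ func TestGetAppLabels(t *testing.T) {
 require.Equal(t, tt.expected, result)
 }
 }
+
+func TestInsecureSkipVerify(t *testing.T) {
+tests := []struct {
+annotations map[string]string
+expected bool
+}{
+{
+annotations: map[string]string{types.DiscoveryAppInsecureSkipVerify: "true"},
+expected: true,
+},
+{
+annotations: map[string]string{types.DiscoveryAppInsecureSkipVerify: "false"},
+expected: false,
+},
+{
+annotations: map[string]string{},
+expected: false,
+},
+}
+
+for _, tt := range tests {
+result := getTLSInsecureSkipVerify(tt.annotations)
+require.Equal(t, tt.expected, result)
+}
+}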
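Review bot: The table in `TestInsecureSkipVerify` pins only `"true"`, `"false"` and the absent case, so the strictness of the match — the property that keeps the secure default for anything that is not exactly `"true"` — is untested and a later switch to a looser parser would pass unnoticed; add a case such as `{annotations: map[string]string{types.DiscoveryAppInsecureSkipVerify: "True"}, expected: false},`. The cases also have no `name` field and are not run under `t.Run`, so a failing `require.Equal` reports only a line number rather than which case broke. No test for the new `teleport.dev/ignore` skip in the fetcher is part of this change either.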
5 changes: 5 additions & 0 deletions lib/srv/discovery/fetchers/kube_services.go
Expand Up @@ -172,6 +172,11 @@ func (f *KubeAppFetcher) Get(ctx context.Context) (types.ResourcesWithLabels, er
continue
}

// If the service is marked with the ignore annotation, skip it.
if v := service.GetAnnotations()[types.DiscoveryAppIgnore]; v == "true" {
continue
}

g.Go(func() error {
protocolAnnotation := service.GetAnnotations()[types.DiscoveryProtocolLabel]

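Review bot: The new ignore check drops the service silently, so an operator whose app never appears has nothing in the discovery output pointing at the `teleport.dev/ignore` annotation as the cause; since anyone who can annotate the Service can suppress discovery this way, a debug-level log naming the service and its namespace at this `continue` would make the skip traceable (the fetcher's logger is not visible in this hunk — use whatever the surrounding method already logs with). `service.GetAnnotations()` is now also called twice in a row, here and inside the `g.Go` closure below; hoisting it into a single `annotations := service.GetAnnotations()` before the check is a small cleanup. The enclosing `Get` method starts and ends outside this hunk.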