
Permissive mTLS: Config entry filtering and CLI warnings [OSS]#17183

Merged
pglass merged 6 commits into main from pglass/NET-3684/config-entry-filtering-oss
Apr 28, 2023

Conversation

@pglass

@pglass pglass commented Apr 28, 2023

Description

This adds filtering for service-defaults: consul config list -filter 'MutualTLSMode == "permissive"'.

It adds CLI warnings when the CLI writes a config entry and sees that either service-defaults or proxy-defaults contains MutualTLSMode=permissive, or sees that the mesh config entry contains AllowEnablingPermissiveMutualTLSMode=true.

Testing & Reproduction steps

  • consul agent -dev
  • Then run the following script:

Example script

```shell
echo
echo ">>> Write mesh config entry"
cat <<-EOF | consul config write -
Kind = "mesh"

AllowEnablingPermissiveMutualTLS = true
EOF

echo
echo ">>> Write proxy-defaults config entry"
cat <<-EOF | consul config write -
Kind = "proxy-defaults"
Name = "global"

mutual_tls_mode = "permissive"
EOF

echo
echo ">>> Write service-defaults config entry"
cat <<-EOF | consul config write -
Kind = "service-defaults"
Name = "web"

MutualTLSMode = "permissive"
EOF
```

Output

```text
>>> Write mesh config entry
Config entry written: mesh/mesh
WARNING: AllowEnablingPermissiveMutualTLS=true allows insecure MutualTLSMode=permissive configurations in the proxy-defaults and service-defaults config entries. You can set AllowEnablingPermissiveMutualTLS=false at any time to disallow additional permissive configurations. To list services in permissive mode, run `consul config list -kind service-defaults -filter 'MutualTLSMode = "permissive"'`.

>>> Write proxy-defaults config entry
Config entry written: proxy-defaults/global
WARNING: MutualTLSMode=permissive is insecure. To keep your services secure, set MutualTLSMode to `strict` whenever possible and override with service-defaults only if necessary. To check which service-defaults are currently in permissive mode, run `consul config list -kind service-defaults -filter 'MutualTLSMode = "permissive"'`.

>>> Write service-defaults config entry
Config entry written: service-defaults/web
WARNING: MutualTLSMode=permissive is insecure. Set to `strict` when your service no longer needs to accept non-mTLS traffic. Check `tcp.permissive_public_listener` metrics in Envoy for non-mTLS traffic. Refer to Consul documentation for more information.
```

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern
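As an added illustration (not code from this PR or from Consul itself), the Go program below models the two checks the description introduces: the write-time warning conditions for mesh, proxy-defaults and service-defaults entries, and a listing of the services that end up accepting non-mTLS traffic. `ConfigEntry`, `PermissiveWarning` and `EffectivePermissive` are assumed names, and the example assumes the precedence Consul documents for `MutualTLSMode` (a service-defaults value overrides proxy-defaults; an unset one inherits it), which is why the proxy-defaults warning matters beyond what the service-defaults filter alone reports.

```go
package main

import "fmt"

// ConfigEntry keeps only the permissive-mTLS fields the PR's warnings inspect.
type ConfigEntry struct {
	Kind, Name                       string
	MutualTLSMode                    string // "", "strict" or "permissive"
	AllowEnablingPermissiveMutualTLS bool   // meaningful on the mesh entry only
}

// PermissiveWarning mirrors the PR's write-time checks; non-empty means the CLI would warn.
func PermissiveWarning(e ConfigEntry) string {
	switch {
	case e.Kind == "mesh" && e.AllowEnablingPermissiveMutualTLS:
		return "WARNING: AllowEnablingPermissiveMutualTLS=true permits insecure permissive mTLS"
	case (e.Kind == "proxy-defaults" || e.Kind == "service-defaults") && e.MutualTLSMode == "permissive":
		return fmt.Sprintf("WARNING: %s/%s: MutualTLSMode=permissive is insecure", e.Kind, e.Name)
	}
	return ""
}

// EffectivePermissive lists services that actually accept non-mTLS traffic:
// service-defaults set to "permissive", plus those with no mode of their own while
// proxy-defaults/global is permissive. The -filter over service-defaults misses the latter.
func EffectivePermissive(entries []ConfigEntry) []string {
	globalPermissive := false
	for _, e := range entries {
		if e.Kind == "proxy-defaults" && e.Name == "global" && e.MutualTLSMode == "permissive" {
			globalPermissive = true
		}
	}
	var out []string
	for _, e := range entries {
		if e.Kind == "service-defaults" && (e.MutualTLSMode == "permissive" || (e.MutualTLSMode == "" && globalPermissive)) {
			out = append(out, e.Name)
		}
	}
	return out
}

func main() { // constructed sample: proxy-defaults/global permissive, one explicit override, one inheriting service
	entries := []ConfigEntry{
		{Kind: "proxy-defaults", Name: "global", MutualTLSMode: "permissive"},
		{Kind: "service-defaults", Name: "web", MutualTLSMode: "permissive"},
		{Kind: "service-defaults", Name: "db"},
	}
	fmt.Println(PermissiveWarning(entries[0]))
	fmt.Println(EffectivePermissive(entries)) // [web db]
}
```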

@pglass pglass requested review from cthain and johnlanda April 28, 2023 17:16
@github-actions github-actions bot added the theme/cli (Flags and documentation for the CLI interface) label Apr 28, 2023
Contributor

@cthain cthain left a comment


👍


Labels

pr/no-backport, pr/no-metrics-test, theme/cli (Flags and documentation for the CLI interface)
