Support client certificates in federator

CHANGELOG.md

@@ -22,7 +22,7 @@
 
 # [unreleased]
 
-[please put all changes that only affect federation into this section to unclutter the rest of the release notes.]
+[please put all changes that only affect federation into the "Federation changes" section to unclutter the rest of the release notes.]
 [if something is both an API change and a feature, please mention it twice (you can abbreviate the second mention and add "see above").]
 
 ## Release Notes
@@ -37,6 +37,9 @@
 
 ## Internal changes
 
+## Federation changes
+
+* Added client certificate support for server to server authentication (#1682)
 
 # [2021-08-16]
 
@@ -72,7 +75,6 @@ This is a routine release requiring only the routine upgrade steps.
 * Added a mechanism to derive `AsUnion` instances automatically (#1693)
 * Integration test coverage (#1696, #1704)
 
-
 # [2021-08-02]
 
 ## Release Notes
@@ -124,7 +126,6 @@ Upgrade nginz (#1658)
 * Renamed `DomainHeader` type to `OriginDomainHeader` (#1689)
 * Added golden tests for protobuf serialisation / deserialisation (#1644).
 
-
 # [2021-07-09]
 
 ## Release Notes

Makefile

@@ -334,6 +334,10 @@ chart-%:
 .PHONY: charts-integration
 charts-integration: $(foreach chartName,$(CHARTS_INTEGRATION),chart-$(chartName))
 
+.PHONY: charts-serve
+charts-serve: charts-integration
+	./hack/bin/serve-charts.sh $(CHARTS_INTEGRATION)
+
 # Usecase for this make target:
 # 1. for releases of helm charts
 # 2. for testing helm charts more generally

charts/federator/templates/ca.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "federator-ca"
+  labels:
+    wireService: federator
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+data:
+{{- if .Values.remoteCAContents }}
+  ca.crt: {{ .Values.remoteCAContents | quote }}
+{{- else }}
+  {}
+{{- end }}

charts/federator/templates/configmap.yaml

@@ -43,8 +43,10 @@ data:
       # Filepath to one or more PEM-encoded server certificates to use as a trust
       # store when making grpc requests to remote backends
       {{- if $.Values.remoteCAContents }}
-      remoteCAStore: "/etc/wire/federator/ca/remote-ca.pem"
+      remoteCAStore: "/etc/wire/federator/ca/ca.crt"
       {{- end }}
+      clientCertificate: "/etc/wire/federator/secrets/tls.crt"
+      clientPrivateKey: "/etc/wire/federator/secrets/tls.key"
       useSystemCAStore: {{ .useSystemCAStore }}
       federationStrategy:
         {{- if .federationStrategy.allowAll }}

charts/federator/templates/deployment.yaml

@@ -25,25 +25,43 @@ spec:
       annotations:
         # An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade`
         checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
-        checksum/configmap-ca: {{ include (print .Template.BasePath "/configmap-ca.yaml") . | sha256sum }}
+        {{- if not .Values.tls.shareFederatorSecret }}
+        checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
+        {{- end }}
         fluentbit.io/parser: json
     spec:
       volumes:
         - name: "federator-config"
           configMap:
             name: "federator"
-        # federator-ca holds CA certificates to use as a trust store
-        # when making requests to remote backends
-        - name: "federator-ca"
+
+        # federator-secrets contains the client certificate and the
+        # corresponding private key to use when making requests to remote
+        # backends.
+        # NOTE: if tls.useSharedFederatorSecret is set, we use the same secret
+        # as the one for the federator ingress
+        - name: "federator-secrets"
           secret:
-            secretName: "federator-ca"
+            secretName: {{ if .Values.tls.useSharedFederatorSecret -}}
+              "federator-certificate-secret"
+              {{- else if .Values.clientCertificateContents -}}
+              "federator-secret"
+              {{- else }}
+              {{ fail "must set .Values.tls.useSharedFederatorSecret to true or specify .Values.clientCertificateContents" }}
+              {{- end }}
+
+        - name: "federator-ca"
+          configMap:
+            name: "federator-ca"
       containers:
         - name: federator
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }}
           volumeMounts:
             - name: "federator-config"
               mountPath: "/etc/wire/federator/conf"
+            - name: "federator-secrets"
+              mountPath: "/etc/wire/federator/secrets"
             - name: "federator-ca"
               mountPath: "/etc/wire/federator/ca"
           ports:

charts/federator/templates/secret.yaml

@@ -0,0 +1,19 @@
+{{- if not .Values.tls.useSharedFederatorSecret -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "federator-secret"
+  labels:
+    wireService: federator
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+type: kubernetes.io/tls
+data:
+  {{- if .Values.clientPrivateKeyContents }}
+  tls.key: {{ .Values.clientPrivateKeyContents | b64enc | quote }}
+  {{- end -}}
+  {{- if .Values.clientCertificateContents }}
+  tls.crt: {{ .Values.clientCertificateContents | b64enc | quote }}
+  {{- end -}}
+{{- end -}}

charts/federator/templates/tests/federator-integration.yaml

@@ -13,10 +13,14 @@ spec:
     - name: "federator-config"
       configMap:
         name: "federator"
+    # integration tests need access to the client certificate private key
+    - name: "federator-secrets"
+      secret:
+        secretName: "federator-secret"
     # integration tests need access to the CA
     - name: "federator-ca"
-      secret:
-        secretName: "federator-ca"
+      configMap:
+        name: "federator-ca"
   containers:
   - name: integration
     command: ["federator-integration"]
@@ -26,6 +30,8 @@ spec:
       mountPath: "/etc/wire/integration"
     - name: "federator-config"
       mountPath: "/etc/wire/federator/conf"
+    - name: "federator-secrets"
+      mountPath: "/etc/wire/federator/secrets"
     - name: "federator-ca"
       mountPath: "/etc/wire/federator/ca"
   restartPolicy: Never

charts/federator/values.yaml

@@ -8,6 +8,11 @@ service:
   internalFederatorPort: 8080
   externalFederatorPort: 8081
 
+tls:
+  # if enabled, federator will get its client certificate and private key from
+  # the secret used by the federator ingress
+  useSharedFederatorSecret: false
+
 resources:
   # FUTUREWORK: come up with numbers which didn't appear out of thin air
   requests:
@@ -30,6 +35,9 @@ config:
     #
     # Using custom CA doesn't automatically disable system CA store, it should
     # be disabled explicitly by setting useSystemCAStore to false.
+    #
+    # A client certificate and corresponding private key can be specified
+    # similarly to a custom CA store.
     useSystemCAStore: true
     federationStrategy:
       allowedDomains: []

charts/nginx-ingress-services/templates/ca_federator.yaml

@@ -0,0 +1,19 @@
+{{- /* This is the CA used by the federator ingress to verify client
+certificates. This does not need to be a secret in principle, but the ingress
+controller requires it to be. Also, this could in principle be bundled with the
+corresponding certificate (in secret_federator.yaml), but it is a separate
+secret because cert-manager interferes with the ca.crt field when setting the
+certificate in a secret. */ -}}
+
+{{- if .Values.federator.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: federator-ca-secret
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+data:
+  ca.crt: {{ .Values.secrets.tlsClientCA | b64enc | quote }}
+{{- end -}}

charts/nginx-ingress-services/templates/certificate.yaml

@@ -36,7 +36,4 @@ spec:
     {{- if .Values.accountPages.enabled }}
     - {{ .Values.config.dns.accountPages }}
     {{- end }}
-    {{- if .Values.federator.enabled }}
-    - {{ .Values.config.dns.federator }}
-    {{- end }}
 {{- end -}}

charts/nginx-ingress-services/templates/certificate_federator.yaml

@@ -0,0 +1,33 @@
+{{- if and .Values.federator.enabled (not .Values.tls.enabled) }}
+{{- fail "TLS is required by federator. Either disable federation or enable tls." }}
+{{- end }}
+{{- if and .Values.tls.enabled .Values.tls.useCertManager }}
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: "federator-{{ include "nginx-ingress-services.zone" . | replace "." "-" }}-csr"
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  issuerRef:
+    name: letsencrypt-http01
+    kind: Issuer
+  usages:
+    - server auth
+  duration: 2160h     # 90d, Letsencrypt default; NOTE: changes are ignored by Letsencrypt
+  renewBefore: 360h   # 15d
+  isCA: false
+  keyAlgorithm: ecdsa
+  keySize: 256        # hs-tls only supports p256
+  keyEncoding: pkcs1
+  secretName: federator-certificate-secret
+  # NOTE: disabled due to https://github.com/jetstack/cert-manager/issues/2978
+  # TODO: enable when fixed (probably when cert-manager:v0.16 released)
+  #privateKey:
+  #  rotationPolicy: Always
+  dnsNames:
+    - {{ .Values.config.dns.federator }}
+{{- end -}}

charts/nginx-ingress-services/templates/ingress_federator.yaml

@@ -12,11 +12,13 @@ metadata:
     kubernetes.io/ingress.class: "nginx"
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
     nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
+    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+    nginx.ingress.kubernetes.io/auth-tls-secret: "{{ .Release.Namespace }}/federator-ca-secret"
 spec:
   tls:
   - hosts:
       - {{ .Values.config.dns.federator }}
-    secretName: {{ include "nginx-ingress-services.getCertificateSecretName" . | quote }}
+    secretName: "federator-certificate-secret"
   rules:
     - host: {{ .Values.config.dns.federator }}
       http:

charts/nginx-ingress-services/templates/secret.yaml

@@ -7,19 +7,17 @@ metadata:
     release: "{{ .Release.Name }}"
     heritage: "{{ .Release.Service }}"
 type: kubernetes.io/tls
-{{ if .Values.tls.useCertManager -}}
-{{- /* NOTE: providing `data` (and empty strings) allows to manage this secret resource with Helm if cert-manager is used */ -}}
 data:
+{{- if .Values.tls.useCertManager }}
+  {{/* NOTE: providing `data` (and empty strings) allows to manage this secret resource with Helm if cert-manager is used */}}
   tls.crt: ""
   tls.key: ""
-{{- end -}}
-{{- if (not .Values.tls.useCertManager) -}}
-data:
-  {{- /* for_helm_linting is necessary only since the 'with' block below does not throw an error upon an empty .Values.secrets */}}
+{{- else }}
+  {{/* for_helm_linting is necessary only since the 'with' block below does not throw an error upon an empty .Values.secrets */}}
   for_helm_linting: {{ required "No .secrets found in configuration. Did you forget to helm <command> -f path/to/secrets.yaml ?" .Values.secrets | quote | b64enc | quote }}
 
   {{- with .Values.secrets }}
   tls.crt: {{ .tlsWildcardCert | b64enc | quote }}
   tls.key: {{ .tlsWildcardKey | b64enc | quote }}
-  {{- end }}
+  {{- end -}}
 {{- end -}}

charts/nginx-ingress-services/templates/secret_federator.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.federator.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: federator-certificate-secret
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: kubernetes.io/tls
+data:
+{{- if .Values.tls.useCertManager }}
+  {{/* NOTE: providing empty strings here allows to manage this secret resource with Helm if cert-manager is used */}}
+  tls.crt: ""
+  tls.key: ""
+{{- else }}
+  {{/* for_helm_linting is necessary only since the 'with' block below does not throw an error upon an empty .Values.secrets */}}
+  for_helm_linting: {{ required "No .secrets found in configuration. Did you forget to helm <command> -f path/to/secrets.yaml ?" .Values.secrets | quote | b64enc | quote }}
+
+  {{- with .Values.secrets }}
+  tls.crt: {{ .tlsWildcardCert | b64enc | quote }}
+  tls.key: {{ .tlsWildcardKey | b64enc | quote }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}

charts/nginx-ingress-services/values.yaml

@@ -75,6 +75,10 @@ service:
 #     tlsWildcardKey: |
 #         -----BEGIN PRIVATE KEY-----
 #         -----END PRIVATE KEY-----
+#     tlsClientCA: |
+#         -----BEGIN PRIVATE KEY-----
+#         -----END PRIVATE KEY-----
+#     ^ CA to use to verify client certificates.
 #
 # For Services:
 # service:

deploy/services-demo/conf/nginz/nginx.conf

@@ -130,6 +130,8 @@ http {
     ssl_certificate integration-leaf.pem;
     ssl_certificate_key integration-leaf-key.pem;
 
+    ssl_verify_client on;
+    ssl_client_certificate integration-ca.pem;
     ######## TLS/SSL block end ##############
 
     zauth_keystore resources/zauth/pubkeys.txt;