Merged
42 commits
56b457e
Require client certificates in demo nginz
pcapriotti Jul 26, 2021
aa445d5
Wrap CA store in a TLSSettings structure
pcapriotti Jul 26, 2021
bcbf93b
Add settings for client certificate
pcapriotti Jul 26, 2021
3f98c49
Access TLSSettings in Remote
pcapriotti Jul 26, 2021
64f1403
Use leaf as client cert in integration tests
pcapriotti Jul 26, 2021
a768032
Configure client certificate in helm
pcapriotti Jul 26, 2021
eda1e5b
Enable client certificates in federator ingress
pcapriotti Jul 26, 2021
32ca046
Validate credentials and add tests
pcapriotti Jul 27, 2021
6c9973d
Document client certificate options
pcapriotti Jul 27, 2021
a4bec3f
Update CHANGELOG
pcapriotti Jul 27, 2021
7481032
Fix federator-integration chart
pcapriotti Jul 28, 2021
e642d0e
try out helm templating also when using certificates
jschaul Jul 28, 2021
90af59c
Add leaf certificates for integration tests
pcapriotti Jul 29, 2021
dc70198
Remove default value for useSystemCAStore from template
pcapriotti Jul 30, 2021
68579e0
Move defRunSettings to a test module
pcapriotti Jul 30, 2021
bdb9490
Use interpolate QQ for configuration tests
pcapriotti Jul 30, 2021
6fc85ba
Make federator-secret of type tls
pcapriotti Jul 30, 2021
629792e
Use a different certificate for federator
pcapriotti Jul 30, 2021
2fd0234
Enable sharing federator and ingress secrets
pcapriotti Jul 30, 2021
d94dee4
Fix naming of federator secret
pcapriotti Jul 30, 2021
8af4fd2
Fix federator certificate secret chart
pcapriotti Aug 2, 2021
f1df55c
Remove staging issuer
pcapriotti Aug 3, 2021
06e6ff7
Hi CI
pcapriotti Aug 3, 2021
19ad195
Fix whitespace in template
pcapriotti Aug 5, 2021
7d99903
Add script to serve helm charts locally
pcapriotti Aug 6, 2021
0dfadf2
Fix secret name when sharing federator secrets
pcapriotti Aug 6, 2021
cad8c1d
Separate ca secret from tls secret
pcapriotti Aug 6, 2021
4fd5bfc
Add ca volume to federator integration pod
pcapriotti Aug 9, 2021
24aa191
Fix one more issue in federator integration chart
pcapriotti Aug 9, 2021
ae4fa09
Client certificate config with secret sharing
pcapriotti Aug 11, 2021
803fce7
Change ECDSA certificate to use p256 curve
pcapriotti Aug 11, 2021
c7d717a
Rename shareFederatorSecret
pcapriotti Aug 11, 2021
3322865
Make client certificates required
pcapriotti Aug 11, 2021
5054ada
Update FUTUREWORK comment
pcapriotti Aug 11, 2021
c31d88b
Fix helm template syntax
pcapriotti Aug 11, 2021
78b97fc
Upgrade to tls 1.5.5
pcapriotti Aug 12, 2021
11ca67d
Hi CI
pcapriotti Aug 13, 2021
e80417d
Ensure that tls is enabled when federation is
pcapriotti Aug 13, 2021
476e320
serve-charts.sh: Make compatible with nixos
akshaymankar Aug 16, 2021
c575858
charts/federator: Ensure client certs are provided
akshaymankar Aug 16, 2021
9249c17
Merge branch 'develop' into pcapriotti/client-certificates
akshaymankar Aug 16, 2021
fa2698b
Fix CHANGELOG
akshaymankar Aug 16, 2021
7 changes: 4 additions & 3 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@

# [unreleased]

[please put all changes that only affect federation into this section to unclutter the rest of the release notes.]
[please put all changes that only affect federation into the "Federation changes" section to unclutter the rest of the release notes.]
[if something is both an API change and a feature, please mention it twice (you can abbreviate the second mention and add "see above").]

## Release Notes
Expand All @@ -37,6 +37,9 @@

## Internal changes

## Federation changes

* Added client certificate support for server to server authentication (#1682)

# [2021-08-16]

Expand Down Expand Up @@ -72,7 +75,6 @@ This is a routine release requiring only the routine upgrade steps.
* Added a mechanism to derive `AsUnion` instances automatically (#1693)
* Integration test coverage (#1696, #1704)


# [2021-08-02]

## Release Notes
Expand Down Expand Up @@ -124,7 +126,6 @@ Upgrade nginz (#1658)
* Renamed `DomainHeader` type to `OriginDomainHeader` (#1689)
* Added golden tests for protobuf serialisation / deserialisation (#1644).


# [2021-07-09]

## Release Notes
4 changes: 4 additions & 0 deletions Makefile
Expand Up @@ -334,6 +334,10 @@ chart-%:
.PHONY: charts-integration
charts-integration: $(foreach chartName,$(CHARTS_INTEGRATION),chart-$(chartName))

.PHONY: charts-serve
charts-serve: charts-integration
./hack/bin/serve-charts.sh $(CHARTS_INTEGRATION)

# Usecase for this make target:
# 1. for releases of helm charts
# 2. for testing helm charts more generally
15 changes: 15 additions & 0 deletions charts/federator/templates/ca.yaml
@@ -0,0 +1,15 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: "federator-ca"
labels:
wireService: federator
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
data:
{{- if .Values.remoteCAContents }}
ca.crt: {{ .Values.remoteCAContents | quote }}
{{- else }}
{}
{{- end }}
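Review bot: in the `else` branch the template emits `data:` on one line and `{}` on the next, which depends on the flow mapping being parsed as the value of `data` rather than as a sibling node; render `data: {}` inline in that branch (or omit `data` altogether, since a ConfigMap with no data is valid) so the empty case does not rely on indentation that is easy to lose when the template is edited.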
14 changes: 0 additions & 14 deletions charts/federator/templates/configmap-ca.yaml

This file was deleted.

4 changes: 3 additions & 1 deletion charts/federator/templates/configmap.yaml
Expand Up @@ -43,8 +43,10 @@ data:
# Filepath to one or more PEM-encoded server certificates to use as a trust
# store when making grpc requests to remote backends
{{- if $.Values.remoteCAContents }}
remoteCAStore: "/etc/wire/federator/ca/remote-ca.pem"
remoteCAStore: "/etc/wire/federator/ca/ca.crt"
{{- end }}
clientCertificate: "/etc/wire/federator/secrets/tls.crt"
clientPrivateKey: "/etc/wire/federator/secrets/tls.key"
useSystemCAStore: {{ .useSystemCAStore }}
federationStrategy:
{{- if .federationStrategy.allowAll }}
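Review bot: `clientCertificate` and `clientPrivateKey` are now rendered unconditionally, while `remoteCAStore` stays gated on `remoteCAContents`; if `tls.useSharedFederatorSecret` is false and only one of `clientCertificateContents` / `clientPrivateKeyContents` is set, federator is pointed at a file that will not exist under `/etc/wire/federator/secrets`. Consider `required` on both values in that mode so the misconfiguration surfaces at `helm template` time rather than as a pod start-up failure.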
28 changes: 23 additions & 5 deletions charts/federator/templates/deployment.yaml
Expand Up @@ -25,25 +25,43 @@ spec:
annotations:
# An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade`
checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/configmap-ca: {{ include (print .Template.BasePath "/configmap-ca.yaml") . | sha256sum }}
{{- if not .Values.tls.shareFederatorSecret }}
checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
{{- end }}
fluentbit.io/parser: json
spec:
volumes:
- name: "federator-config"
configMap:
name: "federator"
# federator-ca holds CA certificates to use as a trust store
# when making requests to remote backends
- name: "federator-ca"

# federator-secrets contains the client certificate and the
# corresponding private key to use when making requests to remote
# backends.
# NOTE: if tls.useSharedFederatorSecret is set, we use the same secret
# as the one for the federator ingress
- name: "federator-secrets"
secret:
secretName: "federator-ca"
secretName: {{ if .Values.tls.useSharedFederatorSecret -}}
"federator-certificate-secret"
{{- else if .Values.clientCertificateContents -}}
"federator-secret"
{{- else }}
{{ fail "must set .Values.tls.useSharedFederatorSecret to true or specify .Values.clientCertificateContents" }}
{{- end }}

- name: "federator-ca"
configMap:
name: "federator-ca"
containers:
- name: federator
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }}
volumeMounts:
- name: "federator-config"
mountPath: "/etc/wire/federator/conf"
- name: "federator-secrets"
mountPath: "/etc/wire/federator/secrets"
- name: "federator-ca"
mountPath: "/etc/wire/federator/ca"
ports:
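Review bot: `{{- if not .Values.tls.shareFederatorSecret }}` still uses the pre-rename key, whereas the volume below and values.yaml use `tls.useSharedFederatorSecret`; `.Values.tls.shareFederatorSecret` is always nil, so the `checksum/secret` annotation is emitted even in shared mode and hashes a template that renders empty. Rename it to `useSharedFederatorSecret`. Two further points: the removed `checksum/configmap-ca` annotation has no counterpart for the new `ca.yaml` ConfigMap, so changing `remoteCAContents` no longer triggers a rollout on `helm upgrade` (add `checksum/ca: {{ include (print .Template.BasePath "/ca.yaml") . | sha256sum }}`), and the `fail` guard only checks `clientCertificateContents`; checking `clientPrivateKeyContents` as well would catch a half-configured secret at render time.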
19 changes: 19 additions & 0 deletions charts/federator/templates/secret.yaml
@@ -0,0 +1,19 @@
{{- if not .Values.tls.useSharedFederatorSecret -}}
apiVersion: v1
kind: Secret
metadata:
name: "federator-secret"
labels:
wireService: federator
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
type: kubernetes.io/tls
data:
{{- if .Values.clientPrivateKeyContents }}
tls.key: {{ .Values.clientPrivateKeyContents | b64enc | quote }}
{{- end -}}
{{- if .Values.clientCertificateContents }}
tls.crt: {{ .Values.clientCertificateContents | b64enc | quote }}
{{- end -}}
{{- end -}}
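Review bot: a Secret of `type: kubernetes.io/tls` is only accepted by the API server when both `tls.crt` and `tls.key` are present, so wrapping each key in its own `{{- if }}` yields an object that is rejected at apply time whenever only one of the two values is set. Use `required` for both instead, e.g. `tls.key: {{ required "clientPrivateKeyContents must be set" .Values.clientPrivateKeyContents | b64enc | quote }}`, which turns the mistake into a clear render-time error naming the missing value.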
10 changes: 8 additions & 2 deletions charts/federator/templates/tests/federator-integration.yaml
Expand Up @@ -13,10 +13,14 @@ spec:
- name: "federator-config"
configMap:
name: "federator"
# integration tests need access to the client certificate private key
- name: "federator-secrets"
secret:
secretName: "federator-secret"
# integration tests need access to the CA
- name: "federator-ca"
secret:
secretName: "federator-ca"
configMap:
name: "federator-ca"
containers:
- name: integration
command: ["federator-integration"]
Expand All @@ -26,6 +30,8 @@ spec:
mountPath: "/etc/wire/integration"
- name: "federator-config"
mountPath: "/etc/wire/federator/conf"
- name: "federator-secrets"
mountPath: "/etc/wire/federator/secrets"
- name: "federator-ca"
mountPath: "/etc/wire/federator/ca"
restartPolicy: Never
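Review bot: the test pod hard-codes `secretName: "federator-secret"`, but secret.yaml only renders that Secret when `tls.useSharedFederatorSecret` is false (deployment.yaml switches to `federator-certificate-secret` otherwise), so in shared mode the integration pod's volume refers to a Secret that does not exist. Reuse the selection logic from deployment.yaml here, ideally by moving it into a named template both files include.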
8 changes: 8 additions & 0 deletions charts/federator/values.yaml
Expand Up @@ -8,6 +8,11 @@ service:
internalFederatorPort: 8080
externalFederatorPort: 8081

tls:
# if enabled, federator will get its client certificate and private key from
# the secret used by the federator ingress
useSharedFederatorSecret: false

resources:
# FUTUREWORK: come up with numbers which didn't appear out of thin air
requests:
Expand All @@ -30,6 +35,9 @@ config:
#
# Using custom CA doesn't automatically disable system CA store, it should
# be disabled explicitly by setting useSystemCAStore to false.
#
# A client certificate and corresponding private key can be specified
# similarly to a custom CA store.
useSystemCAStore: true
federationStrategy:
allowedDomains: []
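Review bot: the new comment says a client certificate and key "can be specified similarly to a custom CA store" but never names the values, and deployment.yaml refuses to render without `clientCertificateContents` unless `tls.useSharedFederatorSecret` is true. Spell out `clientCertificateContents` and `clientPrivateKeyContents` here, as commented-out example entries next to `useSystemCAStore`, so operators can find a setting that is now mandatory.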
19 changes: 19 additions & 0 deletions charts/nginx-ingress-services/templates/ca_federator.yaml
@@ -0,0 +1,19 @@
{{- /* This is the CA used by the federator ingress to verify client
certificates. This does not need to be a secret in principle, but the ingress
controller requires it to be. Also, this could in principle be bundled with the
corresponding certificate (in secret_federator.yaml), but it is a separate
secret because cert-manager interferes with the ca.crt field when setting the
certificate in a secret. */ -}}

{{- if .Values.federator.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: federator-ca-secret
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
data:
ca.crt: {{ .Values.secrets.tlsClientCA | b64enc | quote }}
{{- end -}}
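Review bot: `.Values.secrets.tlsClientCA | b64enc` has no guard, so with `federator.enabled` set and the secret value absent, `b64enc` receives a nil and rendering fails with a type error instead of a message naming the missing key. Wrap it as `required "secrets.tlsClientCA is required when federator is enabled" .Values.secrets.tlsClientCA | b64enc | quote`, in line with the `required` check secret.yaml already applies to `.Values.secrets`.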
3 changes: 0 additions & 3 deletions charts/nginx-ingress-services/templates/certificate.yaml
Expand Up @@ -36,7 +36,4 @@ spec:
{{- if .Values.accountPages.enabled }}
- {{ .Values.config.dns.accountPages }}
{{- end }}
{{- if .Values.federator.enabled }}
- {{ .Values.config.dns.federator }}
{{- end }}
{{- end -}}
@@ -0,0 +1,33 @@
{{- if and .Values.federator.enabled (not .Values.tls.enabled) }}
{{- fail "TLS is required by federator. Either disable federation or enable tls." }}
{{- end }}
{{- if and .Values.tls.enabled .Values.tls.useCertManager }}
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: "federator-{{ include "nginx-ingress-services.zone" . | replace "." "-" }}-csr"
namespace: {{ .Release.Namespace }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
issuerRef:
name: letsencrypt-http01
kind: Issuer
usages:
- server auth
duration: 2160h # 90d, Letsencrypt default; NOTE: changes are ignored by Letsencrypt
renewBefore: 360h # 15d
isCA: false
keyAlgorithm: ecdsa
keySize: 256 # hs-tls only supports p256
keyEncoding: pkcs1
secretName: federator-certificate-secret
# NOTE: disabled due to https://github.com/jetstack/cert-manager/issues/2978
# TODO: enable when fixed (probably when cert-manager:v0.16 released)
#privateKey:
# rotationPolicy: Always
dnsNames:
- {{ .Values.config.dns.federator }}
{{- end -}}
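Review bot: `usages` requests only `server auth`, yet deployment.yaml documents that with `tls.useSharedFederatorSecret` this same `federator-certificate-secret` becomes the federator's client certificate toward remote backends, whose ingress now enforces `auth-tls-verify-client: "on"`. Add `- client auth` to `usages` so the requested extended key usage covers both roles rather than relying on the issuer to add it.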
Expand Up @@ -12,11 +12,13 @@ metadata:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-secret: "{{ .Release.Namespace }}/federator-ca-secret"
spec:
tls:
- hosts:
- {{ .Values.config.dns.federator }}
secretName: {{ include "nginx-ingress-services.getCertificateSecretName" . | quote }}
secretName: "federator-certificate-secret"
rules:
- host: {{ .Values.config.dns.federator }}
http:
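Review bot: `auth-tls-verify-client: "on"` rejects every connection that does not chain to the CA in `federator-ca-secret`, and ingress-nginx verifies to a default depth of 1. If `tlsClientCA` holds a root while remote backends present leaves issued by an intermediate, chain validation fails; either bundle the intermediate into `tlsClientCA` or set `nginx.ingress.kubernetes.io/auth-tls-verify-depth` explicitly, and say which in values.yaml.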
12 changes: 5 additions & 7 deletions charts/nginx-ingress-services/templates/secret.yaml
Expand Up @@ -7,19 +7,17 @@ metadata:
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
type: kubernetes.io/tls
{{ if .Values.tls.useCertManager -}}
{{- /* NOTE: providing `data` (and empty strings) allows to manage this secret resource with Helm if cert-manager is used */ -}}
data:
{{- if .Values.tls.useCertManager }}
{{/* NOTE: providing `data` (and empty strings) allows to manage this secret resource with Helm if cert-manager is used */}}
tls.crt: ""
tls.key: ""
{{- end -}}
{{- if (not .Values.tls.useCertManager) -}}
data:
{{- /* for_helm_linting is necessary only since the 'with' block below does not throw an error upon an empty .Values.secrets */}}
{{- else }}
{{/* for_helm_linting is necessary only since the 'with' block below does not throw an error upon an empty .Values.secrets */}}
for_helm_linting: {{ required "No .secrets found in configuration. Did you forget to helm <command> -f path/to/secrets.yaml ?" .Values.secrets | quote | b64enc | quote }}

{{- with .Values.secrets }}
tls.crt: {{ .tlsWildcardCert | b64enc | quote }}
tls.key: {{ .tlsWildcardKey | b64enc | quote }}
{{- end }}
{{- end -}}
{{- end -}}
25 changes: 25 additions & 0 deletions charts/nginx-ingress-services/templates/secret_federator.yaml
@@ -0,0 +1,25 @@
{{- if .Values.federator.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: federator-certificate-secret
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
type: kubernetes.io/tls
data:
{{- if .Values.tls.useCertManager }}
{{/* NOTE: providing empty strings here allows to manage this secret resource with Helm if cert-manager is used */}}
tls.crt: ""
tls.key: ""
{{- else }}
{{/* for_helm_linting is necessary only since the 'with' block below does not throw an error upon an empty .Values.secrets */}}
for_helm_linting: {{ required "No .secrets found in configuration. Did you forget to helm <command> -f path/to/secrets.yaml ?" .Values.secrets | quote | b64enc | quote }}

{{- with .Values.secrets }}
tls.crt: {{ .tlsWildcardCert | b64enc | quote }}
tls.key: {{ .tlsWildcardKey | b64enc | quote }}
{{- end -}}
{{- end -}}
{{- end -}}
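Review bot: in the non-cert-manager branch this federator secret is filled from `tlsWildcardCert` / `tlsWildcardKey`, the same material as the wildcard secret, while certificate.yaml in this PR removes `config.dns.federator` from the wildcard certificate's `dnsNames`. Operators supplying their own certificates therefore need a wildcard that still covers the federator hostname, and nothing says so; either add dedicated values for the federator certificate and key or document the requirement in values.yaml. The `data:` block is also a verbatim copy of secret.yaml's; a named template would keep the two from drifting.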
4 changes: 4 additions & 0 deletions charts/nginx-ingress-services/values.yaml
Expand Up @@ -75,6 +75,10 @@ service:
# tlsWildcardKey: |
# -----BEGIN PRIVATE KEY-----
# -----END PRIVATE KEY-----
# tlsClientCA: |
# -----BEGIN PRIVATE KEY-----
# -----END PRIVATE KEY-----
# ^ CA to use to verify client certificates.
#
# For Services:
# service:
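Review bot: the `tlsClientCA` example is delimited by `-----BEGIN PRIVATE KEY-----` / `-----END PRIVATE KEY-----`, but the value is a CA certificate (ca_federator.yaml stores it as `ca.crt`), so the markers should be `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----`; as written, an operator copying the example is invited to paste a private key into a field nginx expects to hold a certificate.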
2 changes: 2 additions & 0 deletions deploy/services-demo/conf/nginz/nginx.conf
Expand Up @@ -130,6 +130,8 @@ http {
ssl_certificate integration-leaf.pem;
ssl_certificate_key integration-leaf-key.pem;

ssl_verify_client on;
ssl_client_certificate integration-ca.pem;
######## TLS/SSL block end ##############

zauth_keystore resources/zauth/pubkeys.txt;
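Review bot: `ssl_verify_client on` applies to the entire `server` block, so every TLS client of this listener, not only remote federators, must now present a certificate signed by `integration-ca.pem`. If this demo nginz also serves ordinary API clients, switch to `ssl_verify_client optional` and reject `$ssl_client_verify != SUCCESS` only in the federation locations, so that unrelated endpoints keep working.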