feat: backend TLS SAN validation (envoyproxy#3507)

* BTLS: enforce SAN validation Signed-off-by: Guy Daich <[email protected]> * use dedicated cert for ext-proc e2e test Signed-off-by: Guy Daich <[email protected]> * fix ext-proc server client tls settings Signed-off-by: Guy Daich <[email protected]> --------- Signed-off-by: Guy Daich <[email protected]>
arkodg · May 31, 2024 · dc201ba · dc201ba
1 parent bcaa1b0
commit dc201ba
Show file tree

Hide file tree

Showing 6 changed files with 98 additions and 58 deletions.
diff --git a/...al/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml b/...al/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml
@@ -24,6 +24,10 @@
         '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
         commonTlsContext:
           validationContext:
+            matchTypedSubjectAltNames:
+            - matcher:
+                exact: example.com
+              sanType: DNS
             trustedCa:
               filename: /etc/ssl/certs/ca-certificates.crt
         sni: example.com

diff --git a/...xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml b/...xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml
@@ -23,11 +23,17 @@
       typedConfig:
         '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
         commonTlsContext:
-          validationContextSdsSecretConfig:
-            name: policy-btls/policies-ca2
-            sdsConfig:
-              ads: {}
-              resourceApiVersion: V3
+          combinedValidationContext:
+            defaultValidationContext:
+              matchTypedSubjectAltNames:
+              - matcher:
+                  exact: bar.example.com
+                sanType: DNS
+            validationContextSdsSecretConfig:
+              name: policy-btls/policies-ca2
+              sdsConfig:
+                ads: {}
+                resourceApiVersion: V3
         sni: bar.example.com
   - match:
       name: httproute/envoy-gateway/httproute-btls/rule/0/tls/1
@@ -37,11 +43,17 @@
       typedConfig:
         '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
         commonTlsContext:
-          validationContextSdsSecretConfig:
-            name: policy-btls/policies-ca
-            sdsConfig:
-              ads: {}
-              resourceApiVersion: V3
+          combinedValidationContext:
+            defaultValidationContext:
+              matchTypedSubjectAltNames:
+              - matcher:
+                  exact: example.com
+                sanType: DNS
+            validationContextSdsSecretConfig:
+              name: policy-btls/policies-ca
+              sdsConfig:
+                ads: {}
+                resourceApiVersion: V3
         sni: example.com
   type: EDS
 - circuitBreakers:
@@ -85,10 +97,16 @@
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
             commonTlsContext:
-              validationContextSdsSecretConfig:
-                name: policy-btls-2/policies-ca
-                sdsConfig:
-                  ads: {}
-                  resourceApiVersion: V3
+              combinedValidationContext:
+                defaultValidationContext:
+                  matchTypedSubjectAltNames:
+                  - matcher:
+                      exact: example.com
+                    sanType: DNS
+                validationContextSdsSecretConfig:
+                  name: policy-btls-2/policies-ca
+                  sdsConfig:
+                    ads: {}
+                    resourceApiVersion: V3
             sni: example.com
   type: EDS
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml
@@ -23,10 +23,16 @@
       typedConfig:
         '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
         commonTlsContext:
-          validationContextSdsSecretConfig:
-            name: policy-btls/policies-ca
-            sdsConfig:
-              ads: {}
-              resourceApiVersion: V3
+          combinedValidationContext:
+            defaultValidationContext:
+              matchTypedSubjectAltNames:
+              - matcher:
+                  exact: example.com
+                sanType: DNS
+            validationContextSdsSecretConfig:
+              name: policy-btls/policies-ca
+              sdsConfig:
+                ads: {}
+                resourceApiVersion: V3
         sni: example.com
   type: EDS
diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go
@@ -813,6 +813,16 @@ func buildXdsUpstreamTLSSocketWthCert(tlsConfig *ir.TLSUpstreamConfig) (*corev3.
 								Filename: "/etc/ssl/certs/ca-certificates.crt",
 							},
 						},
+						MatchTypedSubjectAltNames: []*tlsv3.SubjectAltNameMatcher{
+							{
+								SanType: tlsv3.SubjectAltNameMatcher_DNS,
+								Matcher: &matcherv3.StringMatcher{
+									MatchPattern: &matcherv3.StringMatcher_Exact{
+										Exact: tlsConfig.SNI,
+									},
+								},
+							},
+						},
 					},
 				},
 			},
@@ -822,10 +832,24 @@ func buildXdsUpstreamTLSSocketWthCert(tlsConfig *ir.TLSUpstreamConfig) (*corev3.
 		tlsCtx = &tlsv3.UpstreamTlsContext{
 			CommonTlsContext: &tlsv3.CommonTlsContext{
 				TlsCertificateSdsSecretConfigs: nil,
-				ValidationContextType: &tlsv3.CommonTlsContext_ValidationContextSdsSecretConfig{
-					ValidationContextSdsSecretConfig: &tlsv3.SdsSecretConfig{
-						Name:      tlsConfig.CACertificate.Name,
-						SdsConfig: makeConfigSource(),
+				ValidationContextType: &tlsv3.CommonTlsContext_CombinedValidationContext{
+					CombinedValidationContext: &tlsv3.CommonTlsContext_CombinedCertificateValidationContext{
+						ValidationContextSdsSecretConfig: &tlsv3.SdsSecretConfig{
+							Name:      tlsConfig.CACertificate.Name,
+							SdsConfig: makeConfigSource(),
+						},
+						DefaultValidationContext: &tlsv3.CertificateValidationContext{
+							MatchTypedSubjectAltNames: []*tlsv3.SubjectAltNameMatcher{
+								{
+									SanType: tlsv3.SubjectAltNameMatcher_DNS,
+									Matcher: &matcherv3.StringMatcher{
+										MatchPattern: &matcherv3.StringMatcher_Exact{
+											Exact: tlsConfig.SNI,
+										},
+									},
+								},
+							},
+						},
 					},
 				},
 			},

diff --git a/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml b/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml
@@ -86,4 +86,4 @@ spec:
     - name: grpc-ext-proc-ca
       group: ''
       kind: ConfigMap
-    hostname: grpc-ext-proc
+    hostname: grpc-ext-proc.envoygateway
diff --git a/test/e2e/testdata/ext-proc-service.yaml b/test/e2e/testdata/ext-proc-service.yaml
@@ -127,6 +127,7 @@ data:
     	// Create TLS configuration
     	tlsConfig := &tls.Config{
     		RootCAs: certPool,
+    		ServerName: "grpc-ext-proc.envoygateway",
     	}
 
     	// Create gRPC dial options
@@ -312,8 +313,8 @@ metadata:
   namespace: gateway-conformance-infra
 type: kubernetes.io/tls
 data:
-  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZxekNDQTVPZ0F3SUJBZ0lVVnV6VUJrakZOeGxOdlorTVB5UjFBQzdUcWI4d0RRWUpLb1pJaHZjTkFRRUwKQlFBd0dERVdNQlFHQTFVRUF3d05aM0p3WXkxbGVIUXRZWFYwYURBZUZ3MHlOREF6TURrd016VXpNVGRhRncwegpOREF6TURjd016VXpNVGRhTUJneEZqQVVCZ05WQkFNTURXZHljR010WlhoMExXRjFkR2d3Z2dJaU1BMEdDU3FHClNJYjNEUUVCQVFVQUE0SUNEd0F3Z2dJS0FvSUNBUUNabmplR2xaYkRWZW50MHZFdkZRWllMUjhYL0ZlTU45TzgKenhGSVp1OXdHQkVIazNTd24vWnhvOG1hTk5CMUw3UjEvTnMydVQwdUdXdS9YSHVVeVJyOG5zeDNGS21uTkxINwp0WFNsbGxFV1NXM05UTnQ2T2lNVXFReWdCcE5seUhETDRXRHpNWG53S200bFFhRFlqcGdzUVZPM3pJWERWRVUyCjRGRllONVJSZGkyOVBLMlRTTWxWYWt0RExic2ltWFM0WXIwQlBkbTZHRTczajFzU2d6WHd5RnZ6a24rQWNIVFYKdTBkN2diT1MwUjBjRTFUK0JSSVExVENCMWJvRndDNW5BNjNySUMrb0lzZUFJS2s4OHYyT3prV0dQeDM5KzlFTQowVEVqbUZCdG9ZcXRzbXhGVlB6YkdhbytieGZKR0g3cG5FSWN0V1h1WHhheEVkb25tMFpVSWJqQlpsUTlVaHJHCnFQWnA3ZHB4YytsR2FmTlRWcngwb1hsNExLelZUTnVKZnFJdXZwVlRTd3hOWTJoZE8weHdqbDBWYlovb2pzNVoKVXVLU3AxNktNaitpN2drMmN5ckxuQlRER2FpWnEyVXUwZ21QVjczTUtjOExFcW9JN2c4Ymk2b3BBYjkzaGxpbApzSkNtWWtneTZCdytIM3J0THpZeCtFcENRZjVyWno2Q3hBZCtML1pIQURGY0d1VFNSRE9DNnd1RGZpNFFDSWJPCjdyNmdzbytzem5xbVJDZDhCMXZSVC9ORjZUOElhU1k2aGJwZkZCKzdrWDFyQysrVjdOZlZ4ODFXS2pUUHNJU2kKODBrb2JWdkM4cWp2di82bENESHZMNWZiWmI2YnUwSG9FN3kzK1lrYU9YaEtOcHdHaWZQT2tobTM4TzhHd280MQp3TTZtVW5HdHZ3SURBUUFCbzRIc01JSHBNQjBHQTFVZERnUVdCQlFGd2E2bkkyZk5iRmkvZ0Jwb0dXemFpR2JhCnp6QWZCZ05WSFNNRUdEQVdnQlFGd2E2bkkyZk5iRmkvZ0Jwb0dXemFpR2JhenpBSkJnTlZIUk1FQWpBQU1Bc0cKQTFVZER3UUVBd0lGNERBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFUQk1CZ05WSFJFRVJUQkRnZzFuY25CagpMV1Y0ZEMxaGRYUm9naWRuY25CakxXVjRkQzFoZFhSb0xtZGhkR1YzWVhrdFkyOXVabTl5YldGdVkyVXRhVzVtCmNtR0NDV3h2WTJGc2FHOXpkREFzQmdsZ2hrZ0JodmhDQVEwRUh4WWRUM0JsYmxOVFRDQkhaVzVsY21GMFpXUWcKUTJWeWRHbG1hV05oZEdVd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dJQkFKSXpTb0M5UFEvUjhmMDJwKzREV3ZUegpXNzh2S0pJeGlMa283b25SMXF0MEgyT0x2NUtjNGF0blQvanh0N1ZaV3k0VUprZmowYlZxVHVXVTRXeWFobWxICmIxUUt3V2lYM2Jqditzd2JvOC93WkoyMnNIdzBib3FuMEdWcmdyUVgwaEViaDZUNDdlWUNjQnR2Z1ZWbUNLbnIKaXNzbVUwSGhwb3g2cm9UM3dhbjhsOWRGRDR4bzlpaHE0ckh1b3JCbElNQ2d2RWhkSVVIVDB3eVgyejRLWFJTWgpiZ0U4ZXpVZ295dWVPamdvRTZhZ0xidEs4S1VVUVdmTExxZ0ZRT3M4ckE3SGZ2blF4Qjd3aUpkdXZJZGV5ZitpCnRuN2ZRVkNxcFd6c0h1R2Z2WTNpdmpuQWNRYjlUb3ErUTRJKy9YdHExN0doMzlnbzYrMW5tL1Yvb0pQRWFnRWcKWEwrT3pjT0Y2Y09NRDdaeW92M1BXVmJKbVJGc3F2aTIvaWpmOHZ0Z201ZkdVRlJJY0pLWmFrN2Y0QzlENUNpagorM3l5aThQaG9RSHlxQzZxK0dNRWF4czJGQ1hXQW1vMXhXVTY3cENDWU9NZ2VnS2NtWGFoR2hWRHB3VHV1RHNICmUxUXdUTGZNQUNrczB2UVd0OWxMMHUxN090cXpROTR6TnRMRTlkU3VMYVp2U1hxaTBQaklWcXVNdXFVQnU5djgKMDFaMVRWQmZGd1VOTzB0Z1VBaU1STWNWbGZqS2ozZkUweE5aZUIvbVhodmFpeTVoWmE2dlVxSXJFYzl5eHJJdwp1Q28zQWNnZmY5YUYrM0FVQlg0b1dpYURtUDBaTDVWMHJEMGRWU1dlQW1qYWdXVXRUc1ZGelk4Y2J5T0c2aFd4CmlGSTFVZkxRL0N1T3ROc0RUYmkwCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
-  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1Mwd2dna3BBZ0VBQW9JQ0FRQ1puamVHbFpiRFZlbnQKMHZFdkZRWllMUjhYL0ZlTU45Tzh6eEZJWnU5d0dCRUhrM1N3bi9aeG84bWFOTkIxTDdSMS9OczJ1VDB1R1d1LwpYSHVVeVJyOG5zeDNGS21uTkxIN3RYU2xsbEVXU1czTlROdDZPaU1VcVF5Z0JwTmx5SERMNFdEek1YbndLbTRsClFhRFlqcGdzUVZPM3pJWERWRVUyNEZGWU41UlJkaTI5UEsyVFNNbFZha3RETGJzaW1YUzRZcjBCUGRtNkdFNzMKajFzU2d6WHd5RnZ6a24rQWNIVFZ1MGQ3Z2JPUzBSMGNFMVQrQlJJUTFUQ0IxYm9Gd0M1bkE2M3JJQytvSXNlQQpJS2s4OHYyT3prV0dQeDM5KzlFTTBURWptRkJ0b1lxdHNteEZWUHpiR2FvK2J4ZkpHSDdwbkVJY3RXWHVYeGF4CkVkb25tMFpVSWJqQlpsUTlVaHJHcVBacDdkcHhjK2xHYWZOVFZyeDBvWGw0TEt6VlROdUpmcUl1dnBWVFN3eE4KWTJoZE8weHdqbDBWYlovb2pzNVpVdUtTcDE2S01qK2k3Z2syY3lyTG5CVERHYWlacTJVdTBnbVBWNzNNS2M4TApFcW9JN2c4Ymk2b3BBYjkzaGxpbHNKQ21Za2d5NkJ3K0gzcnRMell4K0VwQ1FmNXJaejZDeEFkK0wvWkhBREZjCkd1VFNSRE9DNnd1RGZpNFFDSWJPN3I2Z3NvK3N6bnFtUkNkOEIxdlJUL05GNlQ4SWFTWTZoYnBmRkIrN2tYMXIKQysrVjdOZlZ4ODFXS2pUUHNJU2k4MGtvYlZ2QzhxanZ2LzZsQ0RIdkw1ZmJaYjZidTBIb0U3eTMrWWthT1hoSwpOcHdHaWZQT2tobTM4TzhHd280MXdNNm1Vbkd0dndJREFRQUJBb0lDQUJ4bml2RFJ2QnpHU0FqM2xpMFVnQ1hSCndnd1hWc0RRbWRBeG9ZcDNyaEpXQU9BYnZkbmkyaGpOSmp2alJDQkcvK0ZKTGVlQ2ZQT0hNOHNnZUtGY1JpY3IKM2JhdkZXZWJjTVdRR2M5OGFlWHJFZWlDSzVzQUlQaHpBYWlkVHFmbFZpWDh1SVovUVlMTTlhemg0N0huTy9BQwo3RTN4L1ZIT3hUV09hTHdkR3NtdFJtdlZTbXNQYkZyazJxSERWUFRpMXhnNCthVy9JQUV1K1hzQkFOLzlidjNrCnJrdnRiTEg5R1QxajhhVytwOHVmNnZnRUF4VXRMdGY1ODR3dVRzVTljZGNPY1J3bXlXa1hkVGdWMGZVNUlQVkUKNHNvZDVaZk85aXFlaTYxL1BtL25ETk50U0dQUmdTZXFLVForS0RIQTI4YXFZL2NXKzVBRitSWW9yT1BoN0REYwo3REIxQjQ2SVNyZDVZRzZadjQxaVA4Ui85WWpwYXFwMk13bXhsNWlWUVBWd0psbGZPV3p3VHEwa3BNS1lpWDlBCmE4ZWpMc3RXdEM3c0lCVHdKeldWK3RVNnVIckhyZ0hEdlJYaFZHRHN0eXVIUUhxczA0ZXVrZmlhVHJVdlR1WVgKbUp3SFprVVNTb1U0WGFMTURGYWFwN0tyaEZaTEZsTzJZdVhna25oNTFlc0x2RVB3ekVPUFNWMmJGc0hZS0pxbwo5Q1IyeDdBNzZPcXU5cGhSTVRacXVwMCt6R0hsU2VHNlo0clZKKzNYWExLS1pubjV4UXJjWlY4Y0d3SXo2dnZPCnJvU0tIaC9tV0VvQll0UEJEMkhYT010THUwMHdZUlF6ckdOa3VOcmtlQlQxZkNndG1za3VxOGNEZHo0bWs1c3AKYkR2UFhKNW5URWlsOEo2VXFhNGhBb0lCQVFESVZXWkhlOVhnUk9ZU2tEUmNGNFEwYUZrRkxGN2ZMOVY5V0hyeQpmVGVvdnFuMjVFQlVaTCtKMmhDbURMOVZ5MUR6YWhSd083TVZRYjRHT09iejhncFVqckxzb2RycGFydjlQNFhiClV6VTRvTTM5ZjU1OFhkTGtBRHk0VUxtTTZVNHBJait3YzdhSFhMMmRHNE5zNkplN0lLclh1c3pnQTl1S3c4UFcKRXYweVlZN2lIOXUydlM2MXZxQlBzQkRNbUltL2I0ekx2UEFwTnR5MkIrNWh3anFoTjRWSEpEUFVQRVVQWXJ6cwpmZEkwL2krWTZtaURweHptSXk1VWh4TkJvVitBblZ5L3BiU0tOc1Q3bHdPekQ2REJaREQ3MEFsenRUNlo5OXh3CkFseWhBU2t2ZmxneFd2TWJ3MEVKN25HUWNhTTR6YW5HNE00SGRCZXZJSnozMmpFSEFvSUJBUURFVGJ5R3AvNVQKcnhoNzNoT05xT3NZOGpxdFI0eVg3REpJcFB2eVNocUVoTUVXQVpYb1ZjRTQvSXd2c1JDVXdxald3VkN5ampJUQpKSUh4TmNEU1Rtd1JPcEQ5OGY2S01zamx0bWRtd3pLblBiZnhleEhwZTRMQmh0UFc5bE9GRHpYblpXWnNWSk1PCm9DV3pwL0N2cldCM3dzM1FsTElzTXhUTDhhTW1KOVBiUFcrUEcyWXphM05rMWV1bm4zWm81SGtkeHJFaDBCVngKMjMxRjA2ZGdoNmZBcDZVZXg0WXdiSUlRU1hGRkI4cmJ3V3Frb0RZYTNWVlZTQ29Dbk9VNHBRb0pudHVkb0cyOQpwTnJaQzlHVWFwUGdycDJoV3Iya0tCY3lYVTBQRksrM1hWSE80aHJLY1FVU3M1c2dTd1NiS3F3eGQ0eEs2djB6CllHeXhuYmR4cDhlSkFvSUJBUURETnFTaUI4UVQ5RStWeXp1YWViZjBNYko5WGcxY3d3bndTT1lWb1hzNVRnSGwKZWVwTjBwYnF4N250ZFFLRm9jZlNTbzU4QjFDczZCRTVrdjFLdlpMZmJ1WmZ2Q0RMejV3OFhVZ2N2dXBmc2lMSQpZVEdZMHZ5TC9NY3VmRXN6U3ExRlhBQmYrNEhrU2JUamdVb0NPR3lTaG5TMEgyMUE1Y0ZyYVBST2lOWjkzNThTCkxpVTEzd2ZEUm15RStuYUVTQ2dDaWJyVFZkdFk3Z01JeHBXK1lUd3NtU09nZldDYjhkY0I5UjlQL0JONFhERVoKZTJJNDJBRkxLUUVla1Rsc2ZNbkpWSTVxbWhoaGpwbEk2SkZNVFhCQ3cxVVFMRnJwaTdYaTV5ckJZeXZNSUl0MwpvbEJpVjlRS082d0c5M2xtWGJYRnhuTW9QeXZGQzVXQXEvRUpmRzdGQW9JQkFRQ1d2R3FMcSt3ckxrVEt1TmlpCjZwYThiU1NKY211UExSdmZsSEN5dUJ4c3JkUG1wZ2tLZ3U4QVowenVRalROUmp5SHk2Ry91bGpPOUhtalV2ZGgKaGo2TmJEOXlBS1RJVWY3YUJacVkya0xIRVNseUVHTE11cjdKQkZNZXViK2dhUEduWWNHb1pia1dmZnIxWFh3QQpLazN0S0hVS09XUW5kSUgvcU9qeW41cWF1eTR5NFlNMDhNbUhJSXo0QmdiU3ZMNFVFMEpwQ0hPdkhpK3ZzcnJQCjhOcnJvTSsyTnRmZnp6S0FkeVMzTVNpZ1hvRVpNTHpiSENJdWZsOWo2ajVKcE5GMFdidWg2bExhVVFDTHNmdVkKejg0RnRZL3RHdFNNZlF4eTdCb0Qvb3AvYnZVbXU1Qis2eEpPTGdSc1k2NkJ4OTY1aldiNUVFQ2xkdUYvOGUrdgpJbnFoQW9JQkFFS2tza29mRE5lKzZTeWpsTFBzUVVBbkljdVdBOWttMlQ1OFRrSGF3emlJWmFMVjN4eFpCcUhXCjJQek9OUE40dlZzNzNNLzJJb1JjSmZYdmZlVnF1Rkk4QVdDbzh5b0Z2cFVFYnJKOHVwV2ZGVExVTjZ6UFRMdkgKSTBDVU5Gb1A0TWI1ZGNWUXBwT3pWY3d3UWUvM2FuN3hrZHBpdkFMTWZwYU5YaHg5dG5rc3JQVXJiQjBuNzVZbQo1WGxvVTZPNTY3cmN4c0g4b2VLaUpGZUdxMnJRQ1d5K2NJREk0T3cvNlJmcWd2TEdjb2JleDMwY1ZLT29iRWVVCmNnWnZNM2VvczZ5TCtRdGY2bUhldnN0VkRkaldsaUpoUGlBUkVTeVZwdy9XVE1aU1pORnpjZ1R6M2p3TklHMUwKQndaaVNnMTkxMzdlTlFjalIxdUxHYnVWSWtXVGN0bz0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTRENDQWpDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREF0TVJVd0V3WURWUVFLREF4bGVHRnQKY0d4bElFbHVZeTR4RkRBU0JnTlZCQU1NQzJWNFlXMXdiR1V1WTI5dE1CNFhEVEkwTURVek1ERTNOVEV3TkZvWApEVE0wTURVeU9ERTNOVEV3TkZvd056RVdNQlFHQTFVRUF3d05aM0p3WXkxbGVIUXRjSEp2WXpFZE1Cc0dBMVVFCkNnd1VaWGhoYlhCc1pTQnZjbWRoYm1sNllYUnBiMjR3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXcKZ2dFS0FvSUJBUUNLVTVuemp4SXUwMjlrY0JOZXpuTEJFKy9DSTRDd3FMRmNBblc5RFFwYjNDdG5lYkFPdjVicApMNktWVTc0NnZ5WVh5Q2pmaURRMzN5RnRsOTRPTUEyQ3EzWmpSTXRLWXNraXlHUmFIQXZHOTFBc0x6cmljdVIyCk5QSFgzTW1pN0pjWWtET2dVeDB0VWJXTnltY3hCeExsRG1uM3NjMHhJV1psRHNpTk5wM1FnQnJpMWFzMERCNC8KT29ucWhMd1g2YXRjUW5OSE1MbytMaEpJTUhwNDROeEk5azloQVo3VStBOG5seURydm9IQnZIMHJBQ2hhNklhYgpBa0VZWW1wWmNKRDZiTFI2MUV4V293U3hJRUN6RDl4RU0yUDJJeXVHTHY2cVNEVXFPWnYvTmx4UUJlNGVaWHR3CkpCUmlRWWlPdWRhQ3kvOWJYOVZiUFJMZ0VQcklnWnB0QWdNQkFBR2phVEJuTUNVR0ExVWRFUVFlTUJ5Q0dtZHkKY0dNdFpYaDBMWEJ5YjJNdVpXNTJiM2xuWVhSbGQyRjVNQjBHQTFVZERnUVdCQlJzYWYyL01HL1VkMHJBcEZiOApQdXZIQml2SXFqQWZCZ05WSFNNRUdEQVdnQlJzRkpHQUFrWEZQZjZrbG5CT2NaVnNUUHpCRHpBTkJna3Foa2lHCjl3MEJBUXNGQUFPQ0FRRUFuSnR1eUJDRXBRb2Q4bmdHWUVPMUVyV3dBcVd3ZzFZQUtBSEs0NzZNMHNhR21Gb0wKaW5DeHRRbDM0dHZVKzAzbFl1SUJobUpuYzdEQjQxb29XYkJWRGhaYWRscmw0V1BUSWtWQWpvaHNsU2VaSzh1UgpRVkVOVEN6VUM3TEU0TW42YUhzVm1sbE9wc0FldzBNdWRHaWlUN21TZE80QVF2WmU0ZE5CNit1cWUxYzBHZ1h6CnZZa1BWMjh6MVZMUm5MY25FaEpKL3c1ZlMzMjEvWUlUNGRrNEFmaE5EdVNQMTZMQW9hSkVPNEhzYlBYZUl1eGIKZGluVVJNTG5OTXZYeEhtSHJGcGdWZnZyTkJRTzBsK3VBVDMxTWpBM1lBRjViblhBcEpsUm0xMCtjbDdmeldFdwpHQmlsdVdsRll1TFhIeVBJSVgyTXU2U1grVjg2eXd1YVlLMVdaQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ0tVNW56anhJdTAyOWsKY0JOZXpuTEJFKy9DSTRDd3FMRmNBblc5RFFwYjNDdG5lYkFPdjVicEw2S1ZVNzQ2dnlZWHlDamZpRFEzM3lGdApsOTRPTUEyQ3EzWmpSTXRLWXNraXlHUmFIQXZHOTFBc0x6cmljdVIyTlBIWDNNbWk3SmNZa0RPZ1V4MHRVYldOCnltY3hCeExsRG1uM3NjMHhJV1psRHNpTk5wM1FnQnJpMWFzMERCNC9Pb25xaEx3WDZhdGNRbk5ITUxvK0xoSkkKTUhwNDROeEk5azloQVo3VStBOG5seURydm9IQnZIMHJBQ2hhNklhYkFrRVlZbXBaY0pENmJMUjYxRXhXb3dTeApJRUN6RDl4RU0yUDJJeXVHTHY2cVNEVXFPWnYvTmx4UUJlNGVaWHR3SkJSaVFZaU91ZGFDeS85Ylg5VmJQUkxnCkVQcklnWnB0QWdNQkFBRUNnZ0VBUWZidVFzVG1vZWY0aGdnZ1pLVEUrcWhjUE5PYmFpTjRPTzEvWWtGV3dFbTEKZFNvRnVITExMN2Frck50N3F4NCt0emFmcjBHUHpWa2Q0dHA2YlgraTRiNk12WGd3RGZBZ0JQTlZUOWR5RWxjYwpKNFg2YWNUcWlDaGxjRkI4NDdJNXQrQUVqcDgwR2NtT2IraW0zeTJGYURCQWZudU80N0FPMllCOFNVTlRiUHNHCjNJMUkwM09SK2U4aTBrRTJISGZqWCttS1oyNnRDbk95SVQ2SmhudTZ6ZzdwOFFwWEphaFZDbHUrMmR1MFYwUEgKWWNBdURzekFjbVM1WGpvaUw4NmV1Zk9SWVpxSFpybnNpMFlwR0xvZEMwbjNLK1M0TitGQXJUNlRiQjBoMkEwOApPSk40ZEJGTFRQTFZOZ1k3Y3VQOVdjQUtBTmZpQ21ZSzFha3djcHo0clFLQmdRQzhSNEl5dll6aWFqY0w3M1JjClk3empVQVVTN2JWV1ZGNEh1UlVSSEVmVlBpb2Nvcy9MUS81a3ArejFnbSt4ZjNsOTRiVlRxZDJOWEkyRHMxY0kKMHBEeDNsVkhaU0V5QjVvQlBFbVBlQVBpMXQyL2JmaG9DMkF0YXZDeDVOWkEzVHdHdlBhcUFMbmxPcUVLQ3F6dApqUU1qcEppQUQ1cXZhOWVFcXhCMEVmeEVTd0tCZ1FDOEZJT014V1E3WXJpQTZQUHloSDV1eUJic21ZZEhzWXlqCm9QTkVzSUduMW1KbWh6YUFpREM2MWFJZHEzU2ZYYUNvajhQUkRnb04za1g4Z0E0U2prdmRNY2VJMDdaQm45MEsKZFZEdldIV3ZEa2FDZjZINEt6d05BNytxc3FtY3hIVklPNFhOQnhLaEU2Z1FPWDJUZkhTVjM0cVVmdXpZQUdyWQpXU0FIVzR1NUp3S0JnQ2crUUo0SDFlMHZOc1RlVWNqTnFMb05pSWdiTnY5VTJTUmRjeHROS0MxME5Cd2EwTDlwCnNSNWlwa3R6cmR3S216VkU0VFVZd2JwTlpoSVlheW4vbCt1YTBpK0lkaWZ6Wi8rTG0wMkhJWTJDejdMekZuMW0Kc1JBRUk1NWlnMGtxQUlLUU1VajFEc2JvV1RPRVJLSWgyZUhzZEl3cXlhMWxKNU83M0xCeWg3RXhBb0dCQUlXdQp0d281eTFLQ2lzM2x4bThjU1ptSVV2TDg5VEM2UEZLWnRnK2V2YW1FTWhEYURwMHhNQ0c4Y3l4UGorY3ViMkVnClBuaTdWOTRmblBNcU9kWnFtZld3eWppdzhweVdlbEJTcnFKUTUrVHphcDZiQlk4VmUrdHNQTEdocC9rcmtva3kKOVptVGEyUmVTbGl0NUZvT1hmZWhHaWtPUmw0SmZlZ2xBU1Q1cHNpRkFvR0FOc1hSWGZBSGZkNGZlZWtPek9LNwppR3FmNHovTlFaZHlCWGNKZlRhdUpLak1XSGxvSUN2ZjdyblM0YXVEcUE1bmoxTy9Eam5tY01lT2QyNW4yakVlCk1ibU1DMnR1U2VRSW02NjNoaEFYaUk0L2w5SU5Nc3hRUDlzUEJQUjg4Z1RFK3lCTUsvTFY4Mm9vd1BvOG1XNnkKWDdESlJSK3dJY3RueXh6bVBQOExRaE09Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -323,37 +324,24 @@ metadata:
 data:
   ca.crt: |
     -----BEGIN CERTIFICATE-----
-    MIIFqzCCA5OgAwIBAgIUVuzUBkjFNxlNvZ+MPyR1AC7Tqb8wDQYJKoZIhvcNAQEL
-    BQAwGDEWMBQGA1UEAwwNZ3JwYy1leHQtYXV0aDAeFw0yNDAzMDkwMzUzMTdaFw0z
-    NDAzMDcwMzUzMTdaMBgxFjAUBgNVBAMMDWdycGMtZXh0LWF1dGgwggIiMA0GCSqG
-    SIb3DQEBAQUAA4ICDwAwggIKAoICAQCZnjeGlZbDVent0vEvFQZYLR8X/FeMN9O8
-    zxFIZu9wGBEHk3Swn/Zxo8maNNB1L7R1/Ns2uT0uGWu/XHuUyRr8nsx3FKmnNLH7
-    tXSlllEWSW3NTNt6OiMUqQygBpNlyHDL4WDzMXnwKm4lQaDYjpgsQVO3zIXDVEU2
-    4FFYN5RRdi29PK2TSMlVaktDLbsimXS4Yr0BPdm6GE73j1sSgzXwyFvzkn+AcHTV
-    u0d7gbOS0R0cE1T+BRIQ1TCB1boFwC5nA63rIC+oIseAIKk88v2OzkWGPx39+9EM
-    0TEjmFBtoYqtsmxFVPzbGao+bxfJGH7pnEIctWXuXxaxEdonm0ZUIbjBZlQ9UhrG
-    qPZp7dpxc+lGafNTVrx0oXl4LKzVTNuJfqIuvpVTSwxNY2hdO0xwjl0VbZ/ojs5Z
-    UuKSp16KMj+i7gk2cyrLnBTDGaiZq2Uu0gmPV73MKc8LEqoI7g8bi6opAb93hlil
-    sJCmYkgy6Bw+H3rtLzYx+EpCQf5rZz6CxAd+L/ZHADFcGuTSRDOC6wuDfi4QCIbO
-    7r6gso+sznqmRCd8B1vRT/NF6T8IaSY6hbpfFB+7kX1rC++V7NfVx81WKjTPsISi
-    80kobVvC8qjvv/6lCDHvL5fbZb6bu0HoE7y3+YkaOXhKNpwGifPOkhm38O8Gwo41
-    wM6mUnGtvwIDAQABo4HsMIHpMB0GA1UdDgQWBBQFwa6nI2fNbFi/gBpoGWzaiGba
-    zzAfBgNVHSMEGDAWgBQFwa6nI2fNbFi/gBpoGWzaiGbazzAJBgNVHRMEAjAAMAsG
-    A1UdDwQEAwIF4DATBgNVHSUEDDAKBggrBgEFBQcDATBMBgNVHREERTBDgg1ncnBj
-    LWV4dC1hdXRogidncnBjLWV4dC1hdXRoLmdhdGV3YXktY29uZm9ybWFuY2UtaW5m
-    cmGCCWxvY2FsaG9zdDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
-    Q2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggIBAJIzSoC9PQ/R8f02p+4DWvTz
-    W78vKJIxiLko7onR1qt0H2OLv5Kc4atnT/jxt7VZWy4UJkfj0bVqTuWU4WyahmlH
-    b1QKwWiX3bjv+swbo8/wZJ22sHw0boqn0GVrgrQX0hEbh6T47eYCcBtvgVVmCKnr
-    issmU0Hhpox6roT3wan8l9dFD4xo9ihq4rHuorBlIMCgvEhdIUHT0wyX2z4KXRSZ
-    bgE8ezUgoyueOjgoE6agLbtK8KUUQWfLLqgFQOs8rA7HfvnQxB7wiJduvIdeyf+i
-    tn7fQVCqpWzsHuGfvY3ivjnAcQb9Toq+Q4I+/Xtq17Gh39go6+1nm/V/oJPEagEg
-    XL+OzcOF6cOMD7Zyov3PWVbJmRFsqvi2/ijf8vtgm5fGUFRIcJKZak7f4C9D5Cij
-    +3yyi8PhoQHyqC6q+GMEaxs2FCXWAmo1xWU67pCCYOMgegKcmXahGhVDpwTuuDsH
-    e1QwTLfMACks0vQWt9lL0u17OtqzQ94zNtLE9dSuLaZvSXqi0PjIVquMuqUBu9v8
-    01Z1TVBfFwUNO0tgUAiMRMcVlfjKj3fE0xNZeB/mXhvaiy5hZa6vUqIrEc9yxrIw
-    uCo3Acgff9aF+3AUBX4oWiaDmP0ZL5V0rD0dVSWeAmjagWUtTsVFzY8cbyOG6hWx
-    iFI1UfLQ/CuOtNsDTbi0
+    MIIDOzCCAiOgAwIBAgIUeZ0sEx2jyxnKQmDw0bllLyag+cgwDQYJKoZIhvcNAQEL
+    BQAwLTEVMBMGA1UECgwMZXhhbXBsZSBJbmMuMRQwEgYDVQQDDAtleGFtcGxlLmNv
+    bTAeFw0yNDA1MzAxNzM4NDBaFw0zNDA1MjgxNzM4NDBaMC0xFTATBgNVBAoMDGV4
+    YW1wbGUgSW5jLjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEB
+    AQUAA4IBDwAwggEKAoIBAQDJEyqHtNXUVlDM3OtzMBUWcB4OdGC6ZA7JrT24PVVs
+    yUXGCvu3P47HLb6GuW7w7IILBhACdTFNBPQ8pNT2ouItASmaX6oZGVCnud6st/Y+
+    KnV0G406IRA/hZOdBO7hSH4pt//j7iDWPF5OEEwH1LJMXEX/5FdIoDKQHdfJdqHz
+    ANE5LP8RAR/A0hdalvBrDhfMzcVRC7wSGyg1AbXDbo+q7M8xPhGa+95KwcMzj7WX
+    vOcnTcjrKHYTuiJEaINSMo9EEfTEMOp0bgqDtSgdCAQWLUL+p5b59tvYOozbOG5P
+    1CLPzZs8K56AbESBA3tK1dO1fMuvV/oMTVU+IstuflC1AgMBAAGjUzBRMB0GA1Ud
+    DgQWBBRsFJGAAkXFPf6klnBOcZVsTPzBDzAfBgNVHSMEGDAWgBRsFJGAAkXFPf6k
+    lnBOcZVsTPzBDzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAM
+    LrFgkTZPXt3zl9WSI22Tk5BT5jgxB+PwDoIsbmd7koXTpAtdFCoSHJQC1c3GQ66i
+    wcTa3ewrqScI62+cMNtgHBYo+j2jMKuND+N2YotzEBlSgsYKua+ehb2n5H7CTvHZ
+    ED9Ch0cP0c4ke4YPW0Xz2hN4SKPwYNVyqaapaW3iQ7zyOPJSPegDbhDRh/soFF5v
+    kDVQC8/fz6VAmPaq+hiem7w8H69FPdPHI3nseqUT+kyUEZkD5eH08MVuQ4uVyYNy
+    cwN8WlDLDCPxxPt9bclj70Xo1/Nae/VSg+rKgfsjwsKweE5gZ7UhWngsjkMVpFzO
+    QPLCCvayjtnIbYbtsXLE
     -----END CERTIFICATE-----
 ---
 apiVersion: apps/v1