From dc201ba00dad4b493d205680c245be0c18f91722 Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Thu, 30 May 2024 21:29:17 -0500 Subject: [PATCH] feat: backend TLS SAN validation (#3507) * BTLS: enforce SAN validation Signed-off-by: Guy Daich * use dedicated cert for ext-proc e2e test Signed-off-by: Guy Daich * fix ext-proc server client tls settings Signed-off-by: Guy Daich --------- Signed-off-by: Guy Daich --- ...e-with-tls-system-truststore.clusters.yaml | 4 ++ ...ith-tlsbundle-multiple-certs.clusters.yaml | 48 +++++++++++------ .../http-route-with-tlsbundle.clusters.yaml | 16 ++++-- internal/xds/translator/translator.go | 32 +++++++++-- .../ext-proc-envoyextensionpolicy.yaml | 2 +- test/e2e/testdata/ext-proc-service.yaml | 54 ++++++++----------- 6 files changed, 98 insertions(+), 58 deletions(-) diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml index 670a5464edb..573625b4671 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml @@ -24,6 +24,10 @@ '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext commonTlsContext: validationContext: + matchTypedSubjectAltNames: + - matcher: + exact: example.com + sanType: DNS trustedCa: filename: /etc/ssl/certs/ca-certificates.crt sni: example.com diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml index 8a7225b4cce..ccfa16dbd99 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml @@ -23,11 +23,17 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext commonTlsContext: - validationContextSdsSecretConfig: - name: policy-btls/policies-ca2 - sdsConfig: - ads: {} - resourceApiVersion: V3 + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: bar.example.com + sanType: DNS + validationContextSdsSecretConfig: + name: policy-btls/policies-ca2 + sdsConfig: + ads: {} + resourceApiVersion: V3 sni: bar.example.com - match: name: httproute/envoy-gateway/httproute-btls/rule/0/tls/1 @@ -37,11 +43,17 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext commonTlsContext: - validationContextSdsSecretConfig: - name: policy-btls/policies-ca - sdsConfig: - ads: {} - resourceApiVersion: V3 + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: example.com + sanType: DNS + validationContextSdsSecretConfig: + name: policy-btls/policies-ca + sdsConfig: + ads: {} + resourceApiVersion: V3 sni: example.com type: EDS - circuitBreakers: @@ -85,10 +97,16 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext commonTlsContext: - validationContextSdsSecretConfig: - name: policy-btls-2/policies-ca - sdsConfig: - ads: {} - resourceApiVersion: V3 + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: example.com + sanType: DNS + validationContextSdsSecretConfig: + name: policy-btls-2/policies-ca + sdsConfig: + ads: {} + resourceApiVersion: V3 sni: example.com type: EDS 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml index 695386bb24b..f368f4c94d0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml @@ -23,10 +23,16 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext commonTlsContext: - validationContextSdsSecretConfig: - name: policy-btls/policies-ca - sdsConfig: - ads: {} - resourceApiVersion: V3 + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: example.com + sanType: DNS + validationContextSdsSecretConfig: + name: policy-btls/policies-ca + sdsConfig: + ads: {} + resourceApiVersion: V3 sni: example.com type: EDS diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index cce16d428e9..44f8bb373d6 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go @@ -813,6 +813,16 @@ func buildXdsUpstreamTLSSocketWthCert(tlsConfig *ir.TLSUpstreamConfig) (*corev3. Filename: "/etc/ssl/certs/ca-certificates.crt", }, }, + MatchTypedSubjectAltNames: []*tlsv3.SubjectAltNameMatcher{ + { + SanType: tlsv3.SubjectAltNameMatcher_DNS, + Matcher: &matcherv3.StringMatcher{ + MatchPattern: &matcherv3.StringMatcher_Exact{ + Exact: tlsConfig.SNI, + }, + }, + }, + }, }, }, }, 
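Review bot: `Exact: tlsConfig.SNI` goes into the SAN matcher with no check that the SNI is non-empty, both in this system-trust-store branch and in the SDS branch of the next hunk (`@@ -822,10 +832,24 @@`). Whether a `TLSUpstreamConfig` can reach this function with an empty `SNI` is not visible here, but if it can, the matcher would presumably match no real certificate and every upstream handshake for that cluster would fail at runtime rather than at translation time. I would reject that case up front, e.g. `if tlsConfig.SNI == "" { /* return a translation error */ }`, using whatever error return the function has (its signature is cut off in the hunk header). The same nine-line matcher literal is also written out twice; a small helper such as `MatchTypedSubjectAltNames: dnsSANMatchers(tlsConfig.SNI)` (name is a suggestion) would keep the two branches from drifting apart. The body of `buildXdsUpstreamTLSSocketWthCert` starts and ends outside this hunk.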
@@ -822,10 +832,24 @@ func buildXdsUpstreamTLSSocketWthCert(tlsConfig *ir.TLSUpstreamConfig) (*corev3. tlsCtx = &tlsv3.UpstreamTlsContext{ CommonTlsContext: &tlsv3.CommonTlsContext{ TlsCertificateSdsSecretConfigs: nil, - ValidationContextType: &tlsv3.CommonTlsContext_ValidationContextSdsSecretConfig{ - ValidationContextSdsSecretConfig: &tlsv3.SdsSecretConfig{ - Name: tlsConfig.CACertificate.Name, - SdsConfig: makeConfigSource(), + ValidationContextType: &tlsv3.CommonTlsContext_CombinedValidationContext{ + CombinedValidationContext: &tlsv3.CommonTlsContext_CombinedCertificateValidationContext{ + ValidationContextSdsSecretConfig: &tlsv3.SdsSecretConfig{ + Name: tlsConfig.CACertificate.Name, + SdsConfig: makeConfigSource(), + }, + DefaultValidationContext: &tlsv3.CertificateValidationContext{ + MatchTypedSubjectAltNames: []*tlsv3.SubjectAltNameMatcher{ + { + SanType: tlsv3.SubjectAltNameMatcher_DNS, + Matcher: &matcherv3.StringMatcher{ + MatchPattern: &matcherv3.StringMatcher_Exact{ + Exact: tlsConfig.SNI, + }, + }, + }, + }, + }, }, }, }, diff --git a/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml b/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml index 32ee0eef4a2..b4031a94d87 100644 --- a/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml +++ b/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml @@ -86,4 +86,4 @@ spec: - name: grpc-ext-proc-ca group: '' kind: ConfigMap - hostname: grpc-ext-proc + hostname: grpc-ext-proc.envoygateway diff --git a/test/e2e/testdata/ext-proc-service.yaml b/test/e2e/testdata/ext-proc-service.yaml index 91b698ed674..e9c48e7fc2f 100644 --- a/test/e2e/testdata/ext-proc-service.yaml +++ b/test/e2e/testdata/ext-proc-service.yaml @@ -127,6 +127,7 @@ data: // Create TLS configuration tlsConfig := &tls.Config{ RootCAs: certPool, + ServerName: "grpc-ext-proc.envoygateway", } // Create gRPC dial options 
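Review bot: The switch from `ValidationContextSdsSecretConfig` to `CombinedValidationContext` carries no comment saying why the trust anchor and the SAN matcher now come from different sources. Envoy documents that the SDS-delivered validation context is merged into `DefaultValidationContext`, with repeated fields concatenated, so any SAN matchers present in the SDS secret would widen the set of accepted names. A comment above the field would make that contract explicit, for example `// CA bundle arrives via SDS; the SAN matcher is static and merged by Envoy, so the SDS secret must contain only the trusted CA.` Separately, this makes SAN matching mandatory for every backend TLS cluster, and backends whose certificate has no DNS SAN equal to the configured hostname will start failing handshakes after upgrade (the e2e certificate in this same patch had to be reissued for that reason). The diffstat shows no release-note or docs change, so that is worth calling out to operators. The enclosing function starts and ends outside this hunk.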
@@ -312,8 +313,8 @@ metadata: namespace: gateway-conformance-infra type: kubernetes.io/tls data: - tls.crt: 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 - tls.key: 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 + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTRENDQWpDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREF0TVJVd0V3WURWUVFLREF4bGVHRnQKY0d4bElFbHVZeTR4RkRBU0JnTlZCQU1NQzJWNFlXMXdiR1V1WTI5dE1CNFhEVEkwTURVek1ERTNOVEV3TkZvWApEVE0wTURVeU9ERTNOVEV3TkZvd056RVdNQlFHQTFVRUF3d05aM0p3WXkxbGVIUXRjSEp2WXpFZE1Cc0dBMVVFCkNnd1VaWGhoYlhCc1pTQnZjbWRoYm1sNllYUnBiMjR3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXcKZ2dFS0FvSUJBUUNLVTVuemp4SXUwMjlrY0JOZXpuTEJFKy9DSTRDd3FMRmNBblc5RFFwYjNDdG5lYkFPdjVicApMNktWVTc0NnZ5WVh5Q2pmaURRMzN5RnRsOTRPTUEyQ3EzWmpSTXRLWXNraXlHUmFIQXZHOTFBc0x6cmljdVIyCk5QSFgzTW1pN0pjWWtET2dVeDB0VWJXTnltY3hCeExsRG1uM3NjMHhJV1psRHNpTk5wM1FnQnJpMWFzMERCNC8KT29ucWhMd1g2YXRjUW5OSE1MbytMaEpJTUhwNDROeEk5azloQVo3VStBOG5seURydm9IQnZIMHJBQ2hhNklhYgpBa0VZWW1wWmNKRDZiTFI2MUV4V293U3hJRUN6RDl4RU0yUDJJeXVHTHY2cVNEVXFPWnYvTmx4UUJlNGVaWHR3CkpCUmlRWWlPdWRhQ3kvOWJYOVZiUFJMZ0VQcklnWnB0QWdNQkFBR2phVEJuTUNVR0ExVWRFUVFlTUJ5Q0dtZHkKY0dNdFpYaDBMWEJ5YjJNdVpXNTJiM2xuWVhSbGQyRjVNQjBHQTFVZERnUVdCQlJzYWYyL01HL1VkMHJBcEZiOApQdXZIQml2SXFqQWZCZ05WSFNNRUdEQVdnQlJzRkpHQUFrWEZQZjZrbG5CT2NaVnNUUHpCRHpBTkJna3Foa2lHCjl3MEJBUXNGQUFPQ0FRRUFuSnR1eUJDRXBRb2Q4bmdHWUVPMUVyV3dBcVd3ZzFZQUtBSEs0NzZNMHNhR21Gb0wKaW5DeHRRbDM0dHZVKzAzbFl1SUJobUpuYzdEQjQxb29XYkJWRGhaYWRscmw0V1BUSWtWQWpvaHNsU2VaSzh1UgpRVkVOVEN6VUM3TEU0TW42YUhzVm1sbE9wc0FldzBNdWRHaWlUN21TZE80QVF2WmU0ZE5CNit1cWUxYzBHZ1h6CnZZa1BWMjh6MVZMUm5MY25FaEpKL3c1ZlMzMjEvWUlUNGRrNEFmaE5EdVNQMTZMQW9hSkVPNEhzYlBYZUl1eGIKZGluVVJNTG5OTXZYeEhtSHJGcGdWZnZyTkJRTzBsK3VBVDMxTWpBM1lBRjViblhBcEpsUm0xMCtjbDdmeldFdwpHQmlsdVdsRll1TFhIeVBJSVgyTXU2U1grVjg2eXd1YVlLMVdaQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + tls.key: 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 --- apiVersion: v1 kind: ConfigMap 
@@ -323,37 +324,24 @@ metadata: data: ca.crt: | -----BEGIN CERTIFICATE----- - MIIFqzCCA5OgAwIBAgIUVuzUBkjFNxlNvZ+MPyR1AC7Tqb8wDQYJKoZIhvcNAQEL - BQAwGDEWMBQGA1UEAwwNZ3JwYy1leHQtYXV0aDAeFw0yNDAzMDkwMzUzMTdaFw0z - NDAzMDcwMzUzMTdaMBgxFjAUBgNVBAMMDWdycGMtZXh0LWF1dGgwggIiMA0GCSqG - SIb3DQEBAQUAA4ICDwAwggIKAoICAQCZnjeGlZbDVent0vEvFQZYLR8X/FeMN9O8 - zxFIZu9wGBEHk3Swn/Zxo8maNNB1L7R1/Ns2uT0uGWu/XHuUyRr8nsx3FKmnNLH7 - tXSlllEWSW3NTNt6OiMUqQygBpNlyHDL4WDzMXnwKm4lQaDYjpgsQVO3zIXDVEU2 - 4FFYN5RRdi29PK2TSMlVaktDLbsimXS4Yr0BPdm6GE73j1sSgzXwyFvzkn+AcHTV - u0d7gbOS0R0cE1T+BRIQ1TCB1boFwC5nA63rIC+oIseAIKk88v2OzkWGPx39+9EM - 0TEjmFBtoYqtsmxFVPzbGao+bxfJGH7pnEIctWXuXxaxEdonm0ZUIbjBZlQ9UhrG - qPZp7dpxc+lGafNTVrx0oXl4LKzVTNuJfqIuvpVTSwxNY2hdO0xwjl0VbZ/ojs5Z - UuKSp16KMj+i7gk2cyrLnBTDGaiZq2Uu0gmPV73MKc8LEqoI7g8bi6opAb93hlil - sJCmYkgy6Bw+H3rtLzYx+EpCQf5rZz6CxAd+L/ZHADFcGuTSRDOC6wuDfi4QCIbO - 7r6gso+sznqmRCd8B1vRT/NF6T8IaSY6hbpfFB+7kX1rC++V7NfVx81WKjTPsISi - 80kobVvC8qjvv/6lCDHvL5fbZb6bu0HoE7y3+YkaOXhKNpwGifPOkhm38O8Gwo41 - wM6mUnGtvwIDAQABo4HsMIHpMB0GA1UdDgQWBBQFwa6nI2fNbFi/gBpoGWzaiGba - zzAfBgNVHSMEGDAWgBQFwa6nI2fNbFi/gBpoGWzaiGbazzAJBgNVHRMEAjAAMAsG - A1UdDwQEAwIF4DATBgNVHSUEDDAKBggrBgEFBQcDATBMBgNVHREERTBDgg1ncnBj - LWV4dC1hdXRogidncnBjLWV4dC1hdXRoLmdhdGV3YXktY29uZm9ybWFuY2UtaW5m - cmGCCWxvY2FsaG9zdDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg - Q2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggIBAJIzSoC9PQ/R8f02p+4DWvTz - W78vKJIxiLko7onR1qt0H2OLv5Kc4atnT/jxt7VZWy4UJkfj0bVqTuWU4WyahmlH - b1QKwWiX3bjv+swbo8/wZJ22sHw0boqn0GVrgrQX0hEbh6T47eYCcBtvgVVmCKnr - issmU0Hhpox6roT3wan8l9dFD4xo9ihq4rHuorBlIMCgvEhdIUHT0wyX2z4KXRSZ - bgE8ezUgoyueOjgoE6agLbtK8KUUQWfLLqgFQOs8rA7HfvnQxB7wiJduvIdeyf+i - tn7fQVCqpWzsHuGfvY3ivjnAcQb9Toq+Q4I+/Xtq17Gh39go6+1nm/V/oJPEagEg - XL+OzcOF6cOMD7Zyov3PWVbJmRFsqvi2/ijf8vtgm5fGUFRIcJKZak7f4C9D5Cij - +3yyi8PhoQHyqC6q+GMEaxs2FCXWAmo1xWU67pCCYOMgegKcmXahGhVDpwTuuDsH - e1QwTLfMACks0vQWt9lL0u17OtqzQ94zNtLE9dSuLaZvSXqi0PjIVquMuqUBu9v8 - 
01Z1TVBfFwUNO0tgUAiMRMcVlfjKj3fE0xNZeB/mXhvaiy5hZa6vUqIrEc9yxrIw - uCo3Acgff9aF+3AUBX4oWiaDmP0ZL5V0rD0dVSWeAmjagWUtTsVFzY8cbyOG6hWx - iFI1UfLQ/CuOtNsDTbi0 + MIIDOzCCAiOgAwIBAgIUeZ0sEx2jyxnKQmDw0bllLyag+cgwDQYJKoZIhvcNAQEL + BQAwLTEVMBMGA1UECgwMZXhhbXBsZSBJbmMuMRQwEgYDVQQDDAtleGFtcGxlLmNv + bTAeFw0yNDA1MzAxNzM4NDBaFw0zNDA1MjgxNzM4NDBaMC0xFTATBgNVBAoMDGV4 + YW1wbGUgSW5jLjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEB + AQUAA4IBDwAwggEKAoIBAQDJEyqHtNXUVlDM3OtzMBUWcB4OdGC6ZA7JrT24PVVs + yUXGCvu3P47HLb6GuW7w7IILBhACdTFNBPQ8pNT2ouItASmaX6oZGVCnud6st/Y+ + KnV0G406IRA/hZOdBO7hSH4pt//j7iDWPF5OEEwH1LJMXEX/5FdIoDKQHdfJdqHz + ANE5LP8RAR/A0hdalvBrDhfMzcVRC7wSGyg1AbXDbo+q7M8xPhGa+95KwcMzj7WX + vOcnTcjrKHYTuiJEaINSMo9EEfTEMOp0bgqDtSgdCAQWLUL+p5b59tvYOozbOG5P + 1CLPzZs8K56AbESBA3tK1dO1fMuvV/oMTVU+IstuflC1AgMBAAGjUzBRMB0GA1Ud + DgQWBBRsFJGAAkXFPf6klnBOcZVsTPzBDzAfBgNVHSMEGDAWgBRsFJGAAkXFPf6k + lnBOcZVsTPzBDzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAM + LrFgkTZPXt3zl9WSI22Tk5BT5jgxB+PwDoIsbmd7koXTpAtdFCoSHJQC1c3GQ66i + wcTa3ewrqScI62+cMNtgHBYo+j2jMKuND+N2YotzEBlSgsYKua+ehb2n5H7CTvHZ + ED9Ch0cP0c4ke4YPW0Xz2hN4SKPwYNVyqaapaW3iQ7zyOPJSPegDbhDRh/soFF5v + kDVQC8/fz6VAmPaq+hiem7w8H69FPdPHI3nseqUT+kyUEZkD5eH08MVuQ4uVyYNy + cwN8WlDLDCPxxPt9bclj70Xo1/Nae/VSg+rKgfsjwsKweE5gZ7UhWngsjkMVpFzO + QPLCCvayjtnIbYbtsXLE -----END CERTIFICATE----- --- apiVersion: apps/v1