Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Initial support for CRL in Ingress Controller #3164

Merged
merged 1 commit into from
Sep 3, 2019

Conversation

rikatz
Copy link
Contributor

@rikatz rikatz commented Sep 30, 2018

What this PR does / why we need it: This PR adds support for CRL into Ingress Controller

Which issue this PR fixes : fixes #1514

Special notes for your reviewer: This is a WIP. Tests still need to be improved. Also this PR doesn't support dynamic ssl configuration (yet), needs @ElvinEfendi review ;) I couldn't make further e2e tests yet

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Sep 30, 2018
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 1, 2018
@rikatz rikatz changed the title [WIP] - Initial support for CRL in Ingress Controller Initial support for CRL in Ingress Controller Oct 3, 2018
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 3, 2018
@rikatz
Copy link
Contributor Author

rikatz commented Oct 3, 2018

@aledbf @ElvinEfendi I'm not pretty aware how Dynamic Certs works internally, so I've made this PR and tested with it disabled.

We can deal with Dynamic Cert in this PR, or make another PR (as this got merged) just for the Dynamic Cert scenario.

Thanks!

@aledbf aledbf added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 3, 2018
@aledbf
Copy link
Member

aledbf commented Dec 22, 2018

@rikatz apologies for the delay.

We can deal with Dynamic Cert in this PR, or make another PR (as this got merged) just for the Dynamic Cert scenario.

Please do that in this PR. I want to switch to dynamic ssl certificates as default.

@bputt
Copy link

bputt commented Feb 26, 2019

any idea when this will get released?

4. If you want to use a Certificate Revocation List, the secret must be created containing both ca.crt and ca.crl as the following:

`kubectl create secret generic auth-tls-chain --from-file=ca.crt --namespace=default`

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could maybe also add the CRL file in that command:

-kubectl create secret generic auth-tls-chain --from-file=ca.crt --namespace=default
+kubectl create secret generic auth-tls-chain --from-file=ca.crt --from-file=ca.crl --namespace=default

@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 10, 2019
@bputt
Copy link

bputt commented Jul 10, 2019

bad bot, keeping this alive

@johanfleury
Copy link

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 11, 2019
@aledbf
Copy link
Member

aledbf commented Sep 3, 2019

@rikatz any chance you can finish this PR?

@rikatz
Copy link
Contributor Author

rikatz commented Sep 3, 2019 via email

@rikatz
Copy link
Contributor Author

rikatz commented Sep 3, 2019

@aledbf I've started to look again into ingress code. Just to see if I'm the right direction, I'm changing the certificates.lua code to contain the following into call:

  local crl_file, crl_err = get_crl_file(hostname)
  if not crl_err then
    lua_ssl_crl = crl_file
  end

I'll also create this get_crl_file function to check wether the API contains a secret, and if the file pointed by this secret exists into the FS (and if that can be read). Is that ok?

If this is the path, I can also take a look into the CA authentication later :)

@aledbf
Copy link
Member

aledbf commented Sep 3, 2019

by this secret exists into the FS (and if that can be read). Is that ok?

No. We don't write certificates to the disk anymore. We have to tables now https://github.com/kubernetes/ingress-nginx/blob/master/rootfs/etc/nginx/lua/configuration.lua#L38
hostname -> uuid (of the secret) then uid -> ssl certificate

This approach removes duplication of secrets and also the use of storage of files.

@ElvinEfendi
Copy link
Member

Hey @rikatz, thanks for resuming work on this. IMHO we don't need any Lua change for this feature. The way I see it is this feature is an extension of TLS client authentication. We currently extra TLS client certificate from the secret and store it on disk. And then configure respective Nginx directives. When the content of the certificate change, we reload Nginx. I think we should just do the same thing for CRL file: introduce a new field as you were planning to, extract it from the secret, and write to disk. Then finally configure ssl_crl respectively.

@rikatz
Copy link
Contributor Author

rikatz commented Sep 3, 2019

Hey @rikatz, thanks for resuming work on this. IMHO we don't need any Lua change for this feature. The way I see it is this feature is an extension of TLS client authentication. We currently extra TLS client certificate from the secret and store it on disk. And then configure respective Nginx directives. When the content of the certificate change, we reload Nginx. I think we should just do the same thing for CRL file: introduce a new field as you were planning to, extract it from the secret, and write to disk. Then finally configure ssl_crl respectively.

Right :)

I've just stopped 'cause at that time NGINX Ingress was moving to dynamic certs, and didn't know how to deal with that.

If you and @aledbf are OK with that, I can resume the work with CRL and CA being written on disk (as it is today) and can think later how to move that to Lua :)

I think the bigger problem we try to solve here is to not reload the nginx configuration when we've some change into CA or CRL, so if Lua is able to everytime re-read the CRL file without reloading NGINX I think this is solved, BUT will probably have some impact into the I/O of the server.

WDYT?

@rikatz
Copy link
Contributor Author

rikatz commented Sep 3, 2019

So better late than never, I've refactored the whole PR.

I'll make some further tests, if someone is also willing to test it and provide feedback, please reach me up here or into slack :)

@rikatz
Copy link
Contributor Author

rikatz commented Sep 3, 2019

/assign @aledbf
/assign @ElvinEfendi

@aledbf
Copy link
Member

aledbf commented Sep 3, 2019

/ok-to-test

@k8s-ci-robot k8s-ci-robot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Sep 3, 2019
@ElvinEfendi
Copy link
Member

I think the bigger problem we try to solve here is to not reload the nginx configuration when we've some change into CA or CRL, so if Lua is able to everytime re-read the CRL file without reloading NGINX I think this is solved, BUT will probably have some impact into the I/O of the server.

In my comment above I'm suggesting to not try to avoid reloads when CRL change. This is similar to TLS client certificate, where we do not avoid reload either. We have dynamic reload only for TLS certificates for handshaking. Avoiding reloads for TLS client certificate and CRL certificate requires us to dynamically handle TLS client verification using Lua too, we currently do not do it and to my knowledge lua-nginx-module does not provide any API for that. With a little bit of search closest thing I could find was https://github.com/Kong/lua-kong-nginx-module.

I think writing CRL certificate to disk just like TLS client certificate is fine given we do not have a good/easy way to use Lua for that.

if err != nil {
t.Fatalf("unexpected error creating CRL file: %v", err)
}
if sslCert.CRLFileName == "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we assert expected filename instead?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes we can. I was thinking about that, just didn't because of the previous test doing the same.

I'll correct this AND the other test.

@ElvinEfendi
Copy link
Member

Looks good to me, just one comment.

Signed-off-by: Ricardo Pchevuzinske Katz <[email protected]>

Add support to CRL

Signed-off-by: Ricardo Pchevuzinske Katz <[email protected]>
@rikatz
Copy link
Contributor Author

rikatz commented Sep 3, 2019

Looks good to me, just one comment.

Tks :)

I'm running some tests here on Kind just to check if it works fine. I've also changed the Tests to reflect also the filename.

@aledbf aledbf removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 3, 2019
@aledbf
Copy link
Member

aledbf commented Sep 3, 2019

/retest

1 similar comment
@aledbf
Copy link
Member

aledbf commented Sep 3, 2019

/retest

@aledbf
Copy link
Member

aledbf commented Sep 3, 2019

/approve

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 3, 2019
@rikatz
Copy link
Contributor Author

rikatz commented Sep 3, 2019

Tested here, it worked as expected.

@aledbf
Copy link
Member

aledbf commented Sep 3, 2019

Just in case, the e2e errors we see here are not related to the PR itself but to timeouts running the suite. I need to increase this value.

@rikatz
Copy link
Contributor Author

rikatz commented Sep 3, 2019

Just in case, the e2e errors we see here are not related to the PR itself but to timeouts running the suite. I need to increase this value.

Prow hates me all across the ORG anyway :P

@ElvinEfendi
Copy link
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 3, 2019
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aledbf, ElvinEfendi, rikatz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@aledbf
Copy link
Member

aledbf commented Sep 3, 2019

/retest

2 similar comments
@aledbf
Copy link
Member

aledbf commented Sep 3, 2019

/retest

@aledbf
Copy link
Member

aledbf commented Sep 3, 2019

/retest

@k8s-ci-robot
Copy link
Contributor

@rikatz: The following tests failed, say /retest to rerun them all:

Test name Commit Details Rerun command
pull-ingress-nginx-e2e-1-12 51a1e88 link /test pull-ingress-nginx-e2e-1-12
pull-ingress-nginx-e2e-1-13 51a1e88 link /test pull-ingress-nginx-e2e-1-13

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@aledbf aledbf merged commit 9c51676 into kubernetes:master Sep 3, 2019
@aledbf
Copy link
Member

aledbf commented Sep 3, 2019

@rikatz thanks!

@ntavares
Copy link

ntavares commented Jun 12, 2020

@ElvinEfendi @rikatz @aledbf Hi! In regards to @ElvinEfendi comment here:

In my comment above I'm suggesting to not try to avoid reloads when CRL change.

I think this was missed. Currently, the controller (0.32.0) is not reloading after CRL changes (secret updated).... shall I open a separate issue?

Edit: I missed that #4904 was there already.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add support for CRL when using TLS Auth
8 participants