
Fix ingress backend broken SAN (#4914)
Fix ingress backend SANs, which were getting the trust domain appended to the provided SAN.
This adds an e2e test to catch that going forward.
This also switches the internal builders to use the principal (trust domain appended) vs the identity (no trust domain)
steeling authored Jul 19, 2022
1 parent 9e9f712 commit 15e46da
Showing 20 changed files with 275 additions and 179 deletions.
6 changes: 6 additions & 0 deletions pkg/catalog/catalog.go
Expand Up @@ -25,6 +25,7 @@ func NewMeshCatalog(kubeController k8s.Controller, meshSpec smi.MeshSpec, certMa
meshSpec: meshSpec,
policyController: policyController,
configurator: cfg,
certManager: certManager,

kubeController: kubeController,
}
Expand All @@ -42,3 +43,8 @@ func NewMeshCatalog(kubeController k8s.Controller, meshSpec smi.MeshSpec, certMa
func (mc *MeshCatalog) GetKubeController() k8s.Controller {
return mc.kubeController
}

// GetTrustDomain returns the currently configured trust domain, ie: cluster.local
func (mc *MeshCatalog) GetTrustDomain() string {
return mc.certManager.GetTrustDomain()
}
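Review bot: GetTrustDomain at the end of the second hunk calls mc.certManager.GetTrustDomain() with no nil guard, and MeshCatalog is also constructed by struct literal elsewhere (the test in this commit does so), so a caller that omits certManager gets a nil-dereference panic when the first inbound policy is built rather than an error at construction time. Because the returned value is folded into every AllowedPrincipals entry, this accessor is now on the authorization path; a short contract note would help the next maintainer, e.g. `// GetTrustDomain returns the currently configured trust domain, e.g. cluster.local. It requires certManager to be set; the result qualifies every principal used for inbound authorization.` The first hunk only adds the certManager assignment in NewMeshCatalog, whose body continues outside the hunk.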
14 changes: 7 additions & 7 deletions pkg/catalog/inbound_traffic_policies.go
Expand Up @@ -131,8 +131,8 @@ func (mc *MeshCatalog) getInboundTrafficPoliciesForUpstream(upstreamSvc service.
// Only a single rule for permissive mode.
inboundPolicyForUpstreamSvc.Rules = []*trafficpolicy.Rule{
{
Route: *trafficpolicy.NewRouteWeightedCluster(trafficpolicy.WildCardRouteMatch, []service.WeightedCluster{localCluster}, upstreamTrafficSetting),
AllowedServiceIdentities: mapset.NewSetWith(identity.WildcardServiceIdentity),
Route: *trafficpolicy.NewRouteWeightedCluster(trafficpolicy.WildCardRouteMatch, []service.WeightedCluster{localCluster}, upstreamTrafficSetting),
AllowedPrincipals: mapset.NewSetWith(identity.WildcardPrincipal),
},
}
} else {
Expand Down Expand Up @@ -178,17 +178,17 @@ func (mc *MeshCatalog) getRoutingRulesFromTrafficTarget(trafficTarget access.Tra
}

// Compute the allowed downstream service identities for the given TrafficTarget object
allowedDownstreamIdentities := mapset.NewSet()
trustDomain := mc.GetTrustDomain()
allowedDownstreamPrincipals := mapset.NewSet()
for _, source := range trafficTarget.Spec.Sources {
sourceSvcIdentity := trafficTargetIdentityToSvcAccount(source).ToServiceIdentity()
allowedDownstreamIdentities.Add(sourceSvcIdentity)
allowedDownstreamPrincipals.Add(trafficTargetIdentityToSvcAccount(source).AsPrincipal(trustDomain))
}

var routingRules []*trafficpolicy.Rule
for _, httpRouteMatch := range httpRouteMatches {
rule := &trafficpolicy.Rule{
Route: *trafficpolicy.NewRouteWeightedCluster(httpRouteMatch, []service.WeightedCluster{routingCluster}, upstreamTrafficSetting),
AllowedServiceIdentities: allowedDownstreamIdentities,
Route: *trafficpolicy.NewRouteWeightedCluster(httpRouteMatch, []service.WeightedCluster{routingCluster}, upstreamTrafficSetting),
AllowedPrincipals: allowedDownstreamPrincipals,
}
routingRules = append(routingRules, rule)
}
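Review bot: The comment above the loop in the second hunk still says `// Compute the allowed downstream service identities for the given TrafficTarget object` while the code beneath it now collects principals, i.e. the service identity qualified with the trust domain; change it to `// Compute the allowed downstream principals (service identity + trust domain) for the given TrafficTarget object`. The same allowedDownstreamPrincipals set is attached to every rule produced by the loop below, so the rules share one mutable set; that predates this change but deserves a one-line comment now that the set's contents drive authorization. If mc.GetTrustDomain() can ever return an empty string (nothing in the hunk validates it), AsPrincipal would presumably yield a malformed principal that matches no peer, which would be safer to reject explicitly than to emit silently. getRoutingRulesFromTrafficTarget starts before this hunk and continues after it.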
88 changes: 45 additions & 43 deletions pkg/catalog/inbound_traffic_policies_test.go
Expand Up @@ -4,6 +4,7 @@ import (
"fmt"
"reflect"
"testing"
"time"

mapset "github.com/deckarep/golang-set"
"github.com/golang/mock/gomock"
Expand All @@ -15,6 +16,7 @@ import (
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"

policyv1alpha1 "github.com/openservicemesh/osm/pkg/apis/policy/v1alpha1"
tresorFake "github.com/openservicemesh/osm/pkg/certificate/providers/tresor/fake"

"github.com/openservicemesh/osm/pkg/configurator"
"github.com/openservicemesh/osm/pkg/endpoint"
Expand Down Expand Up @@ -168,10 +170,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -207,10 +209,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -473,10 +475,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
{
Route: trafficpolicy.RouteWeightedClusters{
Expand All @@ -493,10 +495,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -532,10 +534,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
{
Route: trafficpolicy.RouteWeightedClusters{
Expand All @@ -552,10 +554,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -721,10 +723,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -758,10 +760,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -797,10 +799,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -914,7 +916,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
},
},
},
Expand All @@ -941,7 +943,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
},
},
},
Expand Down Expand Up @@ -970,7 +972,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
},
},
},
Expand Down Expand Up @@ -1116,10 +1118,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
AllowedPrincipals: mapset.NewSet("sa2.ns2.cluster.local"),
},
},
},
Expand Down Expand Up @@ -1287,15 +1286,15 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(
AllowedPrincipals: mapset.NewSet(
identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity(),
}.AsPrincipal("cluster.local"),
identity.K8sServiceAccount{
Name: "sa3",
Namespace: "ns3",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -1331,15 +1330,15 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(
AllowedPrincipals: mapset.NewSet(
identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity(),
}.AsPrincipal("cluster.local"),
identity.K8sServiceAccount{
Name: "sa3",
Namespace: "ns3",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -1503,10 +1502,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -1542,10 +1541,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -1653,7 +1652,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
},
},
},
Expand All @@ -1680,7 +1679,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
Weight: 100,
}),
},
AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
},
},
},
Expand Down Expand Up @@ -1825,10 +1824,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
}),
RateLimit: perRouteRateLimitConfig,
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -1866,10 +1865,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
}),
RateLimit: perRouteRateLimitConfig,
},
AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
Name: "sa2",
Namespace: "ns2",
}.ToServiceIdentity()),
}.AsPrincipal("cluster.local")),
},
},
},
Expand Down Expand Up @@ -1953,7 +1952,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
}),
RateLimit: perRouteRateLimitConfig,
},
AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
},
},
},
Expand Down Expand Up @@ -1984,7 +1983,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
}),
RateLimit: perRouteRateLimitConfig,
},
AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
},
},
},
Expand Down Expand Up @@ -2014,6 +2013,8 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
mockCtrl := gomock.NewController(t)
defer mockCtrl.Finish()

fakeCertManager := tresorFake.NewFake(nil, 1*time.Hour)

mockKubeController := k8s.NewMockController(mockCtrl)
mockPolicyController := policy.NewMockController(mockCtrl)
mockEndpointProvider := endpoint.NewMockProvider(mockCtrl)
Expand All @@ -2025,6 +2026,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
policyController: mockPolicyController,
endpointsProviders: []endpoint.Provider{mockEndpointProvider},
serviceProviders: []service.Provider{mockServiceProvider},
certManager: fakeCertManager,
configurator: mockCfg,
meshSpec: mockMeshSpec,
}
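Review bot: The expectation in the @@ -1116 hunk is a bare string literal, `AllowedPrincipals: mapset.NewSet("sa2.ns2.cluster.local"),`, while every other case in this file builds the value through `identity.K8sServiceAccount{...}.AsPrincipal("cluster.local")`; if AsPrincipal returns a named type rather than a plain string, a reflect-based set comparison would treat the two differently, and either way the literal bypasses the helper whose output the rest of the cases pin. Prefer `AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{Name: "sa2", Namespace: "ns2"}.AsPrincipal("cluster.local")),` for consistency. The repeated "cluster.local" literal is also an unstated assumption about the default trust domain of `tresorFake.NewFake(nil, 1*time.Hour)` added in the @@ -2014 hunk; deriving it once from `fakeCertManager.GetTrustDomain()` or a shared constant would keep the expectations from silently diverging from the fake. TestGetInboundMeshTrafficPolicy extends beyond every hunk shown here.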