-
Notifications
You must be signed in to change notification settings - Fork 688
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bootstrap: support for Envoy xDS certificate rotation #2333
bootstrap: support for Envoy xDS certificate rotation #2333
Conversation
Sorry for failing test cases! I'm submitting this only to get comments and ask questions. This PR is related to creating Envoy bootstrap configuration according to this plan, based on the assumption I can get envoyproxy/envoy#10163 accepted. Now instead of creating single file
In this PR I re-purposed the first command line argument for the target directory. That is, instead of This change is backwards incompatible - bootstrap configuration generation will fail if user forgets to update the arguments of the Question: should we rather keep the old behavior by default and create another parameter for this? Any other comments are of course welcome! |
IIRC, the files are already passed in as flags. So could you just use the files specifies by the flags? |
I think I did not understand how to do that. Currently we only pass one path as a target where to write the configuration file, and named arguments to point out certificates and key. Now when using SDS, there will be three configuration files (see slide no 6 for illustration). These new config files contain SDS protobuf messages with JSON serialization. To provide paths for all three config files, maybe the command line could look something like: contour bootstrap \
/config/envoy.json \
/config/envoy-sds-auth-secret-tls-certicate.json \
/config/envoy-sds-auth-secret-validation-context.json \
--xds-address=contour \
--xds-port=8001 \
--envoy-cafile=/certs/ca.crt \
--envoy-cert-file=/certs/tls.crt \
--envoy-key-file=/certs/tls.key But here the position of unnamed arguments would become very critical and easy to mess up. Alternatively I could use the current arguments contour bootstrap \
/config/envoy.json \
--xds-address=contour \
--xds-port=8001 \
--envoy-cafile=/certs/ca.crt \
--envoy-cert-file=/certs/tls.crt \
--envoy-key-file=/certs/tls.key then get dirname of |
Of course, yet another viewpoint is that when NOT using TLS, the SDS configuration files would not need to be created at all. |
I'll play with this and review next week. I agree that we should add a flag to enable this new behaviour; not sure what that should be yet. |
Marking this PR stale since there has been no activity for 14 days. It will be closed if there is no activity for another 90 days. |
Ping @jpeach |
@tsaarni A couple of questions
|
Yes this change is needed: this is preparation for that Envoy PR. I have also some material linked in #2333 (comment) The need to split the files comes from moving from static files to SDS resources. And the motivation to move to SDS is that it has existing logic to hot-reload the certificates. The number of files come from the two config parameters that refer to the SDS resources ( Here is a snippet of static bootstrap that refers to two {
"transport_socket": {
"name": "envoy.transport_sockets.tls",
"typed_config": {
"@type": "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext",
"common_tls_context": {
"tls_certificate_sds_secret_configs": {
"sds_config": {
"path": "/path/to/envoy-sds-auth-secret-tls-certicate.json"
}
},
"validation_context_sds_secret_config": {
"sds_config": {
"path": "/path/to/envoy-sds-auth-secret-validation-context.json"
}
}
}
}
}
} and the referred files look like this: {
"resources": [
{
"@type": "type.googleapis.com/envoy.api.v2.auth.Secret",
"tls_certificate": {
"certificate_chain": {
"filename": "/path/to/envoy.pem"
},
"private_key": {
"filename": "/path/to/envoy-key.pem"
}
}
}
]
} {
"resources": [
{
"@type": "type.googleapis.com/envoy.api.v2.auth.Secret",
"validation_context": {
"trusted_ca": {
"filename": "/path/to/internal-root-ca.pem"
}
}
}
]
} Maybe it could be possible to have just one file for SDS The above was of course all existing logic within Envoy's protobuf based configuration and SDS code. What the Envoy PR changes is that Envoy will make an inotify subscription to
According to my (very limited) understanding, Envoy's runtime configuration with It is not 100% clear to me what is the scope of virtual file system based config. In the documentation there is example of setting |
Support for certificate rotation is now scheduled for Envoy 1.14.0
|
@tsaarni Sorry it took so long for me to get back to you. I think that the flag we need to add is This faked-up diff shows more about what I'm getting at here.
|
@stevesloka @youngnick PTAL at the |
bd7f38f
to
c2abce8
Compare
I updated the PR according to |
Why do we need different files? Why inject? I'm not following the need for this. If the secret is rotated, we just need to know it happened and reload right? I don't like the idea of users being able to inject their own arbitrary Envoy configuration into Contour. |
@stevesloka I have added feature to Envoy that can be used to get Envoy to automatically reload its xDS gRPC certificates. Taking that feature into use requires changes to Envoy bootstrap configuration, therefore this PR is required in Contour. I have documented the new Envoy feature here https://www.envoyproxy.io/docs/envoy/v1.14.1/configuration/security/secret#example-three-certificate-rotation-for-xds-grpc-connection I have also depicted the solution from Contour's perspective in this slideset on page 6. |
Sure bootstrap can change, but why does it need to be injected by users? In my head, we would just change the init command to generate a different bootstrap config. |
This PR only changes the command to generate different bootstrap config - user has no way to inject custom configuration. I believe @jpeach just proposed a directory layout for the new bootstrap config that could potentially also facilitate user specified customization at some later point, which is not part of this PR in any way. He was responding to my question in this comment #2333 (comment) edit: corrected typo |
Envoy watches secrets to reload them only if SDS is being used. But the only way to use SDS is to break out the secrets resources in this context is to separate files on disk.
Yep, pretty much.
That's not being proposed. What I'm proposing is a general approach that can facilitate secrets reloading, rather than a special case that only addresses secrets. |
Over at the community meeting today I promised to add documentation links that explain why two new files are needed. We use CommonTlsContext message to configure certificates and keys. Currently tls_certificates and validation_context attributes are used there. These are of type DataSource, which can hold either inline PEM buffer or filenames that point to PEM files. The problem is that there is no hot-reload support when certificates and keys are configured in this way. When investigating this, it was pointed out to me that we could use SDS path based resources instead. The benefit here is that SDS logic in Envoy already knows how to hot-reload certificates and keys into active SSL context without disconnecting. Envoy also knew how to load SDS resources from a file instead of loading them from xDS server. All I needed to add was a trigger to activate this behavior when the certificate and key files changed on disk. The complexity comes from the fact, that when using SDS resources on local path, we need to refer not only to the certificate and key files, but also to two new files: the JSON representation of the SDS resources / protobuf messages. See #2333 (comment). So the proposed change is: The bootstrap will now contain CommonTlsContext message with tls_certificate_sds_secret_configs and validation_context_sds_secret_config attributes. These refer to type SdsSecretConfig which uses ConfigSource message type (instead of DataSource as previously). Note that there is no "inline" alternative in the ConfigSource message, so we cannot inline the SDS resources - we need to write two new files. There is no way for user to inject anything additional: the main bootstrap file explicitly refers to these two new files. Furthermore it refers to the files in context of tls_certificate_sds_secret_configs and validation_context_sds_secret_config attributes, which can only refer to SDS resources like shown in #2333 (comment). Envoy would reject the configuration if user would try to replace the content of these files with some other protobuf message types. |
I see now, thanks for clarifying with the docs @tsaarni! The param makes sense to point to a path on the file system. I wonder if we need the parameter at all to define where the certs will live. Seems like we can default to our own, and folks could map them in as they see fit from the secret reference. If we need to keep the param, we should call it something that makes it specific to SDS and secrets, to me, the name |
How could the default configuration directory layout look? Currently the to-be-generated bootstrap file is given as parameter now As discussed above, I think one aspect in whatever approach we take is backwards compatibility: users might upgrade Contour without studying all the detailed changes in example deployment manifest. If semantics of command line parameters change we might cause problems to users.
Specifically related to certificates: the possibility to customize the certificate/key paths is important when integrating with different software that issues the certificates. For example, there Secrets created by |
The reason I suggested a generic name for this was that I was concerned that we might start using the external files for more resource kinds over time. The idea behind |
Okay, sorry to have not checked in here for a while. I think the two important things to keep in mind here are:
I agree that keeping this with a more generic name is probably better, as it allows us to use this option for other things if we need to. I don't think that we need to be concerned about people using this to pass arbitrary Envoy config, as Envoy is configured by the bootstrap. If people want to write their own bootstrap config, that's fine, and has always been intended as an extension point. If they want seamless certificate rotation, they'll need to do this as well though. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks like it is heading in the right direction. I had some suggestions about how to structure the bootstrap changes to make them more testable.
We will need to add some documentation about the new flags (this can be in a separate issue).
We will also need to update the default deployment (this can be in a separate issue).
c2abce8
to
aa65f21
Compare
Codecov Report
@@ Coverage Diff @@
## master #2333 +/- ##
==========================================
+ Coverage 76.57% 76.85% +0.28%
==========================================
Files 68 68
Lines 5515 5612 +97
==========================================
+ Hits 4223 4313 +90
- Misses 1194 1203 +9
+ Partials 98 96 -2
|
aa65f21
to
10b8606
Compare
Added new flag --resources-dir to bootstrap command for supporting path-based SDS resources to define xDS certificate and key. When using the flag, following changes take place: - Bootstrap file will contain references to SDS resource files instead of direct cert/key paths. - SDS resource file is written into resources dir for xDS client cert and key - SDS resource file is written into resources dir for xDS trusted CA cert With this change there is no need to restart Envoy anymore when certificates are rotated. Envoy will monitor and automatically reload the certificate and key files without causing an interruption to traffic. Any recent version of Envoy supports the above configuration, but Envoy 1.14.1 or later is required for automatic certificate reload. Signed-off-by: Tero Saarni <[email protected]>
10b8606
to
a70cdc3
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks @tsaarni
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, nice work @tsaarni
bootstrap: support for Envoy xDS certificate rotation
Added new flag --resources-dir to bootstrap command for supporting path-based
SDS resources to define xDS certificate and key. When using the flag,
following changes take place:
With this change there is no need to restart Envoy anymore when certificates
are rotated. Envoy will monitor and automatically reload the certificate and
key files without causing an interruption to traffic.
Any recent version of Envoy supports the above configuration, but Envoy 1.14.1
or later is required for automatic certificate reload.
Signed-off-by: Tero Saarni [email protected]