diff --git a/rfcs/0012-mtls.md b/rfcs/0012-mtls.md new file mode 100644 index 0000000..63dce5f --- /dev/null +++ b/rfcs/0012-mtls.md @@ -0,0 +1,106 @@ +# RFC Template + +- Feature Name: `mtls` +- Start Date: 2024-11-27 +- RFC PR: [Kuadrant/architecture#110](https://github.com/Kuadrant/architecture/pull/110) +- Issue tracking: [Kuadrant/kuadrant-operator#1049](https://github.com/Kuadrant/kuadrant-operator/issues/1049) + +# Summary +[summary]: #summary + +MTLS support for communication between the Wasm plugin in the gateway pod, and Authorino & Limitador. + +# Motivation +[motivation]: #motivation + +For security reasons so that all traffic is encrypted, and certificates validated. +This aligns with a 'zero trust' architecture. + +# Guide-level explanation +[guide-level-explanation]: #guide-level-explanation + +Update the Kuadrant CR to have a new configuration option `mtls` for users to configure if mtls should be enabled for either authorino or limitador. +The reason for having separate flags for either component is to allow flexibility where the resource overhead of tls may be considered too high when enabled for a specific component e.g. for checking limits on each request in limitador. +The new config in the Kuadrant CR would look like this: + +```yaml +apiVersion: Kuadrant.io/v1alpha1 +kind: kuadrant +spec: + mtls: + authorino: true + limitador: true +``` + +When enabled for a specific component, the following changes are performed by the kuadrant-operator and/or component operators. This may require trickling down configuration to other operator resources, like the Authorino or Limitador resources: + +## Enabling the Istio sidecar proxy in that component + +This can be done by adding the `sidecar.istio.io/inject=true` label to the component deployment template. +The pod spec is updated dynamically by Istio to inject the `istio-proxy` sidecar into the pod. + +## Enabling mtls in the Wasm plugin when communicating with that component + +The corresponding EnvoyFilter for the component requires the following `transport_socket` configuration to be added: + +```yaml + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_certificate_sds_secret_configs: + - name: default + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - envoy_grpc: + cluster_name: sds-grpc + validation_context_sds_secret_config: + name: ROOTCA + sds_config: + api_config_source: + api_type: GRPC + grpc_services: + - envoy_grpc: + cluster_name: sds-grpc +``` + +This configuration tells the gateway pod (envoy proxy) to use tls and validate certificates when talking with the upstream service (e.g. limitador or authorino). It also configures the location to get certificate information from i.e. the sds service/cluster in Istio. + +## Configuring the Istio PeerAuthentication resource to use STRICT mtls mode + +The appropriate operator should create a [PeerAuthentication](https://istio.io/latest/docs/reference/config/security/peer_authentication/) resource for either component to enable STRICT mtls mode. +The resource can specify a pod label match so that it only takes effect for the authorino or limitador pod. +For example: + +```yaml +apiVersion: security.istio.io/v1 +kind: PeerAuthentication +metadata: + name: limitador-mtls + namespace: kuadrant-system +spec: + selector: + matchLabels: + app: limitador + mtls: + mode: STRICT +``` + +# Drawbacks +[drawbacks]: #drawbacks + +Additional paths through the operator that result in a different configuration set of components to support. + +# Rationale and alternatives +[rationale-and-alternatives]: #rationale-and-alternatives + +- Manual configuraton is an option (investigated in https://github.com/Kuadrant/kuadrant-operator/issues/1049 and documented in https://github.com/Kuadrant/kuadrant-operator/pull/1054) + +# Unresolved questions +[unresolved-questions]: #unresolved-questions + +- What components will create and manage the resources and configuration detailed above? +- What configuration options makes sense to bubble up via the Limitador and Authorino components, if any?