Initial support for CRL in Ingress Controller #3164
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-ci-robot
added
size/L
rikatz
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
@aledbf @ElvinEfendi I'm not pretty aware how Dynamic Certs works internally, so I've made this PR and tested with it disabled. We can deal with Dynamic Cert in this PR, or make another PR (as this got merged) just for the Dynamic Cert scenario. Thanks! |
aledbf
added
the
do-not-merge/hold
|
@rikatz apologies for the delay.
Please do that in this PR. I want to switch to dynamic ssl certificates as default. |
|
any idea when this will get released? |
| 4. If you want to use a Certificate Revocation List, the secret must be created containing both ca.crt and ca.crl as the following: | ||
|
|
||
| `kubectl create secret generic auth-tls-chain --from-file=ca.crt --namespace=default` |
There was a problem hiding this comment.
You could maybe also add the CRL file in that command:
-kubectl create secret generic auth-tls-chain --from-file=ca.crt --namespace=default
+kubectl create secret generic auth-tls-chain --from-file=ca.crt --from-file=ca.crl --namespace=default
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
bad bot, keeping this alive |
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
@rikatz any chance you can finish this PR? |
|
Hi there! Sorry for being away so much time.
Yes, I can take a look again into it. The problem is that I don’t know Lua
and how evolve this.
I’m OOO this week, but will try to figure out what changed since I’ve first
started this PR and try to improve this.
Anyway, if is there someone willing to help, please raise your hand and
I’ll be more than happy to at least explain how I see this feature :)
Em seg, 2 de set de 2019 às 21:41, Manuel Alejandro de Brito Fontes <
[email protected]> escreveu:
… @rikatz <https://github.com/rikatz> any chance you can finish this PR?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#3164?email_source=notifications&email_token=ABWZQBPB5I2Y54P7ZTUQURTQHWQB3A5CNFSM4FYEZYC2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5WWS7Y#issuecomment-527264127>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABWZQBLH3QGBPEGQNUST5YTQHWQB3ANCNFSM4FYEZYCQ>
.
|
|
@aledbf I've started to look again into ingress code. Just to see if I'm the right direction, I'm changing the certificates.lua code to contain the following into call: I'll also create this If this is the path, I can also take a look into the CA authentication later :) |
No. We don't write certificates to the disk anymore. We have to tables now https://github.com/kubernetes/ingress-nginx/blob/master/rootfs/etc/nginx/lua/configuration.lua#L38 This approach removes duplication of secrets and also the use of storage of files. |
|
Hey @rikatz, thanks for resuming work on this. IMHO we don't need any Lua change for this feature. The way I see it is this feature is an extension of TLS client authentication. We currently extra TLS client certificate from the secret and store it on disk. And then configure respective Nginx directives. When the content of the certificate change, we reload Nginx. I think we should just do the same thing for CRL file: introduce a new field as you were planning to, extract it from the secret, and write to disk. Then finally configure |
Right :) I've just stopped 'cause at that time NGINX Ingress was moving to dynamic certs, and didn't know how to deal with that. If you and @aledbf are OK with that, I can resume the work with CRL and CA being written on disk (as it is today) and can think later how to move that to Lua :) I think the bigger problem we try to solve here is to not reload the nginx configuration when we've some change into CA or CRL, so if Lua is able to everytime re-read the CRL file without reloading NGINX I think this is solved, BUT will probably have some impact into the I/O of the server. WDYT? |
|
So better late than never, I've refactored the whole PR. I'll make some further tests, if someone is also willing to test it and provide feedback, please reach me up here or into slack :) |
|
/assign @aledbf |
|
/ok-to-test |
k8s-ci-robot
added
the
ok-to-test
In my comment above I'm suggesting to not try to avoid reloads when CRL change. This is similar to TLS client certificate, where we do not avoid reload either. We have dynamic reload only for TLS certificates for handshaking. Avoiding reloads for TLS client certificate and CRL certificate requires us to dynamically handle TLS client verification using Lua too, we currently do not do it and to my knowledge lua-nginx-module does not provide any API for that. With a little bit of search closest thing I could find was https://github.com/Kong/lua-kong-nginx-module. I think writing CRL certificate to disk just like TLS client certificate is fine given we do not have a good/easy way to use Lua for that. |
internal/net/ssl/ssl_test.go
Outdated
| if err != nil { | ||
| t.Fatalf("unexpected error creating CRL file: %v", err) | ||
| } | ||
| if sslCert.CRLFileName == "" { |
There was a problem hiding this comment.
Can we assert expected filename instead?
There was a problem hiding this comment.
Yes we can. I was thinking about that, just didn't because of the previous test doing the same.
I'll correct this AND the other test.
|
Looks good to me, just one comment. |
Signed-off-by: Ricardo Pchevuzinske Katz <[email protected]> Add support to CRL Signed-off-by: Ricardo Pchevuzinske Katz <[email protected]>
Tks :) I'm running some tests here on Kind just to check if it works fine. I've also changed the Tests to reflect also the filename. |
aledbf
removed
the
do-not-merge/hold
|
/retest |
1 similar comment
|
/retest |
|
/approve |
k8s-ci-robot
added
the
approved
|
Tested here, it worked as expected. |
|
Just in case, the e2e errors we see here are not related to the PR itself but to timeouts running the suite. I need to increase this value. |
Prow hates me all across the ORG anyway :P |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aledbf, ElvinEfendi, rikatz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
2 similar comments
|
/retest |
|
/retest |
|
@rikatz: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@rikatz thanks! |
|
@ElvinEfendi @rikatz @aledbf Hi! In regards to @ElvinEfendi comment here:
I think this was missed. Currently, the controller (0.32.0) is not reloading after CRL changes (secret updated).... shall I open a separate issue? Edit: I missed that #4904 was there already. |
What this PR does / why we need it: This PR adds support for CRL into Ingress Controller
Which issue this PR fixes : fixes #1514
Special notes for your reviewer: This is a WIP. Tests still need to be improved. Also this PR doesn't support dynamic ssl configuration (yet), needs @ElvinEfendi review ;) I couldn't make further e2e tests yet