Uploaded image for project: 'Maistra'
  1. Maistra
  2. MAISTRA-2687

OSSM 2.1 Federation gateway does not send full cert chain when using external certificates

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Done
    • maistra-2.1.0
    • maistra-2.1.1
    • None
    • None

    Description

      OSSM 2.1 Federation support different root certificates

      ===
      Updated Description for doc:

      OSSM 2.1 Federation egress gateway only sends the client certificate.
      Because the federation ingress gateway only knows about the root certificate, it can not verify the client certificate without adding the ca certificate. The client egress gateway should send both the client certificate and ca certificate.

      Workaround
      User need to provide both of the root certificate and ca certificates when setting federation import ConfigMap.
      For example,
      import/configmap.yaml

      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: mesh1-ca-root-cert
        namespace: mesh2-system
      data:
        root-cert.pem: |-
          {{MESH1_CERT}}
      
      $ MESH1_CERT=$(cat cacerts/root-cert.pem cacerts/ca-cert.pem | sed ':a;N;$!ba;s/\n/\\\n    /g')
      $ sed "s:{{MESH1_CERT}}:$MESH1_CERT:g" import/configmap.yaml | oc apply -f -
      

      ===

      istiod error log

      error	federation	watch failed: status code is not OK: 503 (503 Service Unavailable)	component=federation-registry
      2021-09-24T20:52:26.905022Z	info	federation	starting watch	component=federation-registry
      

      mesh2-egress error log

      [2021-09-24T20:51:44.869Z] "GET /v1/watch HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure} - "-" 0 91 38 - "10.131.0.81" "Go-http-client/1.1" "ac136c09-4f30-9c82-adc4-430fdadb9b5d" "discovery.mesh1-system.svc.mesh2.local" "172.30.130.242:8188" outbound|8188|federation-discovery-mesh2-egress|discovery.mesh1-system.svc.mesh2.local - 10.128.2.66:8188 10.131.0.81:55540 - federation-discovery-mesh2-egress
      

      How to reproduce :
      1. follow the federation example install.sh with the following modification
      https://github.com/maistra/maistra-test-tool/blob/federation/testdata/examples/x86/federation/install_diff_cert.sh

      a. create a secret in mesh1-system

      log "Configure mesh1 smcp for using different root cert"
      oc1 create -n mesh1-system secret generic cacerts \
        --from-file=cacerts/ca-cert.pem \
        --from-file=cacerts/ca-key.pem \
        --from-file=cacerts/root-cert.pem \
        --from-file=cacerts/cert-chain.pem
      

      b. Apply an export smcp yaml with the root cert spec

      apiVersion: maistra.io/v2
      kind: ServiceMeshControlPlane
      metadata:
        name: fed-export
        namespace: mesh1-system
      spec:
        version: v2.1
        runtime:
          defaults:
            container:
              # for testing, to ensure we're always using the latest dev image
              imagePullPolicy: Always
        addons:
          grafana:
            enabled: true
          kiali:
            enabled: true
          prometheus:
            enabled: true
        tracing:
          type: Jaeger
          sampling: 10000
        proxy:
          accessLogging:
            file:
              name: /dev/stdout
        gateways:
          additionalEgress:
            # egress gateway definition for sending requests from mesh2
            mesh2-egress:
              enabled: true
              requestedNetworkView:
              # we want to view services on mesh2's network
              - network-mesh2
              routerMode: sni-dnat
              service:
                metadata:
                  labels:
                    # to prevent mesh2-egress's service from including default egress pods
                    federation.maistra.io/egress-for: mesh2
                ports:
                # required for sending service requests to mesh2
                - port: 15443
                  name: tls
                # required for sending discovery requests to mesh2
                - port: 8188
                  name: http-discovery
              runtime:
                deployment:
                  autoScaling:
                    enabled: false
                container:
                  # constrain resources for use in smaller environments
                  resources:
                    requests:
                      cpu: 10m
                      memory: 128Mi
                    limits: {}
          additionalIngress:
            # ingress gateway definition for handing requests from mesh2
            mesh2-ingress:
              enabled: true
              routerMode: sni-dnat
              service:
                type: LoadBalancer
                metadata:
                  labels:
                    # to prevent mesh2-ingress's service from including default ingress pods
                    federation.maistra.io/ingress-for: mesh2
                  annotations:
                    # use the network load balancer on AWS
                    service.beta.kubernetes.io/aws-load-balancer-type: nlb
                ports:
                # required for handling service requests from mesh2
                - port: 15443
                  name: tls
                # required for handing discovery requests from mesh2
                - port: 8188
                  name: https-discovery
              runtime:
                deployment:
                  autoScaling:
                    enabled: false
                container:
                  # constrain resources for use in smaller environments
                  resources:
                    requests:
                      cpu: 10m
                      memory: 128Mi
                    limits: {}
        security:
          trust:
            # unique trust domain for this mesh, mesh1
            domain: mesh1.local
          dataPlane:
            mtls: true
          certificateAuthority:
            type: Istiod
            istiod:
              type: PrivateKey
              privateKey:
                rootCADir: /etc/cacerts
      
      

      Attachments

        Issue Links

          Activity

            People

              yuaxu@redhat.com Yuanlin Xu
              yuaxu@redhat.com Yuanlin Xu
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: