Maistra: MAISTRA-2687

OSSM 2.1 Federation gateway does not send full cert chain when using external certificates


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Versions: maistra-2.1.1, maistra-2.1.0
    • Sprint: Sprint 10, Sprint 12, Sprint 13, Sprint 14

      OSSM 2.1 Federation support for different root certificates

      ===
      Updated Description for doc:

      The OSSM 2.1 Federation egress gateway only sends the client certificate.
      Because the federation ingress gateway only knows about the root certificate, it cannot verify the client certificate unless the CA certificate is also provided. The client egress gateway should send both the client certificate and the CA certificate.

      Workaround
      The user needs to provide both the root certificate and the CA certificate when creating the federation import ConfigMap.
      For example, with the template import/configmap.yaml:

      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: mesh1-ca-root-cert
        namespace: mesh2-system
      data:
        root-cert.pem: |-
          {{MESH1_CERT}}
      
      $ MESH1_CERT=$(cat cacerts/root-cert.pem cacerts/ca-cert.pem | sed ':a;N;$!ba;s/\n/\\\n    /g')
      $ sed "s:{{MESH1_CERT}}:$MESH1_CERT:g" import/configmap.yaml | oc apply -f -
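      The failure described above and both ways out of it, as an added example that is not part of this issue or of the Maistra project. The script builds a root CA, an intermediate CA and a workload leaf with openssl (the file names root-cert.pem and ca-cert.pem follow the Istio cacerts layout; the subjects, the SPIFFE SAN and the pki.cnf config it writes are constructed). It shows that a verifier holding only root-cert.pem rejects a leaf presented alone, that the same verifier accepts the leaf once the intermediate ca-cert.pem is presented with it (the behaviour the issue asks the egress gateway for), and that the workaround's bundle of root plus intermediate also verifies. It then renders the import/configmap.yaml template with the sed one-liner from the workaround so the result can be inspected; the sed syntax is GNU, as on the page.

```shell
#!/bin/sh
# Added example (not from the Jira issue or the Maistra project): a small
# three-tier PKI that reproduces the chain-verification failure the issue
# describes and the two ways to resolve it. Names and subjects are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained openssl config so the example does not depend on the system
# openssl.cnf. Section names (v3_root, v3_intermediate, v3_leaf) are ours.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_root
prompt             = no
[ dn ]
O  = example-mesh
CN = root-ca
[ v3_root ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints     = critical, CA:FALSE
keyUsage             = critical, digitalSignature, keyEncipherment
extendedKeyUsage     = clientAuth, serverAuth
subjectAltName       = URI:spiffe://mesh1.local/ns/mesh1-system/sa/mesh2-egress
EOF

make_pki() {
  # root (self-signed) -> intermediate (Istio's cacerts/ca-cert.pem) -> leaf
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config pki.cnf \
    -keyout root-key.pem -out root-cert.pem >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/O=example-mesh/CN=intermediate-ca" \
    -keyout ca-key.pem -out ca.csr >/dev/null 2>&1
  openssl x509 -req -days 30 -in ca.csr -CA root-cert.pem -CAkey root-key.pem \
    -CAcreateserial -extfile pki.cnf -extensions v3_intermediate \
    -out ca-cert.pem >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/O=example-mesh/CN=mesh2-egress" \
    -keyout leaf-key.pem -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -days 30 -in leaf.csr -CA ca-cert.pem -CAkey ca-key.pem \
    -CAcreateserial -extfile pki.cnf -extensions v3_leaf \
    -out leaf-cert.pem >/dev/null 2>&1
}

# The bug: the ingress side trusts only the root, the egress side presents only
# the leaf, so the chain cannot be completed ("unable to get local issuer").
verify_leaf_alone() {
  openssl verify -CAfile root-cert.pem leaf-cert.pem
}

# The requested fix: the presenter sends leaf + intermediate; the verifier still
# trusts only the root and builds the chain from the untrusted material.
verify_leaf_with_sent_chain() {
  openssl verify -CAfile root-cert.pem -untrusted ca-cert.pem leaf-cert.pem
}

# The workaround: the trust bundle itself carries root + intermediate, which is
# exactly what the ConfigMap rendered below ends up containing.
verify_leaf_with_bundle() {
  cat root-cert.pem ca-cert.pem > bundle.pem
  openssl verify -CAfile bundle.pem leaf-cert.pem
}

# Render the import ConfigMap the way the workaround does: newlines in the
# concatenated PEMs become "\<newline> + 4 spaces", so every continuation line
# lands at the indent the "|-" block scalar requires (GNU sed syntax).
render_configmap() {
  cat > configmap.yaml <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: mesh1-ca-root-cert
  namespace: mesh2-system
data:
  root-cert.pem: |-
    {{MESH1_CERT}}
EOF
  MESH1_CERT=$(cat root-cert.pem ca-cert.pem | sed ':a;N;$!ba;s/\n/\\\n    /g')
  sed "s:{{MESH1_CERT}}:$MESH1_CERT:g" configmap.yaml
}

# Number of PEM blocks that landed, correctly indented, inside the block scalar.
count_certs_in_configmap() {
  render_configmap | grep -c '^    -----BEGIN CERTIFICATE-----'
}

make_pki
echo "leaf alone, root-only trust store:"
verify_leaf_alone || echo "  -> rejected, as the issue describes"
echo "leaf + intermediate presented, root-only trust store:"
verify_leaf_with_sent_chain
echo "leaf alone, root+intermediate bundle (the workaround):"
verify_leaf_with_bundle
echo "certificates in the rendered ConfigMap: $(count_certs_in_configmap)"
```

      Pipe render_configmap into oc apply -f - to reproduce the workaround end to end. The first verify step is the one that fails in the field: Envoy on the ingress gateway behaves like the root-only trust store, and the 503 with connection_failure in the egress access log below is what that rejected TLS handshake looks like from the client side.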
      

      ===

      istiod error log

      error	federation	watch failed: status code is not OK: 503 (503 Service Unavailable)	component=federation-registry
      2021-09-24T20:52:26.905022Z	info	federation	starting watch	component=federation-registry
      

      mesh2-egress error log

      [2021-09-24T20:51:44.869Z] "GET /v1/watch HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure} - "-" 0 91 38 - "10.131.0.81" "Go-http-client/1.1" "ac136c09-4f30-9c82-adc4-430fdadb9b5d" "discovery.mesh1-system.svc.mesh2.local" "172.30.130.242:8188" outbound|8188|federation-discovery-mesh2-egress|discovery.mesh1-system.svc.mesh2.local - 10.128.2.66:8188 10.131.0.81:55540 - federation-discovery-mesh2-egress
      

      How to reproduce:
      1. Follow the federation example install.sh with the following modifications:
      https://github.com/maistra/maistra-test-tool/blob/federation/testdata/examples/x86/federation/install_diff_cert.sh

      a. Create a secret in mesh1-system

      log "Configure mesh1 smcp for using different root cert"
      oc1 create -n mesh1-system secret generic cacerts \
        --from-file=cacerts/ca-cert.pem \
        --from-file=cacerts/ca-key.pem \
        --from-file=cacerts/root-cert.pem \
        --from-file=cacerts/cert-chain.pem
      

      b. Apply an export SMCP YAML with the root cert spec (rootCADir)

      apiVersion: maistra.io/v2
      kind: ServiceMeshControlPlane
      metadata:
        name: fed-export
        namespace: mesh1-system
      spec:
        version: v2.1
        runtime:
          defaults:
            container:
              # for testing, to ensure we're always using the latest dev image
              imagePullPolicy: Always
        addons:
          grafana:
            enabled: true
          kiali:
            enabled: true
          prometheus:
            enabled: true
        tracing:
          type: Jaeger
          sampling: 10000
        proxy:
          accessLogging:
            file:
              name: /dev/stdout
        gateways:
          additionalEgress:
            # egress gateway definition for sending requests to mesh2
            mesh2-egress:
              enabled: true
              requestedNetworkView:
              # we want to view services on mesh2's network
              - network-mesh2
              routerMode: sni-dnat
              service:
                metadata:
                  labels:
                    # to prevent mesh2-egress's service from including default egress pods
                    federation.maistra.io/egress-for: mesh2
                ports:
                # required for sending service requests to mesh2
                - port: 15443
                  name: tls
                # required for sending discovery requests to mesh2
                - port: 8188
                  name: http-discovery
              runtime:
                deployment:
                  autoScaling:
                    enabled: false
                container:
                  # constrain resources for use in smaller environments
                  resources:
                    requests:
                      cpu: 10m
                      memory: 128Mi
                    limits: {}
          additionalIngress:
            # ingress gateway definition for handling requests from mesh2
            mesh2-ingress:
              enabled: true
              routerMode: sni-dnat
              service:
                type: LoadBalancer
                metadata:
                  labels:
                    # to prevent mesh2-ingress's service from including default ingress pods
                    federation.maistra.io/ingress-for: mesh2
                  annotations:
                    # use the network load balancer on AWS
                    service.beta.kubernetes.io/aws-load-balancer-type: nlb
                ports:
                # required for handling service requests from mesh2
                - port: 15443
                  name: tls
                # required for handling discovery requests from mesh2
                - port: 8188
                  name: https-discovery
              runtime:
                deployment:
                  autoScaling:
                    enabled: false
                container:
                  # constrain resources for use in smaller environments
                  resources:
                    requests:
                      cpu: 10m
                      memory: 128Mi
                    limits: {}
        security:
          trust:
            # unique trust domain for this mesh, mesh1
            domain: mesh1.local
          dataPlane:
            mtls: true
          certificateAuthority:
            type: Istiod
            istiod:
              type: PrivateKey
              privateKey:
                rootCADir: /etc/cacerts
      
      

      Assignee: Yuanlin Xu (yuaxu@redhat.com)
      Reporter: Yuanlin Xu (yuaxu@redhat.com)
      Votes: 0
      Watchers: 9