adding mtls config #1170
adding mtls config #1170
Conversation
| func MergeMapStringString(modified *bool, existing *map[string]string, desired map[string]string) { | ||
| if *existing == nil { | ||
| *existing = map[string]string{} | ||
| } | ||
|
|
||
| // for each desired key value set, e.g. labels | ||
| // check if it's present in existing. if not add it to existing. | ||
| // e.g. preserving existing labels while adding those that are in the desired set. | ||
| for desiredKey, desiredValue := range desired { | ||
| if existingValue, exists := (*existing)[desiredKey]; !exists || existingValue != desiredValue { | ||
| (*existing)[desiredKey] = desiredValue | ||
| *modified = true | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Could we use labels.Set.Merge from the apimachinery to do this over defining our own.
There was a problem hiding this comment.
it's not a map merge operation. It's doing what the comments say.
controllers/mtls_reconciler.go
Outdated
| err = r.ReconcileResource(eventCtx, &v12.Deployment{}, deployment, reconcilers.DeploymentMutator(deploymentMutators...)) | ||
| } | ||
|
|
||
| valueMap := map[string]interface{}{ |
There was a problem hiding this comment.
Everything here being a map[sting]interface seems like a code smell.
There was a problem hiding this comment.
I believe this is the standard way that EnvoyFilter Config Object Patches arehandle. You can see an exmaple of this here https://github.com/Kuadrant/kuadrant-controller/blob/22535aa8e4f142bf07a69dc6391c84a59b232255/pkg/istio/envoy_filters.go#L14-L47
laurafitzgerald
force-pushed
the
mtls
branch
from
7b55e2a to
83a6d54
Compare
|
|
||
| func IsLimitadorOperatorInstalled(restMapper meta.RESTMapper, logger logr.Logger) (bool, error) { | ||
| if ok, err := utils.IsCRDInstalled(restMapper, kuadrantv1beta1.LimitadorGroupKind.Group, kuadrantv1beta1.LimitadorGroupKind.Kind, limitadorv1alpha1.GroupVersion.Version); !ok || err != nil { | ||
| logger.V(1).Error(err, "Limitador Operator CRD was not installed", "group", kuadrantv1beta1.AuthorinoGroupKind.Group, "kind", kuadrantv1beta1.AuthorinoGroupKind.Kind, "version", authorinooperatorv1beta1.GroupVersion.Version) |
There was a problem hiding this comment.
Might want to fix the references to the authorino types here.
| type MTLS struct { | ||
| Enable bool `json:"enable,omitempty"` | ||
| } | ||
|
|
There was a problem hiding this comment.
At some point can you add a comment to what the mtls struct is for. The comment gets added to the CRD definition as a description. You will also need to run make manifest , bundle and helm at some point.
laurafitzgerald
force-pushed
the
mtls
branch
3 times, most recently
from
da6de62 to
e64e213
Compare
Signed-off-by: Laura Fitzgerald <[email protected]>
Signed-off-by: Laura Fitzgerald <[email protected]>
…ation Signed-off-by: Laura Fitzgerald <[email protected]>
…ts to limitador and authorino crs Signed-off-by: Laura Fitzgerald <[email protected]>
…e other cleanup and it's runnable now Signed-off-by: Laura Fitzgerald <[email protected]>
Signed-off-by: Laura Fitzgerald <[email protected]>
Signed-off-by: Laura Fitzgerald <[email protected]>
Signed-off-by: Laura Fitzgerald <[email protected]>
Signed-off-by: Laura Fitzgerald <[email protected]>
| if kObj == nil && kObj.Spec.MTLS == nil && (!kObj.Spec.MTLS.Enable || anyAttachedAuthorRateLimitPolicy == false) { | ||
| defer logger.V(1).Info("mtls not enabled or applicable", "status", "completed") | ||
| peerAuthentications := lo.FilterMap(topology.Objects().Items(), func(item machinery.Object, _ int) (machinery.Object, bool) { | ||
| if peerAuthentication, ok := item.(*PeerAuthentication); ok { |
There was a problem hiding this comment.
This isn't working yet. It's not picking up the exising PeerAuthentications.
There was a problem hiding this comment.
Very good progress.
Few questions:
- If the gateway provider is not Istio and a user enables mtls, should we report in kuadrant status?
- When a user deletes a gateway, the peerAuthentications objects gets deleted? (not very important now and can be tackled in follow up PR's)
| To: DeploymentGroupKind, | ||
| Func: func(child machinery.Object) []machinery.Object { | ||
| return lo.Filter(authorinos, func(k machinery.Object, _ int) bool { | ||
| return k.GetNamespace() == child.GetNamespace() && child.GetName() == "authorino" |
There was a problem hiding this comment.
I am not very familiar with these linking functions. I still need to educate myself.
Question: child's type is Authorino, isn't it? Then, isn't this linking function linking all deployments in Authorino namespace to Authorino? even those that are not authorino deployment, like limitador deployment?
| @@ -3,4 +3,6 @@ apiVersion: kuadrant.io/v1beta1 | |||
| kind: Kuadrant | |||
| metadata: | |||
| name: kuadrant-sample | |||
| spec: {} | |||
| spec: | |||
There was a problem hiding this comment.
This is the sample being shown in operatorhub web console. Do we want to add (optional) mtls config to it?
| "tls_certificate_sds_secret_configs": []interface{}{ | ||
| map[string]interface{}{ | ||
| "name": "default", | ||
| "sds_config": map[string]interface{}{ |
There was a problem hiding this comment.
Am I correct assuming that the gateway will fetch the client certificate from XDS interface?
| @@ -56,6 +56,10 @@ func (r *IstioAuthClusterReconciler) Reconcile(ctx context.Context, _ []controll | |||
| if kuadrant == nil { | |||
| return nil | |||
| } | |||
| mtls := false | |||
| if kuadrant != nil && kuadrant.Spec.MTLS != nil && kuadrant.Spec.MTLS.Enable { | |||
There was a problem hiding this comment.
nit: when this kind of checks depend entirely on an object internal state and can be reused, they can be implemented in the object
diff --git a/api/v1beta1/kuadrant_types.go b/api/v1beta1/kuadrant_types.go
index 12bb1545..10316535 100644
--- a/api/v1beta1/kuadrant_types.go
+++ b/api/v1beta1/kuadrant_types.go
@@ -52,6 +52,14 @@ func (p *Kuadrant) GetLocator() string {
return machinery.LocatorFromObject(p)
}
+func (p *Kuadrant) IsMTLSEnabled() bool {
+ if p == nil {
+ return false
+ }
+
+ return p.Spec.MTLS != nil && p.Spec.MTLS.Enable
+}
+
// KuadrantSpec defines the desired state of Kuadrant
type KuadrantSpec struct {
Observability Observability `json:"observability,omitempty"`It works even when kuadrant object is nil.
| targetables := topology.Targetables() | ||
| gateways := targetables.Items(func(o machinery.Object) bool { | ||
| gateway, ok := o.(*machinery.Gateway) | ||
| return ok && gateway.Spec.GatewayClassName == "istio" |
There was a problem hiding this comment.
It's better to check the GatewayClass instead of that. Check out how the observability reconciler is doing this https://github.com/Kuadrant/kuadrant-operator/blob/main/controllers/observability_reconciler.go#L399-L422
| } | ||
| } | ||
| */ | ||
| func LinkDeploymentToAuthorino(objs controller.Store) machinery.LinkFunc { |
There was a problem hiding this comment.
| "k8s.io/apimachinery/pkg/api/meta" | ||
| ) | ||
|
|
||
| func IsLimitadorOperatorInstalled(restMapper meta.RESTMapper, logger logr.Logger) (bool, error) { |
There was a problem hiding this comment.
Why is required to check the existence of the operator? Shouldn't it be Limitador itself?
| func MergeMapStringString(modified *bool, existing *map[string]string, desired map[string]string) { | ||
| if *existing == nil { | ||
| *existing = map[string]string{} | ||
| } | ||
|
|
||
| // for each desired key value set, e.g. labels | ||
| // check if it's present in existing. if not add it to existing. | ||
| // e.g. preserving existing labels while adding those that are in the desired set. | ||
| for desiredKey, desiredValue := range desired { | ||
| if existingValue, exists := (*existing)[desiredKey]; !exists || existingValue != desiredValue { | ||
| (*existing)[desiredKey] = desiredValue | ||
| *modified = true | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
it's not a map merge operation. It's doing what the comments say.
Closes #1157
Changes
Verification steps
Run the following on this branch.
make local-setupkubectl apply -f config/samples/kuadrant_v1beta1_kuadrant.yamlFollow steps in https://docs.kuadrant.io/dev/kuadrant-operator/doc/user-guides/full-walkthrough/secure-protect-connect/
Update the kuadrant cr to enable mts using
kubectl patch kuadrant kuadrant-sample --type='json' -p='[{"op": "replace", "path": "/spec/mtls/enable", "value": true}]'Verify that a Peer Authentication exists
kubectl get peerauthentication default -n default -o yamlwhich has the following details
Verify that the two envoyfilters have a CLUSTER patch with a key "transport_socket" in spec.configPatches applyTo CLUSTER.patch.value
kubectl get envoyfilter -A -o yamlVerify that the limitador and authorino deployments have the expected labels
kubectl get deployment limitador-limitador -o yaml | yq e '.spec.template.metadata.labels' kubectl get deployment authorino -o yaml | yq e '.spec.template.metadata.labels'Both should output