aeraki and envoy communicate through mTLS
wsd0543 committed Dec 12, 2023
1 parent 1011e10 commit 6bff254
Showing 3 changed files with 73 additions and 2 deletions.
24 changes: 24 additions & 0 deletions internal/bootstrap/server.go
Expand Up @@ -18,10 +18,12 @@ import (
"bytes"
"context"
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"net"
"net/http"
"os"

//nolint
_ "net/http/pprof" // pprof
Expand Down Expand Up @@ -163,6 +165,9 @@ func NewServer(args *AerakiArgs) (*Server, error) {
if err := server.initRootCA(); err != nil {
return nil, fmt.Errorf("error initializing root ca: %v", err)
}
if err := server.initXdsServer(); err != nil {
return nil, fmt.Errorf("error initializing xds server: %v", err)
}
if err := server.initSecureWebhookServer(args); err != nil {
return nil, fmt.Errorf("error initializing webhook server: %v", err)
}
Expand All @@ -177,6 +182,25 @@ func NewServer(args *AerakiArgs) (*Server, error) {
return server, err
}

func (s *Server) initXdsServer() error {
pool := x509.NewCertPool()
istiodCACertPath := "/var/run/secrets/istio/root-cert.pem"
caCrt, err := os.ReadFile(istiodCACertPath)
if err != nil {
return fmt.Errorf("failed to read istio ca cert file: %v", err)
}
pool.AppendCertsFromPEM(caCrt)

s.xdsServer.TlsConfig = tls.Config{
GetCertificate: s.getAerakiCertificate,
MinVersion: tls.VersionTLS12,
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: pool,
}

return nil
}

func (s *Server) initAerakiServer(args *AerakiArgs) {
// make sure we have a readiness probe before serving HTTP to avoid marking ready too soon
s.initReadinessProbes()
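Review bot: `pool.AppendCertsFromPEM(caCrt)` in the new `initXdsServer` discards its boolean result, so a root-cert.pem that exists but holds no parseable certificate leaves `ClientCAs` empty and every sidecar handshake is then refused with nothing in the logs pointing at the file; add `if !pool.AppendCertsFromPEM(caCrt) { return fmt.Errorf("no certificates parsed from %s", istiodCACertPath) }` right after the read. `RequireAndVerifyClientCert` only proves the peer chains to the Istio root, so any mesh workload — whatever namespace or service account — can open an xDS stream to this server; if the intended clients are just the sidecars Aeraki bootstraps, a `VerifyPeerCertificate` callback that checks the leaf's SPIFFE URI SAN is where to enforce that (the expected SPIFFE ID is not visible here, so confirm it against the deployment). The pool is also built once at startup, so a rotation of the Istio root certificate is only picked up after a restart — presumably acceptable, but worth stating in a comment on the function, e.g. `// initXdsServer reads the Istio root CA once; a root rotation requires a restart.` `NewServer` continues outside the hunk.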
42 changes: 42 additions & 0 deletions internal/controller/kube/sidecar_bootstrap_config.go
Expand Up @@ -72,6 +72,48 @@ var bootstrapConfig = `
]
}
]
},
"transport_socket": {
"name": "envoy.transport_sockets.tls",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
"common_tls_context": {
"validation_context_sds_secret_config": {
"name": "ROOTCA",
"sds_config": {
"api_config_source": {
"api_type": "GRPC",
"grpc_services": [{
"envoy_grpc": {
"cluster_name": "sds-grpc"
}
}],
"set_node_on_first_message_only": true,
"transport_api_version": "V3"
},
"initial_fetch_timeout": "0s",
"resource_api_version": "V3"
}
},
"tls_certificate_sds_secret_configs": [{
"name": "default",
"sds_config": {
"api_config_source": {
"api_type": "GRPC",
"grpc_services": [{
"envoy_grpc": {
"cluster_name": "sds-grpc"
}
}],
"set_node_on_first_message_only": true,
"transport_api_version": "V3"
},
"initial_fetch_timeout": "0s",
"resource_api_version": "V3"
}
}]
}
}
}
}
]
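Review bot: the `UpstreamTlsContext` added to this cluster validates the server chain against `ROOTCA` but never pins the server's identity, so any certificate issued by the same Istio CA — that is, any workload in the mesh — would be accepted as the Aeraki xDS server if it can get into the traffic path; the ROOTCA secret should be paired with a `match_typed_subject_alt_names` entry for Aeraki's SPIFFE ID, which means moving the SDS reference under `combined_validation_context` as sketched below (the exact SPIFFE URI is not visible here and must come from the deployment's trust domain, namespace and service account). The config also relies on an `sds-grpc` cluster being defined elsewhere in the bootstrap template — presumably the Istio agent's SDS socket, as in Istio's own bootstrap — which is outside this hunk, as is the start of the enclosing cluster definition. A one-line comment above the template noting that `default` and `ROOTCA` are the secret names served by Istio's agent would help the next reader.
```json
"common_tls_context": {
  "combined_validation_context": {
    "default_validation_context": {
      "match_typed_subject_alt_names": [{
        "san_type": "URI",
        "matcher": { "exact": "spiffe://<trust-domain>/ns/<aeraki-namespace>/sa/<aeraki-service-account>" }
      }]
    },
    "validation_context_sds_secret_config": {
      "name": "ROOTCA",
      "sds_config": { ... unchanged: the sds-grpc api_config_source from the hunk ... }
    }
  },
  "tls_certificate_sds_secret_configs": [ ... unchanged ... ]
}
```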
9 changes: 7 additions & 2 deletions internal/xds/server.go
Expand Up @@ -16,6 +16,8 @@ package xds

import (
"context"
"crypto/tls"
"google.golang.org/grpc/credentials"
"net"

routeservice "github.com/envoyproxy/go-control-plane/envoy/service/route/v3"
Expand All @@ -39,8 +41,9 @@ type cacheMgr interface {

// Server serves xDS resources to Envoy sidecars
type Server struct {
addr string
cacheMgr cacheMgr
addr string
cacheMgr cacheMgr
TlsConfig tls.Config
}

// NewServer creates a xDS server
Expand All @@ -59,6 +62,8 @@ func (s *Server) Run(stopCh <-chan struct{}) {
// availability problems.
var grpcOptions []grpc.ServerOption
grpcOptions = append(grpcOptions, grpc.MaxConcurrentStreams(grpcMaxConcurrentStreams))
tlsCreds := credentials.NewTLS(&s.TlsConfig)
grpcOptions = append(grpcOptions, grpc.Creds(tlsCreds))
grpcServer := grpc.NewServer(grpcOptions...)

lis, err := net.Listen("tcp", s.addr)
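Review bot: `Run` now always wraps the listener in TLS via `credentials.NewTLS(&s.TlsConfig)`, but nothing checks that `TlsConfig` was ever populated; with the zero value there is no `GetCertificate` and no `Certificates`, so every handshake fails at runtime with Go's generic `tls: no certificates configured` error instead of a clear failure at startup. Add a guard before `grpc.NewServer`: `if s.TlsConfig.GetCertificate == nil && len(s.TlsConfig.Certificates) == 0 { /* log and return: xDS TLS config not initialized */ }` — this file's logger is not visible in the hunk, and `Run` returns nothing, so its body (which continues outside the hunk) needs a way to surface that. Two style nits: `"google.golang.org/grpc/credentials"` is inserted into the standard-library import group right after `"crypto/tls"`, where `goimports` would move it down to the third-party group, and the exported field would read `TLSConfig` under Go's initialism convention. Holding `tls.Config` by value also means any copy of `Server` copies the config's internal locks (`go vet` copylocks), so a `*tls.Config` field is the safer shape.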
