feat(meshtls): policy implementation (kumahq#11254)

Signed-off-by: slonka <[email protected]> Co-authored-by: Lukasz Dziedziak <[email protected]> Co-authored-by: Mike Beaumont <[email protected]>
Automaat · Sep 5, 2024 · 749aed7 · 749aed7
1 parent 246232b
commit 749aed7
Show file tree

Hide file tree

Showing 54 changed files with 2,379 additions and 197 deletions.
diff --git a/api/common/v1alpha1/tls/tls.go b/api/common/v1alpha1/tls/tls.go
@@ -4,6 +4,8 @@ package tls
 import (
 	"slices"
 
+	tlsv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
+
 	"github.com/kumahq/kuma/pkg/core/validators"
 )
 
@@ -62,3 +64,43 @@ func ValidateVersion(version *Version) validators.ValidationError {
 
 	return verr
 }
+
+func ToTlsVersion(version *TlsVersion) tlsv3.TlsParameters_TlsProtocol {
+	switch *version {
+	case TLSVersion13:
+		return tlsv3.TlsParameters_TLSv1_3
+	case TLSVersion12:
+		return tlsv3.TlsParameters_TLSv1_2
+	case TLSVersion11:
+		return tlsv3.TlsParameters_TLSv1_1
+	case TLSVersion10:
+		return tlsv3.TlsParameters_TLSv1_0
+	case TLSVersionAuto:
+		fallthrough
+	default:
+		return tlsv3.TlsParameters_TLS_AUTO
+	}
+}
+
+// +kubebuilder:validation:Enum=ECDHE-ECDSA-AES128-GCM-SHA256;ECDHE-ECDSA-AES256-GCM-SHA384;ECDHE-ECDSA-CHACHA20-POLY1305;ECDHE-RSA-AES128-GCM-SHA256;ECDHE-RSA-AES256-GCM-SHA384;ECDHE-RSA-CHACHA20-POLY1305
+type TlsCipher string
+
+const (
+	EcdheEcdsaAes128GcmSha256  TlsCipher = "ECDHE-ECDSA-AES128-GCM-SHA256"
+	EcdheEcdsaAes256GcmSha384  TlsCipher = "ECDHE-ECDSA-AES256-GCM-SHA384"
+	EcdheEcdsaChacha20Poly1305 TlsCipher = "ECDHE-ECDSA-CHACHA20-POLY1305"
+	EcdheRsaAes128GcmSha256    TlsCipher = "ECDHE-RSA-AES128-GCM-SHA256"
+	EcdheRsaAes256GcmSha384    TlsCipher = "ECDHE-RSA-AES256-GCM-SHA384"
+	EcdheRsaChacha20Poly1305   TlsCipher = "ECDHE-RSA-CHACHA20-POLY1305"
+)
+
+var AllCiphers = []string{
+	string(EcdheEcdsaAes128GcmSha256),
+	string(EcdheEcdsaAes256GcmSha384),
+	string(EcdheEcdsaChacha20Poly1305),
+	string(EcdheRsaAes128GcmSha256),
+	string(EcdheRsaAes256GcmSha384),
+	string(EcdheRsaChacha20Poly1305),
+}
+
+type TlsCiphers []TlsCipher
diff --git a/api/common/v1alpha1/tls/zz_generated.deepcopy.go b/api/common/v1alpha1/tls/zz_generated.deepcopy.go
diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.defaults.golden.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.defaults.golden.yaml
@@ -6614,8 +6614,9 @@ spec:
                         'targetRef'
                       properties:
                         mode:
-                          description: Mode defines the behavior of inbound listeners
-                            with regard to traffic encryption.
+                          description: |-
+                            Mode defines the behavior of inbound listeners with regard to traffic encryption.
+                            Default: Strict.
                           enum:
                           - Permissive
                           - Strict

diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.gateway-api-present.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.gateway-api-present.yaml
@@ -6614,8 +6614,9 @@ spec:
                         'targetRef'
                       properties:
                         mode:
-                          description: Mode defines the behavior of inbound listeners
-                            with regard to traffic encryption.
+                          description: |-
+                            Mode defines the behavior of inbound listeners with regard to traffic encryption.
+                            Default: Strict.
                           enum:
                           - Permissive
                           - Strict

diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.with-helm-set.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.with-helm-set.yaml
@@ -6634,8 +6634,9 @@ spec:
                         'targetRef'
                       properties:
                         mode:
-                          description: Mode defines the behavior of inbound listeners
-                            with regard to traffic encryption.
+                          description: |-
+                            Mode defines the behavior of inbound listeners with regard to traffic encryption.
+                            Default: Strict.
                           enum:
                           - Permissive
                           - Strict

diff --git a/app/kumactl/cmd/install/testdata/install-crds.all.golden.yaml b/app/kumactl/cmd/install/testdata/install-crds.all.golden.yaml
@@ -8104,8 +8104,9 @@ spec:
                         'targetRef'
                       properties:
                         mode:
-                          description: Mode defines the behavior of inbound listeners
-                            with regard to traffic encryption.
+                          description: |-
+                            Mode defines the behavior of inbound listeners with regard to traffic encryption.
+                            Default: Strict.
                           enum:
                           - Permissive
                           - Strict

diff --git a/deployments/charts/kuma/crds/kuma.io_meshtlses.yaml b/deployments/charts/kuma/crds/kuma.io_meshtlses.yaml
@@ -58,8 +58,9 @@ spec:
                         'targetRef'
                       properties:
                         mode:
-                          description: Mode defines the behavior of inbound listeners
-                            with regard to traffic encryption.
+                          description: |-
+                            Mode defines the behavior of inbound listeners with regard to traffic encryption.
+                            Default: Strict.
                           enum:
                           - Permissive
                           - Strict

diff --git a/docs/generated/openapi.yaml b/docs/generated/openapi.yaml
@@ -10298,6 +10298,8 @@ components:
                         description: >-
                           Mode defines the behavior of inbound listeners with
                           regard to traffic encryption.
+
+                          Default: Strict.
                         enum:
                           - Permissive
                           - Strict

diff --git a/docs/generated/raw/crds/kuma.io_meshtlses.yaml b/docs/generated/raw/crds/kuma.io_meshtlses.yaml
@@ -58,8 +58,9 @@ spec:
                         'targetRef'
                       properties:
                         mode:
-                          description: Mode defines the behavior of inbound listeners
-                            with regard to traffic encryption.
+                          description: |-
+                            Mode defines the behavior of inbound listeners with regard to traffic encryption.
+                            Default: Strict.
                           enum:
                           - Permissive
                           - Strict

diff --git a/pkg/core/xds/types.go b/pkg/core/xds/types.go
@@ -5,6 +5,7 @@ import (
 	"slices"
 	"strings"
 
+	tlsv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
 	"github.com/pkg/errors"
 
 	mesh_proto "github.com/kumahq/kuma/api/mesh/v1alpha1"
@@ -53,34 +54,25 @@ type TagSelectorSet []mesh_proto.TagSelector
 // DestinationMap holds a set of selectors for all reachable Dataplanes grouped by service name.
 // DestinationMap is based on ServiceName and not on the OutboundInterface because TrafficRoute can introduce new service destinations that were not included in a outbound section.
 // Policies that match on outbound connections also match by service destination name and not outbound interface for the same reason.
-type DestinationMap map[ServiceName]TagSelectorSet
-
-type TlsVersion int32
-
-const (
-	TLSVersionAuto TlsVersion = 0
-	TLSVersion10   TlsVersion = 1
-	TLSVersion11   TlsVersion = 2
-	TLSVersion12   TlsVersion = 3
-	TLSVersion13   TlsVersion = 4
+type (
+	DestinationMap  map[ServiceName]TagSelectorSet
+	ExternalService struct {
+		Protocol                 core_mesh.Protocol
+		TLSEnabled               bool
+		FallbackToSystemCa       bool
+		CaCert                   []byte
+		ClientCert               []byte
+		ClientKey                []byte
+		AllowRenegotiation       bool
+		SkipHostnameVerification bool
+		ServerName               string
+		SANs                     []SAN
+		MinTlsVersion            *tlsv3.TlsParameters_TlsProtocol
+		MaxTlsVersion            *tlsv3.TlsParameters_TlsProtocol
+		OwnerResource            *core_model.TypedResourceIdentifier
+	}
 )
 
-type ExternalService struct {
-	Protocol                 core_mesh.Protocol
-	TLSEnabled               bool
-	FallbackToSystemCa       bool
-	CaCert                   []byte
-	ClientCert               []byte
-	ClientKey                []byte
-	AllowRenegotiation       bool
-	SkipHostnameVerification bool
-	ServerName               string
-	SANs                     []SAN
-	MinTlsVersion            *TlsVersion
-	MaxTlsVersion            *TlsVersion
-	OwnerResource            *core_model.TypedResourceIdentifier
-}
-
 type MatchType string
 
 const (

diff --git a/pkg/plugins/policies/core/ordered/ordered.go b/pkg/plugins/policies/core/ordered/ordered.go
@@ -24,6 +24,8 @@ var Policies = []plugins.PluginName{
 	// Routes have to come first
 	plugins.PluginName(meshhttproute_api.MeshHTTPRouteResourceTypeDescriptor.KumactlArg),
 	plugins.PluginName(meshtcproute_api.MeshTCPRouteResourceTypeDescriptor.KumactlArg),
+	// MeshTLS needs to come before everything because it rebuilds the inbound listeners
+	plugins.PluginName(meshtls_api.MeshTLSResourceTypeDescriptor.KumactlArg),
 	// For other policies order isn't important at the moment
 	plugins.PluginName(meshloadbalancingstrategy_api.MeshLoadBalancingStrategyResourceTypeDescriptor.KumactlArg),
 	// has to be before MeshAccessLog so the plugin can access log filters that are added to the filter chains
@@ -38,7 +40,6 @@ var Policies = []plugins.PluginName{
 	plugins.PluginName(meshhealthcheck_api.MeshHealthCheckResourceTypeDescriptor.KumactlArg),
 	plugins.PluginName(meshretry_api.MeshRetryResourceTypeDescriptor.KumactlArg),
 	plugins.PluginName(meshmetric_api.MeshMetricResourceTypeDescriptor.KumactlArg),
-	plugins.PluginName(meshtls_api.MeshTLSResourceTypeDescriptor.KumactlArg),
 	// MeshProxyPatch comes after all others
 	plugins.PluginName(meshproxypatch_api.MeshProxyPatchResourceTypeDescriptor.KumactlArg),
 }
diff --git a/pkg/plugins/policies/meshtls/api/v1alpha1/meshtls.go b/pkg/plugins/policies/meshtls/api/v1alpha1/meshtls.go
@@ -27,29 +27,6 @@ type From struct {
 	Default Conf `json:"default,omitempty"`
 }
 
-// +kubebuilder:validation:Enum=ECDHE-ECDSA-AES128-GCM-SHA256;ECDHE-ECDSA-AES256-GCM-SHA384;ECDHE-ECDSA-CHACHA20-POLY1305;ECDHE-RSA-AES128-GCM-SHA256;ECDHE-RSA-AES256-GCM-SHA384;ECDHE-RSA-CHACHA20-POLY1305
-type TlsCipher string
-
-const (
-	EcdheEcdsaAes128GcmSha256  TlsCipher = "ECDHE-ECDSA-AES128-GCM-SHA256"
-	EcdheEcdsaAes256GcmSha384  TlsCipher = "ECDHE-ECDSA-AES256-GCM-SHA384"
-	EcdheEcdsaChacha20Poly1305 TlsCipher = "ECDHE-ECDSA-CHACHA20-POLY1305"
-	EcdheRsaAes128GcmSha256    TlsCipher = "ECDHE-RSA-AES128-GCM-SHA256"
-	EcdheRsaAes256GcmSha384    TlsCipher = "ECDHE-RSA-AES256-GCM-SHA384"
-	EcdheRsaChacha20Poly1305   TlsCipher = "ECDHE-RSA-CHACHA20-POLY1305"
-)
-
-var allCiphers = []string{
-	string(EcdheEcdsaAes128GcmSha256),
-	string(EcdheEcdsaAes256GcmSha384),
-	string(EcdheEcdsaChacha20Poly1305),
-	string(EcdheRsaAes128GcmSha256),
-	string(EcdheRsaAes256GcmSha384),
-	string(EcdheRsaChacha20Poly1305),
-}
-
-type TlsCiphers []TlsCipher
-
 // +kubebuilder:validation:Enum=Permissive;Strict
 type Mode string
 
@@ -65,8 +42,9 @@ type Conf struct {
 	TlsVersion *common_tls.Version `json:"tlsVersion,omitempty"`
 
 	// TlsCiphers section for providing ciphers specification.
-	TlsCiphers TlsCiphers `json:"tlsCiphers,omitempty"`
+	TlsCiphers common_tls.TlsCiphers `json:"tlsCiphers,omitempty"`
 
 	// Mode defines the behavior of inbound listeners with regard to traffic encryption.
+	// Default: Strict.
 	Mode *Mode `json:"mode,omitempty"`
 }
diff --git a/pkg/plugins/policies/meshtls/api/v1alpha1/schema.yaml b/pkg/plugins/policies/meshtls/api/v1alpha1/schema.yaml
@@ -31,7 +31,9 @@ properties:
                 'targetRef'
               properties:
                 mode:
-                  description: Mode defines the behavior of inbound listeners with regard to traffic encryption.
+                  description: |-
+                    Mode defines the behavior of inbound listeners with regard to traffic encryption.
+                    Default: Strict.
                   enum:
                     - Permissive
                     - Strict

diff --git a/pkg/plugins/policies/meshtls/api/v1alpha1/testdata/full-invalid.input.yaml b/pkg/plugins/policies/meshtls/api/v1alpha1/testdata/full-invalid.input.yaml
@@ -1,7 +1,9 @@
 targetRef:
-  kind: MeshService
-  name: svc-1
+  kind: Mesh
 from:
+  - targetRef:
+      kind: MeshHTTPRoute
+    default: {}
   - targetRef:
       kind: Mesh
     default:

diff --git a/pkg/plugins/policies/meshtls/api/v1alpha1/testdata/full-invalid.output.yaml b/pkg/plugins/policies/meshtls/api/v1alpha1/testdata/full-invalid.output.yaml
@@ -1,11 +1,13 @@
 violations:
-- field: spec.from[0].default.mode
+- field: spec.from[0].targetRef.kind
+  message: value is not supported
+- field: spec.from[1].default.mode
   message: '"mode" must be one of ["Strict", "Permissive"]'
-- field: spec.from[0].default.tlsCiphers
+- field: spec.from[1].default.tlsCiphers
   message: '"tlsCiphers" must be one of ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
     "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
     "ECDHE-RSA-CHACHA20-POLY1305"]'
-- field: spec.from[0].default.version.min
+- field: spec.from[1].default.tlsVersion.min
   message: '"min" must be one of ["TLSAuto", "TLS10", "TLS11", "TLS12", "TLS13"]'
-- field: spec.from[0].default.version.max
+- field: spec.from[1].default.tlsVersion.max
   message: '"max" must be one of ["TLSAuto", "TLS10", "TLS11", "TLS12", "TLS13"]'
diff --git a/pkg/plugins/policies/meshtls/api/v1alpha1/testdata/full-valid.input.yaml b/pkg/plugins/policies/meshtls/api/v1alpha1/testdata/full-valid.input.yaml
@@ -1,6 +1,5 @@
 targetRef:
-  kind: MeshService
-  name: svc-1
+  kind: Mesh
 from:
   - targetRef:
       kind: Mesh

diff --git a/pkg/plugins/policies/meshtls/api/v1alpha1/testdata/invalid-top-level.input.yaml b/pkg/plugins/policies/meshtls/api/v1alpha1/testdata/invalid-top-level.input.yaml
@@ -0,0 +1,14 @@
+targetRef:
+  kind: MeshSubset
+  tags:
+    kuma.io/service: svc-1
+from:
+  - targetRef:
+      kind: Mesh
+    default:
+      tlsVersion:
+        min: TLS15
+        max: TLS16
+      tlsCiphers:
+        - "NotExistingCipher"
+      mode: Strict
diff --git a/pkg/plugins/policies/meshtls/api/v1alpha1/testdata/invalid-top-level.output.yaml b/pkg/plugins/policies/meshtls/api/v1alpha1/testdata/invalid-top-level.output.yaml
@@ -0,0 +1,5 @@
+violations:
+- field: spec.from[0].default.tlsCiphers
+  message: 'tlsCiphers can only be defined with top level targetRef kind: Mesh'
+- field: spec.from[0].default.tlsVersion
+  message: 'tlsVersion can only be defined with top level targetRef kind: Mesh'