Allow certificates to contain subjects with allowed external namesΒ #630
Description
Overview
Currently, secret-operator can only sign/request certificates with IP/DNS names based on these scopes:
listener-volume(The external-name that is reported back by the Load Balancer controller1).node(eg:10.0.0.1ornode-1.local.domain. If I understand correctly, this becomes obsolete sincelistener-volumescope)pod(STS) (eg:pod-0.app-service.app-namespace.svc.cluster.local)service(FQDN of the named service, eg:app-service.app-namespace.svc.cluster.local
Customers often want to use an external2 DNS name, and in many cases use external-dns to automatically create DNS records for Services/Ingress/Gateway resources.
Common environment setups
In many environments (both Cloud and On-Prem):
- The kubelet clusterDomain is not usable outside of the cluster (especially
when it is the default ofcluster.local), and - Customers often use names under a suffix separate from the kubelet
clusterDomain. Often this is a shorter name (eg:app.team.example.com
instead ofapp.app-service.app-namespace.cluster.domain). - DNS is often auto-configured using External DNS, which is configured in these
ways:- For Services, an annotation is place to map the DNS name to the Service
(NodePort, or LoadBalancer) IP. - For Ingress/Gateway, there are dedicated fields for specifying the DNS name.
- For Services, an annotation is place to map the DNS name to the Service
- Load balancers do TLS termination
- In the case of internet-facing load balancers, this can be used to hide the
subject names on the internal certificate which leak information such as the
Kubernetes namespace and clusterDomain.
- In the case of internet-facing load balancers, this can be used to hide the
In some cases, they can work around this by using a Load Balancer that does L5 (TLS termination) or L7 (HTTP proxying), however with SNI checks becoming more prevalent these methods are becoming less effective when the external name used is not in the certificate used by the application.
This issue is about allowing external names to be added to certificates and a suggested approach follows...
Suggested approach
- Extend the
SecretClassto allow a list of suffixes (and minDepth/maxDepth number of dots) for additional names that can be added to the certificate. - Extend
Listenerwith anexternalName(or externalNames?) field.- If the listener-volume scope is used, and the suffix is permitted (within the minDepth/maxDepth bounds), then secret-operator will add that as a subject to the certificate request.
- Extend
Listenerwith aserviceAnnotationsfield.- We could use this opportunity to consistently name the fields in
ListenerandListenerClass(either all fields to be passed to Service are prefixed withservice, or we put everything underServiceOverrides.
- We could use this opportunity to consistently name the fields in
Important
Question: If the externalName set on the listener is not permitted in the certificate (or minDepth/maxDepth are out of bounds), where should an error event go? It could go on the Listener, but the listener doesn't concern itself too much with TLS details.
Example config:
Have a SecretClass which allows signing names under certain additional suffixes.
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
name: org-pki
spec:
backend:
# Using autoTls as an example, but same applies for any supported backend
autoTls:
ca:
secret:
name: secret-provisioner-tls-ca
namespace: default
autoGenerate: true
maxCertificateLifetime: 15d
# π New
allowedSuffixes: # maybe should be additionalSuffixes, since it is on top of existing names
- suffix: internal.example.com
maxDepth: 0 # allow anything under internal.example.com, eg: a.b.c.d.internal.example.com
# or
- suffix: internal.example.com
maxDepth: 1 # default, only allow one dot between the name and the suffix, eg: a.internal.example.com
# or
- suffix: internal.example.com
# Example: the organisation allows signing certs for $app.$team.internal.example.com
# by requiring two dots between the name and the suffix
# allow a.b.internal.example.com
# disallow a.internal.example.com
# disallow a.b.c.internal.example.com
minDepth: 2
maxDepth: 2
# alternatively we could define depth and make it mutually exclusive to minDepth/maxDepth
- suffix: internal.example.netHave a ListenerClass ready for making public facing AWS NLBs with TLS termination
apiVersion: listeners.stackable.tech/v1alpha1
kind: ListenerClass
metadata:
name: aws-ec2-nlb-public
spec:
# I think it would make more sense to make a serviceOverrides key instead of prefixing some with "service" and missing it in others (eg: loadBalancerClass)
serviceType: LoadBalancer
# https://docs.aws.amazon.com/eks/latest/userguide/auto-configure-nlb.html#_sample_service
loadBalancerClass: eks.amazonaws.com/nlb
loadBalancerAllocateNodePorts: false
preferredAddressType: HostnameConservative
serviceExternalTrafficPolicy: Local
serviceAnotations:
service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip # Forward directly through node to Pod IP instead of an L3 hop/NAT through the node.
service.beta.kubernetes.io/aws-load-balancer-attributes: >-
proxy_protocol_v2.enabled=trueHave a NifiCluster, specifying an externalName (to be used in the resultant Listener) and service annotations to enable TLS temination on the Load Balancer, and a hostname to be configured by External DNS.
apiVersion: nifi.stackable.tech/v1alpha1
kind: NifiCluster
metadata:
name: simple-nifi
spec:
clusterConfig:
tls:
serverSecretClass: org-pki
nodes:
roleConfig:
# I think this should be moved under listenerOverrides as className...
listenerClass: aws-nlb-tls
# π New
listenerOverrides:
className: aws-nlb-tls # moved from roleConfig.listenerClass
externalName: app.internal.example.com
serviceAnnotations:
external-dns.alpha.kubernetes.io/hostname: app.internal.example.com
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-central-1:123456789012:certificate/4e12c4fe-eed9-48db-98d8-820b6b50ace4
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "8443"Based on the configurations above, the objects below should be created by the NiFi Operator:
# This is the Listener produced by NifiCluster
kind: Listener
metadata:
name: the-nifi-listener
spec:
className: aws-nlb-tls-public
# π New
externalName: app.internal.example.com # this came from the NifiCluster overrides
# π Not yet available, see (see: https://github.com/stackabletech/listener-operator/issues/331)
serviceAnnotations:
external-dns.alpha.kubernetes.io/hostname: app.internal.example.com
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-central-1:123456789012:certificate/4e12c4fe-eed9-48db-98d8-820b6b50ace4
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "8443"# This is the Pod produced by the Deployment produced by the NifiCluster
apiVersion: v1
kind: Pod
metadata:
name: nifi-0
spec:
volumes:
- name: tls
ephemeral:
volumeClaimTemplate:
metadata:
annotations:
secrets.stackable.tech/class: org-pki
secrets.stackable.tech/scope: pod,service=nifi,listener-volume=the-nifi-listenerBased on the configurations above, the object below should be created by the Listener Operator:
apiVersion: v1
kind: Service
metadata:
name: nifi-listener
annotations:
external-dns.alpha.kubernetes.io/hostname: app.internal.example.com
service.beta.kubernetes.io/aws-load-balancer-attributes: proxy_protocol_v2.enabled=true
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-central-1:123456789012:certificate/4e12c4fe-eed9-48db-98d8-820b6b50ace4
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "8443"
spec:
type: LoadBalancer
loadBalancerClass: eks.amazonaws.com/nlb
loadBalancerAllocateNodePorts: false
externalTrafficPolicy: Local
ports: ...