
Commit 15e46da

authored
Fix ingress backend broken SAN (openservicemesh#4914)
Fix ingress backend SAN's, which were getting the trust domain appended to the provided SAN. This adds an e2e test to catch that going forward. This also switches the internal builders to use the principal (trust domain appended) vs the identity (no trust domain)
1 parent 9e9f712 commit 15e46da

20 files changed

+275
-179
lines changed

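--- a/pkg/catalog/catalog.go
+++ b/pkg/catalog/catalog.go
@@ -25,6 +25,7 @@ func NewMeshCatalog(kubeController k8s.Controller, meshSpec smi.MeshSpec, certMa
 meshSpec: meshSpec,
 policyController: policyController,
 configurator: cfg,
+certManager: certManager,
 
 kubeController: kubeController,
 }
@@ -42,3 +43,8 @@ func NewMeshCatalog(kubeController k8s.Controller, meshSpec smi.MeshSpec, certMa
 func (mc *MeshCatalog) GetKubeController() k8s.Controller {
 return mc.kubeController
 }
+
+// GetTrustDomain returns the currently configured trust domain, ie: cluster.local
+func (mc *MeshCatalog) GetTrustDomain() string {
+return mc.certManager.GetTrustDomain()
+}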
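Review bot: The new `GetTrustDomain` dereferences `mc.certManager` unconditionally, and that field is only populated by `NewMeshCatalog`; a `MeshCatalog` built as a struct literal without `certManager` (the test in this commit sets it explicitly, other construction sites may not) would panic here instead of reporting a problem. Because the returned value becomes the suffix of every principal placed in `AllowedPrincipals` (see inbound_traffic_policies.go in this commit), a comment on the field or the method stating the requirement would help, e.g. `// certManager must be non-nil: GetTrustDomain derives the principal suffix used by inbound traffic policies from it.` Minor wording in the doc comment: `ie:` should read `i.e.`. NewMeshCatalog's body starts and ends outside the hunks.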

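--- a/pkg/catalog/inbound_traffic_policies.go
+++ b/pkg/catalog/inbound_traffic_policies.go
@@ -131,8 +131,8 @@ func (mc *MeshCatalog) getInboundTrafficPoliciesForUpstream(upstreamSvc service.
 // Only a single rule for permissive mode.
 inboundPolicyForUpstreamSvc.Rules = []*trafficpolicy.Rule{
 {
-Route: *trafficpolicy.NewRouteWeightedCluster(trafficpolicy.WildCardRouteMatch, []service.WeightedCluster{localCluster}, upstreamTrafficSetting),
-AllowedServiceIdentities: mapset.NewSetWith(identity.WildcardServiceIdentity),
+Route: *trafficpolicy.NewRouteWeightedCluster(trafficpolicy.WildCardRouteMatch, []service.WeightedCluster{localCluster}, upstreamTrafficSetting),
+AllowedPrincipals: mapset.NewSetWith(identity.WildcardPrincipal),
 },
 }
 } else {
@@ -178,17 +178,17 @@ func (mc *MeshCatalog) getRoutingRulesFromTrafficTarget(trafficTarget access.Tra
 }
 
 // Compute the allowed downstream service identities for the given TrafficTarget object
-allowedDownstreamIdentities := mapset.NewSet()
+trustDomain := mc.GetTrustDomain()
+allowedDownstreamPrincipals := mapset.NewSet()
 for _, source := range trafficTarget.Spec.Sources {
-sourceSvcIdentity := trafficTargetIdentityToSvcAccount(source).ToServiceIdentity()
-allowedDownstreamIdentities.Add(sourceSvcIdentity)
+allowedDownstreamPrincipals.Add(trafficTargetIdentityToSvcAccount(source).AsPrincipal(trustDomain))
 }
 
 var routingRules []*trafficpolicy.Rule
 for _, httpRouteMatch := range httpRouteMatches {
 rule := &trafficpolicy.Rule{
-Route: *trafficpolicy.NewRouteWeightedCluster(httpRouteMatch, []service.WeightedCluster{routingCluster}, upstreamTrafficSetting),
-AllowedServiceIdentities: allowedDownstreamIdentities,
+Route: *trafficpolicy.NewRouteWeightedCluster(httpRouteMatch, []service.WeightedCluster{routingCluster}, upstreamTrafficSetting),
+AllowedPrincipals: allowedDownstreamPrincipals,
 }
 routingRules = append(routingRules, rule)
 }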
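Review bot: The context comment `// Compute the allowed downstream service identities for the given TrafficTarget object` in the second hunk is now stale, since the set it introduces holds principals with the trust domain appended; suggest `// Compute the allowed downstream principals (service identity + trust domain) for the given TrafficTarget object`. Relatedly, `AsPrincipal(trustDomain)` is fed whatever `mc.GetTrustDomain()` returns and nothing here guards against an empty value, which would presumably produce a principal that matches no certificate SAN and silently deny the downstream — worth confirming the cert manager guarantees a non-empty trust domain, or failing loudly here if it does not. Both getInboundTrafficPoliciesForUpstream and getRoutingRulesFromTrafficTarget begin before their hunks and close outside them.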

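--- a/pkg/catalog/inbound_traffic_policies_test.go
+++ b/pkg/catalog/inbound_traffic_policies_test.go
@@ -4,6 +4,7 @@ import (
 "fmt"
 "reflect"
 "testing"
+"time"
 
 mapset "github.com/deckarep/golang-set"
 "github.com/golang/mock/gomock"
@@ -15,6 +16,7 @@ import (
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 policyv1alpha1 "github.com/openservicemesh/osm/pkg/apis/policy/v1alpha1"
+tresorFake "github.com/openservicemesh/osm/pkg/certificate/providers/tresor/fake"
 
 "github.com/openservicemesh/osm/pkg/configurator"
 "github.com/openservicemesh/osm/pkg/endpoint"
@@ -168,10 +170,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -207,10 +209,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -473,10 +475,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 {
 Route: trafficpolicy.RouteWeightedClusters{
@@ -493,10 +495,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -532,10 +534,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 {
 Route: trafficpolicy.RouteWeightedClusters{
@@ -552,10 +554,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -721,10 +723,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -758,10 +760,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -797,10 +799,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -914,7 +916,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
+AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
 },
 },
 },
@@ -941,7 +943,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
+AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
 },
 },
 },
@@ -970,7 +972,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
+AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
 },
 },
 },
@@ -1116,10 +1118,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
-Name: "sa2",
-Namespace: "ns2",
-}.ToServiceIdentity()),
+AllowedPrincipals: mapset.NewSet("sa2.ns2.cluster.local"),
 },
 },
 },
@@ -1287,15 +1286,15 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(
+AllowedPrincipals: mapset.NewSet(
 identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity(),
+}.AsPrincipal("cluster.local"),
 identity.K8sServiceAccount{
 Name: "sa3",
 Namespace: "ns3",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -1331,15 +1330,15 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(
+AllowedPrincipals: mapset.NewSet(
 identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity(),
+}.AsPrincipal("cluster.local"),
 identity.K8sServiceAccount{
 Name: "sa3",
 Namespace: "ns3",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -1503,10 +1502,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -1542,10 +1541,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -1653,7 +1652,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
+AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
 },
 },
 },
@@ -1680,7 +1679,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 Weight: 100,
 }),
 },
-AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
+AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
 },
 },
 },
@@ -1825,10 +1824,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 }),
 RateLimit: perRouteRateLimitConfig,
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -1866,10 +1865,10 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 }),
 RateLimit: perRouteRateLimitConfig,
 },
-AllowedServiceIdentities: mapset.NewSet(identity.K8sServiceAccount{
+AllowedPrincipals: mapset.NewSet(identity.K8sServiceAccount{
 Name: "sa2",
 Namespace: "ns2",
-}.ToServiceIdentity()),
+}.AsPrincipal("cluster.local")),
 },
 },
 },
@@ -1953,7 +1952,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 }),
 RateLimit: perRouteRateLimitConfig,
 },
-AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
+AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
 },
 },
 },
@@ -1984,7 +1983,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 }),
 RateLimit: perRouteRateLimitConfig,
 },
-AllowedServiceIdentities: mapset.NewSet(identity.WildcardServiceIdentity),
+AllowedPrincipals: mapset.NewSet(identity.WildcardPrincipal),
 },
 },
 },
@@ -2014,6 +2013,8 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 mockCtrl := gomock.NewController(t)
 defer mockCtrl.Finish()
 
+fakeCertManager := tresorFake.NewFake(nil, 1*time.Hour)
+
 mockKubeController := k8s.NewMockController(mockCtrl)
 mockPolicyController := policy.NewMockController(mockCtrl)
 mockEndpointProvider := endpoint.NewMockProvider(mockCtrl)
@@ -2025,6 +2026,7 @@ func TestGetInboundMeshTrafficPolicy(t *testing.T) {
 policyController: mockPolicyController,
 endpointsProviders: []endpoint.Provider{mockEndpointProvider},
 serviceProviders: []service.Provider{mockServiceProvider},
+certManager: fakeCertManager,
 configurator: mockCfg,
 meshSpec: mockMeshSpec,
 }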
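Review bot: The trust domain `"cluster.local"` is hard-coded in every expected `AllowedPrincipals` set (the hunks from 170 through 1983), while the catalog under test takes its trust domain from `tresorFake.NewFake(nil, 1*time.Hour)` at 2016; the expectations only hold because the fake's default happens to match, and nothing in the test states that coupling. A single `const testTrustDomain = "cluster.local"` used in each `AsPrincipal(...)` call (or `trustDomain := fakeCertManager.GetTrustDomain()` if the fixture can be built before the case table) would make the dependency explicit and confine a future change of the fake's default to one line. The hunk at 1118 instead spells the principal out as the literal `"sa2.ns2.cluster.local"`, which is a useful pin of the expected SAN layout but reads as an inconsistency without a note, e.g. `// literal form pins the SAN layout <sa>.<ns>.<trust domain>`. TestGetInboundMeshTrafficPolicy begins before the first code hunk and ends after the last one.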
