

feat(mtls) enable controller mTLS by default (#959)
Enable controller mTLS by default using a generated certificate and CA.

Mount the generated CA for the controller client certificate on the proxy, if
available, when no other client CA configuration is present.

Default the gateway discovery DNS mode to pod for generated certificate
compatibility.

---------

Co-authored-by: Grzegorz Burzyński <[email protected]>
rainest and czeslavo authored Dec 8, 2023
1 parent 06a2172 commit 041b8d0
Showing 2 changed files with 14 additions and 3 deletions.
12 changes: 10 additions & 2 deletions charts/kong/templates/_helpers.tpl
Expand Up @@ -441,6 +441,7 @@ The name of the Service which will be used by the controller to update the Ingre

{{- if .Values.ingressController.gatewayDiscovery.enabled -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_SVC" (printf "%s/%s-%s" (include "kong.namespace" .) (include "kong.fullname" .) "admin") -}}
{{- $_ := set $autoEnv "CONTROLLER_GATEWAY_DISCOVERY_DNS_STRATEGY" "pod" -}}
{{- else -}}
{{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_URL" (include "kong.adminLocalURL" .) -}}
{{- end -}}
Expand Down Expand Up @@ -641,6 +642,13 @@ The name of the Service which will be used by the controller to update the Ingre
- name: admin-client-ca
configMap:
name: {{ template "kong.fullname" . }}-admin-client-ca
{{- else if (and $.Values.ingressController.adminApi.tls.client.enabled (not $.Values.ingressController.adminApi.tls.client.certProvided)) }}
- name: admin-client-ca
secret:
secretName: {{ template "adminApiService.caSecretName" . }}
items:
- key: tls.crt
path: tls.crt
{{- end -}}
{{- range $secretVolume := .Values.secretVolumes }}
- name: {{ . }}
Expand Down Expand Up @@ -710,7 +718,7 @@ The name of the Service which will be used by the controller to update the Ingre
mountPath: /kong_dbless/
{{- end }}
{{- end }}
{{- if or $.Values.admin.tls.client.caBundle $.Values.admin.tls.client.secretName }}
{{- if or $.Values.admin.tls.client.caBundle $.Values.admin.tls.client.secretName (and $.Values.ingressController.adminApi.tls.client.enabled (not $.Values.ingressController.adminApi.tls.client.certProvided)) }}
- name: admin-client-ca
mountPath: /etc/admin-client-ca/
readOnly: true
Expand Down Expand Up @@ -867,7 +875,7 @@ the template that it itself is using form the above sections.
{{- $_ := set $listenConfig "address" (default $address .address) -}}
{{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}}

{{- if or .tls.client.secretName .tls.client.caBundle -}}
{{- if or .tls.client.secretName .tls.client.caBundle (and $.Values.ingressController.adminApi.tls.client.enabled (not $.Values.ingressController.adminApi.tls.client.certProvided)) -}}
{{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT" "on" -}}
{{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_CLIENT_CERTIFICATE" "/etc/admin-client-ca/tls.crt" -}}
{{- end -}}
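Review bot: The new generated-CA condition — the `else if` on the `admin-client-ca` volume, the volumeMount guard, and the `KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT` guard — is keyed only on `ingressController.adminApi.tls.client.enabled` (now defaulting to true) and `certProvided`, never on `ingressController.enabled`, so a proxy-only release with the controller disabled would presumably still mount `adminApiService.caSecretName` and turn on client verification for the admin listener; if that secret is only rendered when the controller is enabled the pod cannot start, and if it is rendered the admin API demands a client certificate that no controller holds. Consider gating on the controller as well, e.g. `(and $.Values.ingressController.enabled $.Values.ingressController.adminApi.tls.client.enabled (not $.Values.ingressController.adminApi.tls.client.certProvided))`, and since the same three-term expression is now repeated three times, folding it into a named helper template so the three guards cannot drift apart. Separately, `CONTROLLER_GATEWAY_DISCOVERY_DNS_STRATEGY` is set to `pod` whenever gateway discovery is enabled, not only when the generated certificate is in use; a comment such as `{{/* generated admin certs are issued for pod addresses, so discovery must resolve pods; user-supplied env is expected to override this */}}` would record the reason, with the override behaviour of `$autoEnv` still to be confirmed since it is not visible here. The enclosing named templates start and end outside these hunks.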
5 changes: 4 additions & 1 deletion charts/kong/values.yaml
Expand Up @@ -182,6 +182,9 @@ admin:
# - secretName - the secret must contain a key named "tls.crt" with the PEM-encoded certificate.
# - caBundle (PEM-encoded certificate string).
# If both are set, caBundle takes precedence.
# If neither are set, and the controller uses generated client certificates
# (ingressController.adminApi.tls.client.enabled=true and ingressController.adminApi.tls.client.certProvided=false),
# the chart will use the generated certificate's CA for the Kong admin API
client:
caBundle: ""
secretName: ""
Expand Down Expand Up @@ -718,7 +721,7 @@ ingressController:
tls:
client:
# Enable TLS client authentication for the Admin API.
enabled: false
enabled: true

# If set to false, Helm will generate certificates for you.
# If set to true, you are expected to provide your own secret (see secretName, caSecretName).
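Review bot: The default flip to `enabled: true` deserves a comment on upgrade impact: any existing release that left this key unset will, on its next upgrade, have Helm generate a CA and client certificate and, per the new admin.tls.client note in this same file, switch the proxy's admin listener to require client certificates, which breaks every other Admin API client that does not present a cert signed by the generated CA. Suggest expanding the comment to `# Enable TLS client authentication for the Admin API. Defaults to true; with certProvided=false the chart generates the CA and client certificate and configures the proxy to require them, so any other Admin API client must present a certificate signed by that CA.` If the certificate-generating template does not look up and reuse an existing secret, each render would also mint a fresh CA and silently invalidate the previously issued client certificate on every upgrade — worth confirming, since that template is not part of this diff. Minor wording in the new admin.tls.client comment: `If neither are set` reads better as `If neither is set`.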
