From c15fd39414a9dc741bd24794737613462795d622 Mon Sep 17 00:00:00 2001
From: Travis Raines <571832+rainest@users.noreply.github.com>
Date: Thu, 7 Dec 2023 16:50:32 -0800
Subject: [PATCH] feat(mtls) enable controller mTLS by default (#971)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Enable controller mTLS by default using a generated certificate and CA. Mount generated CA for controller client certificate on proxy if available when no other client CA configuration is present. Default the gateway discovery DNS mode to pod for generated certificate compatibility.

* Update charts/kong/values.yaml

Co-authored-by: Grzegorz Burzyński

---------

Co-authored-by: Grzegorz Burzyński
---
 charts/kong/templates/_helpers.tpl | 12 ++++++++++--
 charts/kong/values.yaml | 5 ++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/charts/kong/templates/_helpers.tpl b/charts/kong/templates/_helpers.tpl
index 6043b02b2..95f74098d 100644
--- a/charts/kong/templates/_helpers.tpl
+++ b/charts/kong/templates/_helpers.tpl
@@ -441,6 +441,7 @@ The name of the Service which will be used by the controller to update the Ingre
 {{- if .Values.ingressController.gatewayDiscovery.enabled -}}
 {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_SVC" (printf "%s/%s-%s" (include "kong.namespace" .) (include "kong.fullname" .) "admin") -}}
+ {{- $_ := set $autoEnv "CONTROLLER_GATEWAY_DISCOVERY_DNS_STRATEGY" "pod" -}}
 {{- else -}}
 {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_URL" (include "kong.adminLocalURL" .) -}}
 {{- end -}}
 
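Review bot: The added `CONTROLLER_GATEWAY_DISCOVERY_DNS_STRATEGY` line hard-codes `pod` into `$autoEnv` with no comment saying why, and it fires whenever gateway discovery is enabled, not only when the chart-generated admin certificate is in play. The commit message ties it to "generated certificate compatibility", which suggests the generated certificate's names are only valid for pod DNS names; that reasoning belongs next to the code so nobody later "fixes" the strategy back to service DNS and breaks TLS verification. A one-line template comment above the set would do, e.g. `{{/* pod DNS strategy: the chart-generated admin API certificate is only valid for pod DNS names (#971); users supplying their own certificate can override via the controller env */}}`, with the override claim confirmed against how `$autoEnv` and user env are merged, which is not visible in this hunk. The enclosing template definition starts and ends outside the hunk.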
@@ -641,6 +642,13 @@ The name of the Service which will be used by the controller to update the Ingre
 - name: admin-client-ca
 configMap:
 name: {{ template "kong.fullname" . }}-admin-client-ca
+{{- else if (and $.Values.ingressController.adminApi.tls.client.enabled (not $.Values.ingressController.adminApi.tls.client.certProvided)) }}
+- name: admin-client-ca
+ secret:
+ secretName: {{ template "adminApiService.caSecretName" . }}
+ items:
+ - key: tls.crt
+ path: tls.crt
 {{- end -}}
 {{- range $secretVolume := .Values.secretVolumes }}
 - name: {{ . }}
@@ -710,7 +718,7 @@ The name of the Service which will be used by the controller to update the Ingre
 mountPath: /kong_dbless/
 {{- end }}
 {{- end }}
-{{- if or $.Values.admin.tls.client.caBundle $.Values.admin.tls.client.secretName }}
+{{- if or $.Values.admin.tls.client.caBundle $.Values.admin.tls.client.secretName (and $.Values.ingressController.adminApi.tls.client.enabled (not $.Values.ingressController.adminApi.tls.client.certProvided)) }}
 - name: admin-client-ca
 mountPath: /etc/admin-client-ca/
 readOnly: true
@@ -867,7 +875,7 @@ the template that it itself is using form the above sections.
 {{- $_ := set $listenConfig "address" (default $address .address) -}}
 {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}}
- {{- if or .tls.client.secretName .tls.client.caBundle -}}
+ {{- if or .tls.client.secretName .tls.client.caBundle (and $.Values.ingressController.adminApi.tls.client.enabled (not $.Values.ingressController.adminApi.tls.client.certProvided)) -}}
 {{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT" "on" -}}
 {{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_CLIENT_CERTIFICATE" "/etc/admin-client-ca/tls.crt" -}}
 {{- end -}}
 
diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml
index 8097ea580..9e9e30177 100644
--- a/charts/kong/values.yaml
+++ b/charts/kong/values.yaml
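Review bot: The `items` list on the new `admin-client-ca` secret volume is doing security work that nothing in the template explains: projecting only `tls.crt` keeps every other key of the `adminApiService.caSecretName` secret (presumably the CA private key, given the name) out of the proxy pod's filesystem, and a later cleanup could easily drop the `items` block as redundant. A comment above it, `{{/* project only the CA certificate; the CA private key in this secret must never be mounted into the proxy */}}`, would make the intent survive refactors. The volumes template this `else if` belongs to starts and ends outside the hunk.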
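Review bot: The predicate `(and $.Values.ingressController.adminApi.tls.client.enabled (not $.Values.ingressController.adminApi.tls.client.certProvided))` is now hand-copied into this volume-mount condition and again into the volume and admin-listen hunks of the same file; if one copy drifts, Kong either points `KONG_NGINX_ADMIN_SSL_CLIENT_CERTIFICATE` at a path with no mount behind it or mounts the CA without switching client verification on, and neither failure is obvious from any single hunk. A named template that emits the boolean once, say `kong.adminApi.useGeneratedClientCA` built from the same `and`/`not` expression, lets all three sites read `{{- if or $.Values.admin.tls.client.caBundle $.Values.admin.tls.client.secretName (include "kong.adminApi.useGeneratedClientCA" $) }}` and keeps the mount, volume and env decisions in lockstep. The enclosing volumeMounts template starts before this hunk.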
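Review bot: The new `or` clause turns `KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT` on and points `KONG_NGINX_ADMIN_SSL_CLIENT_CERTIFICATE` at `/etc/admin-client-ca/tls.crt` based solely on `ingressController.adminApi.tls.client.*`, without checking `ingressController.enabled`; with values.yaml now defaulting `enabled` to true, a proxy-only release with the controller disabled takes this branch as well. Whether the secret behind `adminApiService.caSecretName` is rendered in that case is not visible here; if it is not, the proxy pod fails on a missing secret or Kong refuses to start on a missing CA file, and if it is, the admin API silently demands a client certificate that nothing in the release holds. Consider gating on the controller too, `(and $.Values.ingressController.enabled $.Values.ingressController.adminApi.tls.client.enabled (not $.Values.ingressController.adminApi.tls.client.certProvided))`, and applying the same guard to the volume and mount conditions. The `.tls.client` scope this line reads from begins outside the hunk.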
@@ -182,6 +182,9 @@ admin:
 # - secretName - the secret must contain a key named "tls.crt" with the PEM-encoded certificate.
 # - caBundle (PEM-encoded certificate string).
 # If both are set, caBundle takes precedence.
+ # If neither are set, and the controller uses generated client certificates
+ # (ingressController.adminApi.tls.client.enabled=true and ingressController.adminApi.tls.client.certProvided=false),
+ # the chart will use the generated certificate's CA for the Kong admin API client:
 caBundle: ""
 secretName: ""
 
@@ -718,7 +721,7 @@ ingressController:
 tls:
 client:
 # Enable TLS client authentication for the Admin API.
- enabled: false
+ enabled: true
 # If set to false, Helm will generate certificates for you.
 # If set to true, you are expected to provide your own secret (see secretName, caSecretName).
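Review bot: The added comment explains when the generated CA is used but not the converse that the helper change makes true: setting `caBundle` or `secretName` replaces the generated CA on the proxy, while a controller left at `certProvided=false` keeps presenting its generated client certificate, so its admin API calls would fail client verification unless that certificate chains to the supplied CA. Suggest extending the comment: `# Setting caBundle or secretName replaces the generated CA; the controller then needs ingressController.adminApi.tls.client.certProvided=true and a client certificate signed by the CA you supply.` Minor: `If neither are set` reads better as `If neither is set`.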