Secret Discovery Service for v2 APIs

[angelachin]

Hi,

We want to be able to rotate Envoy certs/keys without having to restart the Envoy. We're particularly interested in the client cert/key for connecting to upstream clusters. We recognize the CDS allows us to dynamically change clusters, but that doesn't let us rotate the cert used to connect to the CDS itself.

We see prior discussion about supporting cert rotation (#891) which was answered by pointing people towards the in-development LDS (#315). However, we don't see how the LDS solves the problem of rotating certs used to connect to the CDS.

What work would be required for support cert/key rotation for CDS without having to restart Envoy? This issue is a blocker for us using Envoy (we're looking at integrating it, and perhaps Istio, into Cloud Foundry).

We might be able to contribute the feature, if we had some guidance.

Cheers,
Angela and @rosenhouse

[mattklein123]

We don't have a good story/plan for this right now. However I recognize that it's an important use case. For now is it possible to hot restart the entire Envoy process until we figure out the right approach/resources for solving this?

[angelachin]

Thanks. Our process monitoring currently does not support hot restarting the Envoy, but we can probably find a work-around.

[mattklein123]

@htuch @dnoe @myidpt ^ for xDS TLS bootstrapping issue.

[htuch]

So, if we add KDS, we could have Envoy's client cert (presumably specified in bootstrap.proto) can either be on disk or via KDS.

[mattklein123]

But that doesn't implicitly handle rotation. If we want rotation KDS must be polling and able to update the context inline.

[mattklein123]

(Which I guess is where we were going anyway)

[htuch]

Yeah, it should support server initiated updates like the other APIs. I'm not if I fully grok the implementation complexity of this - can't we have a map somewhere from cert name to certificate and just have KDS map this essentially, with LDS consuming (for server certs) and also the xDS APIs consuming (for Envoy management server client certs).

[mattklein123]

Basically the question is where the KDS polling lives and how it actually physically does the update in the code if there is a key material change. For example, there are a few concrete implementation options:

1. KDS is able to reach into an existing listener or cluster, and modify the ssl_context with new key material (we should not limit KDS to xDS APIs, it should just be part of the generic cluster definition).
2. Listener/Clusters continue to be effectively immutable, and a KDS update logically regenerates the listener/cluster with new key material and forces an update of either the listener or cluster via LDS/CDS internal API.

I think either could work. Whoever does the actual implementation of this will need to do some design work.

[myidpt]

@wattli

Just to make it a little clear to me, in terms of triggering runtime cert rotation, I think there are two cases (please correct me if I misspoke):

1. Only change the file content of the files in ssl_context w/o changing the file paths. This requires recreating Ssl::ContextImpl:
   https://github.com/lyft/envoy/blob/7503ce005f346b04c762506c1becbfddea9a86ce/source/common/ssl/context_impl.cc#L22
   which is created at initiation of ClusterInfoImpl:
   https://github.com/lyft/envoy/blob/252c361a3a3c4b8383cce8c70ce1c2bbd173523d/source/common/upstream/upstream_impl.cc#L84
   I think the only instantiation is at start / when a new CDS update is pulled. But the CDS does not necessarily change. So we need to either 1) dynamically check the files for updates or 2) rely on KDS to recreate Ssl::ContextImpl.
2. Change the file paths in ssl_context to reflect a rotation. This requires reloading new configuration into memory. It is also triggered by CDS. This could be considered as a workround but not ideal.

Another question is (just thinking aloud), if the certificate is changed (SAN changed) in the middle of a connection, how to re-authenticate? This is like a corner case but I think we may need to cover it some time in the future.

[rosenhouse]

if the certificate is changed (SAN changed) in the middle of a connection, how to re-authenticate

Would it be possible to continue using the old cert until the connection can be drained, and only use the new cert for new connections?

[mattklein123]

Would it be possible to continue using the old cert until the connection can be drained, and only use the new cert for new connections?

Yes this is how it will work.

[myidpt]

I doubt that is a security issue. Suppose a client has a certificate with a specific SAN for only 10 min, if he uses that cert to establish a one-day connection, is that a problem?