Handle PrivateKeyProvider configuration#37681
Conversation
|
😊 Welcome @rveerama1! This is either your first contribution to the Istio istio repo, or it's been You can learn more about the Istio working groups, code of conduct, and contributing guidelines Thanks for contributing! Courtesy of your friendly welcome wagon. |
|
Hi @rveerama1. Thanks for your PR. I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
As it depends upon api changes, build fails. I will move to WIP. |
3ad09e4 to
5adfa5d
Compare
|
@howardjohn @jacob-delgado @ericvn PTAL about implementation of istio/api#2261 private key provider addition. |
|
/retest |
pilot/pkg/xds/sds.go
Outdated
There was a problem hiding this comment.
this has quite some duplicate code as the other toEnvoyKeyCertSecretWithPrivateKeyProvider(), could we refactor and try to share the common logic
There was a problem hiding this comment.
It has some, but not completely. Anyway I am working on QAT private key provider extension support. I will fine tune in that PR.
security/pkg/nodeagent/sds/server.go
Outdated
There was a problem hiding this comment.
Just some general questions
-
Regarding the
PrivateKeyProviderextension, is it actually providing any private key? The name is a bit confused to me because based on the PR and my understanding, it does not provide any private key but is just a new type (cryptomb) to wrap the TLS config that tells Envoy to process it with some hardware assisted acceleration? -
How are you going to e2e test the feature if it requires some special hardware support?
There was a problem hiding this comment.
- Regarding the
PrivateKeyProviderextension, is it actually providing any private key? The name is a bit confused to me because based on the PR and my understanding, it does not provide any private key but is just a new type (cryptomb) to wrap the TLS config that tells Envoy to process it with some hardware assisted acceleration?
Name is bit confusing, but I tried to sync with Envoy naming pattern https://github.com/envoyproxy/envoy/tree/main/api/contrib/envoy/extensions/private_key_providers
There was a problem hiding this comment.
I think there are two things which can be e2e tested. One is the functionality of setting a private key provider configuration to Envoy, and the other is a specific private key provider such as CryptoMB.
The first case is probably not too bad -- for example Envoy uses a software-only private key provider for testing the interfaces (https://github.com/envoyproxy/envoy/blob/main/test/extensions/transport_sockets/tls/test_private_key_method_provider.cc) and we could do something similar. The test private key provider isn't exposed by Envoy though, but that code could probably be used or reimplemented by istio/proxy test/envoye2e directory.
The second case (CryptoMB) is tricky because that will indeed require a very modern Xeon processor. An e2e test could be written but it should be behind a switch, and we need to understand if it's possible to make the CI tests run in an environment which supports AVX-512. @yangminzhu do you have any suggestions how this could be accomplished?
There was a problem hiding this comment.
Thanks for the detail explanation, the naming part is a bit confusing but I think it is fine if you could document it clearly in the code and documentation so that other users does not confuse it with things like Plug in certificate that is really providing its own private/public key to Istio.
Regarding the e2e tests, it would be nice if you can somehow mock the CryptoMB functionality in Envoy then run it like a real e2e test but I have no idea how to do it easily so you probably will end up with tests verifying the Envoy TLS configs generated correctly (but not executing them). Also I have no idea how to require a very modern Xeon processor in the CI environment (it gives you some flexibility in machine type but probably not to the level for custom CPU), @howardjohn might know about about the CI configuration.
65390da to
858ea4f
Compare
howardjohn
left a comment
There was a problem hiding this comment.
LGTM once we fix the gateway part, should be small fix
776ffcb to
0d7e4ac
Compare
|
/retest |
|
cc @rveerama1 Looks like you need to re-base, but have the appropriate approvals. |
When the PrivateKeyProvider configuration information is provided
through Istio operator yaml file, parse and pass it to gateway or
sidecars. Envoy will act based on the information provided by the
configuration.
To set the mesh wide defaults, configure the `defaultConfig` section of `meshConfig`.
For example:
meshConfig:
defaultConfig:
privateKeyProvider:
cryptomb:
pollDelay: 0.01s
This can also be configured on a per-workload basis by configuring the `proxy.istio.io/config`
annotation on the pod.
For example:
annotations:
proxy.istio.io/config: |
privateKeyProvider:
cryptomb:
pollDelay: 0.01s
0d7e4ac to
8a1e306
Compare
|
thank you, @jacob-delgado @howardjohn fixed the conflicts. can you remove the |
howardjohn
left a comment
There was a problem hiding this comment.
Thanks for the great work here!
* Handle PrivateKeyProvider configuration
When the PrivateKeyProvider configuration information is provided
through Istio operator yaml file, parse and pass it to gateway or
sidecars. Envoy will act based on the information provided by the
configuration.
To set the mesh wide defaults, configure the `defaultConfig` section of `meshConfig`.
For example:
meshConfig:
defaultConfig:
privateKeyProvider:
cryptomb:
pollDelay: 0.01s
This can also be configured on a per-workload basis by configuring the `proxy.istio.io/config`
annotation on the pod.
For example:
annotations:
proxy.istio.io/config: |
privateKeyProvider:
cryptomb:
pollDelay: 0.01s
* add release notes
* add validation and tests
* modify according to api change
* address comments
* Fix lint issues
* address comments
* address jacob-delgado and howardjohn comments
* add tests
* use default config
* fix rebase conflicts
* fix config for gateway cert
* fix rebase conflicts
* Handle PrivateKeyProvider configuration
When the PrivateKeyProvider configuration information is provided
through Istio operator yaml file, parse and pass it to gateway or
sidecars. Envoy will act based on the information provided by the
configuration.
To set the mesh wide defaults, configure the `defaultConfig` section of `meshConfig`.
For example:
meshConfig:
defaultConfig:
privateKeyProvider:
cryptomb:
pollDelay: 0.01s
This can also be configured on a per-workload basis by configuring the `proxy.istio.io/config`
annotation on the pod.
For example:
annotations:
proxy.istio.io/config: |
privateKeyProvider:
cryptomb:
pollDelay: 0.01s
* add release notes
* add validation and tests
* modify according to api change
* address comments
* Fix lint issues
* address comments
* address jacob-delgado and howardjohn comments
* add tests
* use default config
* fix rebase conflicts
* fix config for gateway cert
* fix rebase conflicts
@howardjohn I am looking into write e2e test setup for this. Need some help.
|
Please provide a description of this PR:
When the PrivateKeyProvider configuration information is provided through Istio operator yaml file, parse and pass it to gateway or sidecars. Envoy will act based on the information provided by the configuration.
To set the mesh wide defaults, configure the
defaultConfigsection ofmeshConfig.For example:
This can also be configured on a per-workload basis by configuring the
proxy.istio.io/configannotation on the pod.
For example:
This requires istio/api#2261