
feat: Istio Gateway Secret CA Cert Bundling #2226

LeelaChacha
Contributor

@LeelaChacha LeelaChacha commented Jan 31, 2025

Description

Changes proposed in this pull request:

  • CA Bundle Handler for zero downtime handling of the istio gateway secret.
  • Flag in bootstrap code to choose between legacy and zero downtime strategy.
  • Requeue Intervals in the Istio Gateway Secret Controller.
  • Removal of ca-rotation-test E2E (already covered in legacy istio gateway secret E2E test)
  • E2E test to verify that no downtime occurs.

Related issue(s)

Closes #1506

@LeelaChacha LeelaChacha requested a review from a team as a code owner January 31, 2025 08:22
@kyma-bot kyma-bot added cla: yes Indicates the PR's author has signed the CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 31, 2025
@kyma-bot kyma-bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Feb 6, 2025
@LeelaChacha
Contributor Author

LeelaChacha commented Feb 6, 2025

TO BE CONFIRMED/Discussed:

  • The default values of the newly introduced flags:
	DefaultIstioGatewayCertSwitchBeforeExpirationTime                   = 24 * time.Hour
	DefaultIstioGatewaySecretRequeueSuccessInterval                     = 5 * time.Minute
	DefaultIstioGatewaySecretRequeueErrInterval                         = 2 * time.Second
  • Whether a new annotation should be added to the secret to make explicit which strategy it is using for rotation. (The new changes can implicitly switch between strategies for an existing gateway secret on restart.)

@kyma-bot kyma-bot removed the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Feb 10, 2025
⚠️ Pipeline-related file changes detected! Please review if related updates (e.g. manifest generation or workflow adjustments) are required.

@Tomasz-Smelcerz-SAP
Member

Tomasz-Smelcerz-SAP commented Feb 21, 2025

| Step | StepName | RootSecret | Gateway key+crt | Gateway CaBundle | Gateway tmp-ca | SKR client key+crt | SKR client CaBundle | notes |
|---|---|---|---|---|---|---|---|---|
| -5 | Working setup A | rootA | rootA | rootA | - | rootA | rootA | current setup |
| -4 | Cert rotation | rootB | rootA | rootA | - | rootA | rootA | next rotation |
| -3 | Update Gateway Secret | rootB | rootB | rootB | - | rootA | rootA | downtime |
| -2 | Migrate clients | rootB | rootB | rootB | - | rootA or rootB | rootA or rootB | all clients have initial downtime, migrated clients work |
| -1 | Working setup B | rootB | rootB | rootB | - | rootB | rootB | all clients migrated |

| Step | StepName | RootSecret | Gateway key+crt | Gateway CaBundle | Gateway tmp-ca | SKR client key+crt | SKR client CaBundle | notes |
|---|---|---|---|---|---|---|---|---|
| 0 | Deployment of new logic | rootB | rootB | rootB | - | rootB | rootB | |
| 1 | Bootstrap | rootB | rootB | rootB | rootB | rootB | rootB | bootstrap code "sees" there's no tmp-ca, so it creates it |
| 2 | Cert rotation | rootC | rootB | rootB | rootB | rootB | rootB | |
| 3 | Update Gateway CA | rootC | rootB | [rootC,rootB] | rootB | rootB | rootB | clients still work as rootB is still in Gateway's CA bundle |
| 4 | Migrate clients | rootC | rootB | [rootC,rootB] | rootB | rootB or rootC | rootB or [rootC,rootB] | Gateway accepts both old and migrated clients. Old and migrated clients will accept Gateway |
| 5 | Switch Gateway Cert | rootC | rootC | [rootC,rootB] | rootC | rootB or rootC | rootB or [rootC,rootB] | Gateway accepts only migrated clients. Old clients (if any) have downtime |
| 6 | Configure clients | rootC | rootC | [rootC,rootB] | rootC | rootC | [rootC,rootB] | Configure all new + outdated clients (if any) |

| Step | StepName | RootSecret | Gateway key+crt | Gateway CaBundle | Gateway tmp-ca | SKR client key+crt | SKR client CaBundle | notes |
|---|---|---|---|---|---|---|---|---|
| 7 | Cert rotation | rootD | rootC | [rootC,rootB] | rootC | rootC | [rootC,rootB] | |
| 8 | Update Gateway CA | rootD | rootC | [rootD,rootC] | rootC | rootC | [rootC,rootB] | clients still work as rootC is still in Gateway's CA bundle |
| 9 | Migrate clients | rootD | rootC | [rootD,rootC] | rootC | rootC or rootD | [rootC,rootB] or [rootD,rootC] | Gateway accepts both old and migrated clients. Old and migrated clients will accept Gateway |
| 10 | Switch Gateway Cert | rootD | rootD | [rootD,rootC] | rootD | rootC or rootD | [rootC,rootB] or [rootD,rootC] | Gateway accepts only migrated clients. Old clients (if any) have downtime |
| 11 | Configure clients | rootD | rootD | [rootD,rootC] | rootD | rootD | [rootD,rootC] | Configure all new + outdated clients (if any) |
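The rotation table above can be checked mechanically: an mTLS handshake succeeds only when each side finds the other side's issuing CA in its own bundle. The following is an added illustration, not code from the lifecycle-manager repository; the `Peer`/`Step` types and the three selected rows are constructed from the table (the tmp-ca column is left out because it does not take part in the handshake).

```go
package main

import "fmt"

// Peer is one side of the mTLS connection, as in the columns of the table above.
type Peer struct {
	CertIssuer string   // CA that signed this side's key+crt
	CABundle   []string // CAs this side accepts for the other side
}

// Step is one table row: the gateway plus an old (unmigrated) and a migrated SKR client.
type Step struct {
	Name          string
	Gateway       Peer
	Old, Migrated Peer
}

func trusts(bundle []string, issuer string) bool {
	for _, ca := range bundle {
		if ca == issuer {
			return true
		}
	}
	return false
}

// Handshake succeeds only if each side finds the other's issuer in its own bundle.
func Handshake(gateway, client Peer) bool {
	return trusts(client.CABundle, gateway.CertIssuer) &&
		trusts(gateway.CABundle, client.CertIssuer)
}

// Steps holds constructed rows from the table: legacy step -3 and new-logic steps 3 and 5.
func Steps() []Step {
	oldA, oldB := Peer{"rootA", []string{"rootA"}}, Peer{"rootB", []string{"rootB"}}
	migB, migC := Peer{"rootB", []string{"rootB"}}, Peer{"rootC", []string{"rootC", "rootB"}}
	return []Step{
		{"-3 Update Gateway Secret (legacy)", Peer{"rootB", []string{"rootB"}}, oldA, migB},
		{"3 Update Gateway CA", Peer{"rootB", []string{"rootC", "rootB"}}, oldB, migC},
		{"5 Switch Gateway Cert", Peer{"rootC", []string{"rootC", "rootB"}}, oldB, migC},
	}
}

func main() {
	for _, s := range Steps() {
		fmt.Printf("%-34s old clients connect: %-5v migrated clients connect: %v\n",
			s.Name, Handshake(s.Gateway, s.Old), Handshake(s.Gateway, s.Migrated))
	}
}
```

Running it shows the legacy step cutting off every unmigrated client, step 3 keeping both client kinds connected because rootB is still in the gateway bundle, and step 5 dropping only clients that were never migrated.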

@kyma-bot kyma-bot added the lgtm Looks good to me! label Feb 24, 2025
@LeelaChacha LeelaChacha merged commit 1773f62 into kyma-project:main Feb 24, 2025
73 of 74 checks passed
Labels
cla: yes Indicates the PR's author has signed the CLA. lgtm Looks good to me! pipeline-changed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Successfully merging this pull request may close these issues.

feat: [Zero-Downtime] Istio-Gateway Secret Certificate Bundling