aws / aws-app-mesh-controller-for-k8s

A controller to help manage App Mesh resources for a Kubernetes cluster.

ACM certificates are not actually supported for EKS VirtualGateway->listener->tls->validation->trust config

pequalsnp opened this issue · comments

Describe the bug
The CRDs show that you should be able to pass configuration like this (this is from terraform, that's where the variables are coming from):

apiVersion: appmesh.k8s.aws/v1beta2
kind: VirtualGateway
metadata:
  name: ${local.ingress_gateway_app_name}
  namespace: ${kubernetes_namespace.ingress_gw_namespace.metadata[0].name}
spec:
  namespaceSelector:
    matchLabels:
      gateway: ${local.ingress_gateway_app_name}
  podSelector:
    matchLabels:
      app: ${local.ingress_gateway_app_name}
  listeners:
    - portMapping:
        port: 50051
        protocol: grpc
      tls:
        certificate:
          acm:
            certificateARN: ${local.private_regional_certificate_arn}
        mode: STRICT
        validation:
          trust:
            acm:
              certificateAuthorityARNs:
                - <ARN>

but if you create a VirtualGateway with that configuration you will receive an error:

BadRequestException: One type of TLS Validation Context Trust must be set.

This appears to be because although ACM is defined in the Go type the conversion code doesn't actually consider ACM.

Steps to reproduce

Using a k8s VirtualGateway object in EKS, attempt to use ACM (specifically an ACM Private certificate authority ARN) for listener tls validation.

Expected outcome
Client requests are verified against the given ACM Private CA.

Environment

  • App Mesh controller version
    v1.4.3
  • Envoy version
    840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-envoy:v1.20.0.1-prod
  • Are you using any integrations? X-ray, Jaeger etc. If so versions?
    No
  • Kubernetes version
    v1.21.5-eks-bc4871b
  • Using EKS (yes/no), if so version?
    Yes, see above.

Additional Context:

If you can't fix the implementation, at least fix the custom resource definitions to disallow this.

This can be worked around by storing the certificate in a secret and using it by file, again this is using terraform:

resource "kubernetes_secret" "ingress_gateway_pki" {
  provider = kubernetes.gsa_us_east_2
  metadata {
    name      = "pki"
    namespace = kubernetes_namespace.ingress_gw_namespace.metadata[0].name
  }

  data = {
    "ca.crt" = data.aws_acmpca_certificate_authority.acmpca.certificate
  }
}

Then in your deployment

        volumeMounts:
          - name: pki
            mountPath: "/mnt/pki"
            readOnly: true
      volumes:
        - name: pki
          secret:
            secretName: ${kubernetes_secret.ingress_gateway_pki.metadata[0].name}

and modify the VirtualGateway spec above

        validation:
          trust:
            file:
              certificateChain: /mnt/pki/ca.crt
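The defect described in this issue (a trust type that exists in the CRD's Go type but is never consulted when the object is converted into the App Mesh API request) can be illustrated with a stand-alone model. The Go below is an added example, not the controller's own code: the type names (`ListenerTLSValidationTrust`, `SDKTrust`, `convertTrustBuggy`, `convertTrustFixed`, `validateSDKTrust`) and the placeholder ARN are constructed for this illustration. The buggy converter drops the ACM branch exactly as the issue describes, so an ACM-only trust reaches the API as an empty trust object and trips the "One type of TLS Validation Context Trust must be set" rule; the fixed converter carries the ACM ARNs through, and a local pre-flight check enforces the same rule before any API call is made.

```go
package main

import "fmt"

// Simplified stand-ins for the CRD trust sub-types (constructed for this
// example; not the controller's actual definitions).
type FileTrust struct {
	CertificateChain string
}

type SDSTrust struct {
	SecretName string
}

type ACMTrust struct {
	CertificateAuthorityARNs []string
}

// ListenerTLSValidationTrust mirrors the CRD shape shown in the issue:
// exactly one of the pointers is expected to be set.
type ListenerTLSValidationTrust struct {
	File *FileTrust
	SDS  *SDSTrust
	ACM  *ACMTrust
}

// SDKTrust stands in for the App Mesh API request object; a nil field is unset.
type SDKTrust struct {
	File *FileTrust
	SDS  *SDSTrust
	ACM  *ACMTrust
}

// convertTrustBuggy models the behaviour reported in the issue: the File and
// SDS branches are converted, the ACM branch is never looked at, so an
// ACM-only CRD object becomes an SDK object with no trust type set at all.
func convertTrustBuggy(in ListenerTLSValidationTrust) SDKTrust {
	var out SDKTrust
	if in.File != nil {
		out.File = &FileTrust{CertificateChain: in.File.CertificateChain}
	}
	if in.SDS != nil {
		out.SDS = &SDSTrust{SecretName: in.SDS.SecretName}
	}
	return out
}

// convertTrustFixed adds the missing ACM branch on top of the existing ones.
func convertTrustFixed(in ListenerTLSValidationTrust) SDKTrust {
	out := convertTrustBuggy(in)
	if in.ACM != nil {
		arns := make([]string, len(in.ACM.CertificateAuthorityARNs))
		copy(arns, in.ACM.CertificateAuthorityARNs)
		out.ACM = &ACMTrust{CertificateAuthorityARNs: arns}
	}
	return out
}

// validateSDKTrust applies the rule quoted in the issue's BadRequestException
// locally: exactly one trust type must be set. Running it before the API call
// turns a remote 400 into an error that names the converted object.
func validateSDKTrust(t SDKTrust) error {
	n := 0
	if t.File != nil {
		n++
	}
	if t.SDS != nil {
		n++
	}
	if t.ACM != nil {
		n++
	}
	if n != 1 {
		return fmt.Errorf("one type of TLS Validation Context Trust must be set, got %d", n)
	}
	return nil
}

func main() {
	// Constructed input: ACM-only trust with a placeholder CA ARN.
	crd := ListenerTLSValidationTrust{
		ACM: &ACMTrust{CertificateAuthorityARNs: []string{
			"arn:aws:acm-pca:REGION:ACCOUNT:certificate-authority/PLACEHOLDER",
		}},
	}
	fmt.Println("buggy converter:", validateSDKTrust(convertTrustBuggy(crd)))
	fmt.Println("fixed converter:", validateSDKTrust(convertTrustFixed(crd)))
}
```

The same pre-flight check is also the shape of the CRD-side fix the issue asks for as a fallback: if the controller cannot forward an ACM trust, rejecting it at admission (or in the CRD schema) is better than accepting the object and failing later with a generic API error.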