ACM certificates are not actually supported for EKS VirtualGateway->listener->tls->validation->trust config
pequalsnp opened this issue
Describe the bug
The CRDs show that you should be able to pass configuration like this (this is from terraform, that's where the variables are coming from):
apiVersion: appmesh.k8s.aws/v1beta2
kind: VirtualGateway
metadata:
  name: ${local.ingress_gateway_app_name}
  namespace: ${kubernetes_namespace.ingress_gw_namespace.metadata[0].name}
spec:
  namespaceSelector:
    matchLabels:
      gateway: ${local.ingress_gateway_app_name}
  podSelector:
    matchLabels:
      app: ${local.ingress_gateway_app_name}
  listeners:
    - portMapping:
        port: 50051
        protocol: grpc
      tls:
        certificate:
          acm:
            certificateARN: ${local.private_regional_certificate_arn}
        mode: STRICT
        validation:
          trust:
            acm:
              certificateAuthorityARNs:
                - <ARN>
but if you create a VirtualGateway with that configuration you will receive an error:
BadRequestException: One type of TLS Validation Context Trust must be set.
This appears to be because, although ACM is defined in the Go type, the conversion code doesn't actually consider ACM.
Steps to reproduce
Using a k8s VirtualGateway object in EKS, attempt to use ACM (specifically an ACM Private certificate authority ARN) for listener tls validation.
Expected outcome
Client requests are verified against the given ACM Private CA.
Environment
- App Mesh controller version: v1.4.3
- Envoy version: 840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-envoy:v1.20.0.1-prod
- Are you using any integrations? X-ray, Jaeger etc. If so versions? No
- Kubernetes version: v1.21.5-eks-bc4871b
- Using EKS (yes/no), if so version? Yes, see above.
Additional Context:
If you can't fix the implementation, at least fix the custom resource definitions to disallow this.
This can be worked around by storing the certificate in a secret and using it by file, again this is using terraform:
resource "kubernetes_secret" "ingress_gateway_pki" {
  provider = kubernetes.gsa_us_east_2
  metadata {
    name      = "pki"
    namespace = kubernetes_namespace.ingress_gw_namespace.metadata[0].name
  }
  data = {
    "ca.crt" = data.aws_acmpca_certificate_authority.acmpca.certificate
  }
}
Then in your deployment
volumeMounts:
  - name: pki
    mountPath: "/mnt/pki"
    readOnly: true
volumes:
  - name: pki
    secret:
      secretName: ${kubernetes_secret.ingress_gateway_pki.metadata[0].name}
and modify the VirtualGateway spec above
validation:
  trust:
    file:
      certificateChain: /mnt/pki/ca.crt
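As an added illustration of the failure mode described in this issue (example code, not the controller's own): a hypothetical Go mirror of the CRD-to-API trust conversion with the acm branch missing, beside the fixed version, plus a check that reproduces the service-side rule behind the BadRequestException (exactly one trust type set). All type and function names here are assumptions.

```go
package main

import "errors"

// Hypothetical, simplified mirrors of the CRD and API shapes; not the controller's own types.
type ACMTrust struct{ CertificateAuthorityARNs []string }
type FileTrust struct{ CertificateChain string }

// CRDTrust is what the listener's tls.validation.trust block decodes to.
type CRDTrust struct {
	ACM  *ACMTrust
	File *FileTrust
}

// APITrust is the field sent to App Mesh; the service requires exactly one type to be set.
type APITrust struct {
	ACMARNs   []string
	FileChain string
}

// buggyConvert reproduces the behaviour the issue describes: the acm branch is missing,
// so a CRD trust that only sets acm converts to an empty API trust.
func buggyConvert(in CRDTrust) APITrust {
	var out APITrust
	if in.File != nil {
		out.FileChain = in.File.CertificateChain
	}
	return out
}

// fixedConvert adds the missing acm branch on top of buggyConvert.
func fixedConvert(in CRDTrust) APITrust {
	out := buggyConvert(in)
	if in.ACM != nil {
		out.ACMARNs = append([]string(nil), in.ACM.CertificateAuthorityARNs...)
	}
	return out
}

// validateTrust mimics the server-side check behind the BadRequestException quoted in the issue:
// the request is rejected when both trust types are set or when neither is.
func validateTrust(t APITrust) error {
	if (len(t.ACMARNs) > 0) == (t.FileChain != "") {
		return errors.New("BadRequestException: One type of TLS Validation Context Trust must be set.")
	}
	return nil
}
```

Running the acm-only trust through buggyConvert yields an empty APITrust, which is exactly what the service rejects; the file workaround from the issue passes through both versions unchanged.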