From 1fd2f455728b16ce2e6b68b09b249c9000a53a9e Mon Sep 17 00:00:00 2001 From: SpectralHiss Date: Fri, 16 Feb 2024 16:01:28 +0000 Subject: [PATCH 1/5] Add end-to-end test for ECC 256 + 384 Signed-off-by: SpectralHiss --- deploy/charts/istio-csr/values.yaml | 2 +- make/02_mod.mk | 1 + make/test-ecc.mk | 32 ++++++++++ test/ecc/.gitignore | 2 + test/ecc/cleanup.sh | 30 +++++++++ test/ecc/env.sh | 30 +++++++++ test/ecc/issuers/root.yaml | 27 ++++++++ test/ecc/issuers/selfsigned.yaml | 7 +++ test/ecc/reset-istio-csr.sh | 34 ++++++++++ test/ecc/run.sh | 46 ++++++++++++++ test/ecc/setup.sh | 65 ++++++++++++++++++++ test/ecc/test.sh | 71 +++++++++++++++++++++ test/ecc/values/istio-csr-ecdsa_p256.yaml | 39 ++++++++++++ test/ecc/values/istio-csr-ecdsa_p384.yaml | 39 ++++++++++++ test/ecc/values/istio-ecdsa_p256.yaml | 24 ++++++++ test/ecc/values/istio-ecdsa_p384.yaml | 24 ++++++++ test/ecc/workloads/httpbin.yaml | 70 +++++++++++++++++++++ test/ecc/workloads/sleep.yaml | 75 +++++++++++++++++++++++ 18 files changed, 617 insertions(+), 1 deletion(-) create mode 100644 make/test-ecc.mk create mode 100644 test/ecc/.gitignore create mode 100755 test/ecc/cleanup.sh create mode 100755 test/ecc/env.sh create mode 100644 test/ecc/issuers/root.yaml create mode 100644 test/ecc/issuers/selfsigned.yaml create mode 100755 test/ecc/reset-istio-csr.sh create mode 100755 test/ecc/run.sh create mode 100755 test/ecc/setup.sh create mode 100755 test/ecc/test.sh create mode 100644 test/ecc/values/istio-csr-ecdsa_p256.yaml create mode 100644 test/ecc/values/istio-csr-ecdsa_p384.yaml create mode 100644 test/ecc/values/istio-ecdsa_p256.yaml create mode 100644 test/ecc/values/istio-ecdsa_p384.yaml create mode 100644 test/ecc/workloads/httpbin.yaml create mode 100644 test/ecc/workloads/sleep.yaml diff --git a/deploy/charts/istio-csr/values.yaml b/deploy/charts/istio-csr/values.yaml index 4a2a22b3..407806e7 100644 --- a/deploy/charts/istio-csr/values.yaml +++ b/deploy/charts/istio-csr/values.yaml 
@@ -131,7 +131,7 @@ app: istiodCertificateRenewBefore: 30m # Create the default certificate as part of install. istiodCertificateEnable: true - # Number of bits to use for istiod-tls RSAKey + # Number of bits to use for istiod-tls Key istiodPrivateKeySize: 2048 server: diff --git a/make/02_mod.mk b/make/02_mod.mk index 4a16b48b..ff7e6472 100644 --- a/make/02_mod.mk +++ b/make/02_mod.mk @@ -19,6 +19,7 @@ $(kind_cluster_config): make/config/kind/cluster.yaml | $(bin_dir)/scratch include make/test-e2e.mk include make/test-carotation.mk +include make/test-ecc.mk include make/test-unit.mk .PHONY: release diff --git a/make/test-ecc.mk b/make/test-ecc.mk new file mode 100644 index 00000000..1a1bdf83 --- /dev/null +++ b/make/test-ecc.mk 
@@ -0,0 +1,32 @@ +# Copyright 2023 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +.PHONY: test-ecc +## ecc test +## @category Testing +test-ecc: kind_cluster_name := "istio-csr-ecc" +test-ecc: e2e-setup-cert-manager oci-load-manager | $(bin_dir)/scratch/istioctl-$(ISTIO_VERSION) $(NEEDS_KUBECTL) $(NEEDS_HELM) $(NEEDS_KIND) $(NEEDS_GOJQ) + $(eval oci_image_tar := $(bin_dir)/scratch/image/oci-layout-manager.$(oci_manager_image_tag).docker.tar) + + ARTIFACTS=$(ARTIFACTS) \ + ISTIO_CSR_IMAGE=$(oci_manager_image_name_development) \ + ISTIO_CSR_IMAGE_TAR=$(oci_image_tar) \ + ISTIO_CSR_IMAGE_TAG=$(oci_manager_image_tag) \ + KIND_CLUSTER_NAME=$(kind_cluster_name) \ + ISTIO_BIN=$(bin_dir)/scratch/istioctl-$(ISTIO_VERSION) \ + KUBECTL_BIN=$(KUBECTL) \ + HELM_BIN=$(HELM) \ + KIND_BIN=$(KIND) \ + JQ_BIN=$(GOJQ) \ + ./test/ecc/run.sh diff --git a/test/ecc/.gitignore b/test/ecc/.gitignore new file mode 100644 index 00000000..43138a54 --- /dev/null +++ b/test/ecc/.gitignore @@ -0,0 +1,2 @@ +/ca.pem +/istio-csr-serving.pems \ No newline at end of file diff --git a/test/ecc/cleanup.sh b/test/ecc/cleanup.sh new file mode 100755 index 00000000..e681dd62 --- /dev/null +++ b/test/ecc/cleanup.sh 
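Review bot: `test-ecc: kind_cluster_name := "istio-csr-ecc"` stores the double quotes as part of the Make value; it only works because the value is handed to the shell as `KIND_CLUSTER_NAME=$(kind_cluster_name)`, where the shell strips them, and it would break the moment the variable is used in a Make function or a file path. `test-ecc: kind_cluster_name := istio-csr-ecc` is the safer form. A `$(eval oci_image_tar := …)` inside a recipe also defines a global Make variable at recipe-expansion time; if it is kept, a one-line comment saying it is computed late on purpose would stop a reader from hoisting it to file level.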
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+echo "======================================"
+echo ">> cleaning up resources"
+
+rm -f "$TEST_DIR/ca.pem"
+rm -f "${ISTIO_CSR_SERVING_CERTFILE}"
+echo ">> exporting kind loads"
+$KIND_BIN export logs "$ARTIFACTS" --name "$KIND_CLUSTER_NAME"
+
+echo ">> deleting cluster..."
+$KIND_BIN delete cluster --name "$KIND_CLUSTER_NAME"
diff --git a/test/ecc/env.sh b/test/ecc/env.sh
new file mode 100755
index 00000000..d35b9a87
--- /dev/null
+++ b/test/ecc/env.sh
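Review bot: cleanup.sh runs under `set -o errexit`, so if `$KIND_BIN export logs` fails (for instance because the cluster was never created or `$ARTIFACTS` is not writable) the script aborts before `kind delete cluster` and the cluster is left behind — and since run.sh installs this script as its EXIT trap, that is exactly the path taken on any setup failure. Make the log export best-effort so the delete always runs: `$KIND_BIN export logs "$ARTIFACTS" --name "$KIND_CLUSTER_NAME" || echo ">> log export failed, continuing"`. The echo above it says "kind loads" where "kind logs" is meant.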
@@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +# Copyright 2021 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +export ARTIFACTS="${ARTIFACTS:-./_bin/artifacts}" +export ISTIO_CSR_IMAGE_TAR="${ISTIO_CSR_IMAGE_TAR:-./_bin/scratch/image/oci-layout-manager.v0.7.1.docker.tar}" +export ISTIO_CSR_IMAGE="${ISTIO_CSR_IMAGE:-cert-manager.local/cert-manager-istio-csr}" +export ISTIO_CSR_IMAGE_TAG="${ISTIO_CSR_IMAGE_TAG:-canary}" +export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-istio-ca-ecc}" + +export ISTIO_BIN="${ISTIO_BIN:-./_bin/scratch/istioctl-1.20.2}" +export KUBECTL_BIN="${KUBECTL_BIN:-./_bin/tools/kubectl}" +export HELM_BIN="${HELM_BIN:-./_bin/tools/helm}" +export KIND_BIN="${KIND_BIN:-./_bin/tools/kind}" +export JQ_BIN="${JQ_BIN:-./_bin/tools/jq}" +export RED="\e[31m" +export GREEN="\e[32m" +export ENDCOLOR="\e[0m" diff --git a/test/ecc/issuers/root.yaml b/test/ecc/issuers/root.yaml new file mode 100644 index 00000000..17cc9085 --- /dev/null +++ b/test/ecc/issuers/root.yaml 
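Review bot: the default `KIND_CLUSTER_NAME` here is `istio-ca-ecc` while make/test-ecc.mk passes `istio-csr-ecc`, so running `./test/ecc/run.sh` directly targets — and cleanup.sh deletes — a different cluster than `make test-ecc` does. Aligning the default, `export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-istio-csr-ecc}"`, removes the surprise. The `ISTIO_BIN` and image-tar defaults also pin exact versions (istioctl-1.20.2, v0.7.1) that the make target derives from `ISTIO_VERSION`/`oci_manager_image_tag`; a comment noting these fallbacks must be kept in step with the Makefile would help the next person who bumps a version.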
@@ -0,0 +1,27 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: istio-root-1 + namespace: istio-system +spec: + isCA: true + duration: 2160h + secretName: istio-root-1 + commonName: istio-root-1 + subject: + organizations: + - cluster.local + - cert-manager-root-1 + issuerRef: + name: selfsigned + kind: Issuer + group: cert-manager.io +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: istio-root-1 + namespace: istio-system +spec: + ca: + secretName: istio-root-1 \ No newline at end of file diff --git a/test/ecc/issuers/selfsigned.yaml b/test/ecc/issuers/selfsigned.yaml new file mode 100644 index 00000000..2416a817 --- /dev/null +++ b/test/ecc/issuers/selfsigned.yaml @@ -0,0 +1,7 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned + namespace: istio-system +spec: + selfSigned: {} diff --git a/test/ecc/reset-istio-csr.sh b/test/ecc/reset-istio-csr.sh new file mode 100755 index 00000000..ee4aa582 --- /dev/null +++ b/test/ecc/reset-istio-csr.sh 
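Review bot: the `istio-root-1` CA Certificate sets no `spec.privateKey`, so its key uses cert-manager's default (RSA 2048, as far as I recall), which means this "ECC" end-to-end test exercises ECDSA leaf certificates chained to an RSA root. If a homogeneous ECDSA chain is the intent, add `privateKey: {algorithm: ECDSA, size: 384}` under `spec`; if a mixed chain is deliberate, a one-line comment saying so would stop the next reader from "fixing" it. The file also ends without a trailing newline, which is cosmetic but worth correcting.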
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+echo "======================================"
+echo ">> resetting Istio + istio-csr for another test"
+
+echo ">> $HELM_BIN uninstall cert-manager-istio-csr -n cert-manager"
+$HELM_BIN uninstall cert-manager-istio-csr -n cert-manager
+
+
+echo ">> resetting Istio for another test"
+echo ">> $ISTIO_BIN uninstall -y -f \"$TEST_DIR/values/istio-ecdsa_p${KEY_SIZE}.yaml\""
+
+$ISTIO_BIN uninstall -y --purge -f "$TEST_DIR/values/istio-ecdsa_p${KEY_SIZE}.yaml"
+
+$KUBECTL_BIN delete mutatingwebhookconfigurations istio-revision-tag-default
+rm -f "${ISTIO_CSR_SERVING_CERTFILE}"
diff --git a/test/ecc/run.sh b/test/ecc/run.sh
new file mode 100755
index 00000000..0eeea076
--- /dev/null
+++ b/test/ecc/run.sh
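Review bot: `$KUBECTL_BIN delete mutatingwebhookconfigurations istio-revision-tag-default` runs under errexit without `--ignore-not-found`, so if the `istioctl uninstall --purge` just above has already removed that webhook configuration (or it was never created), the reset aborts and run.sh never reaches the P-384 pass. `$KUBECTL_BIN delete mutatingwebhookconfigurations istio-revision-tag-default --ignore-not-found` keeps the reset idempotent. The echo before the istioctl call prints `uninstall -y -f` while the command actually run adds `--purge`; keep the two in step so the log reflects what executed.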
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+TEST_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+ISTIO_CSR_SERVING_CERTFILE="${TEST_DIR}"/istio-csr-serving.pems
+
+export TEST_DIR
+# This will contain the signed certificate of "istio-csr-serving" CertificateRequests to run assertions against
+export ISTIO_CSR_SERVING_CERTFILE
+source "$TEST_DIR/env.sh"
+
+# Ensure we always clean up after ourselves.
+cleanup() {
+ "$TEST_DIR/cleanup.sh"
+}
+trap cleanup EXIT
+
+echo "======================================"
+echo ">> running full ECC 256 and 384 support"
+
+export KEY_SIZE="256"
+"$TEST_DIR/setup.sh"
+"$TEST_DIR/test.sh"
+
+"$TEST_DIR/reset-istio-csr.sh"
+export KEY_SIZE="384"
+"$TEST_DIR/setup.sh"
+"$TEST_DIR/test.sh"
+
diff --git a/test/ecc/setup.sh b/test/ecc/setup.sh
new file mode 100755
index 00000000..79e65390
--- /dev/null
+++ b/test/ecc/setup.sh
@@ -0,0 +1,65 @@ +#!/usr/bin/env bash + +# Copyright 2021 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -o nounset +set -o errexit +set -o pipefail + +echo "======================================" +echo ">> creating root of trust" + +echo ">> creating cert-manager issuers" +$KUBECTL_BIN create namespace istio-system || true +$KUBECTL_BIN apply -f "$TEST_DIR/issuers/." + +echo ">> waiting for issuers to become ready" +$KUBECTL_BIN get issuers -n istio-system +$KUBECTL_BIN wait --timeout=180s -n istio-system --for=condition=ready issuer istio-root-1 +$KUBECTL_BIN get issuers -n istio-system + +echo ">> extracting root of trust" +$KUBECTL_BIN get secret -n istio-system istio-root-1 -o jsonpath="{.data['ca\.crt']}" | base64 -d > "$TEST_DIR/ca.pem" + +echo ">> creating root of trust secret" +$KUBECTL_BIN create secret generic istio-root-certs --from-file=ca.pem="$TEST_DIR/ca.pem" -n cert-manager || true + +echo "======================================" +echo ">> installing istio-csr with roots of trust, using issuer from root-1" + +echo ">> installing cert-manager-istio-csr with using ecdsa key type" +echo "$HELM_BIN upgrade -i cert-manager-istio-csr ./deploy/charts/istio-csr -n cert-manager --values $TEST_DIR/values/istio-csr-ecdsa_p${KEY_SIZE}.yaml --wait" + +$HELM_BIN upgrade -i cert-manager-istio-csr ./deploy/charts/istio-csr \ + -n cert-manager \ + --values "$TEST_DIR/values/istio-csr-ecdsa_p${KEY_SIZE}.yaml" \ + --set 
image.repository="$ISTIO_CSR_IMAGE" \ + --set image.tag="$ISTIO_CSR_IMAGE_TAG" \ + --wait + +echo ">> installing istio" +$ISTIO_BIN install -y -f "$TEST_DIR/values/istio-ecdsa_p${KEY_SIZE}.yaml" + +echo ">> enforcing mTLS everywhere" +$KUBECTL_BIN apply -n istio-system -f - <> installing workloads and testing connectivity" + +echo ">> installing workloads" +$KUBECTL_BIN apply -f "$TEST_DIR/workloads" --wait --timeout=180s +$KUBECTL_BIN wait -n sandbox --for=condition=ready pod -l app=sleep --timeout=180s +$KUBECTL_BIN wait -n sandbox --for=condition=ready pod -l app=httpbin --timeout=180s + +echo ">> testing mTLS connection between workloads" +POD_NAME=$($KUBECTL_BIN get pod -n sandbox -l app=sleep -o jsonpath='{.items[0].metadata.name}') +$KUBECTL_BIN exec "$POD_NAME" -c sleep -n sandbox -- curl -sS httpbin:8000/ip + +echo "Ensuring the workload certificates are of the right type" +set -x + +ISTIOD_KEY_ALGORITHM=$($KUBECTL_BIN get certificate -n istio-system istiod -o jsonpath='{.spec.privateKey.algorithm}') +echo "Ensuring Istiod certificate key algorithm is ECDSA.." +if ! [[ "${ISTIOD_KEY_ALGORITHM}" == "ECDSA" ]]; then + echo -e "${RED} ✗ Wrong key type, got ${ISTIOD_KEY_ALGORITHM} expected ECDSA ${ENDCOLOR}" + exit 1 +fi +echo -e "${GREEN} ✓ Success ${ENDCOLOR}" + +echo "Ensuring Istiod certificate key size is ${KEY_SIZE}" +ISTIOD_KEY_SIZE=$($KUBECTL_BIN get certificate -n istio-system istiod -o jsonpath='{.spec.privateKey.size}') +if ! 
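Review bot: `$KUBECTL_BIN create namespace istio-system || true` and `$KUBECTL_BIN create secret generic istio-root-certs ... || true` in setup.sh make re-runs idempotent but also swallow every other failure (RBAC denial, API server unreachable, an empty `ca.pem` from the preceding extraction), so the script continues and fails later with a less obvious error. The idempotent form that still reports real errors is `$KUBECTL_BIN create secret generic istio-root-certs --from-file=ca.pem="$TEST_DIR/ca.pem" -n cert-manager --dry-run=client -o yaml | $KUBECTL_BIN apply -f -` (and likewise for the namespace). Because the secret is only created on the first pass, the P-384 pass reuses the P-256 pass's root bundle — fine while the root is shared, but a comment saying so belongs next to the `|| true`. The end of this hunk (the mTLS PeerAuthentication heredoc) is not legible in this view, so I could not review it.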
[[ "${ISTIOD_KEY_SIZE}" == "${KEY_SIZE}" ]]; then + echo -e "${RED} ✗ Wrong key size, got ${ISTIOD_KEY_SIZE} expected ${KEY_SIZE} ${ENDCOLOR}" + exit 1 +fi + +echo -e "${GREEN} ✓ Success ${ENDCOLOR} " + +echo "Getting all 'istio-csr-serving' certificates" +ISTIO_CSR_SERVING_CERTFILE="${TEST_DIR}"/istio-csr-serving.pems + +$KUBECTL_BIN -n istio-system get cr -n istio-system \ + -o=jsonpath='{.items[?(@.metadata.annotations.istio\.cert-manager\.io/identities=="istio-csr-serving")].status.certificate}' \ + | xargs -n 1 echo -e | base64 -d > "${ISTIO_CSR_SERVING_CERTFILE}" + +echo "Ensuring an IstioCSR certificate key size is ECC with ${KEY_SIZE}" + +TOTAL_CERTS="$(openssl storeutl -noout -text -certs "${ISTIO_CSR_SERVING_CERTFILE}" | grep 'Total found' | awk '{print $3}')" +CERTS_WITH_CORRECT_ALG="$(openssl storeutl -noout -text -certs "${ISTIO_CSR_SERVING_CERTFILE}" | grep "NIST CURVE: P-${KEY_SIZE}" | wc -l)" + +echo "$CERTS_WITH_CORRECT_ALG" +echo "$TOTAL_CERTS" +if ! [[ "${CERTS_WITH_CORRECT_ALG}" == "${TOTAL_CERTS}" ]] ; then + echo -e "${RED} ✗ Wrong istiod key size got expected ${KEY_SIZE} ${ENDCOLOR}" + exit 1 +fi +echo -e "${GREEN} ✓ Success ${ENDCOLOR}" +set +x \ No newline at end of file diff --git a/test/ecc/values/istio-csr-ecdsa_p256.yaml b/test/ecc/values/istio-csr-ecdsa_p256.yaml new file mode 100644 index 00000000..62f90cea --- /dev/null +++ b/test/ecc/values/istio-csr-ecdsa_p256.yaml 
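Review bot: the final assertion in test.sh compares `CERTS_WITH_CORRECT_ALG` with `TOTAL_CERTS` but never requires `TOTAL_CERTS` to be non-zero, so if the jsonpath selector matches no CertificateRequests and the `.pems` file is empty, both counts are 0 and the P-${KEY_SIZE} check passes vacuously. Guard it before the comparison: `if [[ "${TOTAL_CERTS:-0}" -eq 0 ]]; then echo -e "${RED} ✗ no istio-csr-serving certificates found ${ENDCOLOR}"; exit 1; fi`. Minor: `$KUBECTL_BIN -n istio-system get cr -n istio-system` passes the namespace twice, and `set -x` stays on for the whole second half of the script, which makes the colourised pass/fail lines hard to find in CI output. The start of this file's hunk is not visible here.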
@@ -0,0 +1,39 @@ +image: + pullPolicy: Never + +app: + logLevel: 3 + + certmanager: + namespace: istio-system + # WARNING: do not enable this option in production, or environments with + # any non-trivial number of workloads for an extended period of time. Doing + # so will balloon the resource consumption of both ETCD and the API server, + # leading to errors and slow down. This option is intended for debugging + # purposes only, for limited periods of time. + preserveCertificateRequests: true + issuer: + group: cert-manager.io + kind: Issuer + name: istio-root-1 + + tls: + trustDomain: foo.bar + rootCAFile: /var/run/secrets/istio-csr/ca.pem + certificateDuration: 20s + istiodCertificateEnable: true + # Number of bits to use for istiod-tls Key + istiodPrivateKeySize: 256 + + server: + serving: + certificateKeySize: 256 + signatureAlgorithm: "ECDSA" + +volumes: +- name: istio-root-certs + secret: + secretName: istio-root-certs +volumeMounts: +- name: istio-root-certs + mountPath: /var/run/secrets/istio-csr diff --git a/test/ecc/values/istio-csr-ecdsa_p384.yaml b/test/ecc/values/istio-csr-ecdsa_p384.yaml new file mode 100644 index 00000000..e0547284 --- /dev/null +++ b/test/ecc/values/istio-csr-ecdsa_p384.yaml 
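Review bot: istio-csr-ecdsa_p256.yaml and istio-csr-ecdsa_p384.yaml (next hunk) are identical apart from the two `256`/`384` values, as are istio-ecdsa_p256.yaml and istio-ecdsa_p384.yaml apart from `ECC_CURVE`; keeping one values file per installer and passing the size from setup.sh with `--set app.tls.istiodPrivateKeySize=${KEY_SIZE} --set app.server.serving.certificateKeySize=${KEY_SIZE}` would stop the copies drifting. `certificateDuration: 20s` combined with `preserveCertificateRequests: true` is unexplained — a comment on why such a short lifetime is wanted here (presumably to force several renewals during the run) would help. `trustDomain: foo.bar` must agree with the Istio operator file's `trustDomain`; a cross-referencing comment on both would make that coupling explicit.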
@@ -0,0 +1,39 @@ +image: + pullPolicy: Never + +app: + logLevel: 3 + + certmanager: + namespace: istio-system + # WARNING: do not enable this option in production, or environments with + # any non-trivial number of workloads for an extended period of time. Doing + # so will balloon the resource consumption of both ETCD and the API server, + # leading to errors and slow down. This option is intended for debugging + # purposes only, for limited periods of time. + preserveCertificateRequests: true + issuer: + group: cert-manager.io + kind: Issuer + name: istio-root-1 + + tls: + trustDomain: foo.bar + rootCAFile: /var/run/secrets/istio-csr/ca.pem + certificateDuration: 20s + istiodCertificateEnable: true + # Number of bits to use for istiod-tls Key + istiodPrivateKeySize: 384 + + server: + serving: + certificateKeySize: 384 + signatureAlgorithm: "ECDSA" + +volumes: +- name: istio-root-certs + secret: + secretName: istio-root-certs +volumeMounts: +- name: istio-root-certs + mountPath: /var/run/secrets/istio-csr diff --git a/test/ecc/values/istio-ecdsa_p256.yaml b/test/ecc/values/istio-ecdsa_p256.yaml new file mode 100644 index 00000000..b685bb2a --- /dev/null +++ b/test/ecc/values/istio-ecdsa_p256.yaml @@ -0,0 +1,24 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + namespace: istio-system +spec: + profile: "minimal" + meshConfig: + # Change the following line to configure the trust domain of the Istio cluster. + trustDomain: foo.bar + defaultConfig: + proxyMetadata: + ECC_SIGNATURE_ALGORITHM: "ECDSA" + ECC_CURVE: "P256" + values: + global: + # Change certificate provider to cert-manager istio agent for istio agent + caAddress: cert-manager-istio-csr.cert-manager.svc:443 + components: + pilot: + k8s: + env: + # Disable istiod CA Sever functionality + - name: ENABLE_CA_SERVER + value: "false" diff --git a/test/ecc/values/istio-ecdsa_p384.yaml b/test/ecc/values/istio-ecdsa_p384.yaml new file mode 100644 index 00000000..8d0e136d --- /dev/null 
+++ b/test/ecc/values/istio-ecdsa_p384.yaml @@ -0,0 +1,24 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + namespace: istio-system +spec: + profile: "minimal" + meshConfig: + # Change the following line to configure the trust domain of the Istio cluster. + trustDomain: foo.bar + defaultConfig: + proxyMetadata: + ECC_SIGNATURE_ALGORITHM: "ECDSA" + ECC_CURVE: "P384" + values: + global: + # Change certificate provider to cert-manager istio agent for istio agent + caAddress: cert-manager-istio-csr.cert-manager.svc:443 + components: + pilot: + k8s: + env: + # Disable istiod CA Sever functionality + - name: ENABLE_CA_SERVER + value: "false" diff --git a/test/ecc/workloads/httpbin.yaml b/test/ecc/workloads/httpbin.yaml new file mode 100644 index 00000000..216b77dc --- /dev/null +++ b/test/ecc/workloads/httpbin.yaml 
@@ -0,0 +1,70 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# httpbin service +################################################################################################## +apiVersion: v1 +kind: Namespace +metadata: + name: sandbox + labels: + istio-injection: enabled +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: httpbin + namespace: sandbox +--- +apiVersion: v1 +kind: Service +metadata: + name: httpbin + namespace: sandbox + labels: + app: httpbin + service: httpbin +spec: + ports: + - name: http + port: 8000 + targetPort: 80 + selector: + app: httpbin +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: httpbin + namespace: sandbox +spec: + replicas: 1 + selector: + matchLabels: + app: httpbin + version: v1 + template: + metadata: + labels: + app: httpbin + version: v1 + spec: + serviceAccountName: httpbin + containers: + - image: docker.io/kong/httpbin:0.1.0 + imagePullPolicy: Never + name: httpbin + ports: + - containerPort: 80 diff --git a/test/ecc/workloads/sleep.yaml b/test/ecc/workloads/sleep.yaml new file mode 100644 index 00000000..2982147f --- /dev/null +++ b/test/ecc/workloads/sleep.yaml 
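Review bot: both workload Deployments use `imagePullPolicy: Never` (`docker.io/kong/httpbin:0.1.0` here, `quay.io/curl/curl:8.5.0` in sleep.yaml), but nothing in this series loads those images into the kind node — the make target only loads the istio-csr manager image — so unless a prerequisite outside this patch preloads them, the pods sit in ErrImageNeverPull and the 180s waits in test.sh time out. Either load them explicitly in setup, or use `imagePullPolicy: IfNotPresent` and pin the images by digest so the pull is reproducible. The `sandbox` Namespace is also declared in both files; define it once.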
@@ -0,0 +1,75 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Sleep service +################################################################################################## +apiVersion: v1 +kind: Namespace +metadata: + name: sandbox + labels: + istio-injection: enabled +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sleep + namespace: sandbox +--- +apiVersion: v1 +kind: Service +metadata: + name: sleep + namespace: sandbox + labels: + app: sleep + service: sleep +spec: + ports: + - port: 80 + name: http + selector: + app: sleep +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: sleep + namespace: sandbox +spec: + replicas: 1 + selector: + matchLabels: + app: sleep + template: + metadata: + labels: + app: sleep + spec: + serviceAccountName: sleep + containers: + - image: quay.io/curl/curl:8.5.0 + imagePullPolicy: Never + name: sleep + command: ["/bin/sleep", "3650d"] + volumeMounts: + - mountPath: /etc/sleep/tls + name: secret-volume + volumes: + - name: secret-volume + secret: + secretName: sleep-secret + optional: true +--- From 61b2e47a543094ccbdd680c2e60029a2c3381c31 Mon Sep 17 00:00:00 2001 From: SpectralHiss Date: Fri, 16 Feb 2024 18:05:37 +0000 Subject: [PATCH 2/5] Implements P384 key size for the istio serving cert 
Signed-off-by: SpectralHiss --- pkg/tls/tls.go | 16 ++++++++++++---- test/ecc/cleanup.sh | 2 +- test/ecc/reset-istio-csr.sh | 2 +- test/ecc/test.sh | 2 +- 4 files changed, 15 insertions(+), 7 deletions(-) diff --git a/pkg/tls/tls.go b/pkg/tls/tls.go index 6756cf37..875a0322 100644 --- a/pkg/tls/tls.go +++ b/pkg/tls/tls.go @@ -292,17 +292,25 @@ func (p *Provider) fetchCertificate(ctx context.Context) (time.Time, error) { defer func() { metricCertRequest.With(prometheus.Labels{"success": success}).Inc() }() opts := pkiutil.CertOptions{ - Host: strings.Join(p.opts.ServingCertificateDNSNames, ","), - IsServer: true, - TTL: p.opts.ServingCertificateDuration, - RSAKeySize: p.opts.ServingCertificateKeySize, + Host: strings.Join(p.opts.ServingCertificateDNSNames, ","), + IsServer: true, + TTL: p.opts.ServingCertificateDuration, } switch p.opts.ServingSignatureAlgorithm { case "RSA": opts.ECSigAlg = "" + opts.RSAKeySize = p.opts.ServingCertificateKeySize case "ECDSA": opts.ECSigAlg = pkiutil.EcdsaSigAlg + switch p.opts.ServingCertificateKeySize { + case 256: + opts.ECCCurve = pkiutil.P256Curve + case 384: + opts.ECCCurve = pkiutil.P384Curve + default: + return time.Time{}, fmt.Errorf("unsupported serving certificate key size (supported: 256, 384): %d", p.opts.ServingCertificateKeySize) + } default: return time.Time{}, fmt.Errorf("unknown signature algorithm (supported: \"RSA\", \"ECDSA\"): %s", p.opts.ServingSignatureAlgorithm) } diff --git a/test/ecc/cleanup.sh b/test/ecc/cleanup.sh index e681dd62..77f876ff 100755 --- a/test/ecc/cleanup.sh +++ b/test/ecc/cleanup.sh @@ -22,7 +22,7 @@ echo "======================================" echo ">> cleaning up resources" rm -f "$TEST_DIR/ca.pem" -rm -f "${ISTIO_CSR_SERVING_CERTFILE}" +#rm -f "${ISTIO_CSR_SERVING_CERTFILE}" echo ">> exporting kind loads" $KIND_BIN export logs "$ARTIFACTS" --name "$KIND_CLUSTER_NAME" diff --git a/test/ecc/reset-istio-csr.sh b/test/ecc/reset-istio-csr.sh index ee4aa582..07671b8f 100755 
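Review bot: the new key-size validation lives inside fetchCertificate, so an unsupported ECDSA size (for example the chart default `certificateKeySize: 2048` together with `signatureAlgorithm: "ECDSA"`) is only reported when a serving certificate is fetched, after the process has started, and is reported again on every retry while also counting as a failed request in `metricCertRequest`; validating the algorithm/size combination once where the options are parsed would fail fast at startup with a clear message. The RSA branch still passes `ServingCertificateKeySize` through unchecked, so a 1024-bit or smaller serving key is accepted silently; a lower bound there would match the strictness now applied to ECDSA. fetchCertificate begins before this hunk and continues after it.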
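Review bot: `#rm -f "${ISTIO_CSR_SERVING_CERTFILE}"` leaves a commented-out command in cleanup.sh with no explanation. If the intent is to keep the decoded serving certificates for post-run inspection, replace the dead line with a comment, `# istio-csr-serving.pems is kept for debugging; it is git-ignored`; otherwise delete it. Note that reset-istio-csr.sh still removes the file between passes, so only the P-384 pass's certificates survive either way.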
--- a/test/ecc/reset-istio-csr.sh +++ b/test/ecc/reset-istio-csr.sh @@ -29,6 +29,6 @@ echo ">> resetting Istio for another test" echo ">> $ISTIO_BIN uninstall -y -f \"$TEST_DIR/values/istio-ecdsa_p${KEY_SIZE}.yaml\"" $ISTIO_BIN uninstall -y --purge -f "$TEST_DIR/values/istio-ecdsa_p${KEY_SIZE}.yaml" - +$KUBECTL_BIN delete cr --all -n istio-system $KUBECTL_BIN delete mutatingwebhookconfigurations istio-revision-tag-default rm -f "${ISTIO_CSR_SERVING_CERTFILE}" diff --git a/test/ecc/test.sh b/test/ecc/test.sh index acf5676b..d6349d43 100755 --- a/test/ecc/test.sh +++ b/test/ecc/test.sh @@ -64,7 +64,7 @@ CERTS_WITH_CORRECT_ALG="$(openssl storeutl -noout -text -certs "${ISTIO_CSR_SERV echo "$CERTS_WITH_CORRECT_ALG" echo "$TOTAL_CERTS" if ! [[ "${CERTS_WITH_CORRECT_ALG}" == "${TOTAL_CERTS}" ]] ; then - echo -e "${RED} ✗ Wrong istiod key size got expected ${KEY_SIZE} ${ENDCOLOR}" + echo -e "${RED} ✗ Wrong istio serving cert expected ${KEY_SIZE} ${ENDCOLOR}" exit 1 fi echo -e "${GREEN} ✓ Success ${ENDCOLOR}" From ef63c4217c2187b8e25b2ebf1426e5c7e2f6755c Mon Sep 17 00:00:00 2001 From: SpectralHiss Date: Fri, 16 Feb 2024 18:26:47 +0000 Subject: [PATCH 3/5] Update helm-docs Signed-off-by: SpectralHiss --- deploy/charts/istio-csr/README.md | 4 ++-- deploy/charts/istio-csr/values.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/deploy/charts/istio-csr/README.md b/deploy/charts/istio-csr/README.md index 52c75b54..e6ef69e8 100644 --- a/deploy/charts/istio-csr/README.md +++ b/deploy/charts/istio-csr/README.md @@ -264,7 +264,7 @@ Create the default certificate as part of install. > 2048 > ``` -Number of bits to use for istiod-tls RSAKey +Number of bits to use for istiod-tls Key #### **app.server.clusterID** ~ `string` > Default value: > ```yaml 
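Review bot: the added `$KUBECTL_BIN delete cr --all -n istio-system` needs a why-comment: with `preserveCertificateRequests: true` in the test values, the P-256 pass leaves its `istio-csr-serving` CertificateRequests behind, and test.sh counts every matching CR, so without this purge the P-384 assertion would see the old P-256 certificates and fail. Something like `# purge CertificateRequests preserved from the previous KEY_SIZE pass so test.sh only counts this pass's certificates` above the line records that dependency.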
@@ -301,7 +301,7 @@ Container port to serve istio-csr gRPC service. > 2048 > ``` -Number of bits to use for the server's serving certificate (RSAKeySize). +Number of bits to use for the server's serving certificate, can only be 256 or 384 when signature algorithm is ECDSA. #### **app.server.serving.signatureAlgorithm** ~ `string` > Default value: > ```yaml diff --git a/deploy/charts/istio-csr/values.yaml b/deploy/charts/istio-csr/values.yaml index 407806e7..bca1c08d 100644 --- a/deploy/charts/istio-csr/values.yaml +++ b/deploy/charts/istio-csr/values.yaml @@ -148,7 +148,7 @@ app: address: 0.0.0.0 # Container port to serve istio-csr gRPC service. port: 6443 - # Number of bits to use for the server's serving certificate (RSAKeySize). + # Number of bits to use for the server's serving certificate, can only be 256 or 384 when signature algorithm is ECDSA. certificateKeySize: 2048 # The type of signature algorithm to use when generating private keys. Currently only RSA and ECDSA are supported. By default RSA is used. signatureAlgorithm: "RSA" From de3e7698660abb67ab9d72e7553e7ac2e9c27c32 Mon Sep 17 00:00:00 2001 From: SpectralHiss Date: Thu, 29 Feb 2024 11:44:33 +0000 Subject: [PATCH 4/5] Remove unused make test-ecc e2e variable Signed-off-by: SpectralHiss --- make/test-ecc.mk | 1 - test/ecc/env.sh | 1 - 2 files changed, 2 deletions(-) diff --git a/make/test-ecc.mk b/make/test-ecc.mk index 1a1bdf83..7a0cb189 100644 --- a/make/test-ecc.mk +++ b/make/test-ecc.mk @@ -21,7 +21,6 @@ test-ecc: e2e-setup-cert-manager oci-load-manager | $(bin_dir)/scratch/istioctl- ARTIFACTS=$(ARTIFACTS) \ ISTIO_CSR_IMAGE=$(oci_manager_image_name_development) \ - ISTIO_CSR_IMAGE_TAR=$(oci_image_tar) \ ISTIO_CSR_IMAGE_TAG=$(oci_manager_image_tag) \ KIND_CLUSTER_NAME=$(kind_cluster_name) \ ISTIO_BIN=$(bin_dir)/scratch/istioctl-$(ISTIO_VERSION) \ diff --git a/test/ecc/env.sh b/test/ecc/env.sh index d35b9a87..0a1f9c78 100755 --- a/test/ecc/env.sh +++ b/test/ecc/env.sh 
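Review bot: removing `ISTIO_CSR_IMAGE_TAR=$(oci_image_tar)` leaves the `$(eval oci_image_tar := $(bin_dir)/scratch/image/oci-layout-manager.$(oci_manager_image_tag).docker.tar)` recipe line just above this hunk (line 20 of make/test-ecc.mk, added in patch 1) with no remaining consumer; drop it in the same commit so the recipe does not define a global variable nobody reads.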
@@ -15,7 +15,6 @@ # limitations under the License. export ARTIFACTS="${ARTIFACTS:-./_bin/artifacts}" -export ISTIO_CSR_IMAGE_TAR="${ISTIO_CSR_IMAGE_TAR:-./_bin/scratch/image/oci-layout-manager.v0.7.1.docker.tar}" export ISTIO_CSR_IMAGE="${ISTIO_CSR_IMAGE:-cert-manager.local/cert-manager-istio-csr}" export ISTIO_CSR_IMAGE_TAG="${ISTIO_CSR_IMAGE_TAG:-canary}" export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-istio-ca-ecc}" From 1f1b9fb5aa4eaead96a5024e8224b5a48ef2e58f Mon Sep 17 00:00:00 2001 From: SpectralHiss Date: Thu, 29 Feb 2024 12:30:51 +0000 Subject: [PATCH 5/5] Fix helm schema Signed-off-by: SpectralHiss --- deploy/charts/istio-csr/values.schema.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/charts/istio-csr/values.schema.json b/deploy/charts/istio-csr/values.schema.json index 7d626e19..39f74114 100644 --- a/deploy/charts/istio-csr/values.schema.json +++ b/deploy/charts/istio-csr/values.schema.json @@ -353,7 +353,7 @@ }, "helm-values.app.server.serving.certificateKeySize": { "default": 2048, - "description": "Number of bits to use for the server's serving certificate (RSAKeySize).", + "description": "Number of bits to use for the server's serving certificate, can only be 256 or 384 when signature algorithm is ECDSA.", "type": "number" }, "helm-values.app.server.serving.port": { @@ -436,7 +436,7 @@ }, "helm-values.app.tls.istiodPrivateKeySize": { "default": 2048, - "description": "Number of bits to use for istiod-tls RSAKey", + "description": "Number of bits to use for istiod-tls Key", "type": "number" }, "helm-values.app.tls.rootCAFile": {