feat(MeshExternalService): implement validator (#10306)
* feat(MeshExternalService): first draft of validator

Signed-off-by: slonka <slonka@users.noreply.github.com>

* feat(MeshExternalService): try running it

Signed-off-by: slonka <slonka@users.noreply.github.com>

* feat(MeshExternalService): make `make check` pass

Signed-off-by: slonka <slonka@users.noreply.github.com>

* feat(MeshExternalService): add full without extension

Signed-off-by: slonka <slonka@users.noreply.github.com>

* feat(MeshExternalService): add full invalid example

Signed-off-by: slonka <slonka@users.noreply.github.com>

* feat(MeshExternalService): add more cases

Signed-off-by: slonka <slonka@users.noreply.github.com>

* feat(MeshExternalService): make check pass

Signed-off-by: slonka <slonka@users.noreply.github.com>

* feat(MeshExternalService): make golden files

Signed-off-by: slonka <slonka@users.noreply.github.com>

* feat(MeshExternalService): add check for min max version

Signed-off-by: slonka <slonka@users.noreply.github.com>

* feat(MeshExternalService): make check pass

Signed-off-by: slonka <slonka@users.noreply.github.com>

* feat(MeshExternalService): fix auto case

Signed-off-by: slonka <slonka@users.noreply.github.com>

---------

Signed-off-by: slonka <slonka@users.noreply.github.com>
slonka committed May 27, 2024
1 parent 45d9ca7 commit 186d39b
Showing 27 changed files with 492 additions and 117 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -257,7 +257,6 @@ spec:
type: integer
required:
- address
- port
type: object
type: array
extension:
Expand Down Expand Up @@ -368,13 +367,13 @@ spec:
mode:
default: Secured
description: Mode defines if proxy should skip verification,
one of `SkipSAN`, `SkipCA`, `Secured`, `SkipALL`. Default
one of `SkipSAN`, `SkipCA`, `Secured`, `SkipAll`. Default
`Secured`.
enum:
- SkipSAN
- SkipCA
- Secured
- SkipALL
- SkipAll
type: string
subjectAltNames:
description: SubjectAltNames list of names to verify in the
Expand Down Expand Up @@ -422,14 +421,7 @@ spec:
- TLS12
- TLS13
type: string
required:
- max
- min
type: object
required:
- allowRenegotiation
- verification
- version
type: object
required:
- match
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -257,7 +257,6 @@ spec:
type: integer
required:
- address
- port
type: object
type: array
extension:
Expand Down Expand Up @@ -368,13 +367,13 @@ spec:
mode:
default: Secured
description: Mode defines if proxy should skip verification,
one of `SkipSAN`, `SkipCA`, `Secured`, `SkipALL`. Default
one of `SkipSAN`, `SkipCA`, `Secured`, `SkipAll`. Default
`Secured`.
enum:
- SkipSAN
- SkipCA
- Secured
- SkipALL
- SkipAll
type: string
subjectAltNames:
description: SubjectAltNames list of names to verify in the
Expand Down Expand Up @@ -422,14 +421,7 @@ spec:
- TLS12
- TLS13
type: string
required:
- max
- min
type: object
required:
- allowRenegotiation
- verification
- version
type: object
required:
- match
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -277,7 +277,6 @@ spec:
type: integer
required:
- address
- port
type: object
type: array
extension:
Expand Down Expand Up @@ -388,13 +387,13 @@ spec:
mode:
default: Secured
description: Mode defines if proxy should skip verification,
one of `SkipSAN`, `SkipCA`, `Secured`, `SkipALL`. Default
one of `SkipSAN`, `SkipCA`, `Secured`, `SkipAll`. Default
`Secured`.
enum:
- SkipSAN
- SkipCA
- Secured
- SkipALL
- SkipAll
type: string
subjectAltNames:
description: SubjectAltNames list of names to verify in the
Expand Down Expand Up @@ -442,14 +441,7 @@ spec:
- TLS12
- TLS13
type: string
required:
- max
- min
type: object
required:
- allowRenegotiation
- verification
- version
type: object
required:
- match
Expand Down
12 changes: 2 additions & 10 deletions app/kumactl/cmd/install/testdata/install-crds.all.golden.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1731,7 +1731,6 @@ spec:
type: integer
required:
- address
- port
type: object
type: array
extension:
Expand Down Expand Up @@ -1842,13 +1841,13 @@ spec:
mode:
default: Secured
description: Mode defines if proxy should skip verification,
one of `SkipSAN`, `SkipCA`, `Secured`, `SkipALL`. Default
one of `SkipSAN`, `SkipCA`, `Secured`, `SkipAll`. Default
`Secured`.
enum:
- SkipSAN
- SkipCA
- Secured
- SkipALL
- SkipAll
type: string
subjectAltNames:
description: SubjectAltNames list of names to verify in the
Expand Down Expand Up @@ -1896,14 +1895,7 @@ spec:
- TLS12
- TLS13
type: string
required:
- max
- min
type: object
required:
- allowRenegotiation
- verification
- version
type: object
required:
- match
Expand Down
12 changes: 2 additions & 10 deletions deployments/charts/kuma/crds/kuma.io_meshexternalservices.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,6 @@ spec:
type: integer
required:
- address
- port
type: object
type: array
extension:
Expand Down Expand Up @@ -171,13 +170,13 @@ spec:
mode:
default: Secured
description: Mode defines if proxy should skip verification,
one of `SkipSAN`, `SkipCA`, `Secured`, `SkipALL`. Default
one of `SkipSAN`, `SkipCA`, `Secured`, `SkipAll`. Default
`Secured`.
enum:
- SkipSAN
- SkipCA
- Secured
- SkipALL
- SkipAll
type: string
subjectAltNames:
description: SubjectAltNames list of names to verify in the
Expand Down Expand Up @@ -225,14 +224,7 @@ spec:
- TLS12
- TLS13
type: string
required:
- max
- min
type: object
required:
- allowRenegotiation
- verification
- version
type: object
required:
- match
Expand Down
12 changes: 2 additions & 10 deletions docs/generated/raw/crds/kuma.io_meshexternalservices.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,6 @@ spec:
type: integer
required:
- address
- port
type: object
type: array
extension:
Expand Down Expand Up @@ -171,13 +170,13 @@ spec:
mode:
default: Secured
description: Mode defines if proxy should skip verification,
one of `SkipSAN`, `SkipCA`, `Secured`, `SkipALL`. Default
one of `SkipSAN`, `SkipCA`, `Secured`, `SkipAll`. Default
`Secured`.
enum:
- SkipSAN
- SkipCA
- Secured
- SkipALL
- SkipAll
type: string
subjectAltNames:
description: SubjectAltNames list of names to verify in the
Expand Down Expand Up @@ -225,14 +224,7 @@ spec:
- TLS12
- TLS13
type: string
required:
- max
- min
type: object
required:
- allowRenegotiation
- verification
- version
type: object
required:
- match
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,19 +14,30 @@ type MeshExternalService struct {
// Match defines traffic that should be routed through the sidecar.
Match Match `json:"match"`
// Extension struct for a plugin configuration, in the presence of an extension `endpoints` and `tls` are not required anymore - it's up to the extension to validate them independently.
Extension Extension `json:"extension,omitempty"`
Extension *Extension `json:"extension,omitempty"`
// Endpoints defines a list of destinations to send traffic to.
Endpoints []Endpoint `json:"endpoints,omitempty"`
// Tls provides a TLS configuration when proxy is resposible for a TLS origination
Tls Tls `json:"tls,omitempty"`
Tls *Tls `json:"tls,omitempty"`
}

// +kubebuilder:validation:Enum=HostnameGenerator
type MatchType string

const (
HostnameGeneratorType MatchType = "HostnameGenerator"
)

// +kubebuilder:validation:Enum=tcp;grpc;http;http2
type ProtocolType string

const (
TcpProtocol ProtocolType = "tcp"
GrpcProtocol ProtocolType = "grpc"
HttpProtocol ProtocolType = "http"
Http2Protocol ProtocolType = "http2"
)

type Match struct {
// Type of the match, only `HostnameGenerator` is available at the moment.
// +kubebuilder:default=HostnameGenerator
Expand All @@ -47,7 +58,7 @@ type Extension struct {

// +kubebuilder:validation:Minimum=1
// +kubebuilder:validation:Maximum=65535
type EndpointPort int
type Port int

type Endpoint struct {
// Address defines an address to which a user want to send a request. Is possible to provide `domain`, `ip` and `unix` sockets.
Expand All @@ -57,44 +68,66 @@ type Endpoint struct {
// +kubebuilder:validation:MinLength=1
Address string `json:"address"`
// Port of the endpoint
Port EndpointPort `json:"port"`
Port *Port `json:"port,omitempty"`
}

type Tls struct {
// Enabled defines if proxy should originate TLS.
// +kubebuilder:default=false
Enabled bool `json:"enabled,omitempty"`
// Version section for providing version specification.
Version TlsVersion `json:"version"`
Version *Version `json:"version,omitempty"`
// AllowRenegotiation defines if TLS sessions will allow renegotiation.
// Setting this to true is not recommended for security reasons.
// +kubebuilder:default=false
AllowRenegotiation bool `json:"allowRenegotiation"`
AllowRenegotiation bool `json:"allowRenegotiation,omitempty"`
// Verification section for providing TLS verification details.
Verification Verification `json:"verification"`
Verification *Verification `json:"verification,omitempty"`
}

// +kubebuilder:validation:Enum=TLSAuto;TLS10;TLS11;TLS12;TLS13
type TlsMinMaxVersion string
type TlsVersion string

const (
TLSVersionAuto TlsVersion = "TLSAuto"
TLSVersion10 TlsVersion = "TLS10"
TLSVersion11 TlsVersion = "TLS11"
TLSVersion12 TlsVersion = "TLS12"
TLSVersion13 TlsVersion = "TLS13"
)

type TlsVersion struct {
var tlsVersionOrder = map[TlsVersion]int{
TLSVersion10: 0,
TLSVersion11: 1,
TLSVersion12: 2,
TLSVersion13: 3,
}

type Version struct {
// Min defines minimum supported version. One of `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`.
// +kubebuilder:default=TLSAuto
Min TlsMinMaxVersion `json:"min"`
Min *TlsVersion `json:"min,omitempty"`
// Max defines maximum supported version. One of `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`.
// +kubebuilder:default=TLSAuto
Max TlsMinMaxVersion `json:"max"`
Max *TlsVersion `json:"max,omitempty"`
}

// +kubebuilder:validation:Enum=SkipSAN;SkipCA;Secured;SkipALL
// +kubebuilder:validation:Enum=SkipSAN;SkipCA;Secured;SkipAll
type VerificationMode string

const (
TLSVerificationSkipSAN VerificationMode = "SkipSAN"
TLSVerificationSkipCA VerificationMode = "SkipCA"
TLSVerificationSkipAll VerificationMode = "SkipAll"
TLSVerificationSecured VerificationMode = "Secured"
)

type Verification struct {
// Mode defines if proxy should skip verification, one of `SkipSAN`, `SkipCA`, `Secured`, `SkipALL`. Default `Secured`.
// Mode defines if proxy should skip verification, one of `SkipSAN`, `SkipCA`, `Secured`, `SkipAll`. Default `Secured`.
// +kubebuilder:default=Secured
Mode VerificationMode `json:"mode,omitempty"`
Mode *VerificationMode `json:"mode,omitempty"`
// SubjectAltNames list of names to verify in the certificate.
SubjectAltNames []SANMatch `json:"subjectAltNames,omitempty"`
SubjectAltNames *[]SANMatch `json:"subjectAltNames,omitempty"`
// CaCert defines a certificate of CA.
CaCert *v1alpha1.DataSource `json:"caCert,omitempty"`
// ClientCert defines a certificate of a client.
Expand All @@ -106,6 +139,11 @@ type Verification struct {
// +kubebuilder:validation:Enum=Exact;Prefix
type SANMatchType string

const (
SANMatchExact SANMatchType = "Exact"
SANMatchPrefix SANMatchType = "Prefix"
)

type SANMatch struct {
// Type specifies matching type, one of `Exact`, `Prefix`. Default: `Exact`
// +kubebuilder:default=Exact
Expand Down
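Review bot: `tlsVersionOrder` leaves `TLSVersionAuto` out, but nothing says whether that is intentional, and a plain `tlsVersionOrder[v]` lookup on an Auto value returns 0, the same rank as `TLSVersion10`, so any min/max comparison has to use the two-value `rank, ok :=` form and treat `!ok` as "no constraint". I would add above the map: `// tlsVersionOrder ranks the concrete TLS versions for min/max comparison. TLSVersionAuto is deliberately absent: callers must use the two-value lookup and skip the check when either side is Auto, otherwise the zero value makes Auto compare equal to TLS10.` The commit description mentions a min/max check and an "auto case" fix in the validator, which is outside this file section, so I cannot confirm the lookup is guarded there. Separately, the new exported identifiers (`MatchType`, `ProtocolType`, `Port`, `TlsVersion`, `VerificationMode`, `SANMatchType` and their const blocks) have no doc comments, and `SubjectAltNames *[]SANMatch` could be a plain `[]SANMatch`, since a nil slice already encodes as absent under `omitempty`.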
