fix(meshservice): permissive mTLS of synced services (#11749)

## Motivation

We want to use permissive mTLS with MeshServices. It turned out that
synced services are not marked as TLS ready in this case, but actually
it's the only way to access them (through Zone Ingress)

## Implementation information

Always mark synced MeshService as TLS ready

## Supporting documentation

No issue created. Reported by Baptiste

Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>

pkg/core/resources/apis/meshservice/api/v1alpha1/helpers.go

@@ -43,15 +43,15 @@ func (m *MeshServiceResource) FindPortByName(name string) (Port, bool) {
 	return Port{}, false
 }
 
-func (m *MeshServiceResource) IsLocalMeshService(localZone string) bool {
+func (m *MeshServiceResource) IsLocalMeshService() bool {
 	if len(m.GetMeta().GetLabels()) == 0 {
 		return true // no labels mean that it's a local resource
 	}
-	resZone, ok := m.GetMeta().GetLabels()[mesh_proto.ZoneTag]
+	origin, ok := m.GetMeta().GetLabels()[mesh_proto.ResourceOriginLabel]
 	if !ok {
 		return true // no zone label mean that it's a local resource
 	}
-	return resZone == localZone
+	return origin == string(mesh_proto.ZoneResourceOrigin)
 }
 
 var _ core_vip.ResourceHoldingVIPs = &MeshServiceResource{}

pkg/core/resources/apis/meshservice/status/updater.go

@@ -112,7 +112,7 @@ func (s *StatusUpdater) updateStatus(ctx context.Context) error {
 	dppsForMs := meshservice.MatchDataplanesWithMeshServices(dpList.Items, msList.Items, false)
 
 	for ms, dpps := range dppsForMs {
-		if !ms.IsLocalMeshService(s.localZone) {
+		if !ms.IsLocalMeshService() {
 			// identities are already computed by the other zone
 			continue
 		}

pkg/core/resources/apis/meshservice/status/updater_test.go

@@ -72,7 +72,8 @@ var _ = Describe("Updater", func() {
 		// when
 		Expect(samples.MeshServiceBackendBuilder().
 			WithLabels(map[string]string{
-				v1alpha1.ZoneTag: "west",
+				v1alpha1.ZoneTag:             "west",
+				v1alpha1.ResourceOriginLabel: string(v1alpha1.GlobalResourceOrigin),
 			}).
 			AddServiceTagIdentity("backend").
 			Create(resManager)).To(Succeed())

pkg/plugins/policies/core/xds/meshroute/clusters.go

@@ -96,9 +96,12 @@ func GenerateClusters(
 					}
 				} else {
 					if realResourceRef := service.BackendRef().RealResourceBackendRef(); realResourceRef != nil {
+						tlsReady = true // tls readiness is only relevant for MeshService
 						if common_api.TargetRefKind(realResourceRef.Resource.ResourceType) == common_api.MeshService {
 							if ms := meshCtx.MeshServiceByIdentifier[pointer.Deref(realResourceRef.Resource).ResourceIdentifier]; ms != nil {
-								tlsReady = ms.Status.TLS.Status == meshservice_api.TLSReady
+								// we only check TLS status for local service
+								// services that are synced can be accessed only with TLS through ZoneIngress
+								tlsReady = !ms.IsLocalMeshService() || ms.Status.TLS.Status == meshservice_api.TLSReady
 							}
 						}
 						edsClusterBuilder.Configure(envoy_clusters.ClientSideMultiIdentitiesMTLS(

pkg/xds/topology/outbound.go

@@ -130,7 +130,7 @@ func BuildEdsEndpointMap(
 	fillExternalServicesOutboundsThroughEgress(outbound, externalServices, meshExternalServices, zoneEgresses, mesh, localZone)
 
 	// it has to be last because it reuses endpoints for other cases
-	fillMeshMultiZoneServices(outbound, meshServicesByName, meshMultiZoneServices, localZone)
+	fillMeshMultiZoneServices(outbound, meshServicesByName, meshMultiZoneServices)
 
 	return outbound
 }
@@ -139,7 +139,6 @@ func fillMeshMultiZoneServices(
 	outbound core_xds.EndpointMap,
 	meshServicesByName map[model.ResourceIdentifier]*meshservice_api.MeshServiceResource,
 	meshMultiZoneServices []*meshmzservice_api.MeshMultiZoneServiceResource,
-	localZone string,
 ) {
 	for _, mzSvc := range meshMultiZoneServices {
 		for _, matchedMs := range mzSvc.Status.MeshServices {
@@ -153,7 +152,7 @@ func fillMeshMultiZoneServices(
 			if !ok {
 				continue
 			}
-			if !ms.IsLocalMeshService(localZone) && ms.Spec.State != meshservice_api.StateAvailable {
+			if !ms.IsLocalMeshService() && ms.Spec.State != meshservice_api.StateAvailable {
 				// we don't want to load balance to zones that has no available endpoints.
 				// we check this only for non-local services, because if service is unavailable in the local zone it has no endpoints.
 				// if a new local endpoint just become healthy, we can add it immediately without waiting for state to be reconciled.
@@ -215,7 +214,7 @@ func fillRemoteMeshServices(
 	}
 
 	for _, ms := range services {
-		if ms.IsLocalMeshService(localZone) {
+		if ms.IsLocalMeshService() {
 			continue
 		}
 		msZone := ms.GetMeta().GetLabels()[mesh_proto.ZoneTag]
@@ -328,7 +327,7 @@ func fillLocalMeshServices(
 ) {
 	dppsForMs := meshservice.MatchDataplanesWithMeshServices(dataplanes, meshServices, true)
 	for meshSvc, dpps := range dppsForMs {
-		if !meshSvc.IsLocalMeshService(localZone) {
+		if !meshSvc.IsLocalMeshService() {
 			continue
 		}
 

test/e2e_env/multizone/meshservice/connectivity.go

@@ -9,7 +9,9 @@ import (
 	"github.com/onsi/gomega/types"
 	kube_meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	mesh_proto "github.com/kumahq/kuma/api/mesh/v1alpha1"
 	"github.com/kumahq/kuma/pkg/config/core"
+	"github.com/kumahq/kuma/pkg/test/resources/samples"
 	"github.com/kumahq/kuma/test/e2e_env/kubernetes/gateway"
 	. "github.com/kumahq/kuma/test/framework"
 	"github.com/kumahq/kuma/test/framework/client"
@@ -29,7 +31,11 @@ func Connectivity() {
 	var testServerPodNames []string
 	BeforeAll(func() {
 		Expect(NewClusterSetup().
-			Install(MTLSMeshWithMeshServicesUniversal(meshName, "Everywhere")).
+			Install(Yaml(samples.MeshMTLSBuilder().
+				WithName(meshName).
+				WithMeshServicesEnabled(mesh_proto.Mesh_MeshServices_Everywhere).
+				WithPermissiveMTLSBackends(),
+			)).
 			Install(MeshTrafficPermissionAllowAllUniversal(meshName)).
 			Install(YamlUniversal(fmt.Sprintf(`
 type: HostnameGenerator