Add command args to configure Isitod with externally managed certific…

…ates (#23116)

* Read sidecar-injector certificates default values from env variables if it exists

* rename vars

* Add prefix INJECTION_WEBHOOK_

* Add optional defaults for Istiod servers TLS certs

* Fix lint checks

* Add command args to configure Isitod with externally managed certificates

* Handler for failed CA read

pilot/cmd/pilot-discovery/main.go

@@ -169,6 +169,14 @@ func init() {
 	discoveryCmd.PersistentFlags().BoolVar(&serverArgs.DiscoveryOptions.EnableProfiling, "profile", true,
 		"Enable profiling via web interface host:port/debug/pprof")
 
+	// Use TLS certificates if provided.
+	discoveryCmd.PersistentFlags().StringVar(&serverArgs.TLSOptions.CaCertFile, "caCertFile", "",
+		"File containing the x509 Server CA Certificate")
+	discoveryCmd.PersistentFlags().StringVar(&serverArgs.TLSOptions.CertFile, "tlsCertFile", "",
+		"File containing the x509 Server Certificate")
+	discoveryCmd.PersistentFlags().StringVar(&serverArgs.TLSOptions.KeyFile, "tlsKeyFile", "",
+		"File containing the x509 private key matching --tlsCertFile")
+
 	// Attach the Istio logging options to the command.
 	loggingOptions.AttachCobraFlags(rootCmd)
 

pilot/pkg/bootstrap/options.go

@@ -83,6 +83,8 @@ type PilotArgs struct {
 	KeepaliveOptions   *istiokeepalive.Options
 	// ForceStop is set as true when used for testing to make the server stop quickly
 	ForceStop bool
+	// Optional TLS configuration
+	TLSOptions TLSOptions
 }
 
 // DiscoveryServiceOptions contains options for create a new discovery
@@ -118,6 +120,13 @@ type MCPOptions struct {
 	InitialConnWindowSize int
 }
 
+// Optional TLS parameters for the server.
+type TLSOptions struct {
+	CaCertFile string
+	CertFile   string
+	KeyFile    string
+}
+
 var PodNamespaceVar = env.RegisterStringVar("POD_NAMESPACE", "istio-system", "")
 var podNameVar = env.RegisterStringVar("POD_NAME", "", "")
 var serviceAccountVar = env.RegisterStringVar("SERVICE_ACCOUNT", "", "")

pilot/pkg/bootstrap/server.go

@@ -19,6 +19,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"path"
@@ -219,7 +220,7 @@ func NewServer(args *PilotArgs) (*Server, error) {
 	}
 
 	// CA signing certificate must be created first.
-	if s.EnableCA() {
+	if args.TLSOptions.CaCertFile == "" && s.EnableCA() {
 		var err error
 		var corev1 v1.CoreV1Interface
 		if s.kubeClient != nil {
@@ -274,7 +275,7 @@ func NewServer(args *PilotArgs) (*Server, error) {
 		return nil, fmt.Errorf("error initializing cluster registries: %v", err)
 	}
 	if dns.DNSAddr.Get() != "" {
-		if err := s.initDNSTLSListener(dns.DNSAddr.Get()); err != nil {
+		if err := s.initDNSTLSListener(dns.DNSAddr.Get(), args.TLSOptions); err != nil {
 			log.Warna("error initializing DNS-over-TLS listener ", err)
 		}
 
@@ -540,22 +541,31 @@ func (s *Server) initGrpcServer(options *istiokeepalive.Options) {
 }
 
 // initialize DNS server listener - uses the same certs as gRPC
-func (s *Server) initDNSTLSListener(dns string) error {
+func (s *Server) initDNSTLSListener(dns string, tlsOptions TLSOptions) error {
 	if dns == "" {
 		return nil
 	}
 	certDir := dnsCertDir
 
-	key := path.Join(certDir, constants.KeyFilename)
-	cert := path.Join(certDir, constants.CertChainFilename)
+	key := model.GetOrDefault(tlsOptions.KeyFile, path.Join(certDir, constants.KeyFilename))
+	cert := model.GetOrDefault(tlsOptions.CertFile, path.Join(certDir, constants.CertChainFilename))
 
 	certP, err := tls.LoadX509KeyPair(cert, key)
 	if err != nil {
 		return err
 	}
 
 	cp := x509.NewCertPool()
-	rootCertBytes := s.ca.GetCAKeyCertBundle().GetRootCertPem()
+	var rootCertBytes []byte
+	if tlsOptions.CaCertFile != "" {
+		rootCertBytes, err = ioutil.ReadFile(tlsOptions.CaCertFile)
+		if err != nil {
+			return err
+		}
+	} else {
+		rootCertBytes = s.ca.GetCAKeyCertBundle().GetRootCertPem()
+	}
+
 	cp.AppendCertsFromPEM(rootCertBytes)
 
 	// TODO: check if client certs can be used with coredns or others.
@@ -579,19 +589,28 @@ func (s *Server) initDNSTLSListener(dns string) error {
 }
 
 // initialize secureGRPCServer - using DNS certs
-func (s *Server) initSecureGrpcServer(port string, keepalive *istiokeepalive.Options) error {
+func (s *Server) initSecureGrpcServer(port string, keepalive *istiokeepalive.Options, tlsOptions TLSOptions) error {
 	certDir := dnsCertDir
 
-	key := path.Join(certDir, constants.KeyFilename)
-	cert := path.Join(certDir, constants.CertChainFilename)
+	key := model.GetOrDefault(tlsOptions.KeyFile, path.Join(certDir, constants.KeyFilename))
+	cert := model.GetOrDefault(tlsOptions.CertFile, path.Join(certDir, constants.CertChainFilename))
 
 	certP, err := tls.LoadX509KeyPair(cert, key)
 	if err != nil {
 		return err
 	}
 
 	cp := x509.NewCertPool()
-	rootCertBytes := s.ca.GetCAKeyCertBundle().GetRootCertPem()
+	var rootCertBytes []byte
+	if tlsOptions.CaCertFile != "" {
+		rootCertBytes, err = ioutil.ReadFile(tlsOptions.CaCertFile)
+		if err != nil {
+			return err
+		}
+	} else {
+		rootCertBytes = s.ca.GetCAKeyCertBundle().GetRootCertPem()
+	}
+
 	cp.AppendCertsFromPEM(rootCertBytes)
 
 	cfg := &tls.Config{
@@ -795,7 +814,7 @@ func (s *Server) initSecureGrpcListener(args *PilotArgs) error {
 		// Feature disabled
 		return nil
 	}
-	if s.ca == nil {
+	if args.TLSOptions.CaCertFile == "" && s.ca == nil {
 		// Running locally without configured certs - no TLS mode
 		return nil
 	}
@@ -817,7 +836,7 @@ func (s *Server) initSecureGrpcListener(args *PilotArgs) error {
 	}
 
 	// run secure grpc server for Istiod - using DNS-based certs from K8S
-	err = s.initSecureGrpcServer(port, args.KeepaliveOptions)
+	err = s.initSecureGrpcServer(port, args.KeepaliveOptions, args.TLSOptions)
 	if err != nil {
 		return err
 	}

pilot/pkg/bootstrap/sidecarinjector.go

@@ -22,6 +22,8 @@ import (
 	"path/filepath"
 	"time"
 
+	"istio.io/istio/pilot/pkg/model"
+
 	"k8s.io/api/admissionregistration/v1beta1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/client-go/kubernetes"
@@ -66,8 +68,8 @@ func (s *Server) initSidecarInjector(args *PilotArgs) error {
 		ValuesFile: filepath.Join(injectPath, "values"),
 		MeshFile:   args.Mesh.ConfigFile,
 		Env:        s.environment,
-		CertFile:   filepath.Join(dnsCertDir, "cert-chain.pem"),
-		KeyFile:    filepath.Join(dnsCertDir, "key.pem"),
+		CertFile:   model.GetOrDefault(args.TLSOptions.CertFile, filepath.Join(dnsCertDir, "cert-chain.pem")),
+		KeyFile:    model.GetOrDefault(args.TLSOptions.KeyFile, filepath.Join(dnsCertDir, "key.pem")),
 		// Disable monitoring. The injection metrics will be picked up by Pilots metrics exporter already
 		MonitoringPort: -1,
 		Mux:            s.httpsMux,

pilot/pkg/bootstrap/validation.go

@@ -18,6 +18,8 @@ import (
 	"path/filepath"
 	"strings"
 
+	"istio.io/istio/pilot/pkg/model"
+
 	"k8s.io/client-go/dynamic"
 
 	"istio.io/pkg/env"
@@ -55,8 +57,8 @@ func (s *Server) initConfigValidation(args *PilotArgs) error {
 		MixerValidator: validate.NewDefaultValidator(false),
 		Schemas:        collections.Istio,
 		DomainSuffix:   args.Config.ControllerOptions.DomainSuffix,
-		CertFile:       filepath.Join(dnsCertDir, "cert-chain.pem"),
-		KeyFile:        filepath.Join(dnsCertDir, "key.pem"),
+		CertFile:       model.GetOrDefault(args.TLSOptions.CertFile, filepath.Join(dnsCertDir, "cert-chain.pem")),
+		KeyFile:        model.GetOrDefault(args.TLSOptions.KeyFile, filepath.Join(dnsCertDir, "key.pem")),
 		Mux:            s.httpsMux,
 	}
 	whServer, err := server.New(params)

pilot/pkg/bootstrap/webhook.go

@@ -21,6 +21,8 @@ import (
 	"net/url"
 	"time"
 
+	"istio.io/istio/pilot/pkg/model"
+
 	"istio.io/pkg/filewatcher"
 	"istio.io/pkg/log"
 
@@ -57,14 +59,17 @@ func (s *Server) initHTTPSWebhookServer(args *PilotArgs) error {
 		},
 	}
 
+	certFile := model.GetOrDefault(args.TLSOptions.CertFile, dnsCertFile)
+	keyFile := model.GetOrDefault(args.TLSOptions.KeyFile, dnsKeyFile)
+
 	// load the cert/key and setup a persistent watch for updates.
-	cert, err := server.ReloadCertkey(dnsCertFile, dnsKeyFile)
+	cert, err := server.ReloadCertkey(certFile, keyFile)
 	if err != nil {
 		return err
 	}
 	s.webhookCert = cert
 	keyCertWatcher := filewatcher.NewWatcher()
-	for _, file := range []string{dnsCertFile, dnsKeyFile} {
+	for _, file := range []string{certFile, keyFile} {
 		if err := keyCertWatcher.Add(file); err != nil {
 			return fmt.Errorf("could not watch %v: %v", file, err)
 		}
@@ -77,26 +82,26 @@ func (s *Server) initHTTPSWebhookServer(args *PilotArgs) error {
 				case <-keyCertTimerC:
 					keyCertTimerC = nil
 
-					cert, err := server.ReloadCertkey(dnsCertFile, dnsKeyFile)
+					cert, err := server.ReloadCertkey(certFile, keyFile)
 					if err != nil {
 						return // error logged and metric reported by server.ReloadCertKey
 					}
 
 					s.webhookCertMu.Lock()
 					s.webhookCert = cert
 					s.webhookCertMu.Unlock()
-				case <-keyCertWatcher.Events(dnsCertFile):
+				case <-keyCertWatcher.Events(certFile):
 					if keyCertTimerC == nil {
 						keyCertTimerC = time.After(watchDebounceDelay)
 					}
-				case <-keyCertWatcher.Events(dnsKeyFile):
+				case <-keyCertWatcher.Events(keyFile):
 					if keyCertTimerC == nil {
 						keyCertTimerC = time.After(watchDebounceDelay)
 					}
-				case <-keyCertWatcher.Errors(dnsCertFile):
-					log.Errorf("error watching %v: %v", dnsCertFile, err)
-				case <-keyCertWatcher.Errors(dnsKeyFile):
-					log.Errorf("error watching %v: %v", dnsKeyFile, err)
+				case <-keyCertWatcher.Errors(certFile):
+					log.Errorf("error watching %v: %v", certFile, err)
+				case <-keyCertWatcher.Errors(keyFile):
+					log.Errorf("error watching %v: %v", keyFile, err)
 				case <-stop:
 					return
 				}