This repository has been archived by the owner on Apr 22, 2024. It is now read-only.

Allow to load trusted CAs from k8s secrets #60

Closed
wants to merge 2 commits into from

Conversation

sergicastro
Contributor

In addition to the last PRs about trusted CAs, this one adds the ability to load the CA from a Kubernetes secret instead.

It creates the k8s.SecretReader that loads the bytes from a secret. This lets the tls.Pool load and manage the tls.Configs the same way regardless of whether they are loaded (and reloaded) from a file or a secret.

At the same time, this PR:

  • creates a Prerunner that provides a k8s.Client instance if there are any secret refs in the config, so we have a single point of k8s client load. (k8s.ClientLoader)
  • modifies the current k8s.SecretLoader to use the new k8s.SecretReader; this would allow easily setting up a refresh interval in a future PR.
  • moves internal.TLSPool to tls.Pool to avoid import cycles.
  • updates the istio e2e to use keycloak serving TLS and configuring authservice to load the CA from a secret.

@nacx @zhaohuabing I would like to listen to your thoughts about this since I feel this conflicts a little bit with #54 that refreshes client-secrets with a k8s controller.

I would like to load and reload secrets the same way, client secrets or CA certs. I feel it offers a better understanding for users and developers.

Let me start with the advantages of this implementation:

  • It works the same way for files or secret refs.
  • It does not pull more dependencies into the project (related to Take care of the authservice image size #56)

Disadvantages:

  • It does not detect immediate changes based on events; it needs the interval to finish to detect a change.
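The following is an added illustration of the reader/pool design the description above lays out; it is not code from this PR or from the project. The names Reader, SecretReader, Pool, NewCAPEM and the "keycloak"/"ca.crt" values are assumptions: SecretReader keeps a Secret's data map in memory so the example runs offline (a real one would fetch through a k8s client, and a file-backed Reader would simply be os.ReadFile on the path), and Pool rebuilds a tls.Config only when the SHA-256 of the bytes changes, which is exactly the interval-driven behaviour the description lists as the trade-off.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Reader is where a CA bundle's PEM bytes come from (hypothetical stand-in for
// the PR's k8s.SecretReader); a file-backed one would be os.ReadFile on a path.
type Reader interface{ Read() ([]byte, error) }

// SecretReader stands in for a Kubernetes Secret: Data mirrors its data map and
// Key names the bundle entry. It is in-memory so the example runs offline.
type SecretReader struct {
	Data map[string][]byte
	Key  string
}

func (s *SecretReader) Read() ([]byte, error) {
	if b, ok := s.Data[s.Key]; ok {
		return b, nil
	}
	return nil, fmt.Errorf("secret has no key %q", s.Key)
}

type entry struct {
	reader Reader
	digest [32]byte // SHA-256 of the bytes the current config was built from
	config *tls.Config
}

// Pool builds and reloads tls.Configs the same way for every Reader (hypothetical stand-in for the PR's tls.Pool).
type Pool struct{ entries map[string]*entry }

func NewPool() *Pool { return &Pool{entries: map[string]*entry{}} }

// read fetches the bytes and builds a config; a bundle with no parseable certificate is refused.
func read(r Reader) ([32]byte, *tls.Config, error) {
	b, err := r.Read()
	if err != nil {
		return [32]byte{}, nil, err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(b) {
		return [32]byte{}, nil, errors.New("no valid CA certificate in PEM data")
	}
	return sha256.Sum256(b), &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}, nil
}

// Load registers a named source and builds its initial config.
func (p *Pool) Load(name string, r Reader) error {
	d, cfg, err := read(r)
	if err != nil {
		return err
	}
	p.entries[name] = &entry{reader: r, digest: d, config: cfg}
	return nil
}

// Config returns the current tls.Config for a named source.
func (p *Pool) Config(name string) (*tls.Config, bool) {
	if e, ok := p.entries[name]; ok {
		return e.config, true
	}
	return nil, false
}

// Refresh re-reads every source, swaps in a new config where the bytes changed and
// returns the rotated names; a source that fails to read or parse keeps its previous config.
func (p *Pool) Refresh() ([]string, error) {
	var changed []string
	var errs []error
	for name, e := range p.entries {
		d, cfg, err := read(e.reader)
		if err != nil {
			errs = append(errs, fmt.Errorf("%s: %w", name, err))
		} else if d != e.digest {
			e.digest, e.config = d, cfg
			changed = append(changed, name)
		}
	}
	return changed, errors.Join(errs...)
}

// NewCAPEM generates a throwaway self-signed CA (constructed test input, not a real trust anchor).
func NewCAPEM(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Calling Refresh from a time.Ticker gives the polling model described above: a rotated Secret is picked up at the next tick rather than on the event. Two details matter for a trust store specifically: a bundle that fails to parse leaves the previous config in place instead of emptying RootCAs, and the pool is left unsynchronised here for brevity, so a real one needs a lock around Config and Refresh because handlers read configs while the ticker replaces them.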


codecov bot commented Feb 26, 2024

Codecov Report

Attention: Patch coverage is 96.11650%, with 4 lines in your changes missing coverage. Please review.

Project coverage is 93.03%. Comparing base (bef473d) to head (8c66dab).

Additional details and impacted files
@@            Coverage Diff             @@
##             main      #60      +/-   ##
==========================================
- Coverage   93.42%   93.03%   -0.39%     
==========================================
  Files          22       22              
  Lines        1430     1494      +64     
==========================================
+ Hits         1336     1390      +54     
- Misses         56       66      +10     
  Partials       38       38              
Files                      Coverage Δ
internal/authz/oidc.go     93.55% <100.00%> (ø)
internal/oidc/jwks.go      96.15% <100.00%> (ø)
internal/server/authz.go   94.79% <100.00%> (ø)
internal/tls/tls.go        91.17% <100.00%> (ø)
internal/k8s/client.go     94.11% <92.30%> (-5.89%) ⬇️
internal/k8s/secrets.go    96.36% <95.45%> (-3.64%) ⬇️

... and 1 file with indirect coverage changes

@sergicastro
Contributor Author

@nacx @zhaohuabing I opened this other PR to show how it would be reloading client secrets from k8s secrets and files: #61

This would also add an easy way to add future sources of secrets, for example, loading them from env vars.

@sergicastro sergicastro closed this Mar 1, 2024