
ACM certificates are not actually supported for EKS VirtualGateway->listener->tls->validation->trust config #575

Open
pequalsnp opened this issue Apr 13, 2022 · 0 comments
Labels
bug Something isn't working

Comments

@pequalsnp

Describe the bug
The CRDs show that you should be able to pass configuration like this (this is from terraform, that's where the variables are coming from):

apiVersion: appmesh.k8s.aws/v1beta2
kind: VirtualGateway
metadata:
  name: ${local.ingress_gateway_app_name}
  namespace: ${kubernetes_namespace.ingress_gw_namespace.metadata[0].name}
spec:
  namespaceSelector:
    matchLabels:
      gateway: ${local.ingress_gateway_app_name}
  podSelector:
    matchLabels:
      app: ${local.ingress_gateway_app_name}
  listeners:
    - portMapping:
        port: 50051
        protocol: grpc
      tls:
        certificate:
          acm:
            certificateARN: ${local.private_regional_certificate_arn}
        mode: STRICT
        validation:
          trust:
            acm:
              certificateAuthorityARNs:
                - <ARN>

but if you create a VirtualGateway with that configuration you will receive an error:

BadRequestException: One type of TLS Validation Context Trust must be set.

This appears to be because although ACM is defined in the Go type the conversion code doesn't actually consider ACM.

Steps to reproduce

Using a k8s VirtualGateway object in EKS, attempt to use ACM (specifically an ACM Private certificate authority ARN) for listener tls validation.

Expected outcome
Client requests are verified against the given ACM Private CA.

Environment

  • App Mesh controller version
    v1.4.3
  • Envoy version
    840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-envoy:v1.20.0.1-prod
  • Are you using any integrations? X-ray, Jaeger etc. If so versions?
    No
  • Kubernetes version
    v1.21.5-eks-bc4871b
  • Using EKS (yes/no), if so version?
    Yes, see above.

Additional Context:

If you can't fix the implementation, at least fix the custom resource definitions to disallow this.

This can be worked around by storing the certificate in a secret and using it by file, again this is using terraform:

resource "kubernetes_secret" "ingress_gateway_pki" {
  provider = kubernetes.gsa_us_east_2
  metadata {
    name      = "pki"
    namespace = kubernetes_namespace.ingress_gw_namespace.metadata[0].name
  }

  data = {
    "ca.crt" = data.aws_acmpca_certificate_authority.acmpca.certificate
  }
}

Then in your deployment

          volumeMounts:
            - name: pki
              mountPath: "/mnt/pki"
              readOnly: true
      volumes:
        - name: pki
          secret:
            secretName: ${kubernetes_secret.ingress_gateway_pki.metadata[0].name}

and modify the VirtualGateway spec above

        validation:
          trust:
            file:
              certificateChain: /mnt/pki/ca.crt
@pequalsnp pequalsnp added the bug Something isn't working label Apr 13, 2022
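The failure mode described in this issue (a CRD field that exists in the Go type but is dropped by the CRD-to-API conversion, so the API sees an empty trust block) can be shown in a small Go model. The code below is an added example written for this page; it is not the aws-app-mesh-controller's own code, and the type names, the buggy and fixed converters, the admission-style check and the placeholder ARN are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// CRD-side types: a hypothetical simplification of the
// spec.listeners[].tls.validation.trust block, not the controller's real types.
type ACMTrust struct{ CertificateAuthorityARNs []string }
type FileTrust struct{ CertificateChain string }
type SDSTrust struct{ SecretName string }

// Exactly one of acm, file or sds is meant to be set.
type ListenerTLSValidationContextTrust struct {
	ACM  *ACMTrust
	File *FileTrust
	SDS  *SDSTrust
}

// API-side types: simplified stand-ins for the three trust variants the
// App Mesh API accepts.
type APIACMTrust struct{ CertificateAuthorityArns []string }
type APIFileTrust struct{ CertificateChain string }
type APISDSTrust struct{ SecretName string }

type APITrust struct {
	ACM  *APIACMTrust
	File *APIFileTrust
	SDS  *APISDSTrust
}

// ErrNoTrust reproduces the message quoted in the issue.
var ErrNoTrust = errors.New("BadRequestException: One type of TLS Validation Context Trust must be set.")

// validateTrust models the API-side check: an empty trust block is rejected
// with ErrNoTrust. Rejecting more than one variant is an assumption of this
// example, not a behaviour quoted on the page.
func validateTrust(t *APITrust) (*APITrust, error) {
	set := 0
	for _, present := range []bool{t.ACM != nil, t.File != nil, t.SDS != nil} {
		if present {
			set++
		}
	}
	if set == 0 {
		return nil, ErrNoTrust
	}
	if set > 1 {
		return nil, errors.New("only one TLS Validation Context Trust type may be set")
	}
	return t, nil
}

// convertTrustBuggy models the behaviour the issue describes: the CRD carries
// an acm field, but conversion only copies file and sds, so an ACM-only spec
// reaches the API with no trust set at all.
func convertTrustBuggy(in ListenerTLSValidationContextTrust) (*APITrust, error) {
	out := &APITrust{}
	if in.File != nil {
		out.File = &APIFileTrust{CertificateChain: in.File.CertificateChain}
	}
	if in.SDS != nil {
		out.SDS = &APISDSTrust{SecretName: in.SDS.SecretName}
	}
	return validateTrust(out)
}

// convertTrustFixed copies all three variants, including acm.
func convertTrustFixed(in ListenerTLSValidationContextTrust) (*APITrust, error) {
	out := &APITrust{}
	if in.ACM != nil {
		arns := append([]string(nil), in.ACM.CertificateAuthorityARNs...)
		out.ACM = &APIACMTrust{CertificateAuthorityArns: arns}
	}
	if in.File != nil {
		out.File = &APIFileTrust{CertificateChain: in.File.CertificateChain}
	}
	if in.SDS != nil {
		out.SDS = &APISDSTrust{SecretName: in.SDS.SecretName}
	}
	return validateTrust(out)
}

// rejectUnsupportedTrust is the other remedy the issue asks for: if acm trust
// cannot be implemented, fail the object at admission with a clear message
// instead of letting an empty trust block reach the API. Hypothetical check.
func rejectUnsupportedTrust(in ListenerTLSValidationContextTrust) error {
	if in.ACM != nil {
		return errors.New("listener tls validation trust: acm is not supported by this controller; use file or sds")
	}
	return nil
}

func main() {
	// Constructed placeholder ARN, not a real private CA.
	spec := ListenerTLSValidationContextTrust{
		ACM: &ACMTrust{CertificateAuthorityARNs: []string{"arn:aws:acm-pca:us-east-2:123456789012:certificate-authority/example"}},
	}
	if _, err := convertTrustBuggy(spec); err != nil {
		fmt.Println("buggy conversion:", err)
	}
	out, err := convertTrustFixed(spec)
	if err != nil {
		fmt.Println("fixed conversion:", err)
		return
	}
	fmt.Printf("fixed conversion: acm=%+v\n", out.ACM)
	fmt.Println("admission check:", rejectUnsupportedTrust(spec))
}
```

The buggy converter returns the same BadRequestException text for an ACM-only spec, while a file-based spec such as the `/mnt/pki/ca.crt` workaround above passes through unchanged; the fixed converter accepts all three variants, and the admission-style check gives the user an explicit error at apply time rather than an opaque API rejection.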