istio.io/istio@v0.0.0-20240520182934-d79c90f27776/pilot/cmd/pilot-agent/options/security.go (about)

     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package options
    16  
    17  import (
    18  	"fmt"
    19  	"strings"
    20  
    21  	meshconfig "istio.io/api/mesh/v1alpha1"
    22  	"istio.io/istio/pilot/pkg/features"
    23  	"istio.io/istio/pkg/config/constants"
    24  	"istio.io/istio/pkg/jwt"
    25  	"istio.io/istio/pkg/log"
    26  	"istio.io/istio/pkg/security"
    27  	"istio.io/istio/security/pkg/credentialfetcher"
    28  	"istio.io/istio/security/pkg/nodeagent/cafile"
    29  )
    30  
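// NewSecurityOptions assembles the agent's security.Options from the
// package-level environment/flag variables (caEndpointEnv, provCert,
// clusterIDVar, ... — presumably parsed elsewhere in this package) plus the
// given proxy config, then finalizes them through SetupSecurityOptions
// (credential fetcher, CA endpoint defaulting, provider-specific cert paths
// and option validation).
//
// proxyConfig supplies the discovery address that SetupSecurityOptions uses as
// the default CA endpoint. stsPort is copied into the options verbatim.
// tokenManagerPlugin is accepted for interface compatibility but is not read
// here. On any failure the returned options are nil and err describes the
// problem; on success the returned pointer is the fully populated options.
func NewSecurityOptions(proxyConfig *meshconfig.ProxyConfig, stsPort int, tokenManagerPlugin string) (*security.Options, error) {
	o := &security.Options{
		// CA / control-plane addressing and provider selection.
		CAEndpoint:        caEndpointEnv,
		CAProviderName:    caProviderEnv,
		PilotCertProvider: features.PilotCertProvider,
		OutputKeyCertToDir: outputKeyCertToDir,
		ProvCert:           provCert,
		// Workload identity inputs.
		ClusterID:         clusterIDVar.Get(),
		FileMountedCerts:  fileMountedCertsEnv,
		WorkloadNamespace: PodNamespaceVar.Get(),
		ServiceAccount:    serviceAccountVar.Get(),
		XdsAuthProvider:   xdsAuthProvider.Get(),
		TrustDomain:       trustDomainEnv,
		// Workload key generation parameters.
		WorkloadRSAKeySize: workloadRSAKeySizeEnv,
		Pkcs8Keys:          pkcs8KeysEnv,
		ECCSigAlg:          eccSigAlgEnv,
		ECCCurve:           eccCurvEnv,
		// Secret lifetime / rotation tuning.
		SecretTTL:                      secretTTLEnv,
		FileDebounceDuration:           fileDebounceDuration,
		SecretRotationGracePeriodRatio: secretRotationGracePeriodRatioEnv,
		STSPort:                        stsPort,
		CertSigner:                     certSigner.Get(),
		// Default on-disk locations; SetupSecurityOptions may override the
		// cert/key/root paths for provider-managed certificates.
		CARootPath:        cafile.CACertFilePath,
		CertChainFilePath: security.DefaultCertChainFilePath,
		KeyFilePath:       security.DefaultKeyFilePath,
		RootCertFilePath:  security.DefaultRootCertFilePath,
	}

	// SetupSecurityOptions already returns (nil, err) on every failure path,
	// so its result can be returned as-is; the previous explicit error branch
	// returned exactly the same pair and was dead code.
	return SetupSecurityOptions(proxyConfig, o, jwtPolicy.Get(),
		credFetcherTypeEnv, credIdentityProvider)
}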
    67  
// SetupSecurityOptions completes secOpt in place and returns it. It logs the
// effective JWT policy, defaults the CA endpoint (and its expected SAN) to the
// discovery address when none was configured, installs a credential fetcher,
// and then applies provider-specific certificate paths and the option
// validation that depends on them.
//
// jwtPolicy only selects the log line: the service-account token path handed
// to the credential fetcher is always constants.ThirdPartyJwtPath, and the
// deprecated first-party policy is accepted with a warning for compatibility.
// credFetcherTypeEnv and credIdentityProvider are passed through to
// credentialfetcher.NewCredFetcher. Every failure returns (nil, err); on
// success the returned pointer is secOpt itself.
func SetupSecurityOptions(proxyConfig *meshconfig.ProxyConfig, secOpt *security.Options, jwtPolicy,
	credFetcherTypeEnv, credIdentityProvider string,
) (*security.Options, error) {
	switch jwtPolicy {
	case jwt.PolicyThirdParty:
		log.Info("JWT policy is third-party-jwt")
	case jwt.PolicyFirstParty:
		log.Warnf("Using deprecated JWT policy 'first-party-jwt'; treating as 'third-party-jwt'")
	default:
		log.Info("Using existing certs")
	}
	// Regardless of the policy value, the projected (third-party) token path
	// is what the credential fetcher reads.
	jwtPath := constants.ThirdPartyJwtPath

	// An explicitly configured CA endpoint is used verbatim; note that the
	// expected istiod SAN is only populated in the defaulted case, so an
	// explicit endpoint gets no SAN from here.
	// NOTE(review): proxyConfig is dereferenced without a nil check — confirm
	// callers always pass a non-nil config.
	if secOpt.CAEndpoint == "" {
		secOpt.CAEndpoint = proxyConfig.DiscoveryAddress
		secOpt.CAEndpointSAN = istiodSAN.Get()
	}

	secOpt.CredIdentityProvider = credIdentityProvider
	fetcher, err := credentialfetcher.NewCredFetcher(credFetcherTypeEnv, secOpt.TrustDomain, jwtPath, secOpt.CredIdentityProvider)
	if err != nil {
		return nil, fmt.Errorf("failed to create credential fetcher: %v", err)
	}
	log.Infof("using credential fetcher of %s type in %s trust domain", credFetcherTypeEnv, secOpt.TrustDomain)
	secOpt.CredFetcher = fetcher

	// GKE workload certificates are provider-managed files on disk: they must
	// all be present, cannot be combined with a provisioning cert, and force
	// file-mounted mode. This path returns early, so the provider defaulting
	// and the generic PROV_CERT/FILE_MOUNTED_CERTS check below do not run.
	if secOpt.CAProviderName == security.GkeWorkloadCertificateProvider {
		chain := security.GkeWorkloadCertChainFilePath
		key := security.GkeWorkloadKeyFilePath
		root := security.GkeWorkloadRootCertFilePath
		if !security.CheckWorkloadCertificate(chain, key, root) {
			return nil, fmt.Errorf("GKE workload certificate files (%v, %v, %v) not present", chain, key, root)
		}
		if secOpt.ProvCert != "" {
			return nil, fmt.Errorf(
				"invalid options: PROV_CERT and FILE_MOUNTED_CERTS of GKE workload cert are mutually exclusive")
		}
		secOpt.FileMountedCerts = true
		secOpt.CertChainFilePath = chain
		secOpt.KeyFilePath = key
		secOpt.RootCertFilePath = root
		return secOpt, nil
	}

	// Convenience default for the Google CA provider. This is a plain
	// substring match on the configured endpoint (it matches any host string
	// containing "googleapis.com", whatever its position), so it should be
	// read as provider selection only, not as a trust decision.
	// NOTE(review): presumably the CA client still authenticates the endpoint
	// itself (TLS / SAN) — verify that before relying on this heuristic.
	if strings.Contains(secOpt.CAEndpoint, "googleapis.com") {
		secOpt.CAProviderName = security.GoogleCAProvider
	}

	// A provisioning cert and file-mounted workload certs are two different
	// sources of identity; refuse to run with both configured.
	if secOpt.ProvCert != "" && secOpt.FileMountedCerts {
		return nil, fmt.Errorf("invalid options: PROV_CERT and FILE_MOUNTED_CERTS are mutually exclusive")
	}
	return secOpt, nil
}
   125  }