
SPIFFE Implementation PoC - needs crate patches #193

Draft

wants to merge 11 commits into base: main

Conversation

@blaggacao (Contributor) commented Oct 9, 2020

As promised: #189 (comment) /cc @imacg

Try it out

Note: this tooling trades ease of use (a.k.a. reproducibility) for disk space. Expect the closure of this nix-shell to be about 400-600 MB.

→ have a look at the updated quick-install

$ curl -L https://nixos.org/nix/install | sh
$ cd .../trow
$ nix-shell
$ cd ./dev
$ menu # informative
...
$ just-menu # informative
...
$ dns-activate # see visuals below
...
$ ca-install # see visuals below
...
$ just quick-install # launches a 100% reproducible dev cluster based on k3d
...

$ # explore

$ just tear-down
...
$ dns-deactivate
...
$ ca-uninstall
...
Some Visuals

switch on: [screenshot]

switch off: [screenshot]

@blaggacao (Contributor, Author) commented

trow-svc with SPIFFE TLS

$ kubectl alpha debug -n trow-dev pod/trow-deploy-7bf6d8ddb6-hbdpk -i -t --image=curlimages/curl -- sh
...
/ $ curl --insecure -vvI https://trow-svc
*   Trying 10.43.106.163:443...
* Connected to trow-svc (10.43.106.163) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* error setting certificate verify locations, continuing anyway:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; O=SPIRE; CN=trow-svc
*  start date: Oct 13 05:24:34 2020 GMT
*  expire date: Oct 13 06:24:44 2020 GMT
*  issuer: C=US; O=SPIFFE
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> HEAD / HTTP/1.1
> Host: trow-svc
> User-Agent: curl/7.72.0-DEV
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Connection: close
Connection: close
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Server: Rocket
Server: Rocket
< Docker-Distribution-API-Version: registry/2.0
Docker-Distribution-API-Version: registry/2.0
< Content-Length: 89
Content-Length: 89
< Date: Tue, 13 Oct 2020 05:37:54 GMT
Date: Tue, 13 Oct 2020 05:37:54 GMT

<
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):

[2020-10-13T05:37:54Z ERROR rocket::rocket] No matching routes for HEAD /

@blaggacao (Contributor, Author) commented Oct 13, 2020

registry.local with local cert

$ curl --insecure -vvI https://registry.local
*   Trying 127.0.0.1:443...
* TCP_NODELAY set
* Connected to registry.local (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=mkcert development certificate; OU=blaggacao@dar (David Arnold)
*  start date: Jun  1 00:00:00 2019 GMT
*  expire date: Oct  9 23:48:36 2030 GMT
*  issuer: O=mkcert development CA; OU=blaggacao@dar (David Arnold); CN=mkcert blaggacao@dar (David Arnold)
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55b6cbff3db0)
> HEAD / HTTP/2
> Host: registry.local
> user-agent: curl/7.68.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 500
HTTP/2 500
< vary: Accept-Encoding
vary: Accept-Encoding
< content-type: text/plain; charset=utf-8
content-type: text/plain; charset=utf-8
< content-length: 21
content-length: 21
< date: Tue, 13 Oct 2020 05:41:35 GMT
date: Tue, 13 Oct 2020 05:41:35 GMT

<
* Connection #0 to host registry.local left intact

Problem: @amouat, would you have a clue? I acknowledge that it's using TLS 1.2. What could that bear on it?

[2020-10-13T05:41:35Z ERROR rustls::session] TLS alert received: Message {
        typ: Alert,
        version: TLSv1_2,
        payload: Alert(
            AlertMessagePayload {
                level: Fatal,
                description: BadCertificate,
            },
        ),
    }
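Both curl runs above pass --insecure, so neither one says whether the SPIRE-issued certificate for trow-svc would actually validate. The first run shows why a stock client cannot validate it (the issuer C=US; O=SPIFFE is not in /etc/ssl/certs, hence "unable to get local issuer certificate"), and the rustls log in the second run shows what a peer that does check a certificate looks like from the other side: a fatal bad_certificate alert. The program below is an added example, not code from this PR or from Trow; it is in Go because the standard-library crypto/x509 handles URI SANs, which Rust's standard library does not. It builds a throwaway CA in the shape of the SPIRE server CA, issues a one-hour X.509-SVID for trow-svc like the one curl printed, and then performs the check curl skipped: chain the leaf to the trust bundle and compare the spiffe:// URI SAN against the expected workload identity. The trust domain example.org, the path /ns/trow-dev/sa/trow and the Fixture/Demo helpers are assumptions made for the example (the PR shows no SPIRE registration entry), and it goes beyond the curl output by also exercising the two failure modes a SPIFFE-aware client has to handle: an SVID belonging to a different workload, and an SVID checked after its one-hour lifetime without having been rotated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Assumed SPIFFE ID for the trow workload; the PR shows no SPIRE registration entry, so
// the trust domain and path are constructed for this example.
var trowID = &url.URL{Scheme: "spiffe", Host: "example.org", Path: "/ns/trow-dev/sa/trow"}

func must(err error) {
	if err != nil {
		panic(err) // fixture setup only; verification failures are returned, never panicked
	}
}

// Fixture builds a throwaway CA standing in for the SPIRE server CA (curl saw issuer "C=US;
// O=SPIFFE"), its trust bundle, and an SVID for trowID whose identity lives in the URI SAN.
func Fixture(ttl time.Duration) (bundle *x509.CertPool, svid []byte) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject:      pkix.Name{Country: []string{"US"}, Organization: []string{"SPIFFE"}},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	ca, err := x509.ParseCertificate(caDER)
	must(err)
	// The CN is informational only; the lifetime mirrors the one-hour window curl printed.
	svid, err = x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(2), KeyUsage: x509.KeyUsageDigitalSignature, URIs: []*url.URL{trowID},
		Subject:      pkix.Name{Country: []string{"US"}, Organization: []string{"SPIRE"}, CommonName: "trow-svc"},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, ca, &leafKey.PublicKey, caKey)
	must(err)
	bundle = x509.NewCertPool()
	bundle.AddCert(ca)
	return bundle, svid
}

// VerifySVID is the check `curl --insecure` skipped: chain the leaf to the bundle as of `at`
// (one-hour SVIDs make the clock matter), ignore DNS names, and require exactly one URI SAN
// equal to the expected SPIFFE ID. Leaf-only chains are assumed; intermediates are omitted.
func VerifySVID(rawChain [][]byte, bundle *x509.CertPool, want string, at time.Time) error {
	if len(rawChain) == 0 {
		return fmt.Errorf("peer presented no certificate")
	}
	leaf, err := x509.ParseCertificate(rawChain[0])
	if err != nil {
		return fmt.Errorf("parse leaf: %w", err)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: bundle, CurrentTime: at}); err != nil {
		return fmt.Errorf("chain to trust bundle failed: %w", err)
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" {
		return fmt.Errorf("want exactly one spiffe:// URI SAN, got %v", leaf.URIs)
	}
	if got := leaf.URIs[0].String(); got != want {
		return fmt.Errorf("peer is %s, want %s", got, want)
	}
	return nil
}

// ClientConfig replaces --insecure: Go's hostname check is off because the SVID carries no
// DNS name, and VerifyPeerCertificate enforces the bundle and the expected identity instead.
func ClientConfig(bundle *x509.CertPool, want string) *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS13,
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			return VerifySVID(raw, bundle, want, time.Now())
		},
	}
}

// Demo issues a one-hour SVID and reports the four outcomes a client can hit.
func Demo() (withBundle, emptyBundle, wrongID, expired error) {
	bundle, svid := Fixture(time.Hour)
	chain, want := [][]byte{svid}, trowID.String()
	withBundle = ClientConfig(bundle, want).VerifyPeerCertificate(chain, nil)
	emptyBundle = ClientConfig(x509.NewCertPool(), want).VerifyPeerCertificate(chain, nil) // curl's situation above
	wrongID = VerifySVID(chain, bundle, "spiffe://example.org/ns/trow-dev/sa/someone-else", time.Now())
	expired = VerifySVID(chain, bundle, want, time.Now().Add(2*time.Hour)) // SVID never rotated
	return
}

func main() {
	fmt.Println(Demo())
}
```

Run it with `go run`; the first value printed is nil and the other three are the errors a client holding no bundle, the wrong identity, or a stale SVID would see. Two caveats when lifting this into a real client: InsecureSkipVerify on its own is exactly the Go equivalent of --insecure and is only acceptable here because VerifyPeerCertificate re-verifies the chain; and both the bundle and the SVID are rotated by SPIRE, so a client must keep fetching them from the Workload API rather than pinning what it loaded at startup, or it ends up in the "expired" case after an hour.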

@blaggacao blaggacao force-pushed the da-devshell-black-magic branch 2 times, most recently from 67c081a to f485143 Compare October 13, 2020 05:50
@blaggacao blaggacao changed the title WIP: Use devshell with DNS & TLS mgt overlays SPIFFE Implementation PoC - needs crate patches Oct 13, 2020
@amouat amouat changed the base branch from master to main April 21, 2021 08:17