Remove trustworthy and legacy jwt concepts. Always use trustworthy jwt (

istio#16147)
mfilipiak-ccg · Aug 9, 2019 · 6346034 · 6346034
1 parent a97b4c3
commit 6346034
Show file tree

Hide file tree

Showing 26 changed files with 81 additions and 200 deletions.
diff --git a/install/kubernetes/helm/istio/charts/gateways/templates/deployment.yaml b/install/kubernetes/helm/istio/charts/gateways/templates/deployment.yaml
@@ -247,11 +247,9 @@ spec:
           - name: sdsudspath
             mountPath: /var/run/sds
             readOnly: true
-          {{- if $.Values.global.sds.useTrustworthyJwt }}
           - name: istio-token
             mountPath: /var/run/secrets/tokens
           {{- end }}
-          {{- end }}
           {{- if $spec.sds }}
           {{- if $spec.sds.enabled }}
           - name: ingressgatewaysdsudspath
@@ -280,7 +278,6 @@ spec:
       - name: sdsudspath
         hostPath:
           path: /var/run/sds
-      {{- if $.Values.global.sds.useTrustworthyJwt }}
       - name: istio-token
         projected:
           sources:
@@ -289,7 +286,6 @@ spec:
               expirationSeconds: 43200
               audience: {{ $.Values.global.trustDomain }}
       {{- end }}
-      {{- end }}
       - name: istio-certs
         secret:
           secretName: istio.{{ $key }}-service-account

diff --git a/install/kubernetes/helm/istio/charts/mixer/templates/deployment.yaml b/install/kubernetes/helm/istio/charts/mixer/templates/deployment.yaml
@@ -13,7 +13,6 @@
       - hostPath:
           path: /var/run/sds
         name: sds-uds-path
-      {{- if $.Values.global.sds.useTrustworthyJwt }}
       - name: istio-token
         projected:
           sources:
@@ -22,7 +21,6 @@
               expirationSeconds: 43200
               path: istio-token
       {{- end }}
-      {{- end }}
       - name: uds-socket
         emptyDir: {}
       - name: policy-adapter-secret
@@ -168,11 +166,9 @@
         - name: sds-uds-path
           mountPath: /var/run/sds
           readOnly: true
-        {{- if $.Values.global.sds.useTrustworthyJwt }}
         - name: istio-token
           mountPath: /var/run/secrets/tokens
         {{- end }}
-        {{- end }}
         - name: uds-socket
           mountPath: /sock
         - name: policy-adapter-secret
@@ -192,7 +188,6 @@
       - hostPath:
           path: /var/run/sds
         name: sds-uds-path
-      {{- if $.Values.global.sds.useTrustworthyJwt }}
       - name: istio-token
         projected:
           sources:
@@ -201,7 +196,6 @@
               expirationSeconds: 43200
               path: istio-token
       {{- end }}
-      {{- end }}
       - name: uds-socket
         emptyDir: {}
       - name: telemetry-adapter-secret
@@ -353,11 +347,9 @@
         - name: sds-uds-path
           mountPath: /var/run/sds
           readOnly: true
-        {{- if $.Values.global.sds.useTrustworthyJwt }}
         - name: istio-token
           mountPath: /var/run/secrets/tokens
         {{- end }}
-        {{- end }}
         - name: uds-socket
           mountPath: /sock
 {{- end }}

diff --git a/install/kubernetes/helm/istio/charts/pilot/templates/deployment.yaml b/install/kubernetes/helm/istio/charts/pilot/templates/deployment.yaml
@@ -183,18 +183,15 @@ spec:
           - name: sds-uds-path
             mountPath: /var/run/sds
             readOnly: true
-          {{- if $.Values.global.sds.useTrustworthyJwt }}
           - name: istio-token
             mountPath: /var/run/secrets/tokens
           {{- end }}
-          {{- end }}
 {{- end }}
       volumes:
       {{- if $.Values.global.sds.enabled }}
       - hostPath:
           path: /var/run/sds
         name: sds-uds-path
-      {{- if $.Values.global.sds.useTrustworthyJwt }}
       - name: istio-token
         projected:
           sources:
@@ -203,7 +200,6 @@ spec:
               expirationSeconds: 43200
               path: istio-token
       {{- end }}
-      {{- end }}
       - name: config-volume
         configMap:
           name: istio

diff --git a/install/kubernetes/helm/istio/example-values/values-istio-example-sds-vault.yaml b/install/kubernetes/helm/istio/example-values/values-istio-example-sds-vault.yaml
@@ -9,7 +9,6 @@ global:
   sds:
     enabled: true
     udsPath: "unix:/var/run/sds/uds_path"
-    useNormalJwt: true
 
 nodeagent:
   enabled: true

diff --git a/install/kubernetes/helm/istio/example-values/values-istio-googleca.yaml b/install/kubernetes/helm/istio/example-values/values-istio-googleca.yaml
@@ -9,7 +9,6 @@ global:
   sds:
     enabled: true
     udsPath: "unix:/var/run/sds/uds_path"
-    useTrustworthyJwt: true 
 
   trustDomain: ""
 

diff --git a/install/kubernetes/helm/istio/files/injection-template.yaml b/install/kubernetes/helm/istio/files/injection-template.yaml
@@ -231,7 +231,7 @@ containers:
       - NET_ADMIN
     runAsGroup: 1337
     {{ else -}}
-    {{ if and .Values.global.sds.enabled .Values.global.sds.useTrustworthyJwt }}
+    {{ if .Values.global.sds.enabled }}
     runAsGroup: 1337
     {{- end }}
     runAsUser: 1337
@@ -261,10 +261,8 @@ containers:
   - mountPath: /var/run/sds
     name: sds-uds-path
     readOnly: true
-  {{- if .Values.global.sds.useTrustworthyJwt }}
   - mountPath: /var/run/secrets/tokens
     name: istio-token
-  {{- end }}
   {{- if .Values.global.sds.customTokenDirectory }}
   - mountPath: "{{ .Values.global.sds.customTokenDirectory -}}"
     name: custom-sds-token
@@ -299,20 +297,18 @@ volumes:
 - name: sds-uds-path
   hostPath:
     path: /var/run/sds
+- name: istio-token
+  projected:
+    sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.trustDomain }}
 {{- if .Values.global.sds.customTokenDirectory }}
 - name: custom-sds-token
   secret:
     secretName: sdstokensecret
 {{- end }}
-{{- if .Values.global.sds.useTrustworthyJwt }}
-- name: istio-token
-  projected:
-    sources:
-    - serviceAccountToken:
-        path: istio-token
-        expirationSeconds: 43200
-        audience: {{ .Values.global.trustDomain }}
-{{- end }}
 {{- else }}
 - name: istio-certs
   secret:

diff --git a/install/kubernetes/helm/istio/templates/configmap.yaml b/install/kubernetes/helm/istio/templates/configmap.yaml
@@ -104,20 +104,6 @@ data:
     # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. 
     sdsUdsPath: {{ .Values.global.sds.udsPath }}
 
-    # This flag is used by secret discovery service(SDS). 
-    # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount 
-    # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which 
-    # will be used to generate key/cert eventually. This isn't supported for non-k8s case.
-    enableSdsTokenMount: {{ .Values.global.sds.useTrustworthyJwt }}
-
-    # This flag is used by secret discovery service(SDS). 
-    # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' 
-    # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) 
-    # and pass to sds server, which will be used to request key/cert eventually. 
-    # this flag is ignored if enableSdsTokenMount is set.
-    # This isn't supported for non-k8s case.
-    sdsUseK8sSaJwt: {{ .Values.global.sds.useNormalJwt }}
-
     # The trust domain corresponds to the trust root of a system.
     # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
     trustDomain: {{ .Values.global.trustDomain }}

diff --git a/install/kubernetes/helm/istio/test-values/values-istio-auth-sds.yaml b/install/kubernetes/helm/istio/test-values/values-istio-auth-sds.yaml
@@ -9,9 +9,6 @@ global:
   sds:
     enabled: true
     udsPath: "unix:/var/run/sds/uds_path"
-    # The e2e tests (old framework) are still using old Kubernetes version with no trustworthy jwts support.
-    useNormalJwt: true
-    useTrustworthyJwt: false
 
   proxy:
     enableCoreDump: true

diff --git a/install/kubernetes/helm/istio/values-istio-sds-auth.yaml b/install/kubernetes/helm/istio/values-istio-sds-auth.yaml
@@ -9,13 +9,6 @@ global:
   sds:
     enabled: true
     udsPath: "unix:/var/run/sds/uds_path"
-    # Trustworthy JWTs are available from Kubernetes 1.12 (beta) and later.
-    # On-prem k8s needs extra configuration.
-    # https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/?origin_team=T382U9E4U#service-account-token-volume-projection
-    # //TODO: Deprecate the useNormalJwt and useTrustworthyJwt fields, since trustworthy JWT
-    # is used by default when SDS is enabled.
-    useNormalJwt: false
-    useTrustworthyJwt: true
 
 nodeagent:
   enabled: true

diff --git a/install/kubernetes/helm/istio/values.yaml b/install/kubernetes/helm/istio/values.yaml
@@ -449,8 +449,6 @@ global:
     # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
     enabled: false
     udsPath: ""
-    useTrustworthyJwt: false
-    useNormalJwt: false
 
   # Configure the mesh networks to be used by the Split Horizon EDS.
   #

diff --git a/pilot/cmd/pilot-agent/main.go b/pilot/cmd/pilot-agent/main.go
@@ -52,7 +52,7 @@ import (
 	"istio.io/istio/pkg/util/protomarshal"
 )
 
-const jwtPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+const trustworthyJWTPath = "/var/run/secrets/tokens/istio-token"
 
 var (
 	role             = &model.Proxy{Metadata: map[string]string{}}
@@ -93,15 +93,13 @@ var (
 
 	wg sync.WaitGroup
 
-	instanceIPVar            = env.RegisterStringVar("INSTANCE_IP", "", "")
-	podNameVar               = env.RegisterStringVar("POD_NAME", "", "")
-	podNamespaceVar          = env.RegisterStringVar("POD_NAMESPACE", "", "")
-	istioNamespaceVar        = env.RegisterStringVar("ISTIO_NAMESPACE", "", "")
-	kubeAppProberNameVar     = env.RegisterStringVar(status.KubeAppProberEnvName, "", "")
-	sdsEnabledVar            = env.RegisterBoolVar("SDS_ENABLED", false, "")
-	sdsUdsPathVar            = env.RegisterStringVar("SDS_UDS_PATH", "/var/run/sds/uds_path", "SDS unix domain socket path")
-	sdsTrustworthyJWTPathVar = env.RegisterStringVar("SDS_JWT_PATH", "/var/run/secrets/tokens/istio-token",
-		"path of token which is used for request key/cert through SDS")
+	instanceIPVar        = env.RegisterStringVar("INSTANCE_IP", "", "")
+	podNameVar           = env.RegisterStringVar("POD_NAME", "", "")
+	podNamespaceVar      = env.RegisterStringVar("POD_NAMESPACE", "", "")
+	istioNamespaceVar    = env.RegisterStringVar("ISTIO_NAMESPACE", "", "")
+	kubeAppProberNameVar = env.RegisterStringVar(status.KubeAppProberEnvName, "", "")
+	sdsEnabledVar        = env.RegisterBoolVar("SDS_ENABLED", false, "")
+	sdsUdsPathVar        = env.RegisterStringVar("SDS_UDS_PATH", "/var/run/sds/uds_path", "SDS unix domain socket path")
 
 	sdsUdsWaitTimeout = time.Minute
 
@@ -291,7 +289,7 @@ var (
 			}
 
 			controlPlaneAuthEnabled := controlPlaneAuthPolicy == meshconfig.AuthenticationPolicy_MUTUAL_TLS.String()
-			sdsEnabled, sdsTokenPath := detectSds(controlPlaneBootstrap, controlPlaneAuthEnabled, sdsUdsPathVar.Get(), sdsTrustworthyJWTPathVar.Get(), jwtPath)
+			sdsEnabled, sdsTokenPath := detectSds(controlPlaneBootstrap, controlPlaneAuthEnabled, sdsUdsPathVar.Get(), trustworthyJWTPath)
 
 			// since Envoy needs the certs for mTLS, we wait for them to become available before starting it
 			// skip waiting cert if sds is enabled, otherwise it takes long time for pod to start.
@@ -474,7 +472,7 @@ func getDNSDomain(domain string) string {
 
 // check if SDS UDS path and token path exist, if both exist, requests key/cert
 // using SDS instead of secret mount.
-func detectSds(controlPlaneBootstrap, controlPlaneAuthEnabled bool, udspath, preferJwtpath, jwtpath string) (bool, string) {
+func detectSds(controlPlaneBootstrap, controlPlaneAuthEnabled bool, udspath, trustworthyJWTPath string) (bool, string) {
 	if !sdsEnabledVar.Get() {
 		return false, ""
 	}
@@ -485,11 +483,8 @@ func detectSds(controlPlaneBootstrap, controlPlaneAuthEnabled bool, udspath, pre
 		if _, err := os.Stat(udspath); err != nil {
 			return false, ""
 		}
-		if _, err := os.Stat(preferJwtpath); err == nil {
-			return true, preferJwtpath
-		}
-		if _, err := os.Stat(jwtpath); err == nil {
-			return true, jwtpath
+		if _, err := os.Stat(trustworthyJWTPath); err == nil {
+			return true, trustworthyJWTPath
 		}
 
 		return false, ""
@@ -507,11 +502,8 @@ func detectSds(controlPlaneBootstrap, controlPlaneAuthEnabled bool, udspath, pre
 	if !waitForFile(udspath, sdsUdsWaitTimeout) {
 		return false, ""
 	}
-	if _, err := os.Stat(preferJwtpath); err == nil {
-		return true, preferJwtpath
-	}
-	if _, err := os.Stat(jwtpath); err == nil {
-		return true, jwtpath
+	if _, err := os.Stat(trustworthyJWTPath); err == nil {
+		return true, trustworthyJWTPath
 	}
 
 	return false, ""

diff --git a/pilot/cmd/pilot-agent/main_test.go b/pilot/cmd/pilot-agent/main_test.go
@@ -139,7 +139,6 @@ func TestDetectSds(t *testing.T) {
 		controlPlaneBootstrap   bool
 		controlPlaneAuthEnabled bool
 		udsPath                 string
-		preferTokenPath         string
 		tokenPath               string
 		expectedSdsEnabled      bool
 		expectedSdsTokenPath    string
@@ -154,7 +153,7 @@ func TestDetectSds(t *testing.T) {
 			controlPlaneBootstrap:   true,
 			controlPlaneAuthEnabled: true,
 			udsPath:                 "/tmp/testtmpuds1.log",
-			preferTokenPath:         "/tmp/testtmptoken1.log",
+			tokenPath:               "/tmp/testtmptoken1.log",
 			expectedSdsEnabled:      true,
 			expectedSdsTokenPath:    "/tmp/testtmptoken1.log",
 		},
@@ -179,7 +178,7 @@ func TestDetectSds(t *testing.T) {
 		{
 			controlPlaneBootstrap: false,
 			udsPath:               "/tmp/test_tmp_uds2",
-			preferTokenPath:       "/tmp/test_tmp_token2",
+			tokenPath:             "/tmp/test_tmp_token2",
 			expectedSdsEnabled:    true,
 			expectedSdsTokenPath:  "/tmp/test_tmp_token2",
 		},
@@ -206,20 +205,14 @@ func TestDetectSds(t *testing.T) {
 				defer os.Remove(tt.udsPath)
 			}
 		}
-		if tt.preferTokenPath != "" {
-			if _, err := os.Stat(tt.preferTokenPath); err != nil {
-				os.Create(tt.preferTokenPath)
-				defer os.Remove(tt.preferTokenPath)
-			}
-		}
 		if tt.tokenPath != "" {
 			if _, err := os.Stat(tt.tokenPath); err != nil {
 				os.Create(tt.tokenPath)
 				defer os.Remove(tt.tokenPath)
 			}
 		}
 
-		enabled, path := detectSds(tt.controlPlaneBootstrap, tt.controlPlaneAuthEnabled, tt.udsPath, tt.preferTokenPath, tt.tokenPath)
+		enabled, path := detectSds(tt.controlPlaneBootstrap, tt.controlPlaneAuthEnabled, tt.udsPath, tt.tokenPath)
 		g.Expect(enabled).To(gomega.Equal(tt.expectedSdsEnabled))
 		g.Expect(path).To(gomega.Equal(tt.expectedSdsTokenPath))
 	}

diff --git a/pilot/pkg/kube/inject/inject.go b/pilot/pkg/kube/inject/inject.go
@@ -218,7 +218,6 @@ type Params struct {
 	DebugMode                    bool                   `json:"debugMode"`
 	Privileged                   bool                   `json:"privileged"`
 	SDSEnabled                   bool                   `json:"sdsEnabled"`
-	EnableSdsTokenMount          bool                   `json:"enableSdsTokenMount"`
 	PodDNSSearchNamespaces       []string               `json:"podDNSSearchNamespaces"`
 }
 
@@ -250,7 +249,6 @@ func (p *Params) intoHelmValues() map[string]string {
 		"global.proxy.readinessPeriodSeconds":        strconv.Itoa(int(p.ReadinessPeriodSeconds)),
 		"global.proxy.readinessFailureThreshold":     strconv.Itoa(int(p.ReadinessFailureThreshold)),
 		"global.sds.enabled":                         strconv.FormatBool(p.SDSEnabled),
-		"global.sds.useTrustworthyJwt":               strconv.FormatBool(p.EnableSdsTokenMount),
 		"global.proxy.includeIPRanges":               p.IncludeIPRanges,
 		"global.proxy.excludeIPRanges":               p.ExcludeIPRanges,
 		"global.proxy.includeInboundPorts":           p.IncludeInboundPorts,
@@ -821,7 +819,7 @@ func intoObject(sidecarTemplate string, valuesConfig string, meshconfig *meshcon
 	// due to bug https://github.com/kubernetes/kubernetes/issues/57923,
 	// k8s sa jwt token volume mount file is only accessible to root user, not istio-proxy(the user that istio proxy runs as).
 	// workaround by https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
-	if meshconfig.EnableSdsTokenMount && meshconfig.SdsUdsPath != "" {
+	if meshconfig.SdsUdsPath != "" {
 		var grp = int64(1337)
 		podSpec.SecurityContext = &corev1.PodSecurityContext{
 			FSGroup: &grp,

diff --git a/pilot/pkg/kube/inject/inject_test.go b/pilot/pkg/kube/inject/inject_test.go
@@ -530,7 +530,6 @@ func TestIntoResourceFile(t *testing.T) {
 				ProxyImage:                   ProxyImageName(unitTestHub, unitTestTag, c.debugMode),
 				ImagePullPolicy:              "IfNotPresent",
 				SDSEnabled:                   false,
-				EnableSdsTokenMount:          false,
 				Verbosity:                    DefaultVerbosity,
 				SidecarProxyUID:              DefaultSidecarProxyUID,
 				Version:                      "12345678",

diff --git a/pilot/pkg/kube/inject/webhook.go b/pilot/pkg/kube/inject/webhook.go
@@ -567,7 +567,7 @@ func (wh *Webhook) inject(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionRespons
 	// due to bug https://github.com/kubernetes/kubernetes/issues/57923,
 	// k8s sa jwt token volume mount file is only accessible to root user, not istio-proxy(the user that istio proxy runs as).
 	// workaround by https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
-	if wh.meshConfig.EnableSdsTokenMount && wh.meshConfig.SdsUdsPath != "" {
+	if wh.meshConfig.SdsUdsPath != "" {
 		var grp = int64(1337)
 		pod.Spec.SecurityContext = &corev1.PodSecurityContext{
 			FSGroup: &grp,