Mirrors
/
flux2
mirror of https://github.com/fluxcd/flux2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dependabot/go_modules/tests/integration/golang.org/x/net-0.36.0
rfc-multi-tenant-workload-identity
dependabot/github_actions/ci-256d05664c
release/v2.5.x
main
release/v2.4.x
remove-notation-validation
release/v2.3.x
rfc-flux-bootstrap-oci
release/v2.2.x
RFC
fix-commit-log
flux-audit
release/v2.1.x
context-ns
ksm-dashboard
rfc-passwordless-git-auth
release/v2.0.x
rfc-gating
release/v0.27.4
rfc-0003
rfc-0002
rfc-0001
prompt-for-tokens
encrypt-init-cmd
v2.5.1
v2.5.0
v2.4.0
v2.3.0
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.1
v2.0.0
v2.0.0-rc.5
v2.0.0-rc.4
v2.0.0-rc.3
v2.0.0-rc.2
v2.0.0-rc.1
v0.41.2
v0.40.0
v0.39.0
v0.38.2
v0.38.1
v0.38.0
v0.37.0
v0.36.0
v0.35.0
v0.34.0
v0.33.0
v0.32.0
v0.31.3
v0.31.2
v0.31.1
v0.31.0
v0.30.1
v0.28.2
v0.27.2
v0.27.1
v0.27.0
v0.26.3
v0.26.2
v0.26.1
v0.26.0
v0.25.3
v0.0.1
v0.0.1-alpha.1
v0.0.1-beta.1
v0.0.1-beta.2
v0.0.1-beta.3
v0.0.1-beta.4
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.16
v0.0.17
v0.0.18
v0.0.19
v0.0.2
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.10.0
v0.11.0
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.14.0
v0.14.1
v0.14.2
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.16.1
v0.16.2
v0.17.0
v0.17.1
v0.17.2
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.19.0
v0.19.1
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.20.0
v0.20.1
v0.21.0
v0.21.1
v0.22.0
v0.22.1
v0.23.0
v0.24.0
v0.24.1
v0.25.0
v0.25.1
v0.25.2
v0.27.3
v0.27.4
v0.28.0
v0.28.1
v0.28.3
v0.28.4
v0.28.5
v0.29.0
v0.29.1
v0.29.2
v0.29.3
v0.29.4
v0.29.5
v0.3.0
v0.30.0
v0.30.2
v0.31.4
v0.31.5
v0.38.3
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.40.1
v0.40.2
v0.41.0
v0.41.1
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.8.0
v0.8.1
v0.8.2
v0.9.0
v0.9.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9a71003f10'
${ noResults }
flux2/rfcs/0000-build-in-tls-support/README.md

5.0 KiB
Raw Blame History

RFC-NNNN Built-in TLS support for Source and Notification Controllers

Status: provisional

Creation date: 2022-12-05

Last update: 2022-12-05

Summary

Create built-in TLS support for both Source and Notification controllers, so that in-cluster cross-component communications are always encrypted.

Motivation

Due to internal company policies, Data Protection laws and regulations, Flux users may be required to enforce encryption of data whilst in-transit. As of v0.37.0, there is no built-in way to provide TLS for Flux' endpoints.

The existing endpoints being:

  1. Source Controller: artifacts storage, used by Kustomize and HelmRelease controllers.
  2. Notification Controller: events receivers, used by all other Flux components to submit events.
  3. Notification Controller: webhooks for external services to contact Flux.

The webhooks endpoing would be typically used for external use only, and in that use case the recommended approach is to enable TLS at ingress. However, this proposal covers the first two endpoints to allow always encrypted in-cluster communications.

Goals

  • Add TLS support for Notification and Source controllers.
  • Establish a migration process when enabling TLS on existing clusters.
  • Define best practices on enabling the feature.

Non-Goals

  • Change how CA trust is established across Flux containers.
  • Define TLS rotation mechanisms.

Proposal

Controllers hosting web servers will introduce a new flag to configure the TLS secret: --tls-secret. The Secret type must be kubernetes.io/tls.

Invalid secret types, or content, will cause the controller to fail to start.

Source Controller

When TLS is enabled, the File Storage endpoint will serve both HTTP and HTTPS. Existing source objects previously reconciled won't be patched to a new .status.artifact.url, but all new reconciliations will cause that field to start with https://.

The HTTP endpoint will only serve a permanent redirect (301) to the HTTPS endpoint, enabling a smooth transition when users enable this feature in existing clusters.

The HTTPS endpoint will be served on port 9443 by default, which will be configurable via new flag --storage-https-addr or environment variable STORAGE_HTTPS_ADDR. The existing source-controller service will bind port 443 to 9443.

Notification Controller

When TLS is enabled, the HTTP endpoints will be disabled.

Events endpoint

The events HTTPS endpoint will be served on port 9443 by default, which will be configurable via new flag --events-https-addr. The existing notification-controller service will bind port 443 to 9443.

All flux components will need to be started with the (existing) flag below, for the TLS only endpoint to be used: --events-addr=https://notification-controller.flux-system.svc.cluster.local./

User Stories

Alternatives

Delegate in-trasit data encryption to CNI or Service Mesh

Instead of built-in support, it was considered the option of delegating this to external components that support the enablement of end-to-end encryption via TLS or mTLS. One of the issues with this approach is that the data would still come out of Flux unencrypted, and therefore privileged co-located components in the same worker node could be privy to the exchanged plain-text.

Another point considered for not pursuing this alternative was that, being one of the first workloads inside a cluster, Flux should be self-reliant in assuring the confidentiality and integrity of its communications.

Auto-detection of TLS events endpoint

Instead of having to change the --event-addr on each Flux component, an auto detection mechanism could be implemented to prefer the TLS endpoint whenever the notification controller's service has one working.

The challenge with such approach is that the security of cross component communication would be non deterministic from a client perspective, and would depend on the Notification controller having an active TLS endpoint at the time in which each Flux component started. The current approach requires additional configuration, but fails safe.

Design Details

TLS Versions and Ciphers Supported

For reduced complexity and increased security, only TLS 1.3 is supported.

Detect TLS Certificate changes

Controllers will watch the TLS secret for changes, once detected it will trigger a pod restart to refresh the certificates being used.

Expand TLS support for the webhooks endpoint

The TLS support could be expanded to the Notification controller webhooks endpoint to enable secure in-cluster communications.

Implementation History