@twitter June 14th 2022 - PowerPoint Presentation
Uploaded On 2024-02-02

Presentation Transcript

2. @twitter June 14th 2022
EMCO: CA Certificate Distribution
Igor DC, igor.duarte.cardoso@intel.com (On-site)
Eric Multanen, eric.w.multanen@intel.com
Subin John, subin.john@intel.com

3. Website: http://project-emco.io/
GitLab: https://gitlab.com/project-emco/core/emco-base
Wiki: https://wiki.lfnetworking.org/display/EMCO/Welcome+to+the+EMCO+Wiki

4. LF Networking
Agenda
- Problem statement
- EMCO solution
- EMCO solution components
- Sample solution flow
- Next steps

5. Architecture overview
(Diagram labels: Cluster Manager; Resource Synchronizer & Status Monitoring; Network Manager; K8s API; Azure Arc; Flux v2; Anthos; Platforms; Enterprise Edges; Edge & Network Clouds; Telco CO Edges; Pub/Pvt Clouds; GitOps Based Clouds; CLI/GUI; Distributed Cloud Manager; Application Config Manager; Distributed Application Management; Distributed Application Scheduler; Generic Action Controller; Hardware Platform Aware Placement Controller; Service Mesh Controller; OpenWRT Controller; SFC Controller; Temporal Controller; 5GFF EDS Placement controller (*); Cert Distribution Manager; Other plugins.)
Cert Distribution Manager: enrolls and distributes intermediate CA certificates to clusters added to EMCO, to allow for inter- and intra-cluster secure and authenticated cross-app communication.

6. EMCO Problem Statement
(Diagram: EMCO Cluster running EMCO; two Edge Clusters, each running Istio and EMCO monitor; App1, App3, App3 with sidecars (SC); links between clusters labelled mTLS.)
- EMCO deploys a Composite Application (App1, App2, App3) to some Edge Clusters.
- EMCO DTC intents were provided to configure Istio VirtualService and other Istio configuration entries so apps can communicate, both intra- and inter-cluster.
- If the Istio installations in the Edge Clusters do not have compatible CA certificates, then the apps will not be able to communicate via mTLS.
- mTLS: certificates in the sidecars in each cluster need a common root CA certificate.

7. EMCO Approach
- New controller (ca-certs) will prepare and distribute a compatible set of CA Certificates to an identified set of clusters.
- Two scenarios:
  - Update the default CA Certificate for the Istio Service mesh in a set of clusters.
  - Configure CA Certificates for specific namespaces for the Istio Service mesh in a set of clusters.
- Different EMCO Logical Clouds (a namespace across a set of clusters) can have different Istio CA Certificates.

8. EMCO Solution Components
- EMCO + (new) ca-certs controller
- cert-manager: use ClusterIssuer to provide certificates
- Istio: use cert-manager as certSigner
- KNCC: used to configure the Istio ConfigMap

9. EMCO ca-certs: Default Istio CA Certificates
CA Cert Intent API summary:
CA Cert Intent: cluster-provider/{name}/ca-certs
- identifies the Issuing Cluster and ClusterIssuer
- provides details for the CertificateRequests
ClusterGroup Intent: cluster-provider/{name}/ca-certs/{cert-intent}/clusters
- identifies clusters for the cluster provider by label or explicitly by name
CA Cert Lifecycle API summary:
Enrollment: cluster-provider/{name}/ca-certs/{cert-intent}/enrollment/[instantiate|terminate|update|status]
- prepares Intermediate CA Certificates for the identified set of edge clusters
Distribution: cluster-provider/{name}/ca-certs/{cert-intent}/distribution/[instantiate|terminate|update|status]
- distributes the CA Certificates to the edge clusters and configures Istio in the edge clusters to use them

10. EMCO ca-certs: Namespaced Istio CA Certificates
CA Cert Intent API summary:
CA Cert Intent: projects/{proj-name}/ca-certs
- identifies the Issuing Cluster and ClusterIssuer
- provides details for the CertificateRequests
Logical Cloud Intent: projects/{proj-name}/ca-certs/{cert-intent}/logical-clouds
- identifies a logical cloud
ClusterGroup Intent: projects/{proj-name}/ca-certs/{cert-intent}/logical-clouds/{lc-intent}/clusters
- identifies clusters within the logical cloud by label or explicitly by name
CA Cert Lifecycle API summary:
Enrollment: projects/{proj-name}/ca-certs/{cert-intent}/enrollment/[instantiate|terminate|update|status]
- prepares Intermediate CA Certificates for the identified set of edge clusters
Distribution: projects/{proj-name}/ca-certs/{cert-intent}/distribution/[instantiate|terminate|update|status]
- distributes the CA Certificates to the edge clusters and configures Istio in the edge clusters to use them

11. Cert-manager in the Edge Cluster
- Istio will be installed/configured to use cert-manager to provide certificates.
- This integration allows Istio to use multiple CA certificates, i.e. for different namespaces.
- Installed as:
  helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set featureGates="ExperimentalCertificateSigningRequestControllers=true" --set installCRDs=true

12. Istio in the Edge Cluster
- Istio 13.1 or greater
- Istio meshConfig is configured to use cert-manager ClusterIssuers as certSigners
- ProxyConfig resources can be created in namespaces to associate with specific certSigners

13. KNCC Controller
- Kubernetes Native ConfigMap Controller
- EMCO ecosystem project: kncc (master branch) under project-emco / ecosystem / K8sappconfig on GitLab
- EMCO will use this to update the Istio configmap when CA Cert configuration changes

14. EMCO Solution - Components Setup
(Diagram: EMCO Cluster running EMCO; Issuing Cluster running cert-manager with a Cluster Issuer and EMCO monitor; three Edge Clusters, each with cert-manager, Istio, EMCO monitor and EMCO KNCC installed.)
- A cert-manager ClusterIssuer is prepared with the root CA Cert chain.
- Logical Clouds are created with the Edge Clusters.
- Issuing Cluster and Edge Clusters are onboarded to EMCO (clm), labeled to indicate CA Certs support is present.

15. EMCO Solution – CA Cert Enrollment Step
(Diagram: EMCO Cluster running EMCO, EMCO rsync and EMCO ca-certs; Issuing Cluster with cert-manager, Cluster Issuer, EMCO monitor and three CertificateRequests; three Edge Clusters, each with cert-manager, Istio, EMCO monitor and EMCO KNCC.)
- Create a CA Cert Intent (the intent identifies the Issuing Cluster and ClusterIssuer)
- Add Logical Cloud(s)
- Add Cluster ID
- Instantiate the CA Cert Enrollment
- ca-certs prepares the Enrollment
- rsync deploys the Enrollment to the Issuing Cluster, creating CertificateRequests
- ClusterIssuer processes the CertificateRequest and updates status
- EMCO monitor updates rsync with CertificateRequest status
The ClusterIssuer will issue Intermediate CA Certificates to each CertificateRequest.

16. EMCO Solution – CA Cert Distribution Step
(Diagram: EMCO Cluster running EMCO, EMCO rsync and EMCO ca-certs; three Edge Clusters, each with cert-manager, Istio, EMCO monitor and EMCO KNCC, each receiving a Secret, Cluster Issuer, KNCC CR and ProxyConfig.)
- Instantiate the CA Cert Distribution (checks if the status of the Enrollment is 'Ready')
- ca-certs prepares the Distribution (resources to be deployed to each Edge Cluster)
- rsync deploys the Distribution resources to the Edge Clusters
After the Distribution resources are deployed on the Edge Cluster:
- KNCC updates the Istio ConfigMap to identify the CA Cert to use for a given Signer (ClusterIssuer).
- ProxyConfig associates a Signer with a Namespace.

17. Timeline
- Initial ca-certs implementation is coming in release 22.06
- Further enhancements that take advantage of SGX enabled components will follow
(final slide)