Comments (14)
Hi @snovak7, I want to implement this feature.
If I'm not mistaken, the ECC you mentioned refers to Elliptic Curve Cryptography, right?
The keypair that I generated according to this article https://www.scottbrady91.com/openssl/creating-elliptical-curve-keys-using-openssl should be the same as what you're using, correct?
from cilium.
@chaunceyjiang I think it is. Like in cert-manager at https://cert-manager.io/docs/faq/#is-ecc-elliptic-curve-cryptography-supported and https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificatePrivateKey which can currently be RSA, ECDSA or Ed25519.
Can you post an example configuration and the resulting output? I'd like to know exactly where the rejection is happening.
Well, in my scenario the certificate is a Cloudflare Origin certificate, which is also generated on their side.
https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/
-----BEGIN PRIVATE KEY-----
...ECC or RSA DATA...
-----END PRIVATE KEY-----
Both ECC and RSA keys have the ASCII guard line 'BEGIN PRIVATE KEY', so you cannot distinguish them easily, except by the size of the data between the begin and end lines.
While inspecting the ECC key
openssl ec -in key.pem -inform PEM -noout -text
we get some metadata from the key:
read EC key
Private-Key: (256 bit)
priv:
[redacted]
pub:
[omitted]
ASN1 OID: prime256v1
NIST CURVE: P-256
When I got the key, along with the certificate, I installed the TLS secret and used it in the Gateway CRD on a listener:
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: api
  namespace: hosting-system
spec:
  gatewayClassName: cilium
  listeners:
  - name: api-secure
    protocol: HTTPS
    port: 443
    tls:
      certificateRefs:
      - kind: Secret
        name: api-secret
    allowedRoutes:
      namespaces:
        from: All
In the next steps I also included the CA chain (one additional cert with the pair), but it had the same effect.
The Gateway CRD resource status reported InvalidCertificateRef, and as a result no routes were mounted.
Hope this helps!
@rgl Got it.
@chaunceyjiang ECDSA originally, while Ed25519 is also in the ECC family.
Could it be related to the below check?
cilium/operator/pkg/gateway-api/gateway_reconcile.go
Lines 514 to 527 in 0390689
Could it be related to the below check?
I believe so.
Well, in my scenario the certificate is a Cloudflare Origin certificate, which is also generated on their side.
https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/
-----BEGIN PRIVATE KEY-----
...ECC or RSA DATA...
-----END PRIVATE KEY-----
Is your ECC private key still starting with -----BEGIN PRIVATE KEY-----?
Why does my ECC key start with -----BEGIN EC PRIVATE KEY-----?
# openssl ec -in private-key.pem -inform PEM -noout -text
read EC key
Private-Key: (256 bit)
priv:
f4:d3:12:8f:b8:d2:27:48:a6:a2:a4:fc:a8:98:c1:
6d:90:59:18:a5:3a:10:40:8b:c1:a9:f2:ec:c1:c5:
2f:f8
pub:
04:db:61:e1:be:5e:03:4d:f7:d9:38:ef:fd:47:5b:
e2:37:99:e6:f5:88:9f:a6:95:1b:de:4b:ba:94:51:
c1:3a:61:0a:ac:62:3b:29:c4:d8:07:42:ea:35:0b:
2a:18:ca:81:f4:c4:6f:73:ca:9e:51:a6:7f:54:a6:
1a:7c:09:0a:2d
ASN1 OID: prime256v1
NIST CURVE: P-256
# cat private-key.pem
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPTTEo+40idIpqKk/KiYwW2QWRilOhBAi8Gp8uzBxS/4oAoGCCqGSM49
AwEHoUQDQgAE22Hhvl4DTffZOO/9R1viN5nm9YifppUb3ku6lFHBOmEKrGI7KcTY
B0LqNQsqGMqB9MRvc8qeUaZ/VKYafAkKLQ==
-----END EC PRIVATE KEY-----
@chaunceyjiang see https://security.stackexchange.com/a/84331
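Added example, not from the thread and not Cilium code: a small Go program showing what the two PEM labels discussed above actually tell you. A SEC1 "EC PRIVATE KEY" block is always an EC key, while a PKCS#8 "PRIVATE KEY" block can wrap ECDSA, RSA or Ed25519; but its DER payload carries an algorithm OID, so x509.ParsePKCS8PrivateKey identifies the key type from the contents rather than from the block size. The sample keys are generated in-process (no files on disk), and KeyInfo, ClassifyPrivateKey and SamplePEMs are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// KeyInfo is what this example reports about one PEM private-key block.
type KeyInfo struct {
	PEMType   string // BEGIN label: "EC PRIVATE KEY" or "PRIVATE KEY"
	Encoding  string // container format: "SEC1" or "PKCS#8"
	Algorithm string // "ECDSA", "RSA" or "Ed25519"
	Detail    string // curve name for EC keys, modulus size for RSA
}

// ClassifyPrivateKey decodes the first PEM block in data and reports the container
// encoding (from the label) and the algorithm (from the DER). A PKCS#8 "BEGIN PRIVATE
// KEY" block carries an algorithm OID, so the key type is read, not guessed from size.
func ClassifyPrivateKey(data []byte) (KeyInfo, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return KeyInfo{}, fmt.Errorf("no PEM block found")
	}
	info := KeyInfo{PEMType: block.Type}
	var key any
	var err error
	switch block.Type {
	case "EC PRIVATE KEY": // SEC1 (RFC 5915): always an EC key
		info.Encoding = "SEC1"
		key, err = x509.ParseECPrivateKey(block.Bytes)
	case "PRIVATE KEY": // PKCS#8: any algorithm, identified by its OID
		info.Encoding = "PKCS#8"
		key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	default: // e.g. PKCS#1 "RSA PRIVATE KEY" or encrypted blocks, not handled here
		return info, fmt.Errorf("unsupported PEM type %q", block.Type)
	}
	if err != nil {
		return info, fmt.Errorf("parsing %s: %w", block.Type, err)
	}
	switch k := key.(type) {
	case *ecdsa.PrivateKey: // Params().Name is "P-256" for OpenSSL's prime256v1
		info.Algorithm, info.Detail = "ECDSA", k.Curve.Params().Name
	case *rsa.PrivateKey:
		info.Algorithm, info.Detail = "RSA", fmt.Sprintf("%d bit", k.N.BitLen())
	case ed25519.PrivateKey:
		info.Algorithm, info.Detail = "Ed25519", "Curve25519"
	default:
		return info, fmt.Errorf("unexpected key type %T", key)
	}
	return info, nil
}

// SamplePEMs constructs test keys in-process (no files on disk): a P-256 key in both
// SEC1 and PKCS#8 encodings, plus an Ed25519 key, which exists only as PKCS#8 and so
// also starts with "BEGIN PRIVATE KEY".
func SamplePEMs() (sec1, pkcs8, ed []byte, err error) {
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	_, edKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	sec1DER, err := x509.MarshalECPrivateKey(ecKey)
	if err != nil {
		return nil, nil, nil, err
	}
	pkcs8DER, err := x509.MarshalPKCS8PrivateKey(ecKey)
	if err != nil {
		return nil, nil, nil, err
	}
	edDER, err := x509.MarshalPKCS8PrivateKey(edKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: sec1DER}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8DER}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: edDER}), nil
}

func main() {
	sec1, pkcs8, ed, err := SamplePEMs()
	if err != nil {
		panic(err)
	}
	for _, p := range [][]byte{sec1, pkcs8, ed} {
		info, err := ClassifyPrivateKey(p)
		fmt.Printf("%+v (err=%v)\n", info, err)
	}
}
```

Run it with go run and the P-256 key is reported as ECDSA/P-256 under both labels, while the Ed25519 key shares the "PRIVATE KEY" label but is identified from its OID; the same pem.Decode plus parse-by-label approach is what a loader has to do before it can decide whether a key algorithm is supported.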
@rgl Got it, thanks for your reply.
No matter whether I use private-key.pem or private-key-pkcs1.pem, my gateway always works properly.
Moreover, I also found that the tutorials provided in the official documentation seem to use ECDSA.
# kubectl create secret tls demo-cert --cert=cert.pem --key=private-key-pkcs1.pem
secret/demo-cert created
# kubectl get gateway
NAME          CLASS    ADDRESS       PROGRAMMED   AGE
tls-gateway   cilium   10.0.10.195   True         3h36m
# kubectl get gateway tls-gateway -oyaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  creationTimestamp: "2024-01-30T11:28:28Z"
  generation: 2
  name: tls-gateway
  namespace: default
  resourceVersion: "28348"
  uid: 1486d061-1587-4726-9833-50c76f8b680f
spec:
  gatewayClassName: cilium
  listeners:
  - allowedRoutes:
      namespaces:
        from: All
    hostname: bookinfo.daocloud.io
    name: https-1
    port: 443
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: demo-cert
      mode: Terminate
  - allowedRoutes:
      namespaces:
        from: All
    hostname: hipstershop.daocloid.io
    name: https-2
    port: 443
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: demo-cert
      mode: Terminate
status:
  addresses:
  - type: IPAddress
    value: 10.0.10.195
  conditions:
  - lastTransitionTime: "2024-01-30T14:41:01Z"
    message: Gateway successfully scheduled
    observedGeneration: 2
    reason: Accepted
    status: "True"
    type: Accepted
  - lastTransitionTime: "2024-01-30T14:41:02Z"
    message: Gateway successfully reconciled
    observedGeneration: 2
    reason: Programmed
    status: "True"
    type: Programmed
  listeners:
  - attachedRoutes: 1
    conditions:
    - lastTransitionTime: "2024-01-30T15:05:30Z"
      message: Listener Programmed
      observedGeneration: 2
      reason: Programmed
      status: "True"
      type: Programmed
    - lastTransitionTime: "2024-01-30T15:05:30Z"
      message: Listener Accepted
      observedGeneration: 2
      reason: Accepted
      status: "True"
      type: Accepted
    name: https-1
    supportedKinds:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
  - attachedRoutes: 0
    conditions:
    - lastTransitionTime: "2024-01-30T15:05:30Z"
      message: Listener Programmed
      observedGeneration: 2
      reason: Programmed
      status: "True"
      type: Programmed
    - lastTransitionTime: "2024-01-30T15:05:30Z"
      message: Listener Accepted
      observedGeneration: 2
      reason: Accepted
      status: "True"
      type: Accepted
    name: https-2
    supportedKinds:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
openssl ecparam -name prime256v1 -genkey -noout -out private-key.pem
openssl ec -in private-key.pem -pubout -out public-key.pem
openssl req -new -x509 -key private-key.pem -out cert.pem -days 360
openssl pkcs8 -topk8 -nocrypt -in private-key.pem -out private-key-pkcs1.pem
# openssl ec -in private-key.pem -inform PEM -noout -text
read EC key
Private-Key: (256 bit)
priv:
f4:d3:12:8f:b8:d2:27:48:a6:a2:a4:fc:a8:98:c1:
6d:90:59:18:a5:3a:10:40:8b:c1:a9:f2:ec:c1:c5:
2f:f8
pub:
04:db:61:e1:be:5e:03:4d:f7:d9:38:ef:fd:47:5b:
e2:37:99:e6:f5:88:9f:a6:95:1b:de:4b:ba:94:51:
c1:3a:61:0a:ac:62:3b:29:c4:d8:07:42:ea:35:0b:
2a:18:ca:81:f4:c4:6f:73:ca:9e:51:a6:7f:54:a6:
1a:7c:09:0a:2d
ASN1 OID: prime256v1
NIST CURVE: P-256
# cat private-key.pem
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPTTEo+40idIpqKk/KiYwW2QWRilOhBAi8Gp8uzBxS/4oAoGCCqGSM49
AwEHoUQDQgAE22Hhvl4DTffZOO/9R1viN5nm9YifppUb3ku6lFHBOmEKrGI7KcTY
B0LqNQsqGMqB9MRvc8qeUaZ/VKYafAkKLQ==
-----END EC PRIVATE KEY-----
# openssl ec -in private-key-pkcs1.pem -inform PEM -noout -text
read EC key
Private-Key: (256 bit)
priv:
f4:d3:12:8f:b8:d2:27:48:a6:a2:a4:fc:a8:98:c1:
6d:90:59:18:a5:3a:10:40:8b:c1:a9:f2:ec:c1:c5:
2f:f8
pub:
04:db:61:e1:be:5e:03:4d:f7:d9:38:ef:fd:47:5b:
e2:37:99:e6:f5:88:9f:a6:95:1b:de:4b:ba:94:51:
c1:3a:61:0a:ac:62:3b:29:c4:d8:07:42:ea:35:0b:
2a:18:ca:81:f4:c4:6f:73:ca:9e:51:a6:7f:54:a6:
1a:7c:09:0a:2d
ASN1 OID: prime256v1
NIST CURVE: P-256
# cat private-key-pkcs1.pem
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg9NMSj7jSJ0imoqT8
qJjBbZBZGKU6EECLwany7MHFL/ihRANCAATbYeG+XgNN99k47/1HW+I3meb1iJ+m
lRveS7qUUcE6YQqsYjspxNgHQuo1CyoYyoH0xG9zyp5Rpn9Uphp8CQot
-----END PRIVATE KEY-----
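Added example, not part of the thread and not Cilium's reconciler code: the check a TLS terminator performs when it loads a kubernetes.io/tls Secret, reproduced with Go's standard library. It builds in-process what the openssl commands above produce on disk (a P-256 key, a self-signed certificate, and the key in both SEC1 and PKCS#8 PEM form) and hands each cert/key pair to tls.X509KeyPair, which accepts either key encoding and rejects a key that does not match the certificate. SelfSignedP256 and ValidateTLSSecret are names chosen for this example, and the hostnames are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// SelfSignedP256 reproduces the openssl sequence from the thread in-process
// (constructed fixture, nothing read from disk): a P-256 key, a self-signed
// certificate for cn, and the key in SEC1 ("EC PRIVATE KEY") and PKCS#8
// ("PRIVATE KEY") PEM form.
func SelfSignedP256(cn string) (certPEM, sec1PEM, pkcs8PEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(360 * 24 * time.Hour), // same lifetime as -days 360
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, nil, err
	}
	sec1DER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, nil, err
	}
	pkcs8DER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: sec1DER}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8DER}), nil
}

// ValidateTLSSecret applies the check a TLS terminator performs when it loads
// a kubernetes.io/tls Secret: tls.crt and tls.key must both parse, and the key
// must match the leaf certificate's public key. tls.X509KeyPair accepts SEC1,
// PKCS#1 and PKCS#8 keys, so the PEM label alone is never a reason to reject.
// On success it returns the leaf's public-key algorithm name.
func ValidateTLSSecret(tlsCrt, tlsKey []byte) (string, error) {
	pair, err := tls.X509KeyPair(tlsCrt, tlsKey)
	if err != nil {
		return "", fmt.Errorf("secret rejected: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return "", err
	}
	return leaf.PublicKeyAlgorithm.String(), nil
}

func main() {
	crt, sec1, pkcs8, err := SelfSignedP256("gateway.example.test")
	if err != nil {
		panic(err)
	}
	for name, key := range map[string][]byte{"SEC1": sec1, "PKCS#8": pkcs8} {
		alg, err := ValidateTLSSecret(crt, key)
		fmt.Printf("%-6s key: alg=%s err=%v\n", name, alg, err)
	}
	// A key that does not belong to the certificate is rejected.
	_, _, otherKey, err := SelfSignedP256("other.example.test")
	if err != nil {
		panic(err)
	}
	_, err = ValidateTLSSecret(crt, otherKey)
	fmt.Println("mismatched key:", err)
}
```

Both encodings load as ECDSA; the only rejections come from unparsable input or a key that does not match the certificate, which is the failure a practitioner should look for when a Secret is reported as invalid.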
When was this fixed then? I am using version 1.14.4.
But what I am seeing is that changing the secret/cert doesn't refresh the Gateway API unless I make a change to the resource.
I would recommend testing it out with 1.15.0.
Tested, and it works with 1.15.1.