Support IPsec Certificate-based Authentication

Introduce antrea-signer to sign CertificateSigningRequests requested
by Antrea Agents for IPsec authentication.

Signed-off-by: Xu Liu <xliu2@vmware.com>

build/charts/antrea/README.md

@@ -73,6 +73,9 @@ Kubernetes: `>= 1.16.0-0`
 | hostGateway | string | `"antrea-gw0"` | Name of the interface antrea-agent will create and use for host <-> Pod communication. |
 | image | object | `{"pullPolicy":"IfNotPresent","repository":"projects.registry.vmware.com/antrea/antrea-ubuntu","tag":"latest"}` | Container image to use for Antrea components. |
 | ipsec.psk | string | `"changeme"` | Preshared Key (PSK) for IKE authentication. It will be stored in a secret and passed to antrea-agent as an environment variable. |
+| ipsecSigner.autoApprovePolicy | string | `"validateAgentPodName"` | Auto approve policy of Antrea signer |
+| ipsecSigner.enable | bool | `false` |  |
+| ipsecSigner.selfSignedCA | bool | `true` |  |
 | kubeAPIServerOverride | string | `""` | Address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. |
 | logVerbosity | int | `0` |  |
 | multicastInterfaces | list | `[]` | Names of the interfaces on Nodes that are used to forward multicast traffic. |

build/charts/antrea/conf/antrea-controller.conf

@@ -71,3 +71,25 @@ nodeIPAM:
   # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
   nodeCIDRMaskSizeIPv6: {{ .nodeCIDRMaskSizeIPv6 }}
 {{- end }}
+
+ipsecSigner:
+{{- with .Values.ipsecSigner }}
+  # Enable the signer controller within the Antrea controller.
+  enable: {{ .enable }}
+  # Determines the auto approval policy of Antrea signer for IPsec certificates management.
+  # It has the following options:
+  # never:                          Controller will never auto-approve CertificateSingingRequests and they need
+  #                                 to be approved manually by `kubectl certificate approve`
+  # validateAgentPodName (default): Controller will auto-approve the CertificateSingingRequest if the creator can
+  #                                 be validated. This ensures that each Agent can only request certificates for
+  #                                 its own Node. This requires `BoundServiceAccountTokenVolume` feature to
+  #                                 be enabled.
+  # always:                         Controller will auto-approve the CertificateSingingRequest without checking
+  #                                 the identity of the creator.
+  autoApprovePolicy: {{ .autoApprovePolicy | quote }}
+  # Indicates whether to use auto-generated self-signed CA certificate.
+  # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys:
+  #   ca.crt: <CA certificate>
+  #   ca.key: <CA private key>
+  selfSignedCA: {{ .selfSignedCA }}
+{{- end }}

build/charts/antrea/templates/agent/clusterrole.yaml

@@ -180,3 +180,17 @@ rules:
       - get
       - list
       - watch
+  {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+      - certificatesigningrequests
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - patch
+      - create
+      - delete
+  {{- end }}

build/charts/antrea/templates/agent/daemonset.yaml

@@ -205,6 +205,11 @@ spec:
           - name: host-var-run-antrea
             mountPath: /var/run/openvswitch
             subPath: openvswitch
+          {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+          - name: antrea-ipsec-ca
+            mountPath: /var/run/openvswitch/ca
+            readOnly: true
+          {{- end }}
           # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME.
           # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation.
           - name: host-var-run-antrea
@@ -305,6 +310,9 @@ spec:
           - name: host-var-log-antrea
             mountPath: /var/log/strongswan
             subPath: strongswan
+          - mountPath: /etc/ipsec.d/cacerts
+            name: antrea-ipsec-ca
+            readOnly: true
         {{- end }}
       volumes:
         - name: antrea-config
@@ -322,6 +330,11 @@ spec:
         - name: host-var-run-netns
           hostPath:
             path: /var/run/netns
+        {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+        - name: antrea-ipsec-ca
+          configMap:
+            name: antrea-ipsec-ca
+        {{- end }}
         - name: host-var-run-antrea
           hostPath:
             path: /var/run/antrea

build/charts/antrea/templates/controller/clusterrole.yaml

@@ -80,14 +80,32 @@ rules:
       - configmaps
     resourceNames:
       - antrea-ca
+      {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+      - antrea-ipsec-ca
+      {{- end }}
       - antrea-cluster-identity
     verbs:
       - get
       - update
+  {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - antrea-ipsec-ca
+    verbs:
+      - get
+      - update
+      - watch
+  {{- end }}
   - apiGroups:
       - ""
     resources:
       - configmaps
+      {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+      - secrets
+      {{- end }}
     verbs:
       - create
   - apiGroups:
@@ -128,6 +146,32 @@ rules:
     verbs:
       - get
       - update
+  {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+    - certificatesigningrequests
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+    - certificatesigningrequests/approval
+    - certificatesigningrequests/status
+    verbs:
+    - update
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+    - signers
+    resourceNames:
+    - antrea.io/signer
+    verbs:
+    - approve
+    - sign
+  {{- end }}
   - apiGroups:
       - crd.antrea.io
     resources:

build/charts/antrea/values.yaml

@@ -89,6 +89,12 @@ nodeIPAM:
   # -- Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster.
   nodeCIDRMaskSizeIPv6: 64
 
+ipsecSigner:
+  # -- Auto approve policy of Antrea signer
+  autoApprovePolicy: "validateAgentPodName"
+  enable: false
+  selfSignedCA: true
+
 # -- Address of Kubernetes apiserver, to override any value provided in
 # kubeconfig or InClusterConfig.
 kubeAPIServerOverride: ""

build/yamls/antrea-aks.yml

@@ -394,6 +394,26 @@ data:
       # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
       # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
       nodeCIDRMaskSizeIPv6: 64
+
+    ipsecSigner:
+      # Enable the signer controller within the Antrea controller.
+      enable: false
+      # Determines the auto approval policy of Antrea signer for IPsec certificates management.
+      # It has the following options:
+      # never:                          Controller will never auto-approve CertificateSingingRequests and they need
+      #                                 to be approved manually by `kubectl certificate approve`
+      # validateAgentPodName (default): Controller will auto-approve the CertificateSingingRequest if the creator can
+      #                                 be validated. This ensures that each Agent can only request certificates for
+      #                                 its own Node. This requires `BoundServiceAccountTokenVolume` feature to
+      #                                 be enabled.
+      # always:                         Controller will auto-approve the CertificateSingingRequest without checking
+      #                                 the identity of the creator.
+      autoApprovePolicy: "validateAgentPodName"
+      # Indicates whether to use auto-generated self-signed CA certificate.
+      # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys:
+      #   ca.crt: <CA certificate>
+      #   ca.key: <CA private key>
+      selfSignedCA: true
 ---
 # Source: antrea/templates/crds/antreaagentinfo.yaml
 apiVersion: apiextensions.k8s.io/v1
@@ -3486,7 +3506,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4554a36b927c6e64fdbc53b4d4c64673d48c9c829ec444e3be6e699ade8481b6
+        checksum/config: dd6b34730b68c2f4159c567a8f97011dade5d9b566537a8120c1ddb7f845af98
       labels:
         app: antrea
         component: antrea-agent
@@ -3726,7 +3746,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4554a36b927c6e64fdbc53b4d4c64673d48c9c829ec444e3be6e699ade8481b6
+        checksum/config: dd6b34730b68c2f4159c567a8f97011dade5d9b566537a8120c1ddb7f845af98
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -394,6 +394,26 @@ data:
       # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
       # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
       nodeCIDRMaskSizeIPv6: 64
+
+    ipsecSigner:
+      # Enable the signer controller within the Antrea controller.
+      enable: false
+      # Determines the auto approval policy of Antrea signer for IPsec certificates management.
+      # It has the following options:
+      # never:                          Controller will never auto-approve CertificateSingingRequests and they need
+      #                                 to be approved manually by `kubectl certificate approve`
+      # validateAgentPodName (default): Controller will auto-approve the CertificateSingingRequest if the creator can
+      #                                 be validated. This ensures that each Agent can only request certificates for
+      #                                 its own Node. This requires `BoundServiceAccountTokenVolume` feature to
+      #                                 be enabled.
+      # always:                         Controller will auto-approve the CertificateSingingRequest without checking
+      #                                 the identity of the creator.
+      autoApprovePolicy: "validateAgentPodName"
+      # Indicates whether to use auto-generated self-signed CA certificate.
+      # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys:
+      #   ca.crt: <CA certificate>
+      #   ca.key: <CA private key>
+      selfSignedCA: true
 ---
 # Source: antrea/templates/crds/antreaagentinfo.yaml
 apiVersion: apiextensions.k8s.io/v1
@@ -3486,7 +3506,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4554a36b927c6e64fdbc53b4d4c64673d48c9c829ec444e3be6e699ade8481b6
+        checksum/config: dd6b34730b68c2f4159c567a8f97011dade5d9b566537a8120c1ddb7f845af98
       labels:
         app: antrea
         component: antrea-agent
@@ -3728,7 +3748,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4554a36b927c6e64fdbc53b4d4c64673d48c9c829ec444e3be6e699ade8481b6
+        checksum/config: dd6b34730b68c2f4159c567a8f97011dade5d9b566537a8120c1ddb7f845af98
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -394,6 +394,26 @@ data:
       # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
       # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
       nodeCIDRMaskSizeIPv6: 64
+
+    ipsecSigner:
+      # Enable the signer controller within the Antrea controller.
+      enable: false
+      # Determines the auto approval policy of Antrea signer for IPsec certificates management.
+      # It has the following options:
+      # never:                          Controller will never auto-approve CertificateSingingRequests and they need
+      #                                 to be approved manually by `kubectl certificate approve`
+      # validateAgentPodName (default): Controller will auto-approve the CertificateSingingRequest if the creator can
+      #                                 be validated. This ensures that each Agent can only request certificates for
+      #                                 its own Node. This requires `BoundServiceAccountTokenVolume` feature to
+      #                                 be enabled.
+      # always:                         Controller will auto-approve the CertificateSingingRequest without checking
+      #                                 the identity of the creator.
+      autoApprovePolicy: "validateAgentPodName"
+      # Indicates whether to use auto-generated self-signed CA certificate.
+      # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys:
+      #   ca.crt: <CA certificate>
+      #   ca.key: <CA private key>
+      selfSignedCA: true
 ---
 # Source: antrea/templates/crds/antreaagentinfo.yaml
 apiVersion: apiextensions.k8s.io/v1
@@ -3486,7 +3506,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: edef4c00e4f28a10dc1e077086ef68641a9a3b53d0fe7d47ff3dafc2ce5d5c9b
+        checksum/config: beae75e2e51b9f980bafdb2974b763444c4ce48eafabffd91a363166d9bf6024
       labels:
         app: antrea
         component: antrea-agent
@@ -3726,7 +3746,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: edef4c00e4f28a10dc1e077086ef68641a9a3b53d0fe7d47ff3dafc2ce5d5c9b
+        checksum/config: beae75e2e51b9f980bafdb2974b763444c4ce48eafabffd91a363166d9bf6024
       labels:
         app: antrea
         component: antrea-controller