Support IPsec Certificate-based Authentication

Introduce antrea-signer to sign CertificateSigningRequests requested
by Antrea Agents for IPsec authentication.

Signed-off-by: Xu Liu <xliu2@vmware.com>

build/charts/antrea/README.md

@@ -73,6 +73,9 @@ Kubernetes: `>= 1.16.0-0`
 | hostGateway | string | `"antrea-gw0"` | Name of the interface antrea-agent will create and use for host <-> Pod communication. |
 | image | object | `{"pullPolicy":"IfNotPresent","repository":"projects.registry.vmware.com/antrea/antrea-ubuntu","tag":"latest"}` | Container image to use for Antrea components. |
 | ipsec.psk | string | `"changeme"` | Preshared Key (PSK) for IKE authentication. It will be stored in a secret and passed to antrea-agent as an environment variable. |
+| ipsecCSRSigner.autoApprovePolicy | string | `"validateAgentPodName"` | Auto approve policy of Antrea signer |
+| ipsecCSRSigner.enable | bool | `false` |  |
+| ipsecCSRSigner.selfSignedCA | bool | `true` |  |
 | kubeAPIServerOverride | string | `""` | Address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. |
 | logVerbosity | int | `0` |  |
 | multicastInterfaces | list | `[]` | Names of the interfaces on Nodes that are used to forward multicast traffic. |

build/charts/antrea/conf/antrea-agent.conf

@@ -267,3 +267,12 @@ antreaProxy:
   # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
   proxyLoadBalancerIPs: {{ .proxyLoadBalancerIPs }}
 {{- end }}
+
+# ipsec specifies IPsec related configurations.
+ipsec:
+{{- with .Values.ipsec }}
+  # The authentication mode of IPsec tunnel. It has the following options:
+  # - psk (default): Use pre-shared key (PSK) for IKE authentication.
+  # - cert:          Use CA-signed certificates for IKE authentication.
+  authenticationMode: {{ .authenticationMode | quote }}
+{{- end }}

build/charts/antrea/conf/antrea-controller.conf

@@ -71,3 +71,25 @@ nodeIPAM:
   # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
   nodeCIDRMaskSizeIPv6: {{ .nodeCIDRMaskSizeIPv6 }}
 {{- end }}
+
+ipsecCSRSigner:
+{{- with .Values.ipsec }}
+  enable: {{ eq .csrSigner.autoApprovePolicy "cert" }}
+  # Enable the CSR signer controller within the Antrea controller.
+  # Determines the auto approval policy of Antrea CSR signer for IPsec certificates management.
+  # It has the following options:
+  # never:                          Controller will never auto-approve CertificateSingingRequests and they need
+  #                                 to be approved manually by `kubectl certificate approve`
+  # validateAgentPodName (default): Controller will auto-approve the CertificateSingingRequest if the requestor
+  #                                 can be validated. This ensures that each Agent can only request certificates
+  #                                 for its own Node. This requires K8s `BoundServiceAccountTokenVolume` feature
+  #                                 to be enabled.
+  # always:                         Controller will auto-approve the CertificateSingingRequest without checking
+  #                                 the identity of the requestor.
+  autoApprovePolicy: {{ .csrSigner.autoApprovePolicy | quote }}
+  # Indicates whether to use auto-generated self-signed CA certificate.
+  # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys:
+  #   tls.crt: <CA certificate>
+  #   tls.key: <CA private key>
+  selfSignedCA: {{ .csrSigner.selfSignedCA }}
+{{- end }}

build/charts/antrea/templates/agent/clusterrole.yaml

@@ -180,3 +180,17 @@ rules:
       - get
       - list
       - watch
+  {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+      - certificatesigningrequests
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - patch
+      - create
+      - delete
+  {{- end }}

build/charts/antrea/templates/agent/daemonset.yaml

@@ -205,6 +205,11 @@ spec:
           - name: host-var-run-antrea
             mountPath: /var/run/openvswitch
             subPath: openvswitch
+          {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+          - name: antrea-ipsec-ca
+            mountPath: /var/run/openvswitch/ca
+            readOnly: true
+          {{- end }}
           # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME.
           # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation.
           - name: host-var-run-antrea
@@ -305,6 +310,9 @@ spec:
           - name: host-var-log-antrea
             mountPath: /var/log/strongswan
             subPath: strongswan
+          - mountPath: /etc/ipsec.d/cacerts
+            name: antrea-ipsec-ca
+            readOnly: true
         {{- end }}
       volumes:
         - name: antrea-config
@@ -322,6 +330,11 @@ spec:
         - name: host-var-run-netns
           hostPath:
             path: /var/run/netns
+        {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+        - name: antrea-ipsec-ca
+          configMap:
+            name: antrea-ipsec-ca
+        {{- end }}
         - name: host-var-run-antrea
           hostPath:
             path: /var/run/antrea

build/charts/antrea/templates/controller/clusterrole.yaml

@@ -80,14 +80,32 @@ rules:
       - configmaps
     resourceNames:
       - antrea-ca
+      {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+      - antrea-ipsec-ca
+      {{- end }}
       - antrea-cluster-identity
     verbs:
       - get
       - update
+  {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - antrea-ipsec-ca
+    verbs:
+      - get
+      - update
+      - watch
+  {{- end }}
   - apiGroups:
       - ""
     resources:
       - configmaps
+      {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+      - secrets
+      {{- end }}
     verbs:
       - create
   - apiGroups:
@@ -128,6 +146,32 @@ rules:
     verbs:
       - get
       - update
+  {{- if eq .Values.trafficEncryptionMode "ipsec" }}
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+    - certificatesigningrequests
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+    - certificatesigningrequests/approval
+    - certificatesigningrequests/status
+    verbs:
+    - update
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+    - signers
+    resourceNames:
+    - antrea.io/ipsec
+    verbs:
+    - approve
+    - sign
+  {{- end }}
   - apiGroups:
       - crd.antrea.io
     resources:

build/charts/antrea/values.yaml

@@ -48,9 +48,17 @@ wireGuard:
   port: 51820
 
 ipsec:
+  # -- The authentication mode to use for IPsec. Must be one of "psk" or "cert". "cert" is recommended.
+  authenticationMode: "cert"
   # -- Preshared Key (PSK) for IKE authentication. It will be stored in a secret
   # and passed to antrea-agent as an environment variable.
   psk: "changeme"
+  # -- CSR signer configuration when the authenticationMode is "cert".
+  csrSigner:
+    # -- Auto approve policy of Antrea signer. Must be one of "validateAgentPodName", "never" or "always".
+    autoApprovePolicy: "validateAgentPodName"
+    # --- Whether or not to use auto-generated self-signed CA.
+    selfSignedCA: true
 
 egress:
   # -- CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.

build/yamls/antrea-aks.yml

@@ -302,6 +302,13 @@ data:
       # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
       # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
       proxyLoadBalancerIPs: true
+
+    # ipsec specifies IPsec related configurations.
+    ipsec:
+      # The authentication mode of IPsec tunnel. It has the following options:
+      # - psk (default): Use pre-shared key (PSK) for IKE authentication.
+      # - cert:          Use CA-signed certificates for IKE authentication.
+      authenticationMode: "cert"
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -394,6 +401,26 @@ data:
       # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
       # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
       nodeCIDRMaskSizeIPv6: 64
+
+    ipsecCSRSigner:
+      enable: false
+      # Enable the CSR signer controller within the Antrea controller.
+      # Determines the auto approval policy of Antrea CSR signer for IPsec certificates management.
+      # It has the following options:
+      # never:                          Controller will never auto-approve CertificateSingingRequests and they need
+      #                                 to be approved manually by `kubectl certificate approve`
+      # validateAgentPodName (default): Controller will auto-approve the CertificateSingingRequest if the requestor
+      #                                 can be validated. This ensures that each Agent can only request certificates
+      #                                 for its own Node. This requires K8s `BoundServiceAccountTokenVolume` feature
+      #                                 to be enabled.
+      # always:                         Controller will auto-approve the CertificateSingingRequest without checking
+      #                                 the identity of the requestor.
+      autoApprovePolicy: "validateAgentPodName"
+      # Indicates whether to use auto-generated self-signed CA certificate.
+      # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys:
+      #   tls.crt: <CA certificate>
+      #   tls.key: <CA private key>
+      selfSignedCA: true
 ---
 # Source: antrea/templates/crds/antreaagentinfo.yaml
 apiVersion: apiextensions.k8s.io/v1
@@ -3486,7 +3513,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4554a36b927c6e64fdbc53b4d4c64673d48c9c829ec444e3be6e699ade8481b6
+        checksum/config: 8ce7324ea85bc926a0047f6c42bacc22f8ab5761ade23003577571986314fa7d
       labels:
         app: antrea
         component: antrea-agent
@@ -3726,7 +3753,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4554a36b927c6e64fdbc53b4d4c64673d48c9c829ec444e3be6e699ade8481b6
+        checksum/config: 8ce7324ea85bc926a0047f6c42bacc22f8ab5761ade23003577571986314fa7d
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -302,6 +302,13 @@ data:
       # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
       # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
       proxyLoadBalancerIPs: true
+
+    # ipsec specifies IPsec related configurations.
+    ipsec:
+      # The authentication mode of IPsec tunnel. It has the following options:
+      # - psk (default): Use pre-shared key (PSK) for IKE authentication.
+      # - cert:          Use CA-signed certificates for IKE authentication.
+      authenticationMode: "cert"
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -394,6 +401,26 @@ data:
       # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
       # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
       nodeCIDRMaskSizeIPv6: 64
+
+    ipsecCSRSigner:
+      enable: false
+      # Enable the CSR signer controller within the Antrea controller.
+      # Determines the auto approval policy of Antrea CSR signer for IPsec certificates management.
+      # It has the following options:
+      # never:                          Controller will never auto-approve CertificateSingingRequests and they need
+      #                                 to be approved manually by `kubectl certificate approve`
+      # validateAgentPodName (default): Controller will auto-approve the CertificateSingingRequest if the requestor
+      #                                 can be validated. This ensures that each Agent can only request certificates
+      #                                 for its own Node. This requires K8s `BoundServiceAccountTokenVolume` feature
+      #                                 to be enabled.
+      # always:                         Controller will auto-approve the CertificateSingingRequest without checking
+      #                                 the identity of the requestor.
+      autoApprovePolicy: "validateAgentPodName"
+      # Indicates whether to use auto-generated self-signed CA certificate.
+      # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys:
+      #   tls.crt: <CA certificate>
+      #   tls.key: <CA private key>
+      selfSignedCA: true
 ---
 # Source: antrea/templates/crds/antreaagentinfo.yaml
 apiVersion: apiextensions.k8s.io/v1
@@ -3486,7 +3513,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4554a36b927c6e64fdbc53b4d4c64673d48c9c829ec444e3be6e699ade8481b6
+        checksum/config: 8ce7324ea85bc926a0047f6c42bacc22f8ab5761ade23003577571986314fa7d
       labels:
         app: antrea
         component: antrea-agent
@@ -3728,7 +3755,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4554a36b927c6e64fdbc53b4d4c64673d48c9c829ec444e3be6e699ade8481b6
+        checksum/config: 8ce7324ea85bc926a0047f6c42bacc22f8ab5761ade23003577571986314fa7d
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -302,6 +302,13 @@ data:
       # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
       # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
       proxyLoadBalancerIPs: true
+
+    # ipsec specifies IPsec related configurations.
+    ipsec:
+      # The authentication mode of IPsec tunnel. It has the following options:
+      # - psk (default): Use pre-shared key (PSK) for IKE authentication.
+      # - cert:          Use CA-signed certificates for IKE authentication.
+      authenticationMode: "cert"
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -394,6 +401,26 @@ data:
       # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
       # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
       nodeCIDRMaskSizeIPv6: 64
+
+    ipsecCSRSigner:
+      enable: false
+      # Enable the CSR signer controller within the Antrea controller.
+      # Determines the auto approval policy of Antrea CSR signer for IPsec certificates management.
+      # It has the following options:
+      # never:                          Controller will never auto-approve CertificateSingingRequests and they need
+      #                                 to be approved manually by `kubectl certificate approve`
+      # validateAgentPodName (default): Controller will auto-approve the CertificateSingingRequest if the requestor
+      #                                 can be validated. This ensures that each Agent can only request certificates
+      #                                 for its own Node. This requires K8s `BoundServiceAccountTokenVolume` feature
+      #                                 to be enabled.
+      # always:                         Controller will auto-approve the CertificateSingingRequest without checking
+      #                                 the identity of the requestor.
+      autoApprovePolicy: "validateAgentPodName"
+      # Indicates whether to use auto-generated self-signed CA certificate.
+      # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys:
+      #   tls.crt: <CA certificate>
+      #   tls.key: <CA private key>
+      selfSignedCA: true
 ---
 # Source: antrea/templates/crds/antreaagentinfo.yaml
 apiVersion: apiextensions.k8s.io/v1
@@ -3486,7 +3513,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: edef4c00e4f28a10dc1e077086ef68641a9a3b53d0fe7d47ff3dafc2ce5d5c9b
+        checksum/config: 239eaaf25580fabdd67f8b425d86822b68d0bd13a46d75e28241c8d6721930f7
       labels:
         app: antrea
         component: antrea-agent
@@ -3726,7 +3753,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: edef4c00e4f28a10dc1e077086ef68641a9a3b53d0fe7d47ff3dafc2ce5d5c9b
+        checksum/config: 239eaaf25580fabdd67f8b425d86822b68d0bd13a46d75e28241c8d6721930f7
       labels:
         app: antrea
         component: antrea-controller