Explore certificate management options and variations
Explore certificate management, both internal management and external tool integrations. Currently we use an internal CA. There are several options for integrating external tools, including SPIFFE/SPIRE, Let's Encrypt or Vault (the latter two via certmgr, for example).
The current certificate hierarchy is flat: the fabric/mesh CA signs the certificates of all site components (data, control, clients), i.e. (root) fabric CA -> (leaf) certificates.
- @orozery has suggested an alternative that introduces a site CA as well (which can be multi-use or single use and then regenerated when needed): (root) fabric CA -> (intermediate) Site CA -> (leaf) certificates. We can also validate that leaves are signed by the relevant site CA as extra validation.
- an extension of that would be to introduce a second intermediate for the site control plane. The final chain is: (root) fabric CA -> (intermediate) Site CA -> (intermediate) CP CA -> (leaf) certificates. Note that the Site and CP CAs can be combined if the Site CA is available to the CP. The advantage would be to allow generating per-workload certificates for dataplane communications instead of using a single dataplane certificate and communicating workload attributes out of band. The workload certificate can carry all attributes (via an x509 extension), perhaps simplifying the authorization flow. This is closer to the way Istio ambient mesh works.
Certificates can carry constraints (e.g., Key Usage). One relevant constraint that we may wish to exploit is Name Constraints, where a CA certificate includes a list of hosts, IPs or domains it is permitted to sign for. If a leaf certificate includes an identity or SAN that violates the name constraints of any CA in its chain, it is rejected by the client TLS library (assuming default verification is not bypassed).
This can be used with the root fabric CA (all sites share a DNS suffix, e.g., {name}.fabric, so the constraint is .{name}.fabric, with a leading dot) as well as for the intermediate Site CA (e.g., .{site}.peer.{name}.fabric).
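The following is an added example (not code from this project) that builds the two-level hierarchy described above with Go's `crypto/x509` and shows the name constraints being enforced on the verifier side. The fabric name `acme`, the site name `site1` and the host names are constructed for the example; the root carries the constraint `.acme.fabric` and the site CA `.site1.peer.acme.fabric`, both with the leading dot so the CA itself cannot claim the bare suffix.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed names for this example; real fabric/site names are deployment-specific.
const (
	fabricSuffix = ".acme.fabric"            // root fabric CA may only sign names under acme.fabric
	siteSuffix   = ".site1.peer.acme.fabric" // site CA may only sign names under its own site
)

// CA pairs a CA certificate with its private key.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// randomSerial returns a 128-bit random serial, as recommended for issued certificates.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// NewCA issues a CA certificate (self-signed when parent is nil) carrying a critical
// DNS name constraint: every SAN below this CA must fall under permittedSuffix.
func NewCA(cn, permittedSuffix string, parent *CA) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                serial,
		Subject:                     pkix.Name{CommonName: cn},
		NotBefore:                   time.Now().Add(-time.Minute),
		NotAfter:                    time.Now().Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{permittedSuffix},
	}
	signerCert, signerKey := tmpl, key // self-signed root
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// BuildHierarchy creates (root) fabric CA -> (intermediate) site CA, each with its constraint.
func BuildHierarchy() (root, site *CA, err error) {
	if root, err = NewCA("fabric CA", fabricSuffix, nil); err != nil {
		return nil, nil, err
	}
	if site, err = NewCA("site1 CA", siteSuffix, root); err != nil {
		return nil, nil, err
	}
	return root, site, nil
}

// IssueLeaf signs a leaf with one DNS SAN. The issuer signs any name it is asked to;
// the constraint is enforced by the relying party, not by the issuing code.
func IssueLeaf(dnsName string, issuer *CA) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.Cert, &key.PublicKey, issuer.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyLeaf does what a client's TLS library does by default: build a chain to the
// fabric root through the site CA and check every CA's name constraints along the way.
func VerifyLeaf(leaf *x509.Certificate, root, site *CA) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.Cert)
	inters.AddCert(site.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       leaf.DNSNames[0],
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsNameConstraintViolation reports whether err is the specific "CA not authorized
// for this name" failure, as opposed to an expiry, signature or unknown-authority error.
func IsNameConstraintViolation(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.CANotAuthorizedForThisName
}

func main() {
	root, site, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"control.site1.peer.acme.fabric", "control.site2.peer.acme.fabric"} {
		leaf, err := IssueLeaf(name, site)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: verify error = %v (name-constraint violation: %t)\n",
			name, VerifyLeaf(leaf, root, site), IsNameConstraintViolation(VerifyLeaf(leaf, root, site)))
	}
}
```

The second leaf carries a SAN under a different site; the site CA signs it without complaint, but `Verify` rejects the chain with `CANotAuthorizedForThisName` because the site CA's constraint does not cover that name. The same check applies one level up: a leaf issued directly by the root for a name outside `.acme.fabric` fails against the root's constraint.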
Some relevant links:
- Example usage from Go's crypto name constraints tests
- Blog post on a private CA with X.509 Name Constraints using OpenSSL
- Blog post on cross-signing with Name Constraints using Go