Control Plane (xDS Server - Envoy) Auth + Authz
This issue tracks how the data plane Envoy Proxy authenticates and authorizes with the xDS Server within Envoy Gateway.
@LukeShu I assigned this issue to you based on the 5/24/22 community meeting notes. Please unassign yourself if that's not the case.
xref https://github.com/envoyproxy/gateway/issues/97#issuecomment-1150602629 regarding how CP<>DP auth can be supported.
I think the relevant part of that comment is:
In terms of authenticating between the control plane and Envoy, Contour has solved this problem in the simple case, using an on-disk SDS for hot-reload of certificates, an install process that generates one-year validity certs for both Contour and Envoy, and updates them on each upgrade. The update is seamless because the secrets change "on disk", Envoy sees the SDS change, and then control plane connection is rebuilt in less than 30 seconds. Notably, because it uses Kubernetes Secrets as intended and can handle rotations whenever you're ready, it plugs in easily to Vault or other secret-management tools - the Secret admin just has to ensure that the Secrets are updated for both Envoy and Contour around the same time.
I think that Contour's solution here is pretty great (maybe I'm biased, lol), and will work well to allow secure xds-server <-> Envoy comms no matter what provider is in use (although for things that use localhost only, we can probably skip TLS).
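To make the Contour-style approach concrete, here is an added example (not Envoy Gateway's or Contour's own configuration) of an Envoy bootstrap that dials the xDS server over mutual TLS with its client certificate and trusted CA supplied by file-based SDS, followed by the two SDS resource files the bootstrap references. The cluster name, service address and port, file paths, secret names and the expected server SAN are assumptions chosen for illustration.

```yaml
# Added example, not Envoy Gateway's own bootstrap. Names, addresses, ports
# and paths are assumptions. Three YAML documents: the bootstrap, then the two
# SDS resource files it points at.
node:
  id: envoy-gateway-dataplane-example   # assumed
  cluster: envoy-gateway-example        # assumed
dynamic_resources:
  ads_config:
    api_type: GRPC
    transport_api_version: V3
    grpc_services:
      - envoy_grpc:
          cluster_name: xds_cluster
  cds_config:
    resource_api_version: V3
    ads: {}
  lds_config:
    resource_api_version: V3
    ads: {}
static_resources:
  clusters:
    - name: xds_cluster
      type: STRICT_DNS
      connect_timeout: 5s
      typed_extension_protocol_options:
        envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
          "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
          explicit_http_config:
            http2_protocol_options: {}   # xDS is gRPC, so the cluster must speak HTTP/2
      load_assignment:
        cluster_name: xds_cluster
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: envoy-gateway.envoy-gateway-system.svc.cluster.local  # assumed
                      port_value: 18000                                              # assumed
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          sni: envoy-gateway   # assumed; must match a SAN in the control plane's cert
          common_tls_context:
            # Client certificate presented to the xDS server (authenticates the data plane).
            tls_certificate_sds_secret_configs:
              - name: xds_client_cert
                sds_config:
                  resource_api_version: V3
                  path_config_source:
                    path: /sds/xds-client-cert.yaml   # assumed path
            # CA and expected identity used to verify the xDS server.
            validation_context_sds_secret_config:
              name: xds_trusted_ca
              sds_config:
                resource_api_version: V3
                path_config_source:
                  path: /sds/xds-trusted-ca.yaml      # assumed path
---
# /sds/xds-client-cert.yaml (assumed path). Points at the key pair mounted from a
# Kubernetes Secret; watched_directory lets Envoy notice the Secret volume's
# symlink swap and reload the files without a restart.
resources:
  - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
    name: xds_client_cert
    tls_certificate:
      certificate_chain:
        filename: /certs/envoy/tls.crt   # assumed mount path
      private_key:
        filename: /certs/envoy/tls.key   # assumed mount path
      watched_directory:
        path: /certs/envoy
---
# /sds/xds-trusted-ca.yaml (assumed path). Trusts the control plane's CA and pins
# the server's SAN so another workload's cert from the same CA is rejected.
resources:
  - "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
    name: xds_trusted_ca
    validation_context:
      trusted_ca:
        filename: /certs/envoy/ca.crt    # assumed mount path
      watched_directory:
        path: /certs/envoy
      match_typed_subject_alt_names:
        - san_type: DNS
          matcher:
            exact: envoy-gateway         # assumed server identity
```

The server side must mirror this: the xDS gRPC listener requires a client certificate, verifies it against the same CA, and ideally checks the client's SAN too, so a rogue process reaching the xDS port cannot pull configuration. Because both ends read their material from mounted Secrets and Envoy reloads on change, rotation is the workflow the comment above describes: update the Envoy and control plane Secrets close together and the connection rebuilds on the new certificates. For deployments where the xDS server is only reachable on localhost, the TLS transport socket can be dropped as the comment suggests.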
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
Not stale, just backlogged.
FYI @arkodg I'm going to take this work on.