openfaas / faas-netes

Serverless Functions For Kubernetes
https://www.openfaas.com
MIT License

[Bug] Errors when installing with Istio mTLS enabled #645

Closed dustbort closed 3 years ago

dustbort commented 4 years ago

Expected Behaviour

kubectl apply -f openfaas.yaml should run without errors

Current Behaviour

kubectl apply -f openfaas.yaml outputs errors: unable to recognize "openfaas.yaml": no matches for kind "Policy" in version "authentication.istio.io/v1alpha1"

Possible Solution

It seems that Istio policy enforcement is deprecated, so this helm chart may need to be updated to be compatible with Istio. https://istio.io/docs/tasks/policy-enforcement/

Steps to Reproduce (for bugs)

istioctl install --set profile=demo

kubectl apply -n istio-system -f - <<EOF
---
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
spec:
  mtls:
    mode: STRICT
---
EOF

helm repo add openfaas https://openfaas.github.io/faas-netes/

helm repo update

kubectl apply -f https://raw.githubusercontent.com/openfaas/faas-netes/master/namespaces.yml

git clone https://github.com/openfaas/faas-netes.git
cd faas-netes

PASSWORD=$(head -c 24 /dev/urandom | base64)

kubectl -n openfaas create secret generic basic-auth \
  --from-literal=basic-auth-user=admin \
  --from-literal=basic-auth-password="$PASSWORD"

helm template openfaas chart/openfaas/ \
  --namespace openfaas \
  --set exposeServices=false \
  --set basic_auth=true \
  --set functionNamespace=openfaas-fn \
  --set faasnetes.httpProbe=false \
  --set httpProbe=false \
  --set istio.mtls=true \
  > openfaas.yaml

kubectl apply -f openfaas.yaml

Context

I want to enable mTLS for mesh security so that I can host functions written by external parties and prevent them from snooping network traffic.

Your Environment

CLI: commit: f7c29ea19b5df9d7aa87e9c70aacf4d9315da2cd version: 0.12.4


* Docker version `docker version` (e.g. Docker 17.0.05 ):

Client:
 Version:           19.03.11-ce
 API version:       1.40
 Go version:        go1.14.3
 Git commit:        42e35e61f3
 Built:             Tue Jun 2 15:09:26 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          19.03.10-ce
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.14.3
  Git commit:       9424aeaee9
  Built:            Fri May 29 11:14:15 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.3.4.m
  GitCommit:        d76c121f76a5fc8a462dc64594aea72fe18e1178.m
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683


* What version and distribution of Kubernetes are you using? `kubectl version`

Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"archive", BuildDate:"2020-05-22T20:04:08Z", GoVersion:"go1.14.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.5+k3s1", GitCommit:"58ebdb2a2ec5318ca40649eb7bd31679cb679f71", GitTreeState:"clean", BuildDate:"2020-05-06T23:43:23Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}


* Operating System and version (e.g. Linux, Windows, MacOS):

Kernel       : Linux 5.4.43-1-MANJARO (x86_64)
Version      : #1 SMP PREEMPT Wed May 27 20:25:12 UTC 2020
C Library    : GNU C Library / (GNU libc) 2.31
Distribution : Manjaro Linux


* Link to your project or a code example to reproduce issue:

Code given above.

I'm new to Istio and I can't find anything stating why Policy wouldn't be recognized. I can't find any CRD needed for Policy to work. Note that the Istio docs that refer to Policy are marked as deprecated: https://istio.io/docs/tasks/policy-enforcement/enabling-policy/
They state that the demo profile (used in the above code sample) has policy checks enabled by default. I also tried using the default profile and enabling policy checks, but I get the same errors.

istioctl install \
  --set addonComponents.grafana.enabled=true \
  --set meshConfig.disablePolicyChecks=false \
  --set values.pilot.policy.enabled=true



* What network driver are you using and what CIDR? i.e. Weave net / Flannel

Whatever k3d uses

Swibon96 commented 3 years ago

I am hitting this issue, too. Have you solved it yet?

munjalpatel commented 3 years ago

Same here, I replaced Istio Policies with PeerAuthentication as below but the openfaas gateway keeps failing.

Istio PeerAuthentication

# Source: openfaas/templates/istio-mtls.yaml
# enforce mTLS to openfaas control plane
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: openfaas
spec:
  mtls:
    mode: STRICT
---
# Source: openfaas/templates/istio-mtls.yaml
# enforce mTLS to functions
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: openfaas-fn
spec:
  mtls:
    mode: STRICT

openfaas gateway logs

&{0xc00008d1a0}
2020/11/03 17:55:23 HTTP Read Timeout: 1m5s
2020/11/03 17:55:23 HTTP Write Timeout: 1m5s
2020/11/03 17:55:23 Binding to external function provider: http://127.0.0.1:8081/
2020/11/03 17:55:23 Async enabled: Using NATS Streaming.
2020/11/03 17:55:23 Opening connection to nats://nats.openfaas.svc.cluster.local:4222
2020/11/03 17:55:23 Connect: nats://nats.openfaas.svc.cluster.local:4222
2020/11/03 17:55:25 read tcp 10.10.36.117:58768->10.10.10.145:4222: i/o timeout

openfaas queue-worker logs

Loading basic authentication credentials
Starting queue-worker. Version: 0.11.2  Git Commit: de4adf202a38a031701f0bb698c1ea3b202ca93e
Connect: nats://nats.openfaas.svc.cluster.local:4222
can't connect to nats://nats.openfaas.svc.cluster.local:4222: read tcp 10.10.33.254:59962->10.10.10.145:4222: i/o timeout
panic: can't connect to nats://nats.openfaas.svc.cluster.local:4222: read tcp 10.10.33.254:59962->10.10.10.145:4222: i/o timeout
goroutine 1 [running]:
log.Panic(0xc000111da8, 0x1, 0x1)
    /usr/local/go/src/log/log.go:338 +0xac
main.main()
    /go/src/github.com/openfaas/nats-queue-worker/main.go:212 +0x6a3

cc: @stefanprodan @alexellis
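A pre-apply check for the migration discussed in this issue and in the comment above, added here as an example that is not part of faas-netes or of this thread: it walks a rendered manifest (such as the openfaas.yaml produced by helm template), flags documents that still use the removed authentication.istio.io/v1alpha1 Policy kind, and reports namespaces that are not covered by a PeerAuthentication with mtls.mode STRICT. The regex field extraction and the constructed SAMPLE manifest are assumptions of this example, not chart output.

```python
import re

# Istio removed the v1alpha1 authentication Policy/MeshPolicy kinds, which is why
# kubectl apply reports 'no matches for kind "Policy"'; a namespace-wide mTLS
# requirement is now expressed as a security.istio.io/v1beta1 PeerAuthentication.
DEPRECATED = {("authentication.istio.io/v1alpha1", "Policy"),
              ("authentication.istio.io/v1alpha1", "MeshPolicy")}
PEER_AUTH = ("security.istio.io/v1beta1", "PeerAuthentication")


def _field(doc: str, key: str, indent: str = "") -> str:
    """Value of a 'key: value' line at the given indentation, quotes stripped."""
    m = re.search(rf"(?m)^{indent}{key}:[ \t]*(.+?)[ \t]*$", doc)
    return m.group(1).strip("\"'") if m else ""


def check_manifest(manifest: str, namespaces: list) -> dict:
    """Flag documents using removed Istio kinds (kubectl rejects them, so the
    namespace never gets its mTLS requirement) and namespaces with no STRICT
    PeerAuthentication.  Assumes metadata keys at 2-space, mtls.mode at 4-space indent."""
    deprecated, strict = [], set()
    for doc in re.split(r"(?m)^---[ \t]*$", manifest):
        if not doc.strip():
            continue
        ident = (_field(doc, "apiVersion"), _field(doc, "kind"))
        if ident in DEPRECATED:
            deprecated.append(f"{ident[1]}/{_field(doc, 'name', '  ')} ({ident[0]})")
        elif ident == PEER_AUTH and _field(doc, "mode", "    ") == "STRICT":
            strict.add(_field(doc, "namespace", "  "))
    return {"deprecated": deprecated,
            "missing_strict": [ns for ns in namespaces if ns not in strict]}


# Constructed sample: one document in the removed API (as the chart emitted when
# the issue was filed) plus a STRICT PeerAuthentication for openfaas only.
SAMPLE = """\
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: "openfaas"
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: openfaas
spec:
  mtls:
    mode: STRICT
"""
```

Running `check_manifest(SAMPLE, ["openfaas", "openfaas-fn"])` reports the Policy document as deprecated and openfaas-fn as lacking a STRICT PeerAuthentication; a clean result on both lists is the condition to require before `kubectl apply`.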

alexellis commented 3 years ago

/lock: inactive. Feel free to raise a new issue if this is still required by anyone.