Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Kong / Kuma Community / 13 Jul 2022
Kong / Kuma Community / 13 Jul 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Kuma Community Call - July 13, 2022

Description

In this call, we discussed the following:
- Upcoming release Kuma 1.7.1
- New policy matching MADR is finally merged

A

So hello, everyone welcome to the Kumo Community call, uh please add your name to that and the list and also feel free to submit any agenda topics you'd like to discuss today.

A

um Yeah. We will start with a upcoming release. We want to release patch Kuma 1.7.1 uh that fixes some issues. I think this is timeout policy problem. If you apply timeout with external service, it didn't actually worked well and also, if you deleted timeout I think there were some crash happened in the control plane for Gateway, so yeah this box, fixed and I think something else.

A

The Channel, Do You Remember anything else.

B

uh From the top of my head, no.

A

Yeah, so some bug fixes we're going to release it soon. I guess next week, probably and another thing to discuss today, not discuss just announced that a new policy matching uh was finally merged. It's been a long time. We uh we had a lot of iterations on this document and we finally agreed on something. So you can. You can read it if you haven't done it yet so yeah, please get familiar with the document and I think this is it from from my site.

A

um We can start with the questions from people. We have a lot of people today on the golf. So please ask your questions.

B

Okay, Greg I think you had a bunch of questions about tokens right. We we talked a little bit about.

C

This.

B

Foreign.

D

Yeah I had I had a few questions randomly around token management, um specifically like the data plane, tokens um I'm, I'm, working on a side project where I am um in the process of um developing a plug-in for for Vault. That will for has your Vault that will be able to manage the tokens.

D

Essentially, you would take the root token and and uh register it in this plugin the configuration and point it to your your uh control, plane, API, and then it would be able to use the different Vault off methods to then be able to manage those tokens and the TTL times on those tokens. So a user could request a token based off of their policies uh and then the root token would issue that to them, but then also for services we could.

D

We could do the same thing for services where we could use something like IAM or or a different. You know method where the service could then request access to the data plane, but one of the things is I was digging into the documentation it does. Although the tokens are drop tokens and have a lifetime, they they don't, uh it doesn't appear that they currently um that's just for joining the data plane.

D

So once you're joining the data plane once your token expires, you're still in the data plane so um and I was talking to Jacob on that and there there appears to be um some like an issue up there, where it was talking about essentially how to handle the revocation of and expiration of those um those tokens and kind of where that is, and how that that looks in the current state of of Kuma.

B

Yeah, so that is correct that right now, if you, if your data playing proxy token expires, then well like we do the authentication only on the first discovery request, and then we check, if you did not change your authentication data right, just to kind of save this uh process, which is especially expensive from kubernetes with a service account token, because you need to do the top in the review and so on.

B

uh But yes, that is true that we could improve this one workaround for this one is that you can always like restart your control planes or.

D

That's.

B

What I was going to ask you? How can you go.

D

The control plane, like the so like, if I'm running the the side container well yeah, trying to figure out how could I like bump that that refresh.

B

Yeah um so I think it's not about pre-fresh, it's about um forcing that the data playing proxy to reconnect to the control plane right because right the data plane proxy reconnects to the control plane. Then we need to go over this authentication process. So um yeah, one of the uh things you can do is just restart the control right, which is, of course not ideal, but it is a work at home and this thinking with replication, so replication is check.

B

Tell me when we do the authentication on the first DS request right so uh which I think is documented that you need to restart the data plane. If not, we need to uh improve this talk but yeah again, you add the token to a revocation link and then, while you need to force VP to drop this connection,.

D

So right now, currently, if I revoke a token, will it disconnect that that service from the data plane or no yeah.

B

No not at this moment, so you tap this to a revocation list and then you restart the control plane. So again, okay, it's partially the reconnection and then.

D

Can you do that via the API well, see, can I do that by the API? Can I add them to a revocation list and then bounce it like can I do that through a call.

B

Well, you can use the API to add the talking to other vocation leads, but um if you want to force the reconnection of the data plane proxy, then you need to restart CP rfdp if you like, if you can right so like it's up to you, which option is more suitable, if you are a mesh operator um yeah, so there's a current approach. Of course, the better idea would be to be more Dynamic about this change right to actually drop the and serve the connection Whenever.

B

There is a change on the revocation list, so there is an issue open. um If you have a little bit of time, we would be very happy for this contribution. We can. We can also help with this.

D

Yeah.

A

What if we um limit the duration of the connection between proxy and control plane to react from time to time, yeah.

B

I was also thinking about this because it's um beneficial for the load balancing perspective right. So let's say you have like three instances of the CP right and then you want to scale this up, so we scale to four instances, but you know all DPS are already connected via this one grpc channel. So they just want to recommend right to this fourth instance. So you either kill all control.

B

Planes or well are only rely on the fact that the new connections will be around dropping to all the instances, including the fourth one, so yeah, that's also one of the solutions to kind of drop the connection every now and then there is well no traffic right, so we won't disrupt any Exchange and then this would in a way solve this problem of revocation and token exploration, because every now and then we would have to trigger this authentication again right.

D

Yeah, because, like one of the things that I that I want to drive with kind of this, this provider is the ability to have shorter, lived service tokens and, have you know the agent be able to request a new one when the TTL of the existing one gets there so then be able to kind of swap the tokens within the next time.

D

It would kind of re-initialize, with the newer token right, like that, that's kind of the the way that I'm I'm looking to drive that aspect of it, but then also if for some reason like the plugin itself can make could manually, you know tell the service like. If you revoke the token I want to be able to also kind of revoke the token by uh you know. If I want to, like close all the leases on the token involved, I want to be able to make a call into Kuma.

D

That would then do the same thing add the token to the ramification list, and then it would when it went to go re-up, I, guess in that frequency you were talking about. It would then kind of be disconnected from the uh the data plane.

B

Mm-Hmm.

B

Yes, yeah, that's uh that's one option. Yeah.

B

Okay, uh one question to this: one: have you thought maybe about uh doing this in um other fashion, which means that the Bold plugin would um issue new data plane tokens right, but the CP would only verify those tokens, so uh the Bank coupling proxy tokens and user tokens are signed with the RSA right. So you have a public in the private key.

B

So technically, uh if we were to make an assumption that CP is only responsible for verifying the tokens right, you just only need to have the public key and not the private key, which is again a win for the security right, because there is not have a private key and then the Vault plugin would have both or yes yeah.

D

Yeah yeah.

B

um Yeah so right now we kind of like we did not Implement any like logic to explicitly handle this right. But since the token is signed with the RSA 256, uh it is a potential the an option to kind of implement this, which is again uh I. Think a bit nicer right, yeah.

D

Because there offloads that aspect of all, which is what it does best and then it lets the control plane just verify and kind of relieves it of that responsibility. Yeah I like that as well, um so.

B

Okay, okay, so I don't know! If you are writing this plugin, we could um like I, think it's a little bit more work, probably to go in this way right, but at the same time it is a nicer way. So I don't know. We could also draft some ah proposal or whatever how to how to implement this right so um yeah. So we would have this option.

D

Yeah I think I mean I. Think that sounds like a great idea like right now, with the current workflow, when I was attempting to kind of. Do is still kind of again offload.

D

um Try to keep secrets in our secret storage. So, like put, the I was looking at us potentially putting the root token, putting the Kumo root token right inside of Vault and then having Vault be able to rotate that token on its own. So then it's the only one who knows that token right, so it's completely hidden for many users and then you still but have to uh I think that's a decent approach right now with the current workflow.

D

But if we could completely offload the um the certificate or the token generation interval and then just have the private, the public key be in the control plane um I like that and then so. Then, how would we then we would still have to implement the the data plan checking right because the data plane well. How would we then Implement how we would revoke access to the Token to the um to the control to the control plane at that point in time,.

B

Okay, so if we would do this separation, then the control plane would have to be configured with the public key of with yeah, with the public key of a signing key of token right, because right now like we have a signing key, that we sign every single token right, yeah, yeah and then well so right now we have a private key in the public in the control, but right in the in the command secret.

B

But if we provide just the public key, this can be even like a static, plain text configuration in the control plane, config, because it is just a public key right right.

B

um So then, um so then you kind of bootstrap that control plane with your own signing key. So the like the bootstrapping phase is a little bit different, because right now is that you start the control pane. You extract the admin token, and then you do all the operations right. If you have your own signing key, that's that's slightly inconvenient, because you need to replay the signing key somehow right and uh with this approach that we can provide the public key.

B

um Only it's very easy to just start. The control the call the control plane with the static configuration right, correct.

D

So.

B

Then then, then, the assumption is that the Vault has that private key, which is a power of this party, key right and then you kind of accept the the tokens that are generated involved.

D

Right yeah, so then it is so I guess at that point in time you would just create even shorter live tokens that would need to be refreshed more often because you would just validate that. The token was had a current Lifetime and invalid data's accuracy. All right.

B

Yeah and for the revocation, the process is the same, then that you need to have an access to um manage this revocation correct right. So we need to be a napping and then well then you add this token ID in revocation list.

D

Yeah yeah I gotcha, yeah, yeah, okay, what you just block it until it expired and then once it expired, it could be purged from the revocation list. Yeah right all right. Yeah I, like that.

D

So how much? What does that entail? How much work does that entail on the kuma side,.

B

Okay,.

D

On the.

B

Kuma side, to be honest, it's pretty um pretty straightforward when we did changes to a data plane token we sort of had this thought uh in our head, but we didn't kind of implement this right. Okay, we um we would need to um introduce new configuration in the comma STP right right to provide the list of the public uh to a public keys to a data plane token and user token, and then we would need to implement um an interface called uh called validator in the in the token package. So that would be like a.

B

Like a validator that uses this public key and not the private key right, yeah and also uh probably a good idea, would be to sort of block the creation of uh of the private key in the control plane and block the apis to generate the tokens. So it's uh kind of explicit.

D

Yeah, it's.

B

Like in a full read-only.

D

Mode right, yeah,.

B

Yeah yeah yeah.

D

Yeah gotcha, this all right, all right, so that would handle that and then for but then also we would. We still need to add the piece into the data plane right. That would be um that rechecks that constantly rejects its ability to connect to the great or.

C

Trying to think of.

D

Is there anything you need to change in the in the data plane to handle the um like when you're no longer valid like when you get added to the revocation list? That terminates your session or is that all in the control plane.

B

uh That's in the control plane so, regardless of the option, you'll implement this uh okay. If this will be an online signing or offline signing right. The application problem is like a separate thing too. Yeah yeah yeah right to implement.

D

Correct all right, yeah I, mean in this use case, is leveraging like Vault for this, but really this opens up for any sort of other uh key gym. You know pki type of solution.

B

Right, yeah I remember: we talked uh in the pr somewhere I, don't remember where a long time ago that we could also do like a token signing like offline token signing from kumakato right so Kuma cattle generate data plane. Token would somehow accept the private signing key and then just generate token, without even going to the control right.

D

All right, well, that was my kind of big thing, I'd like to love to sync up with you guys um on this, um so.

A

Yeah, okay, um do we have anything else, uh questions.

A

Foreign.

B

We have a new people with um Daniel and Via slack I'm. Sorry, if I, if I destroy your first names, um do you do you mind, sharing a little bit what you're trying to do with Kuma? It's always useful for us to know.

C

uh Yeah hi guys nice to meet you so today, today, the very first time we joined your meeting and yes, uh we're doing some kind of multi-service mesh integration using our network service mesh and we integrated it with Kuma and maybe in August would like to share a demo uh to you and for sure it will be useful to get your thoughts about this, and maybe we could uh have some kind of collaboration based on it later.

C

So it's at this moment, it's more likely to start up in our company uh and yes, so if you don't mind, we will join. Maybe next meetings just to meet you closer and maybe I also could be Health uh helpful later.

B

Yeah yeah you're free to join again, if you want and if you have a like, if you want a specific slot for a demo, we usually have time, but it's always better. If you it's a bit of a heads up anyway, um so we can make sure we build super space and we put you in the agenda.

C

Yep sure.

C

Don't have something to add.

B

No I think you described everything but hello. Everyone.

C

Okay, great, so we just laugh with more involved in technical details and just having a general review.

C

Okay, that's an.

B

Escalator yeah can I, can I ask how is it going so far or did you just start uh with the project.

C

uh Which love could you share where we are now yeah.

B

uh It's kind of working but I think it needs a little bit more polishing before uh showing it to you, because I think it could be improved before uh doing edema, so I think maybe in August I believe at least it will be done. So uh it will work even better than now.

B

Okay, okay, cool cool I'm. Looking forward to seeing this integration.

A

Yeah, by the way, do we have integration with the other service managers.

C

Yet uh honestly, we have Integrations with uh console is still and another variation of console, which is mostly in progress. This moment.

A

Yeah, by the way you can reach out to me directly, we used to work together on the network service mesh, so feel free to write me about the demo and we yeah. Surely.

C

Nice to meet you again.

A

Do are you in the community slot.

C

uh Not yet.

A

Yeah I think there is a link from the website. You can.

A

You can find it I think it's community and there is common workspace, so yeah you can go here and ask.

C

Yeah.

B

Thank.

C

You.

A

Two minutes left anything else. Any questions.

A

If there are no more questions, I think we can wrap this up. So thank you, everyone and see you see you in a month on this community call thanks, bye. Okay, thanks! Thank you.