CP/DP split: Secure connection (#3244)

Problem: We want to ensure that the connection between the control plane and data plane is authenticated and secure.

Solution:

1. Configure agent to send the kubernetes service token in the request. The control plane validates this token using the TokenReview API to ensure the agent is authenticated.
2. Configure TLS certificates for both the control and data planes. By default, a Job will run when installing NGF that creates self-signed certificates in the nginx-gateway namespace. The server Secret is mounted to the control plane, and the control plane copies the client Secret when deploying nginx resources. This Secret is mounted to the agent.

The control plane will reset the agent connection if it detects that its own certs have changed.

For production environments, we'll recommend a user configures TLS using cert-manager instead, for better security and certificate rotation.

Author: sjberman

charts/nginx-gateway-fabric/README.md

@@ -258,6 +258,12 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 
 | Key | Description | Type | Default |
 |-----|-------------|------|---------|
+| `certGenerator` | The certGenerator section contains the configuration for the cert-generator Job. | object | `{"agentTLSSecretName":"agent-tls","annotations":{},"overwrite":false,"serverTLSSecretName":"server-tls"}` |
+| `certGenerator.agentTLSSecretName` | The name of the base Secret containing TLS CA, certificate, and key for the NGINX Agent to securely communicate with the NGINX Gateway Fabric control plane. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"agent-tls"` |
+| `certGenerator.annotations` | The annotations of the cert-generator Job. | object | `{}` |
+| `certGenerator.overwrite` | Overwrite existing TLS Secrets on startup. | bool | `false` |
+| `certGenerator.serverTLSSecretName` | The name of the Secret containing TLS CA, certificate, and key for the NGINX Gateway Fabric control plane to securely communicate with the NGINX Agent. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"server-tls"` |
+| `clusterDomain` | The DNS cluster domain of your Kubernetes cluster. | string | `"cluster.local"` |
 | `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"config":{},"container":{},"debug":false,"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false}}` |
 | `nginx.config` | The configuration for the data plane that is contained in the NginxProxy resource. | object | `{}` |
 | `nginx.container` | The container configuration for the NGINX container. | object | `{}` |

charts/nginx-gateway-fabric/templates/certs-job.yaml

@@ -0,0 +1,112 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "nginx-gateway.fullname" . }}-cert-generator
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "nginx-gateway.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install
+{{- if or .Values.nginxGateway.serviceAccount.imagePullSecret .Values.nginxGateway.serviceAccount.imagePullSecrets }}
+imagePullSecrets:
+  {{- if .Values.nginxGateway.serviceAccount.imagePullSecret }}
+  - name: {{ .Values.nginxGateway.serviceAccount.imagePullSecret }}
+  {{- end }}
+  {{- if .Values.nginxGateway.serviceAccount.imagePullSecrets }}
+  {{- range .Values.nginxGateway.serviceAccount.imagePullSecrets }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "nginx-gateway.fullname" . }}-cert-generator
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "nginx-gateway.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - update
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "nginx-gateway.fullname" . }}-cert-generator
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "nginx-gateway.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "nginx-gateway.fullname" . }}-cert-generator
+subjects:
+- kind: ServiceAccount
+  name: {{ include "nginx-gateway.fullname" . }}-cert-generator
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "nginx-gateway.fullname" . }}-cert-generator
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "nginx-gateway.labels" . | nindent 4 }}
+  annotations:
+  {{- with .Values.certGenerator.annotations -}}
+  {{ toYaml . | nindent 4 }}
+  {{- end }}
+    "helm.sh/hook": pre-install, pre-upgrade
+spec:
+  template:
+    metadata:
+      annotations:
+      {{- with .Values.certGenerator.annotations -}}
+      {{ toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      containers:
+      - args:
+        - generate-certs
+        - --service={{ include "nginx-gateway.fullname" . }}
+        - --cluster-domain={{ .Values.clusterDomain }}
+        - --server-tls-secret={{ .Values.certGenerator.serverTLSSecretName }}
+        - --agent-tls-secret={{ .Values.certGenerator.agentTLSSecretName }}
+        {{- if .Values.certGenerator.overwrite }}
+        - --overwrite
+        {{- end }}
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: {{ .Values.nginxGateway.image.repository }}:{{ default .Chart.AppVersion .Values.nginxGateway.image.tag }}
+        imagePullPolicy: {{ .Values.nginxGateway.image.pullPolicy }}
+        name: cert-generator
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+            - ALL
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsUser: 101
+          runAsGroup: 1001
+      restartPolicy: Never
+      serviceAccountName: {{ include "nginx-gateway.fullname" . }}-cert-generator
+      securityContext:
+        fsGroup: 1001
+        runAsNonRoot: true
+  ttlSecondsAfterFinished: 0

charts/nginx-gateway-fabric/templates/clusterrole.yaml

@@ -59,6 +59,12 @@ rules:
   verbs:
   - list
   - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 - apiGroups:
   - gateway.networking.k8s.io
   resources:

charts/nginx-gateway-fabric/templates/deployment.yaml

@@ -36,6 +36,7 @@ spec:
         - --gatewayclass={{ .Values.nginxGateway.gatewayClassName }}
         - --config={{ include "nginx-gateway.config-name" . }}
         - --service={{ include "nginx-gateway.fullname" . }}
+        - --agent-tls-secret={{ .Values.certGenerator.agentTLSSecretName }}
         {{- if .Values.nginx.imagePullSecret }}
         - --nginx-docker-secret={{ .Values.nginx.imagePullSecret }}
         {{- end }}
@@ -149,6 +150,9 @@ spec:
           readOnlyRootFilesystem: true
           runAsUser: 101
           runAsGroup: 1001
+        volumeMounts:
+        - name: nginx-agent-tls
+          mountPath: /var/run/secrets/ngf
         {{- with .Values.nginxGateway.extraVolumeMounts -}}
         {{ toYaml . | nindent 8 }}
         {{- end }}
@@ -173,6 +177,10 @@ spec:
       nodeSelector:
       {{- toYaml .Values.nginxGateway.nodeSelector | nindent 8 }}
       {{- end }}
+      volumes:
+      - name: nginx-agent-tls
+        secret:
+          secretName: {{ .Values.certGenerator.serverTLSSecretName }}
       {{- with .Values.nginxGateway.extraVolumes -}}
       {{ toYaml . | nindent 6 }}
       {{- end }}

charts/nginx-gateway-fabric/templates/scc.yaml

@@ -34,4 +34,6 @@ users:
 - {{ printf "system:serviceaccount:%s:%s" .Release.Namespace (include "nginx-gateway.serviceAccountName" .) }}
 requiredDropCapabilities:
 - ALL
+volumes:
+- secret
 {{- end }}

charts/nginx-gateway-fabric/values.schema.json

@@ -1,6 +1,48 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "properties": {
+    "certGenerator": {
+      "description": "The certGenerator section contains the configuration for the cert-generator Job.",
+      "properties": {
+        "agentTLSSecretName": {
+          "default": "agent-tls",
+          "description": "The name of the base Secret containing TLS CA, certificate, and key for the NGINX Agent to securely\ncommunicate with the NGINX Gateway Fabric control plane. Must exist in the same namespace that the\nNGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway).",
+          "required": [],
+          "title": "agentTLSSecretName",
+          "type": "string"
+        },
+        "annotations": {
+          "description": "The annotations of the cert-generator Job.",
+          "required": [],
+          "title": "annotations",
+          "type": "object"
+        },
+        "overwrite": {
+          "default": false,
+          "description": "Overwrite existing TLS Secrets on startup.",
+          "required": [],
+          "title": "overwrite",
+          "type": "boolean"
+        },
+        "serverTLSSecretName": {
+          "default": "server-tls",
+          "description": "The name of the Secret containing TLS CA, certificate, and key for the NGINX Gateway Fabric control plane\nto securely communicate with the NGINX Agent. Must exist in the same namespace that the NGINX Gateway Fabric\ncontrol plane is running in (default namespace: nginx-gateway).",
+          "required": [],
+          "title": "serverTLSSecretName",
+          "type": "string"
+        }
+      },
+      "required": [],
+      "title": "certGenerator",
+      "type": "object"
+    },
+    "clusterDomain": {
+      "default": "cluster.local",
+      "description": "The DNS cluster domain of your Kubernetes cluster.",
+      "required": [],
+      "title": "clusterDomain",
+      "type": "string"
+    },
     "global": {
       "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
       "required": [],

charts/nginx-gateway-fabric/values.yaml

@@ -1,5 +1,8 @@
 # yaml-language-server: $schema=values.schema.json
 
+# -- The DNS cluster domain of your Kubernetes cluster.
+clusterDomain: cluster.local
+
 # -- The nginxGateway section contains configuration for the NGINX Gateway Fabric control plane deployment.
 nginxGateway:
   # FIXME(lucacome): https://github.com/nginx/nginx-gateway-fabric/issues/2490
@@ -426,3 +429,21 @@ nginx:
 
   # -- Enable debugging for NGINX. Uses the nginx-debug binary. The NGINX error log level should be set to debug in the NginxProxy resource.
   debug: false
+
+# -- The certGenerator section contains the configuration for the cert-generator Job.
+certGenerator:
+  # -- The annotations of the cert-generator Job.
+  annotations: {}
+
+  # -- The name of the Secret containing TLS CA, certificate, and key for the NGINX Gateway Fabric control plane
+  # to securely communicate with the NGINX Agent. Must exist in the same namespace that the NGINX Gateway Fabric
+  # control plane is running in (default namespace: nginx-gateway).
+  serverTLSSecretName: server-tls
+
+  # -- The name of the base Secret containing TLS CA, certificate, and key for the NGINX Agent to securely
+  # communicate with the NGINX Gateway Fabric control plane. Must exist in the same namespace that the
+  # NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway).
+  agentTLSSecretName: agent-tls
+
+  # -- Overwrite existing TLS Secrets on startup.
+  overwrite: false