Add authentication to gRPC for Helm based Execution Environments (Stage 1)
Proposers
- Gabriel Cuba (Whitestack)
- Gianpietro Lavado (Whitestack)
Description
Currently, the gRPC channels do not support TLS authentication.
This feature proposes adding TLS to gRPC channels on both sides (LCM and Execution Environment). Certificates should be managed by an external manager (e.g. cert-manager).
Backwards compatibility is preserved by falling back to plain-text gRPC, with an optional configuration flag to enforce the use of TLS.
As this implies multiple changes, the proposal is to split this feature into 2 stages:
- Stage 1: Creation of CA and TLS keys in LCM (using an external certificate manager) and adaptation of gRPC server to use TLS
- Stage 2: Adaptation of LCM to use client side TLS
This feature will cover stage 1.
Demo or definition of done
- Certificate Manager is deployed with OSM installation
- gRPC traffic capture from EE pods is encrypted
- EE certificates are managed automatically
A new robot test will be created to do the following:
- Create a Helm based EE
- Instantiate an external gRPC client
- Attempt to connect to the EE without TLS
- The connection attempt should fail
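The following is an added example, not code from OSM, the LCM or the Execution Environment; it illustrates two parts of this proposal together: the TLS-with-plaintext-fallback behaviour and the enforce flag from the Description, and the plaintext connection probe that the robot test in the definition of done performs. It uses grpcio (grpc.ssl_server_credentials, add_secure_port, add_insecure_port, channel_ready_future). The certificate directory, the tls.key / tls.crt / ca.crt file names (cert-manager's Secret key names), the EE_CERT_DIR variable and the placeholder PEM bytes written by demo() are assumptions for the example.

```python
"""Added example (not OSM code): TLS-or-plaintext selection for the EE gRPC
server, and the plaintext probe the proposed robot test would run."""
import logging
import os
import tempfile
from concurrent import futures
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("ee-grpc-tls")

# Assumed: the certificate manager mounts its Secret at CERT_DIR using the
# cert-manager key names tls.key / tls.crt / ca.crt.
CERT_DIR = os.environ.get("EE_CERT_DIR", "/etc/osm/ee-tls")
KEY_FILE, CERT_FILE, CA_FILE = "tls.key", "tls.crt", "ca.crt"


@dataclass
class TransportChoice:
    mode: str                      # "tls" or "plaintext"
    key: Optional[bytes] = None    # PEM private key
    cert: Optional[bytes] = None   # PEM certificate chain
    ca: Optional[bytes] = None     # PEM CA bundle (needed for Stage 2 client auth)


def select_transport(cert_dir: str, enforce_tls: bool) -> TransportChoice:
    """Decide how the EE gRPC server listens.

    TLS when key and certificate exist; otherwise a hard error if TLS is
    enforced (fail closed), or a logged fallback to plaintext gRPC for
    backwards compatibility.
    """
    key_path = os.path.join(cert_dir, KEY_FILE)
    cert_path = os.path.join(cert_dir, CERT_FILE)
    ca_path = os.path.join(cert_dir, CA_FILE)
    if os.path.isfile(key_path) and os.path.isfile(cert_path):
        with open(key_path, "rb") as f:
            key = f.read()
        with open(cert_path, "rb") as f:
            cert = f.read()
        ca = None
        if os.path.isfile(ca_path):
            with open(ca_path, "rb") as f:
                ca = f.read()
        log.info("serving gRPC over TLS with certificate %s", cert_path)
        return TransportChoice("tls", key, cert, ca)
    if enforce_tls:
        raise RuntimeError(f"TLS enforced but no key/certificate in {cert_dir}")
    log.warning("no key/certificate in %s; falling back to plaintext gRPC", cert_dir)
    return TransportChoice("plaintext")


def build_server(address: str, choice: TransportChoice):
    """Create a grpcio server bound according to the transport choice.
    The caller registers its servicer(s) and calls start()."""
    import grpc  # imported lazily so select_transport() is usable without grpcio

    server = grpc.server(futures.ThreadPoolExecutor(max_workers=4))
    if choice.mode == "tls":
        creds = grpc.ssl_server_credentials(
            [(choice.key, choice.cert)],
            root_certificates=choice.ca,
            require_client_auth=False,  # Stage 2 (client-side TLS) would set True
        )
        server.add_secure_port(address, creds)
    else:
        server.add_insecure_port(address)
    return server


def plaintext_connects(address: str, timeout: float = 3.0) -> bool:
    """The check the proposed robot test performs: open a plaintext channel.
    Against a TLS-only port the channel never becomes READY, so this returns
    False, which is the expected (passing) outcome of that test."""
    import grpc

    channel = grpc.insecure_channel(address)
    try:
        grpc.channel_ready_future(channel).result(timeout=timeout)
        return True
    except grpc.FutureTimeoutError:
        return False
    finally:
        channel.close()


def demo() -> dict:
    """Exercise select_transport() on a constructed certificate directory
    (placeholder bytes, not real PEM material) and on an empty one."""
    out = {}
    with tempfile.TemporaryDirectory() as empty, tempfile.TemporaryDirectory() as provisioned:
        for name in (KEY_FILE, CERT_FILE, CA_FILE):
            with open(os.path.join(provisioned, name), "wb") as f:
                f.write(b"-----CONSTRUCTED PLACEHOLDER " + name.encode() + b"-----\n")
        out["provisioned"] = select_transport(provisioned, enforce_tls=True).mode
        out["fallback"] = select_transport(empty, enforce_tls=False).mode
        try:
            select_transport(empty, enforce_tls=True)
            out["enforced"] = "started"
        except RuntimeError:
            out["enforced"] = "refused"
    return out


if __name__ == "__main__":
    print(demo())
```

grpcio is imported inside build_server() and plaintext_connects() so that the selection logic can be unit-tested without it; in a real EE the server would be started with build_server(address, select_transport(CERT_DIR, enforce_tls)). The enforce flag turns a missing certificate into a start-up failure rather than a silent downgrade to plaintext, which is the behaviour an operator wants once the certificate manager is known to be deployed.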