Envoy router verifies ate apiserver's serving cert

[Zoe Zhao (zoez7)]

Part of #170
Establishes mutual TLS between the atenet router and ate-apiserver, and updates the certificate plumbing it depends on.

Main changes:

1. The atenet router now verifies ate apiserver' serving certificate, and presents its client cert to ate apiserver. Previously the connection used InsecureSkipVerify.

Minor bug fixes:

1. Prevent servicednssigner from signing a cert with no DNS SANs. Also updated valkey cluster's cert configuration, because it was relying on the cert with empty DNS.

• Tests pass
• Appropriate changes to documentation are included in the PR

[Taahir Ahmed (ahmedtd)]

Can you talk a little bit about the background of splitting out separate CAs / signers for the workerpools and ate-system components?

If at all possible, I would prefer to restrict us to two signers:

• One that issues certs with DNS SANs based on the K8s services that a pod is part of (though opt-in with an annotation or label is fine).
• One that issues SPIFFE certs that encode the k8s service account identity of the pod (and potentially, the pod ID, node ID etc in an additional extension).

The reason is that we can be reasonably confident that signers like these will land in upstream K8s in the near-ish future. The certificates here aren't special or unique to substrate, and they aren't part of the value proposition of the project. So I think we should plan to rebase on native K8s capabilities as they become available. That's easiest if we don't get very custom with the signers.

[Zoe Zhao (zoez7)]

I think the main motivations for splitting out separate CAs / signers was, if I mount the "podidentity" CA bundle as trusted client CAs in ate-system services, workerpool pods (therefore actors) would also be able to connect to ate-system servers like the Valkey cluster and atelet server.

But after typing it out loud - it seems this needs to be solved anyway (probably in a later milestone) by authorization inside servers such as valkey, instead of using separate CAs. Does that make sense to you?

[Taahir Ahmed (ahmedtd)]

I think the main motivations for splitting out separate CAs / signers was, if I mount the "podidentity" CA bundle as trusted client CAs in ate-system services, workerpool pods (therefore actors) would also be able to connect to ate-system servers like the Valkey cluster and atelet server.

But after typing it out loud - it seems this needs to be solved anyway (probably in a later milestone) by authorization inside servers such as valkey, instead of using separate CAs. Does that make sense to you?

Yeah --- we should always draw a bright line between authentication and authorization. Assuming that a given client is authorized just because they were able to get a certificate from a particular CA has caused a lot of security problems in the past.

Unfortunately, for the specific case of Valkey we might be limited by its capabilities, in which case it might require a separate signer. Let me check the docs.

[Taahir Ahmed (ahmedtd)]

It looks like valkey can do it: https://valkey.io/topics/tls/#:~:text=Client%20certificate%20authentication

[Bowei Du (bowei)]

Can we group the cert and auth related config into its own struct? Makes it easier to read:

type AuthConfig struct {...}

[Bowei Du (bowei)]

Do we need this case actually? Empty file will get a does not exist error anyway.

[Bowei Du (bowei)]

not clear we should eat the error if it's not a ENOENT error

[Bowei Du (bowei)]

suggest:

• Move RouterConfig to its own file (config.go)
• Make it not exported (rename to routerConfig)
• make ateAPITransportCreds() a member function
• rename ateAPITransportCreds to apiTransportCredentials

[Bowei Du (bowei)]

suggest: just call stat and return the error. If the file exists, it should stat() with no error anyway.