Created
March 18, 2020 07:13
disabling external client cert validation
diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go | |
index 2c7a323d..5ee30820 100644 | |
--- a/apis/projectcontour/v1/httpproxy.go | |
+++ b/apis/projectcontour/v1/httpproxy.go | |
@@ -120,12 +120,12 @@ type TLS struct { | |
// backing cluster. | |
// +optional | |
Passthrough bool `json:"passthrough,omitempty"` | |
- // ClientValidation defines how to verify the client certificate. This setting: | |
- // 1. Enables TLS client certificate validation. | |
- // 2. Requires clients to present a TLS certificate (i.e. not optional validation). | |
- // 3. Specifies how the client certificate will be validated. | |
- // +optional | |
- ClientValidation *DownstreamValidation `json:"clientValidation,omitempty"` | |
+ // // ClientValidation defines how to verify the client certificate. This setting: | |
+ // // 1. Enables TLS client certificate validation. | |
+ // // 2. Requires clients to present a TLS certificate (i.e. not optional validation). | |
+ // // 3. Specifies how the client certificate will be validated. | |
+ // // +optional | |
+ // ClientValidation *DownstreamValidation `json:"clientValidation,omitempty"` | |
} | |
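Review bot: The ClientValidation field and its doc comment are commented out rather than deleted, which leaves dead text inside the API type; the same pattern recurs in the DownstreamValidation hunk below, in both internal/dag/builder.go hunks, both internal/dag/builder_test.go hunks and the featuretests hunk, and plain deletion (history keeps the lines) is the cleaner form everywhere. The more important consequence is that once the field is gone from the Go type — and its schema is dropped from 01-crds.yaml in the same diff — an existing HTTPProxy that still carries `spec.virtualHost.tls.clientValidation` is presumably accepted without error (depending on whether the CRD prunes unknown fields) and served with no client-certificate requirement, a silent downgrade for any operator who relied on that setting. If that is intended, leave a marker where the field used to be, e.g. `// ClientValidation (clientValidation) has been removed; any value still set on existing objects is ignored and no client certificate is required.`, and call it out in the release notes. The TLS struct starts outside the hunk.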
// Route contains the set of routes for a virtual host. | |
@@ -380,13 +380,13 @@ type UpstreamValidation struct { | |
} | |
// DownstreamValidation defines how to verify the client certificate. | |
-type DownstreamValidation struct { | |
- // Name of a Kubernetes secret that contains a CA certificate bundle. | |
- // The client certificate must validate against the certificates in the bundle. | |
- // +kubebuilder:validation:Required | |
- // +kubebuilder:validation:MinLength=1 | |
- CACertificate string `json:"caSecret"` | |
-} | |
+// type DownstreamValidation struct { | |
+// // Name of a Kubernetes secret that contains a CA certificate bundle. | |
+// // The client certificate must validate against the certificates in the bundle. | |
+// // +kubebuilder:validation:Required | |
+// // +kubebuilder:validation:MinLength=1 | |
+// CACertificate string `json:"caSecret"` | |
+// } | |
// Status reports the current state of the HTTPProxy. | |
type Status struct { | |
diff --git a/apis/projectcontour/v1/zz_generated.deepcopy.go b/apis/projectcontour/v1/zz_generated.deepcopy.go | |
index 180c6433..e933751a 100644 | |
--- a/apis/projectcontour/v1/zz_generated.deepcopy.go | |
+++ b/apis/projectcontour/v1/zz_generated.deepcopy.go | |
@@ -66,22 +66,6 @@ func (in *Condition) DeepCopy() *Condition { | |
return out | |
} | |
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. | |
-func (in *DownstreamValidation) DeepCopyInto(out *DownstreamValidation) { | |
- *out = *in | |
- return | |
-} | |
- | |
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DownstreamValidation. | |
-func (in *DownstreamValidation) DeepCopy() *DownstreamValidation { | |
- if in == nil { | |
- return nil | |
- } | |
- out := new(DownstreamValidation) | |
- in.DeepCopyInto(out) | |
- return out | |
-} | |
- | |
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. | |
func (in *HTTPHealthCheckPolicy) DeepCopyInto(out *HTTPHealthCheckPolicy) { | |
*out = *in | |
@@ -544,11 +528,6 @@ func (in *TCPProxyInclude) DeepCopy() *TCPProxyInclude { | |
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. | |
func (in *TLS) DeepCopyInto(out *TLS) { | |
*out = *in | |
- if in.ClientValidation != nil { | |
- in, out := &in.ClientValidation, &out.ClientValidation | |
- *out = new(DownstreamValidation) | |
- **out = **in | |
- } | |
return | |
} | |
@@ -683,7 +662,7 @@ func (in *VirtualHost) DeepCopyInto(out *VirtualHost) { | |
if in.TLS != nil { | |
in, out := &in.TLS, &out.TLS | |
*out = new(TLS) | |
- (*in).DeepCopyInto(*out) | |
+ **out = **in | |
} | |
return | |
} | |
diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml | |
index d97f0f78..61175f7d 100644 | |
--- a/examples/contour/01-crds.yaml | |
+++ b/examples/contour/01-crds.yaml | |
@@ -311,22 +311,6 @@ spec: | |
that will be matched on are described in fqdn, the tls.secretName | |
secret must contain a matching certificate | |
properties: | |
- clientValidation: | |
- description: 'ClientValidation defines how to verify the client | |
- certificate. This setting: 1. Enables TLS client certificate | |
- validation. 2. Requires clients to present a TLS certificate | |
- (i.e. not optional validation). 3. Specifies how the client | |
- certificate will be validated.' | |
- properties: | |
- caSecret: | |
- description: Name of a Kubernetes secret that contains a | |
- CA certificate bundle. The client certificate must validate | |
- against the certificates in the bundle. | |
- minLength: 1 | |
- type: string | |
- required: | |
- - caSecret | |
- type: object | |
minimumProtocolVersion: | |
description: Minimum TLS version this vhost should negotiate | |
type: string | |
@@ -1110,22 +1094,6 @@ spec: | |
that will be matched on are described in fqdn, the tls.secretName | |
secret must contain a matching certificate | |
properties: | |
- clientValidation: | |
- description: 'ClientValidation defines how to verify the client | |
- certificate. This setting: 1. Enables TLS client certificate | |
- validation. 2. Requires clients to present a TLS certificate | |
- (i.e. not optional validation). 3. Specifies how the client | |
- certificate will be validated.' | |
- properties: | |
- caSecret: | |
- description: Name of a Kubernetes secret that contains a | |
- CA certificate bundle. The client certificate must validate | |
- against the certificates in the bundle. | |
- minLength: 1 | |
- type: string | |
- required: | |
- - caSecret | |
- type: object | |
minimumProtocolVersion: | |
description: Minimum TLS version this vhost should negotiate | |
type: string | |
diff --git a/internal/dag/builder.go b/internal/dag/builder.go | |
index 8cb23fa7..b1f19c23 100644 | |
--- a/internal/dag/builder.go | |
+++ b/internal/dag/builder.go | |
@@ -490,14 +490,14 @@ func (b *Builder) computeHTTPProxy(proxy *projcontour.HTTPProxy) { | |
svhost.MinProtoVersion = MinProtoVersion(proxy.Spec.VirtualHost.TLS.MinimumProtocolVersion) | |
// Fill in DownstreamValidation when external client validation is enabled. | |
- if tls.ClientValidation != nil { | |
- dv, err := b.lookupDownstreamValidation(tls.ClientValidation, proxy.Namespace) | |
- if err != nil { | |
- sw.SetInvalid("TLS client validation policy error: %s", err) | |
- return | |
- } | |
- svhost.DownstreamValidation = dv | |
- } | |
+ // if tls.ClientValidation != nil { | |
+ // dv, err := b.lookupDownstreamValidation(tls.ClientValidation, proxy.Namespace) | |
+ // if err != nil { | |
+ // sw.SetInvalid("TLS client validation policy error: %s", err) | |
+ // return | |
+ // } | |
+ // svhost.DownstreamValidation = dv | |
+ // } | |
} | |
if sec == nil && !tls.Passthrough { | |
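Review bot: The surviving comment `// Fill in DownstreamValidation when external client validation is enabled.` at the top of the hunk now introduces a commented-out block, so it describes behaviour the function no longer has. With the assignment gone, `svhost.DownstreamValidation` is left nil for every secure virtual host, which presumably means the downstream TLS context is built without a client CA; state that where a reader will look, e.g. replace the stale line with `// Client certificate validation is disabled: svhost.DownstreamValidation is left nil.`. computeHTTPProxy starts and ends outside the hunk.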
@@ -1103,22 +1103,22 @@ func (b *Builder) lookupUpstreamValidation(uv *projcontour.UpstreamValidation, n | |
}, nil | |
} | |
-func (b *Builder) lookupDownstreamValidation(vc *projcontour.DownstreamValidation, namespace string) (*PeerValidationContext, error) { | |
- if vc == nil { | |
- // No downstream validation requested, nothing to do. | |
- return nil, nil | |
- } | |
- | |
- cacert := b.lookupSecret(Meta{name: vc.CACertificate, namespace: namespace}, validCA) | |
- if cacert == nil { | |
- // ValidationContext is requested, but cert is missing or not configured. | |
- return nil, fmt.Errorf("secret not found or misconfigured") | |
- } | |
- | |
- return &PeerValidationContext{ | |
- CACertificate: cacert, | |
- }, nil | |
-} | |
+// func (b *Builder) lookupDownstreamValidation(vc *projcontour.DownstreamValidation, namespace string) (*PeerValidationContext, error) { | |
+// if vc == nil { | |
+// // No downstream validation requested, nothing to do. | |
+// return nil, nil | |
+// } | |
+ | |
+// cacert := b.lookupSecret(Meta{name: vc.CACertificate, namespace: namespace}, validCA) | |
+// if cacert == nil { | |
+// // ValidationContext is requested, but cert is missing or not configured. | |
+// return nil, fmt.Errorf("secret not found or misconfigured") | |
+// } | |
+ | |
+// return &PeerValidationContext{ | |
+// CACertificate: cacert, | |
+// }, nil | |
+// } | |
func (b *Builder) processIngressRouteTCPProxy(sw *ObjectStatusWriter, ir *ingressroutev1.IngressRoute, visited []*ingressroutev1.IngressRoute, host string) { | |
visited = append(visited, ir) | |
diff --git a/internal/dag/builder_test.go b/internal/dag/builder_test.go | |
index 9fdae96e..374e33b3 100644 | |
--- a/internal/dag/builder_test.go | |
+++ b/internal/dag/builder_test.go | |
@@ -2187,32 +2187,32 @@ func TestDAGInsert(t *testing.T) { | |
}, | |
} | |
- proxy18 := &projcontour.HTTPProxy{ | |
- ObjectMeta: metav1.ObjectMeta{ | |
- Name: "example-com", | |
- Namespace: "default", | |
- }, | |
- Spec: projcontour.HTTPProxySpec{ | |
- VirtualHost: &projcontour.VirtualHost{ | |
- Fqdn: "example.com", | |
- TLS: &projcontour.TLS{ | |
- SecretName: sec1.Name, | |
- ClientValidation: &projcontour.DownstreamValidation{ | |
- CACertificate: cert1.Name, | |
- }, | |
- }, | |
- }, | |
- Routes: []projcontour.Route{{ | |
- Conditions: []projcontour.Condition{{ | |
- Prefix: "/", | |
- }}, | |
- Services: []projcontour.Service{{ | |
- Name: "kuard", | |
- Port: 8080, | |
- }}, | |
- }}, | |
- }, | |
- } | |
+ // proxy18 := &projcontour.HTTPProxy{ | |
+ // ObjectMeta: metav1.ObjectMeta{ | |
+ // Name: "example-com", | |
+ // Namespace: "default", | |
+ // }, | |
+ // Spec: projcontour.HTTPProxySpec{ | |
+ // VirtualHost: &projcontour.VirtualHost{ | |
+ // Fqdn: "example.com", | |
+ // TLS: &projcontour.TLS{ | |
+ // SecretName: sec1.Name, | |
+ // ClientValidation: &projcontour.DownstreamValidation{ | |
+ // CACertificate: cert1.Name, | |
+ // }, | |
+ // }, | |
+ // }, | |
+ // Routes: []projcontour.Route{{ | |
+ // Conditions: []projcontour.Condition{{ | |
+ // Prefix: "/", | |
+ // }}, | |
+ // Services: []projcontour.Service{{ | |
+ // Name: "kuard", | |
+ // Port: 8080, | |
+ // }}, | |
+ // }}, | |
+ // }, | |
+ // } | |
// proxy10 has a websocket route | |
proxy10 := &projcontour.HTTPProxy{ | |
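Review bot: Commenting out proxy18 removes the reference to `cert1` in this hunk, and the two test cases that also used it are commented out in the later builder_test.go hunk; if `cert1` is a local of TestDAGInsert with no other use, the file will fail to compile with `declared and not used`. Either confirm another case still references `cert1` or comment out its declaration alongside proxy18. TestDAGInsert starts and ends outside the hunk.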
@@ -5315,41 +5315,41 @@ func TestDAGInsert(t *testing.T) { | |
}, | |
), | |
}, | |
- "insert httpproxy with downstream verification": { | |
- objs: []interface{}{ | |
- cert1, proxy18, s1, sec1, | |
- }, | |
- want: listeners( | |
- &Listener{ | |
- Port: 80, | |
- VirtualHosts: virtualhosts( | |
- virtualhost("example.com", routeUpgrade("/", service(s1))), | |
- ), | |
- }, &Listener{ | |
- Port: 443, | |
- VirtualHosts: virtualhosts( | |
- &SecureVirtualHost{ | |
- VirtualHost: VirtualHost{ | |
- Name: "example.com", | |
- routes: routes( | |
- routeUpgrade("/", service(s1))), | |
- }, | |
- MinProtoVersion: envoy_api_v2_auth.TlsParameters_TLSv1_1, | |
- Secret: secret(sec1), | |
- DownstreamValidation: &PeerValidationContext{ | |
- CACertificate: &Secret{Object: cert1}, | |
- }, | |
- }, | |
- ), | |
- }, | |
- ), | |
- }, | |
- "insert httpproxy with downstream verification, missing ca certificate": { | |
- objs: []interface{}{ | |
- proxy18, s1, sec1, | |
- }, | |
- want: listeners(), | |
- }, | |
+ // "insert httpproxy with downstream verification": { | |
+ // objs: []interface{}{ | |
+ // cert1, proxy18, s1, sec1, | |
+ // }, | |
+ // want: listeners( | |
+ // &Listener{ | |
+ // Port: 80, | |
+ // VirtualHosts: virtualhosts( | |
+ // virtualhost("example.com", routeUpgrade("/", service(s1))), | |
+ // ), | |
+ // }, &Listener{ | |
+ // Port: 443, | |
+ // VirtualHosts: virtualhosts( | |
+ // &SecureVirtualHost{ | |
+ // VirtualHost: VirtualHost{ | |
+ // Name: "example.com", | |
+ // routes: routes( | |
+ // routeUpgrade("/", service(s1))), | |
+ // }, | |
+ // MinProtoVersion: envoy_api_v2_auth.TlsParameters_TLSv1_1, | |
+ // Secret: secret(sec1), | |
+ // DownstreamValidation: &PeerValidationContext{ | |
+ // CACertificate: &Secret{Object: cert1}, | |
+ // }, | |
+ // }, | |
+ // ), | |
+ // }, | |
+ // ), | |
+ // }, | |
+ // "insert httpproxy with downstream verification, missing ca certificate": { | |
+ // objs: []interface{}{ | |
+ // proxy18, s1, sec1, | |
+ // }, | |
+ // want: listeners(), | |
+ // }, | |
"insert httpproxy with invalid tcpproxy": { | |
objs: []interface{}{proxy37, s1}, | |
want: listeners(), | |
diff --git a/internal/featuretests/downstreamvalidation_test.go b/internal/featuretests/downstreamvalidation_test.go | |
index c8aba5f0..f2beea63 100644 | |
--- a/internal/featuretests/downstreamvalidation_test.go | |
+++ b/internal/featuretests/downstreamvalidation_test.go | |
@@ -13,127 +13,112 @@ | |
package featuretests | |
-import ( | |
- "testing" | |
+// func TestDownstreamTLSCertificateValidation(t *testing.T) { | |
+// rh, c, done := setup(t) | |
+// defer done() | |
- v2 "github.com/envoyproxy/go-control-plane/envoy/api/v2" | |
- envoy_api_v2_auth "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth" | |
- envoy_api_v2_listener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener" | |
- projcontour "github.com/projectcontour/contour/apis/projectcontour/v1" | |
- "github.com/projectcontour/contour/internal/dag" | |
- "github.com/projectcontour/contour/internal/envoy" | |
- "github.com/projectcontour/contour/internal/k8s" | |
- v1 "k8s.io/api/core/v1" | |
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | |
- "k8s.io/apimachinery/pkg/util/intstr" | |
-) | |
+// serverTLSSecret := &v1.Secret{ | |
+// ObjectMeta: metav1.ObjectMeta{ | |
+// Name: "serverTLSSecret", | |
+// Namespace: "default", | |
+// }, | |
+// Type: v1.SecretTypeTLS, | |
+// Data: secretdata(CERTIFICATE, RSA_PRIVATE_KEY), | |
+// } | |
+// rh.OnAdd(serverTLSSecret) | |
-func TestDownstreamTLSCertificateValidation(t *testing.T) { | |
- rh, c, done := setup(t) | |
- defer done() | |
+// clientCASecret := &v1.Secret{ | |
+// ObjectMeta: metav1.ObjectMeta{ | |
+// Name: "clientCASecret", | |
+// Namespace: "default", | |
+// }, | |
+// Data: map[string][]byte{ | |
+// dag.CACertificateKey: []byte(CERTIFICATE), | |
+// }, | |
+// } | |
+// rh.OnAdd(clientCASecret) | |
- serverTLSSecret := &v1.Secret{ | |
- ObjectMeta: metav1.ObjectMeta{ | |
- Name: "serverTLSSecret", | |
- Namespace: "default", | |
- }, | |
- Type: v1.SecretTypeTLS, | |
- Data: secretdata(CERTIFICATE, RSA_PRIVATE_KEY), | |
- } | |
- rh.OnAdd(serverTLSSecret) | |
+// service := &v1.Service{ | |
+// ObjectMeta: metav1.ObjectMeta{ | |
+// Name: "kuard", | |
+// Namespace: "default", | |
+// }, | |
+// Spec: v1.ServiceSpec{ | |
+// Ports: []v1.ServicePort{{ | |
+// Name: "http", | |
+// Protocol: "TCP", | |
+// Port: 8080, | |
+// TargetPort: intstr.FromInt(8080), | |
+// }}, | |
+// }, | |
+// } | |
+// rh.OnAdd(service) | |
- clientCASecret := &v1.Secret{ | |
- ObjectMeta: metav1.ObjectMeta{ | |
- Name: "clientCASecret", | |
- Namespace: "default", | |
- }, | |
- Data: map[string][]byte{ | |
- dag.CACertificateKey: []byte(CERTIFICATE), | |
- }, | |
- } | |
- rh.OnAdd(clientCASecret) | |
+// proxy := &projcontour.HTTPProxy{ | |
+// ObjectMeta: metav1.ObjectMeta{ | |
+// Name: "example.com", | |
+// Namespace: "default", | |
+// }, | |
+// Spec: projcontour.HTTPProxySpec{ | |
+// VirtualHost: &projcontour.VirtualHost{ | |
+// Fqdn: "example.com", | |
+// TLS: &projcontour.TLS{ | |
+// SecretName: serverTLSSecret.Name, | |
+// ClientValidation: &projcontour.DownstreamValidation{ | |
+// CACertificate: clientCASecret.Name, | |
+// }, | |
+// }, | |
+// }, | |
+// Routes: []projcontour.Route{{ | |
+// Services: []projcontour.Service{{ | |
+// Name: "kuard", | |
+// Port: 8080, | |
+// }}, | |
+// }}, | |
+// }, | |
+// } | |
+// rh.OnAdd(proxy) | |
- service := &v1.Service{ | |
- ObjectMeta: metav1.ObjectMeta{ | |
- Name: "kuard", | |
- Namespace: "default", | |
- }, | |
- Spec: v1.ServiceSpec{ | |
- Ports: []v1.ServicePort{{ | |
- Name: "http", | |
- Protocol: "TCP", | |
- Port: 8080, | |
- TargetPort: intstr.FromInt(8080), | |
- }}, | |
- }, | |
- } | |
- rh.OnAdd(service) | |
+// ingress_http := &v2.Listener{ | |
+// Name: "ingress_http", | |
+// Address: envoy.SocketAddress("0.0.0.0", 8080), | |
+// FilterChains: envoy.FilterChains( | |
+// envoy.HTTPConnectionManager("ingress_http", envoy.FileAccessLogEnvoy("/dev/stdout"), 0), | |
+// ), | |
+// } | |
- proxy := &projcontour.HTTPProxy{ | |
- ObjectMeta: metav1.ObjectMeta{ | |
- Name: "example.com", | |
- Namespace: "default", | |
- }, | |
- Spec: projcontour.HTTPProxySpec{ | |
- VirtualHost: &projcontour.VirtualHost{ | |
- Fqdn: "example.com", | |
- TLS: &projcontour.TLS{ | |
- SecretName: serverTLSSecret.Name, | |
- ClientValidation: &projcontour.DownstreamValidation{ | |
- CACertificate: clientCASecret.Name, | |
- }, | |
- }, | |
- }, | |
- Routes: []projcontour.Route{{ | |
- Services: []projcontour.Service{{ | |
- Name: "kuard", | |
- Port: 8080, | |
- }}, | |
- }}, | |
- }, | |
- } | |
- rh.OnAdd(proxy) | |
+// ingress_https := &v2.Listener{ | |
+// Name: "ingress_https", | |
+// Address: envoy.SocketAddress("0.0.0.0", 8443), | |
+// ListenerFilters: envoy.ListenerFilters( | |
+// envoy.TLSInspector(), | |
+// ), | |
+// FilterChains: []*envoy_api_v2_listener.FilterChain{ | |
+// envoy.FilterChainTLS( | |
+// "example.com", | |
+// envoy.DownstreamTLSContext( | |
+// &dag.Secret{Object: serverTLSSecret}, | |
+// envoy_api_v2_auth.TlsParameters_TLSv1_1, | |
+// &dag.PeerValidationContext{ | |
+// CACertificate: &dag.Secret{ | |
+// Object: clientCASecret, | |
+// }, | |
+// }, | |
+// "h2", "http/1.1"), | |
+// envoy.Filters(envoy.HTTPConnectionManager("ingress_https", envoy.FileAccessLogEnvoy("/dev/stdout"), 0)), | |
+// ), | |
+// }, | |
+// } | |
- ingress_http := &v2.Listener{ | |
- Name: "ingress_http", | |
- Address: envoy.SocketAddress("0.0.0.0", 8080), | |
- FilterChains: envoy.FilterChains( | |
- envoy.HTTPConnectionManager("ingress_http", envoy.FileAccessLogEnvoy("/dev/stdout"), 0), | |
- ), | |
- } | |
+// c.Request(listenerType).Equals(&v2.DiscoveryResponse{ | |
+// Resources: resources(t, | |
+// ingress_http, | |
+// ingress_https, | |
+// staticListener(), | |
+// ), | |
+// TypeUrl: listenerType, | |
+// }).Status(proxy).Like( | |
+// projcontour.Status{CurrentStatus: k8s.StatusValid}, | |
+// ) | |
- ingress_https := &v2.Listener{ | |
- Name: "ingress_https", | |
- Address: envoy.SocketAddress("0.0.0.0", 8443), | |
- ListenerFilters: envoy.ListenerFilters( | |
- envoy.TLSInspector(), | |
- ), | |
- FilterChains: []*envoy_api_v2_listener.FilterChain{ | |
- envoy.FilterChainTLS( | |
- "example.com", | |
- envoy.DownstreamTLSContext( | |
- &dag.Secret{Object: serverTLSSecret}, | |
- envoy_api_v2_auth.TlsParameters_TLSv1_1, | |
- &dag.PeerValidationContext{ | |
- CACertificate: &dag.Secret{ | |
- Object: clientCASecret, | |
- }, | |
- }, | |
- "h2", "http/1.1"), | |
- envoy.Filters(envoy.HTTPConnectionManager("ingress_https", envoy.FileAccessLogEnvoy("/dev/stdout"), 0)), | |
- ), | |
- }, | |
- } | |
- | |
- c.Request(listenerType).Equals(&v2.DiscoveryResponse{ | |
- Resources: resources(t, | |
- ingress_http, | |
- ingress_https, | |
- staticListener(), | |
- ), | |
- TypeUrl: listenerType, | |
- }).Status(proxy).Like( | |
- projcontour.Status{CurrentStatus: k8s.StatusValid}, | |
- ) | |
- | |
-} | |
+// } | |
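Review bot: After this hunk the file is a package clause followed by a long commented-out test body, and the disabled test no longer shows up anywhere in `go test -v` output. If the feature is only parked, a skipped stub is more visible than a comment: keep the `testing` import and write `func TestDownstreamTLSCertificateValidation(t *testing.T) {` / `t.Skip("external client certificate validation is disabled")` / `}`. If the feature is removed for good, delete the file instead of keeping an empty package.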
diff --git a/site/docs/master/api-reference.html b/site/docs/master/api-reference.html | |
index fdb53262..0e1c95d7 100644 | |
--- a/site/docs/master/api-reference.html | |
+++ b/site/docs/master/api-reference.html | |
@@ -332,38 +332,6 @@ HeaderCondition | |
</tr> | |
</tbody> | |
</table> | |
-<h3 id="projectcontour.io/v1.DownstreamValidation">DownstreamValidation | |
-</h3> | |
-<p> | |
-(<em>Appears on:</em> | |
-<a href="#projectcontour.io/v1.TLS">TLS</a>) | |
-</p> | |
-<p> | |
-<p>DownstreamValidation defines how to verify the client certificate.</p> | |
-</p> | |
-<table class="table table-striped table-borderless" style="border:none"> | |
-<thead class="border-bottom"> | |
-<tr> | |
-<th>Field</th> | |
-<th>Description</th> | |
-</tr> | |
-</thead> | |
-<tbody class="border-top"> | |
-<tr> | |
-<td style="white-space:nowrap"> | |
-<code>caSecret</code> | |
-<br> | |
-<em> | |
-string | |
-</em> | |
-</td> | |
-<td> | |
-<p>Name of a Kubernetes secret that contains a CA certificate bundle. | |
-The client certificate must validate against the certificates in the bundle.</p> | |
-</td> | |
-</tr> | |
-</tbody> | |
-</table> | |
<h3 id="projectcontour.io/v1.HTTPHealthCheckPolicy">HTTPHealthCheckPolicy | |
</h3> | |
<p> | |
@@ -1586,24 +1554,6 @@ and the encrypted handshake will be passed through to the | |
backing cluster.</p> | |
</td> | |
</tr> | |
-<tr> | |
-<td style="white-space:nowrap"> | |
-<code>clientValidation</code> | |
-<br> | |
-<em> | |
-<a href="#projectcontour.io/v1.DownstreamValidation"> | |
-DownstreamValidation | |
-</a> | |
-</em> | |
-</td> | |
-<td> | |
-<em>(Optional)</em> | |
-<p>ClientValidation defines how to verify the client certificate. This setting: | |
-1. Enables TLS client certificate validation. | |
-2. Requires clients to present a TLS certificate (i.e. not optional validation). | |
-3. Specifies how the client certificate will be validated.</p> | |
-</td> | |
-</tr> | |
</tbody> | |
</table> | |
<h3 id="projectcontour.io/v1.TLSCertificateDelegationSpec">TLSCertificateDelegationSpec |