disabling external client cert validation
diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go
index 2c7a323d..5ee30820 100644
--- a/apis/projectcontour/v1/httpproxy.go
+++ b/apis/projectcontour/v1/httpproxy.go
@@ -120,12 +120,12 @@ type TLS struct {
// backing cluster.
// +optional
Passthrough bool `json:"passthrough,omitempty"`
- // ClientValidation defines how to verify the client certificate. This setting:
- // 1. Enables TLS client certificate validation.
- // 2. Requires clients to present a TLS certificate (i.e. not optional validation).
- // 3. Specifies how the client certificate will be validated.
- // +optional
- ClientValidation *DownstreamValidation `json:"clientValidation,omitempty"`
+ // // ClientValidation defines how to verify the client certificate. This setting:
+ // // 1. Enables TLS client certificate validation.
+ // // 2. Requires clients to present a TLS certificate (i.e. not optional validation).
+ // // 3. Specifies how the client certificate will be validated.
+ // // +optional
+ // ClientValidation *DownstreamValidation `json:"clientValidation,omitempty"`
}
// Route contains the set of routes for a virtual host.
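Review bot: Removing the ClientValidation field from TLS (the replaced lines at the top of the hunk) means an HTTPProxy that still carries `tls.clientValidation` is decoded with that field silently ignored, so a virtual host that previously required client certificates is served without them and nothing in the object's status reports the downgrade. If the goal is to disable the feature rather than remove it, consider keeping the field and having the DAG builder reject such a proxy via `sw.SetInvalid(...)`, or at least replace the commented-out field with a one-line comment stating that client certificate validation is not supported. Whether the API server prunes or rejects the now-unknown field depends on the CRD's preserveUnknownFields setting, which is not visible here; the two hunks in 01-crds.yaml drop the field from the schema as well. The TLS struct begins before this hunk.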
@@ -380,13 +380,13 @@ type UpstreamValidation struct {
}
// DownstreamValidation defines how to verify the client certificate.
-type DownstreamValidation struct {
- // Name of a Kubernetes secret that contains a CA certificate bundle.
- // The client certificate must validate against the certificates in the bundle.
- // +kubebuilder:validation:Required
- // +kubebuilder:validation:MinLength=1
- CACertificate string `json:"caSecret"`
-}
+// type DownstreamValidation struct {
+// // Name of a Kubernetes secret that contains a CA certificate bundle.
+// // The client certificate must validate against the certificates in the bundle.
+// // +kubebuilder:validation:Required
+// // +kubebuilder:validation:MinLength=1
+// CACertificate string `json:"caSecret"`
+// }
// Status reports the current state of the HTTPProxy.
type Status struct {
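Review bot: The DownstreamValidation type is commented out rather than deleted, and the same pattern is used in both builder.go hunks, both builder_test.go hunks and downstreamvalidation_test.go; commented-out code is neither compiled nor tested and drifts from the code around it. Git history already preserves the removed definitions, so deleting them outright reads cleaner. As written, the doc comment `// DownstreamValidation defines how to verify the client certificate.` on the context line above the hunk survives as a dangling comment with no declaration beneath it; if the block is kept for reference, reword that line to something like `// DownstreamValidation (client certificate validation) has been removed.`.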
diff --git a/apis/projectcontour/v1/zz_generated.deepcopy.go b/apis/projectcontour/v1/zz_generated.deepcopy.go
index 180c6433..e933751a 100644
--- a/apis/projectcontour/v1/zz_generated.deepcopy.go
+++ b/apis/projectcontour/v1/zz_generated.deepcopy.go
@@ -66,22 +66,6 @@ func (in *Condition) DeepCopy() *Condition {
return out
}
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DownstreamValidation) DeepCopyInto(out *DownstreamValidation) {
- *out = *in
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DownstreamValidation.
-func (in *DownstreamValidation) DeepCopy() *DownstreamValidation {
- if in == nil {
- return nil
- }
- out := new(DownstreamValidation)
- in.DeepCopyInto(out)
- return out
-}
-
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *HTTPHealthCheckPolicy) DeepCopyInto(out *HTTPHealthCheckPolicy) {
*out = *in
@@ -544,11 +528,6 @@ func (in *TCPProxyInclude) DeepCopy() *TCPProxyInclude {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLS) DeepCopyInto(out *TLS) {
*out = *in
- if in.ClientValidation != nil {
- in, out := &in.ClientValidation, &out.ClientValidation
- *out = new(DownstreamValidation)
- **out = **in
- }
return
}
@@ -683,7 +662,7 @@ func (in *VirtualHost) DeepCopyInto(out *VirtualHost) {
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLS)
- (*in).DeepCopyInto(*out)
+ **out = **in
}
return
}
diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml
index d97f0f78..61175f7d 100644
--- a/examples/contour/01-crds.yaml
+++ b/examples/contour/01-crds.yaml
@@ -311,22 +311,6 @@ spec:
that will be matched on are described in fqdn, the tls.secretName
secret must contain a matching certificate
properties:
- clientValidation:
- description: 'ClientValidation defines how to verify the client
- certificate. This setting: 1. Enables TLS client certificate
- validation. 2. Requires clients to present a TLS certificate
- (i.e. not optional validation). 3. Specifies how the client
- certificate will be validated.'
- properties:
- caSecret:
- description: Name of a Kubernetes secret that contains a
- CA certificate bundle. The client certificate must validate
- against the certificates in the bundle.
- minLength: 1
- type: string
- required:
- - caSecret
- type: object
minimumProtocolVersion:
description: Minimum TLS version this vhost should negotiate
type: string
@@ -1110,22 +1094,6 @@ spec:
that will be matched on are described in fqdn, the tls.secretName
secret must contain a matching certificate
properties:
- clientValidation:
- description: 'ClientValidation defines how to verify the client
- certificate. This setting: 1. Enables TLS client certificate
- validation. 2. Requires clients to present a TLS certificate
- (i.e. not optional validation). 3. Specifies how the client
- certificate will be validated.'
- properties:
- caSecret:
- description: Name of a Kubernetes secret that contains a
- CA certificate bundle. The client certificate must validate
- against the certificates in the bundle.
- minLength: 1
- type: string
- required:
- - caSecret
- type: object
minimumProtocolVersion:
description: Minimum TLS version this vhost should negotiate
type: string
diff --git a/internal/dag/builder.go b/internal/dag/builder.go
index 8cb23fa7..b1f19c23 100644
--- a/internal/dag/builder.go
+++ b/internal/dag/builder.go
@@ -490,14 +490,14 @@ func (b *Builder) computeHTTPProxy(proxy *projcontour.HTTPProxy) {
svhost.MinProtoVersion = MinProtoVersion(proxy.Spec.VirtualHost.TLS.MinimumProtocolVersion)
// Fill in DownstreamValidation when external client validation is enabled.
- if tls.ClientValidation != nil {
- dv, err := b.lookupDownstreamValidation(tls.ClientValidation, proxy.Namespace)
- if err != nil {
- sw.SetInvalid("TLS client validation policy error: %s", err)
- return
- }
- svhost.DownstreamValidation = dv
- }
+ // if tls.ClientValidation != nil {
+ // dv, err := b.lookupDownstreamValidation(tls.ClientValidation, proxy.Namespace)
+ // if err != nil {
+ // sw.SetInvalid("TLS client validation policy error: %s", err)
+ // return
+ // }
+ // svhost.DownstreamValidation = dv
+ // }
}
if sec == nil && !tls.Passthrough {
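Review bot: The context comment `// Fill in DownstreamValidation when external client validation is enabled.` at the top of the hunk now introduces a commented-out block, so it describes behaviour computeHTTPProxy no longer has. Either drop the comment together with the block or reword it to state the new contract, e.g. `// Client certificate validation is disabled; svhost.DownstreamValidation is always nil.`, so a reader does not go looking for the code that sets it. Leaving the field nil presumably yields a TLS filter chain without a peer validation context, which is the intended effect of the change and worth saying explicitly here. computeHTTPProxy begins and ends outside this hunk.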
@@ -1103,22 +1103,22 @@ func (b *Builder) lookupUpstreamValidation(uv *projcontour.UpstreamValidation, n
}, nil
}
-func (b *Builder) lookupDownstreamValidation(vc *projcontour.DownstreamValidation, namespace string) (*PeerValidationContext, error) {
- if vc == nil {
- // No downstream validation requested, nothing to do.
- return nil, nil
- }
-
- cacert := b.lookupSecret(Meta{name: vc.CACertificate, namespace: namespace}, validCA)
- if cacert == nil {
- // ValidationContext is requested, but cert is missing or not configured.
- return nil, fmt.Errorf("secret not found or misconfigured")
- }
-
- return &PeerValidationContext{
- CACertificate: cacert,
- }, nil
-}
+// func (b *Builder) lookupDownstreamValidation(vc *projcontour.DownstreamValidation, namespace string) (*PeerValidationContext, error) {
+// if vc == nil {
+// // No downstream validation requested, nothing to do.
+// return nil, nil
+// }
+
+// cacert := b.lookupSecret(Meta{name: vc.CACertificate, namespace: namespace}, validCA)
+// if cacert == nil {
+// // ValidationContext is requested, but cert is missing or not configured.
+// return nil, fmt.Errorf("secret not found or misconfigured")
+// }
+
+// return &PeerValidationContext{
+// CACertificate: cacert,
+// }, nil
+// }
func (b *Builder) processIngressRouteTCPProxy(sw *ObjectStatusWriter, ir *ingressroutev1.IngressRoute, visited []*ingressroutev1.IngressRoute, host string) {
visited = append(visited, ir)
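Review bot: With lookupDownstreamValidation commented out, the `fmt.Errorf` call it contained was possibly the only use of `fmt` in builder.go, and `validCA` may have lost its only caller; an unused import is a compile error and an unused unexported function is flagged by staticcheck. Neither the import block nor validCA is visible in this diff, so treat this as a build check rather than a confirmed defect, and remove the import or helper if the compiler or linter reports them.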
diff --git a/internal/dag/builder_test.go b/internal/dag/builder_test.go
index 9fdae96e..374e33b3 100644
--- a/internal/dag/builder_test.go
+++ b/internal/dag/builder_test.go
@@ -2187,32 +2187,32 @@ func TestDAGInsert(t *testing.T) {
},
}
- proxy18 := &projcontour.HTTPProxy{
- ObjectMeta: metav1.ObjectMeta{
- Name: "example-com",
- Namespace: "default",
- },
- Spec: projcontour.HTTPProxySpec{
- VirtualHost: &projcontour.VirtualHost{
- Fqdn: "example.com",
- TLS: &projcontour.TLS{
- SecretName: sec1.Name,
- ClientValidation: &projcontour.DownstreamValidation{
- CACertificate: cert1.Name,
- },
- },
- },
- Routes: []projcontour.Route{{
- Conditions: []projcontour.Condition{{
- Prefix: "/",
- }},
- Services: []projcontour.Service{{
- Name: "kuard",
- Port: 8080,
- }},
- }},
- },
- }
+ // proxy18 := &projcontour.HTTPProxy{
+ // ObjectMeta: metav1.ObjectMeta{
+ // Name: "example-com",
+ // Namespace: "default",
+ // },
+ // Spec: projcontour.HTTPProxySpec{
+ // VirtualHost: &projcontour.VirtualHost{
+ // Fqdn: "example.com",
+ // TLS: &projcontour.TLS{
+ // SecretName: sec1.Name,
+ // ClientValidation: &projcontour.DownstreamValidation{
+ // CACertificate: cert1.Name,
+ // },
+ // },
+ // },
+ // Routes: []projcontour.Route{{
+ // Conditions: []projcontour.Condition{{
+ // Prefix: "/",
+ // }},
+ // Services: []projcontour.Service{{
+ // Name: "kuard",
+ // Port: 8080,
+ // }},
+ // }},
+ // },
+ // }
// proxy10 has a websocket route
proxy10 := &projcontour.HTTPProxy{
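Review bot: Commenting out proxy18 likely leaves `cert1` declared but unused inside TestDAGInsert if its only other references were the two test cases removed in the second hunk, and an unused local is a compile error in Go rather than a lint warning; if nothing else in the function reads cert1, remove its declaration as well. The removed cases were also the only coverage of DownstreamValidation on a SecureVirtualHost, so a replacement case asserting that a TLS vhost is built with `DownstreamValidation` nil would pin the new behaviour instead of leaving it untested. TestDAGInsert begins and ends outside this hunk.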
@@ -5315,41 +5315,41 @@ func TestDAGInsert(t *testing.T) {
},
),
},
- "insert httpproxy with downstream verification": {
- objs: []interface{}{
- cert1, proxy18, s1, sec1,
- },
- want: listeners(
- &Listener{
- Port: 80,
- VirtualHosts: virtualhosts(
- virtualhost("example.com", routeUpgrade("/", service(s1))),
- ),
- }, &Listener{
- Port: 443,
- VirtualHosts: virtualhosts(
- &SecureVirtualHost{
- VirtualHost: VirtualHost{
- Name: "example.com",
- routes: routes(
- routeUpgrade("/", service(s1))),
- },
- MinProtoVersion: envoy_api_v2_auth.TlsParameters_TLSv1_1,
- Secret: secret(sec1),
- DownstreamValidation: &PeerValidationContext{
- CACertificate: &Secret{Object: cert1},
- },
- },
- ),
- },
- ),
- },
- "insert httpproxy with downstream verification, missing ca certificate": {
- objs: []interface{}{
- proxy18, s1, sec1,
- },
- want: listeners(),
- },
+ // "insert httpproxy with downstream verification": {
+ // objs: []interface{}{
+ // cert1, proxy18, s1, sec1,
+ // },
+ // want: listeners(
+ // &Listener{
+ // Port: 80,
+ // VirtualHosts: virtualhosts(
+ // virtualhost("example.com", routeUpgrade("/", service(s1))),
+ // ),
+ // }, &Listener{
+ // Port: 443,
+ // VirtualHosts: virtualhosts(
+ // &SecureVirtualHost{
+ // VirtualHost: VirtualHost{
+ // Name: "example.com",
+ // routes: routes(
+ // routeUpgrade("/", service(s1))),
+ // },
+ // MinProtoVersion: envoy_api_v2_auth.TlsParameters_TLSv1_1,
+ // Secret: secret(sec1),
+ // DownstreamValidation: &PeerValidationContext{
+ // CACertificate: &Secret{Object: cert1},
+ // },
+ // },
+ // ),
+ // },
+ // ),
+ // },
+ // "insert httpproxy with downstream verification, missing ca certificate": {
+ // objs: []interface{}{
+ // proxy18, s1, sec1,
+ // },
+ // want: listeners(),
+ // },
"insert httpproxy with invalid tcpproxy": {
objs: []interface{}{proxy37, s1},
want: listeners(),
diff --git a/internal/featuretests/downstreamvalidation_test.go b/internal/featuretests/downstreamvalidation_test.go
index c8aba5f0..f2beea63 100644
--- a/internal/featuretests/downstreamvalidation_test.go
+++ b/internal/featuretests/downstreamvalidation_test.go
@@ -13,127 +13,112 @@
package featuretests
-import (
- "testing"
+// func TestDownstreamTLSCertificateValidation(t *testing.T) {
+// rh, c, done := setup(t)
+// defer done()
- v2 "github.com/envoyproxy/go-control-plane/envoy/api/v2"
- envoy_api_v2_auth "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth"
- envoy_api_v2_listener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener"
- projcontour "github.com/projectcontour/contour/apis/projectcontour/v1"
- "github.com/projectcontour/contour/internal/dag"
- "github.com/projectcontour/contour/internal/envoy"
- "github.com/projectcontour/contour/internal/k8s"
- v1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/util/intstr"
-)
+// serverTLSSecret := &v1.Secret{
+// ObjectMeta: metav1.ObjectMeta{
+// Name: "serverTLSSecret",
+// Namespace: "default",
+// },
+// Type: v1.SecretTypeTLS,
+// Data: secretdata(CERTIFICATE, RSA_PRIVATE_KEY),
+// }
+// rh.OnAdd(serverTLSSecret)
-func TestDownstreamTLSCertificateValidation(t *testing.T) {
- rh, c, done := setup(t)
- defer done()
+// clientCASecret := &v1.Secret{
+// ObjectMeta: metav1.ObjectMeta{
+// Name: "clientCASecret",
+// Namespace: "default",
+// },
+// Data: map[string][]byte{
+// dag.CACertificateKey: []byte(CERTIFICATE),
+// },
+// }
+// rh.OnAdd(clientCASecret)
- serverTLSSecret := &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "serverTLSSecret",
- Namespace: "default",
- },
- Type: v1.SecretTypeTLS,
- Data: secretdata(CERTIFICATE, RSA_PRIVATE_KEY),
- }
- rh.OnAdd(serverTLSSecret)
+// service := &v1.Service{
+// ObjectMeta: metav1.ObjectMeta{
+// Name: "kuard",
+// Namespace: "default",
+// },
+// Spec: v1.ServiceSpec{
+// Ports: []v1.ServicePort{{
+// Name: "http",
+// Protocol: "TCP",
+// Port: 8080,
+// TargetPort: intstr.FromInt(8080),
+// }},
+// },
+// }
+// rh.OnAdd(service)
- clientCASecret := &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "clientCASecret",
- Namespace: "default",
- },
- Data: map[string][]byte{
- dag.CACertificateKey: []byte(CERTIFICATE),
- },
- }
- rh.OnAdd(clientCASecret)
+// proxy := &projcontour.HTTPProxy{
+// ObjectMeta: metav1.ObjectMeta{
+// Name: "example.com",
+// Namespace: "default",
+// },
+// Spec: projcontour.HTTPProxySpec{
+// VirtualHost: &projcontour.VirtualHost{
+// Fqdn: "example.com",
+// TLS: &projcontour.TLS{
+// SecretName: serverTLSSecret.Name,
+// ClientValidation: &projcontour.DownstreamValidation{
+// CACertificate: clientCASecret.Name,
+// },
+// },
+// },
+// Routes: []projcontour.Route{{
+// Services: []projcontour.Service{{
+// Name: "kuard",
+// Port: 8080,
+// }},
+// }},
+// },
+// }
+// rh.OnAdd(proxy)
- service := &v1.Service{
- ObjectMeta: metav1.ObjectMeta{
- Name: "kuard",
- Namespace: "default",
- },
- Spec: v1.ServiceSpec{
- Ports: []v1.ServicePort{{
- Name: "http",
- Protocol: "TCP",
- Port: 8080,
- TargetPort: intstr.FromInt(8080),
- }},
- },
- }
- rh.OnAdd(service)
+// ingress_http := &v2.Listener{
+// Name: "ingress_http",
+// Address: envoy.SocketAddress("0.0.0.0", 8080),
+// FilterChains: envoy.FilterChains(
+// envoy.HTTPConnectionManager("ingress_http", envoy.FileAccessLogEnvoy("/dev/stdout"), 0),
+// ),
+// }
- proxy := &projcontour.HTTPProxy{
- ObjectMeta: metav1.ObjectMeta{
- Name: "example.com",
- Namespace: "default",
- },
- Spec: projcontour.HTTPProxySpec{
- VirtualHost: &projcontour.VirtualHost{
- Fqdn: "example.com",
- TLS: &projcontour.TLS{
- SecretName: serverTLSSecret.Name,
- ClientValidation: &projcontour.DownstreamValidation{
- CACertificate: clientCASecret.Name,
- },
- },
- },
- Routes: []projcontour.Route{{
- Services: []projcontour.Service{{
- Name: "kuard",
- Port: 8080,
- }},
- }},
- },
- }
- rh.OnAdd(proxy)
+// ingress_https := &v2.Listener{
+// Name: "ingress_https",
+// Address: envoy.SocketAddress("0.0.0.0", 8443),
+// ListenerFilters: envoy.ListenerFilters(
+// envoy.TLSInspector(),
+// ),
+// FilterChains: []*envoy_api_v2_listener.FilterChain{
+// envoy.FilterChainTLS(
+// "example.com",
+// envoy.DownstreamTLSContext(
+// &dag.Secret{Object: serverTLSSecret},
+// envoy_api_v2_auth.TlsParameters_TLSv1_1,
+// &dag.PeerValidationContext{
+// CACertificate: &dag.Secret{
+// Object: clientCASecret,
+// },
+// },
+// "h2", "http/1.1"),
+// envoy.Filters(envoy.HTTPConnectionManager("ingress_https", envoy.FileAccessLogEnvoy("/dev/stdout"), 0)),
+// ),
+// },
+// }
- ingress_http := &v2.Listener{
- Name: "ingress_http",
- Address: envoy.SocketAddress("0.0.0.0", 8080),
- FilterChains: envoy.FilterChains(
- envoy.HTTPConnectionManager("ingress_http", envoy.FileAccessLogEnvoy("/dev/stdout"), 0),
- ),
- }
+// c.Request(listenerType).Equals(&v2.DiscoveryResponse{
+// Resources: resources(t,
+// ingress_http,
+// ingress_https,
+// staticListener(),
+// ),
+// TypeUrl: listenerType,
+// }).Status(proxy).Like(
+// projcontour.Status{CurrentStatus: k8s.StatusValid},
+// )
- ingress_https := &v2.Listener{
- Name: "ingress_https",
- Address: envoy.SocketAddress("0.0.0.0", 8443),
- ListenerFilters: envoy.ListenerFilters(
- envoy.TLSInspector(),
- ),
- FilterChains: []*envoy_api_v2_listener.FilterChain{
- envoy.FilterChainTLS(
- "example.com",
- envoy.DownstreamTLSContext(
- &dag.Secret{Object: serverTLSSecret},
- envoy_api_v2_auth.TlsParameters_TLSv1_1,
- &dag.PeerValidationContext{
- CACertificate: &dag.Secret{
- Object: clientCASecret,
- },
- },
- "h2", "http/1.1"),
- envoy.Filters(envoy.HTTPConnectionManager("ingress_https", envoy.FileAccessLogEnvoy("/dev/stdout"), 0)),
- ),
- },
- }
-
- c.Request(listenerType).Equals(&v2.DiscoveryResponse{
- Resources: resources(t,
- ingress_http,
- ingress_https,
- staticListener(),
- ),
- TypeUrl: listenerType,
- }).Status(proxy).Like(
- projcontour.Status{CurrentStatus: k8s.StatusValid},
- )
-
-}
+// }
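Review bot: The file now consists of `package featuretests` followed by a fully commented-out test, which compiles to nothing; deleting downstreamvalidation_test.go is clearer than keeping a dead body, and a `t.Skip` is not an alternative here because the types the body references (`projcontour.DownstreamValidation`) no longer exist. Note also that the `import` block was removed entirely rather than commented, so the body cannot simply be un-commented later without restoring the imports listed at the top of the old version.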
diff --git a/site/docs/master/api-reference.html b/site/docs/master/api-reference.html
index fdb53262..0e1c95d7 100644
--- a/site/docs/master/api-reference.html
+++ b/site/docs/master/api-reference.html
@@ -332,38 +332,6 @@ HeaderCondition
</tr>
</tbody>
</table>
-<h3 id="projectcontour.io/v1.DownstreamValidation">DownstreamValidation
-</h3>
-<p>
-(<em>Appears on:</em>
-<a href="#projectcontour.io/v1.TLS">TLS</a>)
-</p>
-<p>
-<p>DownstreamValidation defines how to verify the client certificate.</p>
-</p>
-<table class="table table-striped table-borderless" style="border:none">
-<thead class="border-bottom">
-<tr>
-<th>Field</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody class="border-top">
-<tr>
-<td style="white-space:nowrap">
-<code>caSecret</code>
-<br>
-<em>
-string
-</em>
-</td>
-<td>
-<p>Name of a Kubernetes secret that contains a CA certificate bundle.
-The client certificate must validate against the certificates in the bundle.</p>
-</td>
-</tr>
-</tbody>
-</table>
<h3 id="projectcontour.io/v1.HTTPHealthCheckPolicy">HTTPHealthCheckPolicy
</h3>
<p>
@@ -1586,24 +1554,6 @@ and the encrypted handshake will be passed through to the
backing cluster.</p>
</td>
</tr>
-<tr>
-<td style="white-space:nowrap">
-<code>clientValidation</code>
-<br>
-<em>
-<a href="#projectcontour.io/v1.DownstreamValidation">
-DownstreamValidation
-</a>
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>ClientValidation defines how to verify the client certificate. This setting:
-1. Enables TLS client certificate validation.
-2. Requires clients to present a TLS certificate (i.e. not optional validation).
-3. Specifies how the client certificate will be validated.</p>
-</td>
-</tr>
</tbody>
</table>
<h3 id="projectcontour.io/v1.TLSCertificateDelegationSpec">TLSCertificateDelegationSpec