We're interested in having downstream cert details (OUs, CNs, SANs) be included in the gRPC access log. We'd be interested in both sides of the TLS handshake, so we want details about both the client cert used to establish the connection and details about the server cert that was used by Envoy.
To accomplish this, we'd probably have to expose either the Ssl::Connection or some smaller data structure containing the necessary data on StreamInfo. This would allow any access log to include this information, including the gRPC access log.
The access log would have to be extended. Here's a suggestion:
message CommonCertDetails {
  // Organizational unit from the certificate subject.
  string ou = 1;
  // Common name from the certificate subject.
  string cn = 2;
  // Subject alternative names.
  repeated string san = 3;
}
message CertDetails {
  // Details about client cert.
  CommonCertDetails peer_certificate = 1;
  // Details about local server cert.
  CommonCertDetails local_certificate = 2;
}
This could then be included on the data.accesslog.v2.AccessLogCommon proto with a downstream_cert_details field.
cc @worldwise001 (let me know if I forgot anything)
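As an added example, not Envoy's code or the issue author's: a Go program that performs an in-memory mTLS handshake with Go's crypto/tls and fills Go stand-ins for the proposed CommonCertDetails and CertDetails from the server side of the connection, the peer entry from the client certificate it received and the local entry from the certificate it served. The function names (MutualTLSCertDetails, DetailsFromCert, selfSigned), the Go struct shapes and the two self-signed test certificates are all assumptions constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Go stand-ins for the proposed proto messages (hypothetical shapes, not Envoy's API).
type CommonCertDetails struct {
	OU  string
	CN  string
	SAN []string
}
type CertDetails struct {
	PeerCertificate  CommonCertDetails // cert the client presented
	LocalCertificate CommonCertDetails // cert the server itself presented
}

// DetailsFromCert pulls OU, CN and DNS SANs out of a parsed certificate. X.509 allows
// several OUs; they are joined because the proposed message has a single string.
func DetailsFromCert(c *x509.Certificate) CommonCertDetails {
	d := CommonCertDetails{OU: strings.Join(c.Subject.OrganizationalUnit, ","), CN: c.Subject.CommonName}
	for _, n := range c.DNSNames {
		d.SAN = append(d.SAN, "DNS:"+n) // tag the SAN type; URI SANs (SPIFFE) would get "URI:"
	}
	return d
}

// selfSigned builds a self-signed ECDSA cert that doubles as its own trust anchor
// for this demo (constructed test data, so failures simply panic).
func selfSigned(cn, ou string, sans []string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		DNSNames:     sans,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA:         true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing our own output cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// MutualTLSCertDetails runs an in-memory mTLS handshake and collects, from the
// server's side of the connection, what the proposed access log field would carry.
func MutualTLSCertDetails() (CertDetails, error) {
	serverCert := selfSigned("envoy.example", "edge-proxy", []string{"envoy.example"})
	clientCert := selfSigned("client.example", "payments", []string{"client.example", "client.internal"})
	trustServer, trustClient := x509.NewCertPool(), x509.NewCertPool()
	trustServer.AddCert(serverCert.Leaf)
	trustClient.AddCert(clientCert.Leaf)
	srvConf := &tls.Config{
		Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS13,
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: trustClient,
		SessionTicketsDisabled: true, // a post-handshake ticket write would block on net.Pipe
	}
	cliConf := &tls.Config{
		Certificates: []tls.Certificate{clientCert}, MinVersion: tls.VersionTLS13,
		RootCAs:      trustServer, ServerName: "envoy.example",
	}
	cliConn, srvConn := net.Pipe()
	defer cliConn.Close()
	defer srvConn.Close()
	cliErr := make(chan error, 1)
	go func() { cliErr <- tls.Client(cliConn, cliConf).Handshake() }()
	srv := tls.Server(srvConn, srvConf)
	if err := srv.Handshake(); err != nil {
		return CertDetails{}, fmt.Errorf("server handshake: %w", err)
	}
	if err := <-cliErr; err != nil {
		return CertDetails{}, fmt.Errorf("client handshake: %w", err)
	}
	peers := srv.ConnectionState().PeerCertificates
	if len(peers) == 0 { // a logger must not assume a client cert was presented
		return CertDetails{}, fmt.Errorf("no client certificate presented")
	}
	return CertDetails{
		PeerCertificate:  DetailsFromCert(peers[0]),
		LocalCertificate: DetailsFromCert(serverCert.Leaf), // the cert the server selected and sent
	}, nil
}
```

Call MutualTLSCertDetails() and print the result to see both halves populated. Two things the example surfaces that the message definition should settle: an X.509 subject may carry several OU values (the demo joins them with commas because the proposal has a single string), and a SAN list mixes name types, so each entry is tagged with its type rather than stored bare.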