feat: adding support for ext auth and backend mtls#3441
feat: adding support for ext auth and backend mtls#3441guydc merged 6 commits intoenvoyproxy:mainfrom alexwo:upstream_mtls
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3441 +/- ##
==========================================
+ Coverage 67.15% 67.18% +0.02%
==========================================
Files 166 166
Lines 19463 19544 +81
==========================================
+ Hits 13071 13131 +60
- Misses 5447 5469 +22
+ Partials 945 944 -1 ☔ View full report in Codecov by Sentry. |
Hi @zhaohuabing , Sure, I have added the e2e tests as part of this PR. |
|
/retest |
2 similar comments
|
/retest |
|
/retest |
There was a problem hiding this comment.
According to the API comment, should the namespace of the client secret be the same as the EnvoyProxy resource?
This secret should be located within the same namespace as the Envoy proxy resource that references it.
There was a problem hiding this comment.
| ns := ptr.Deref(resources.EnvoyProxy.Spec.BackendTLS.ClientCertificateRef.Namespace, "") | |
| ns := ptr.Deref(resources.EnvoyProxy.Spec.BackendTLS.ClientCertificateRef.Namespace, "") |
Yes, was actually unsure if we should restrict this, perhaps the we should just allow any namespace. For now i have removed this comment. let me know incase you think thats interesting.
There was a problem hiding this comment.
IMO, It makes sense to create the secret in the same namespace because it's only used by the EnvoyProxy resource, and the other EG API does the similar.
There was a problem hiding this comment.
Great, I had similar thoughts. I have just added it back, with a restriction.
|
/retest |
4 similar comments
|
/retest |
|
/retest |
|
/retest |
|
/retest |
Signed-off-by: Alexander Volchok <alex.volchok@sap.com>
Signed-off-by: Alexander Volchok <alex.volchok@sap.com>
Signed-off-by: Alexander Volchok <alex.volchok@sap.com>
|
/retest |
Signed-off-by: Alexander Volchok <alex.volchok@sap.com>
|
/retest |
| } | ||
| } | ||
|
|
||
| // process envoy gateway secret refs |
There was a problem hiding this comment.
Should we also update predicates.go, indexers.go to make sure that a change in the secret triggers a reconcile and lookup is efficient?
| ConformanceTests = append(ConformanceTests, UpstreamTLSSettingsTest) | ||
| } | ||
|
|
||
| var UpstreamTLSSettingsTest = suite.ConformanceTest{ |
There was a problem hiding this comment.
nit: maybe use Backend instead of Upstream for all names here??
| port: 443 | ||
| targetPort: 8443 | ||
| --- | ||
| apiVersion: apps/v1 |
There was a problem hiding this comment.
maybe use a different name for the deployment, secrets, etc. to make sure that this doesn't conflict with other tests from conformance/e2e suites
| certificateRefs: | ||
| - group: "" | ||
| kind: Secret | ||
| name: backend-tls-certificate |
There was a problem hiding this comment.
Do we really need this? We can have HTTP => HTTPS upgrade in backend TLS tests..
| MaxVersion: ptr.To(v1alpha1.TLSv12), | ||
| Ciphers: []string{"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}, | ||
| } | ||
| err = UpdateProxyConfig(suite.Client, proxyNN, config) |
There was a problem hiding this comment.
Can we maybe create multiple EP resources as part of the test data and just change the reference from the GWC?
| t.Error(err) | ||
| } | ||
| expectedRes.TLS.Version = "TLSv1.2" | ||
| expectedRes.TLS.CipherSuite = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" |
There was a problem hiding this comment.
maybe another yaml here for the expected result?
| TLS TLSInfo `json:"tls"` | ||
| } | ||
|
|
||
| type TLSInfo struct { |
There was a problem hiding this comment.
Can we somehow reuse the gateway-api test util structs by extending them here?
| return hasAllFieldsAndValuesRecursive(reflect.ValueOf(obj1), reflect.ValueOf(obj2)) | ||
| } | ||
|
|
||
| func hasAllFieldsAndValuesRecursive(v1, v2 reflect.Value) (bool, error) { |
There was a problem hiding this comment.
can we use go-cmp here to make these comparisons?
| gatewayapi.KindEnvoyProxy, | ||
| *certRef); err != nil { | ||
| r.log.Error(err, | ||
| "failed to process TLS SecretRef for gateway", |
| return tlsBundle, policy | ||
| } | ||
|
|
||
| func (t *Translator) applyEnvoyProxyBackendTLSSetting(policy *gwapiv1a3.BackendTLSPolicy, tlsBundle *ir.TLSUpstreamConfig, resources *Resources, parent gwapiv1a2.ParentReference) *ir.TLSUpstreamConfig { |
There was a problem hiding this comment.
nit: maybe rename tlsBundle to tlsConfig here? It used to be just a cert bundle, but now contains much more settings,
|
@alexwo - can you maybe make some of the suggested test improvements in a follow-up PR? |
yes sounds good! , thanks for the quick review & feedback. |
What this PR does / why we need it:
This enables the use of a shared client certificate with Envoy proxies when accessing external services or backends.
Approach:
We introduce the capability to associate a TLS client certificate with the global configuration of an Envoy proxy. When configured, this client certificate will be used by the proxies when connecting to specified backends or external services.
Which issue(s) this PR fixes:
#2536