Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Configurable Cert Header #57

Open
SchulzeStTSI opened this issue May 15, 2023 · 0 comments
Open

Configurable Cert Header #57

SchulzeStTSI opened this issue May 15, 2023 · 0 comments

Comments

@SchulzeStTSI
Copy link
Collaborator

To improve the compatibility with ingress controllers, please insert in the gateway authentication a option to use for auth a PEM header instead of sending the country flag and the hash. For instance:

Config: DGC_AUTH_HEADER: ssl-client-cert
Content: ------ BEGIN Certificate---- MII..... ---- END ... -----

Similiar to this here in the nginx ingress configuration:

https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#client-certificate-authentication

The behavior should be like this:

  1. Check if Header is present, if yes use him
  2. If header is not present, process with other headers.

Alternativly this could be activated with an profile.

Note: This is the internal auth for the service and should not be conflicting with the mtls profile, because mtls can be still enabled, but the internal auth information are from a http header. Example: the ingress connects internally via mtls to the gateway with an certificate XY, but the auth header is from certificate YYY because the ingress has extracted it from the TLS offloading. (Ingress can not pass forward the MTLS Handshake to upstream servers)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant