Allow External Auth when Fallback Certificate is used #6512
Assignees
Labels
kind/feature
Categorizes issue or PR as related to a new feature.
Comments
erikflores7
added
kind/feature
|
Hey @erikflores7! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace |
erikflores7
pushed a commit
to erikflores7/contour
that referenced
this issue
Jul 16, 2024
…ing Fallback certificates, the global auth was previously ignored. This is needed when using IP routing with no SNI. \n Fixes projectcontour#6512 \n Signed-off-by: Erik Flores [email protected]
skriss
removed
the
lifecycle/needs-triage
erikflores7
pushed a commit
to erikflores7/contour
that referenced
this issue
Jul 25, 2024
…ing Fallback certificates, the global auth was previously ignored. This is needed when using IP routing with no SNI. \n Fixes projectcontour#6512 Signed-off-by: Erik Flores <[email protected]>
erikflores7
pushed a commit
to erikflores7/contour
that referenced
this issue
Jul 25, 2024
…ing Fallback certificates, the global auth was previously ignored. This is needed when using IP routing with no SNI. \n Fixes projectcontour#6512 Signed-off-by: Erik Flores <[email protected]>
geomacy
pushed a commit
to chaosbox/contour
that referenced
this issue
Aug 22, 2024
Enables the ExtAuthz filter on the fallback cert filter chain when configuring global external auth, to support external auth for requests without SNI. Fixes projectcontour#6512. Signed-off-by: Erik Flores <[email protected]> Signed-off-by: Geoff Macartney <[email protected]>
SamMHD
pushed a commit
to SamMHD/contour
that referenced
this issue
Sep 8, 2024
Enables the ExtAuthz filter on the fallback cert filter chain when configuring global external auth, to support external auth for requests without SNI. Fixes projectcontour#6512. Signed-off-by: Erik Flores <[email protected]> Signed-off-by: Saman Mahdanian <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently, you cannot configure both a Fallback Certificate and Authorization which means you lose Authorization if you do not have SNI available. In our specific use case, we cannot guarantee DNS records in our air-gapped, edge deployments and have to resort to using the IPs of our machines, at least initially. Since we use IPs, Chrome does not send the SNI and we have to resort to using the Fallback Certificate. This creates an issue since we can no longer authorize the requests that are coming in through our own auth service.
We also cannot easily terminate TLS at the LB level since we do not have access to AWS or other LBs in these edge deployments. We would have to put something like Nginx Ingress Controller in front of Contour which we do not want to do. This is a requirement for deploying in edge deployments where there is a long process for obtaining DNS records/domains.
The text was updated successfully, but these errors were encountered: