Skip to content

Commit

Permalink
api: downstream client CACert validation (envoyproxy#2483)
Browse files Browse the repository at this point in the history
* api: downstream client CACert validation

Relates to envoyproxy#88

Signed-off-by: Arko Dasgupta <[email protected]>

* docs

Signed-off-by: Arko Dasgupta <[email protected]>

* lint

Signed-off-by: Arko Dasgupta <[email protected]>

* charts

Signed-off-by: Arko Dasgupta <[email protected]>

---------

Signed-off-by: Arko Dasgupta <[email protected]>
  • Loading branch information
arkodg authored and soulxu committed Jan 23, 2024
1 parent 673b36f commit 4e83a5d
Show file tree
Hide file tree
Showing 4 changed files with 155 additions and 0 deletions.
30 changes: 30 additions & 0 deletions api/v1alpha1/tls_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@

package v1alpha1

import (
corev1 "k8s.io/api/core/v1"
)

// +kubebuilder:validation:XValidation:rule="has(self.minVersion) && self.minVersion == '1.3' ? !has(self.ciphers) : true", message="setting ciphers has no effect if the minimum possible TLS version is 1.3"
// +kubebuilder:validation:XValidation:rule="has(self.minVersion) && has(self.maxVersion) ? {\"Auto\":0,\"1.0\":1,\"1.1\":2,\"1.2\":3,\"1.3\":4}[self.minVersion] <= {\"1.0\":1,\"1.1\":2,\"1.2\":3,\"1.3\":4,\"Auto\":5}[self.maxVersion] : !has(self.minVersion) && has(self.maxVersion) ? 3 <= {\"1.0\":1,\"1.1\":2,\"1.2\":3,\"1.3\":4,\"Auto\":5}[self.maxVersion] : true", message="minVersion must be smaller or equal to maxVersion"
type TLSSettings struct {
Expand Down Expand Up @@ -62,6 +66,11 @@ type TLSSettings struct {
//
// +optional
ALPNProtocols []ALPNProtocol `json:"alpnProtocols,omitempty"`

// ClientValidation specifies the configuration to validate the client
// initiating the TLS connection to the Gateway listener.
// +optional
ClientValidation *ClientValidationContext `json:"clientValidation,omitempty"`
}

// ALPNProtocol specifies the protocol to be negotiated using ALPN
Expand Down Expand Up @@ -96,3 +105,24 @@ const (
// TLSv1.3 specifies TLS version 1.3
TLSv13 TLSVersion = "1.3"
)

// ClientValidationContext holds configuration that can be used to validate the client initiating the TLS connection
// to the Gateway.
// By default, no client specific configuration is validated.
type ClientValidationContext struct {
// CACertificateRefs contains one or more references to
// Kubernetes objects that contain TLS certificates of
// the Certificate Authorities that can be used
// as a trust anchor to validate the certificates presented by the client.
//
// A single reference to a Kubernetes ConfigMap,
// with the CA certificate in a key named `ca.crt` is currently supported.
//
// References to a resource in different namespace are invalid UNLESS there
// is a ReferenceGrant in the target namespace that allows the certificate
// to be attached.
//
// +kubebuilder:validation:MaxItems=8
// +optional
CACertificateRefs []corev1.ObjectReference `json:"caCertificateRefs,omitempty"`
}
25 changes: 25 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -187,6 +187,89 @@ spec:
items:
type: string
type: array
clientValidation:
description: ClientValidation specifies the configuration to validate
the client initiating the TLS connection to the Gateway listener.
properties:
caCertificateRefs:
description: "CACertificateRefs contains one or more references
to Kubernetes objects that contain TLS certificates of the
Certificate Authorities that can be used as a trust anchor
to validate the certificates presented by the client. \n
A single reference to a Kubernetes ConfigMap, with the CA
certificate in a key named `ca.crt` is currently supported.
\n References to a resource in different namespace are invalid
UNLESS there is a ReferenceGrant in the target namespace
that allows the certificate to be attached."
items:
description: "ObjectReference contains enough information
to let you inspect or modify the referred object. ---
New uses of this type are discouraged because of difficulty
describing its usage when embedded in APIs. 1. Ignored
fields. It includes many fields which are not generally
honored. For instance, ResourceVersion and FieldPath
are both very rarely valid in actual usage. 2. Invalid
usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are
particular restrictions like, \"must refer only to types
A and B\" or \"UID not honored\" or \"name must be restricted\".
Those cannot be well described when embedded. 3. Inconsistent
validation. Because the usages are different, the validation
rules are different by usage, which makes it hard for
users to predict what will happen. 4. The fields are both
imprecise and overly precise. Kind is not a precise mapping
to a URL. This can produce ambiguity during interpretation
and require a REST mapping. In most cases, the dependency
is on the group,resource tuple and the version of the
actual struct is irrelevant. 5. We cannot easily change
it. Because this type is embedded in many locations,
updates to this type will affect numerous schemas. Don't
make new APIs embed an underspecified API type they do
not control. \n Instead of using this type, create a locally
provided and used type that is well-focused on your reference.
For example, ServiceReferences for admission registration:
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead
of an entire object, this string should contain a
valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container
within a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container
that triggered the event) or if no container name
is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to
have some well-defined way of referencing a part of
an object. TODO: this design is not final and this
field is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info:
https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this
reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
maxItems: 8
type: array
type: object
ecdhCurves:
description: 'ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are: - X25519
Expand Down
17 changes: 17 additions & 0 deletions site/content/en/latest/api/extension_types.md
Original file line number Diff line number Diff line change
Expand Up @@ -227,6 +227,22 @@ _Appears in:_



#### ClientValidationContext



ClientValidationContext holds configuration that can be used to validate the client initiating the TLS connection to the Gateway. By default, no client specific configuration is validated.

_Appears in:_
- [TLSSettings](#tlssettings)

| Field | Description |
| --- | --- |
| `caCertificateRefs` _[ObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectreference-v1-core) array_ | CACertificateRefs contains one or more references to Kubernetes objects that contain TLS certificates of the Certificate Authorities that can be used as a trust anchor to validate the certificates presented by the client.
A single reference to a Kubernetes ConfigMap, with the CA certificate in a key named `ca.crt` is currently supported.
References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. |


#### ConsistentHash


Expand Down Expand Up @@ -2074,6 +2090,7 @@ _Appears in:_
| `ecdhCurves` _string array_ | ECDHCurves specifies the set of supported ECDH curves. In non-FIPS Envoy Proxy builds the default curves are: - X25519 - P-256 In builds using BoringSSL FIPS the default curve is: - P-256 |
| `signatureAlgorithms` _string array_ | SignatureAlgorithms specifies which signature algorithms the listener should support. |
| `alpnProtocols` _[ALPNProtocol](#alpnprotocol) array_ | ALPNProtocols supplies the list of ALPN protocols that should be exposed by the listener. By default h2 and http/1.1 are enabled. Supported values are: - http/1.0 - http/1.1 - h2 |
| `clientValidation` _[ClientValidationContext](#clientvalidationcontext)_ | ClientValidation specifies the configuration to validate the client initiating the TLS connection to the Gateway listener. |


#### TLSVersion
Expand Down

0 comments on commit 4e83a5d

Please sign in to comment.