feat: move xfcc configuration to tls.clientvalidation & group into 1 …

…struct Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
envoyproxy · Apr 20, 2024 · ca813a4 · ca813a4
1 parent cc85e7b
commit ca813a4
Show file tree

Hide file tree

Showing 35 changed files with 2,974 additions and 1,235 deletions.
diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go
@@ -104,14 +104,6 @@ type HeaderSettings struct {
 	// is encountered. The default action is to reject the request.
 	// +optional
 	WithUnderscoresAction *WithUnderscoresAction `json:"withUnderscoresAction,omitempty"`
-
-	// configure Envoy proxy to forward x-forwarded-client-cert (XFCC) HTTP header
-	// +optional
-	ForwardClientCertDetails *ForwardClientCertDetails `json:"forwardClientCertDetails,omitempty"`
-
-	// specifies the fields in the client certificate to be forwarded on the x-forwarded-client-cert (XFCC) HTTP header
-	// +optional
-	ClientCertDetailsConfiguration *ClientCertDetailsConfiguration `json:"clientCertDetailsConfiguration,omitempty"`
 }
 
 // WithUnderscoresAction configures the action to take when an HTTP header with underscores
@@ -131,41 +123,6 @@ const (
 	WithUnderscoresActionDropHeader WithUnderscoresAction = "DropHeader"
 )
 
-// +kubebuilder:validation:Enum=Sanitize;ForwardOnly;AppendForward;SanitizeSet;AlwaysForwardOnly
-type ForwardClientCertDetails string
-
-const (
-	// Do not send the XFCC header to the next hop. This is the default value.
-	ForwardClientCertDetailsSanitize ForwardClientCertDetails = "Sanitize"
-	// When the client connection is mTLS (Mutual TLS), forward the XFCC header
-	// in the request.
-	ForwardClientCertDetailsForwardOnly ForwardClientCertDetails = "ForwardOnly"
-	// When the client connection is mTLS, append the client certificate
-	// information to the request’s XFCC header and forward it.
-	ForwardClientCertDetailsAppendForward ForwardClientCertDetails = "AppendForward"
-	// When the client connection is mTLS, reset the XFCC header with the client
-	// certificate information and send it to the next hop.
-	ForwardClientCertDetailsSanitizeSet ForwardClientCertDetails = "SanitizeSet"
-	// Always forward the XFCC header in the request, regardless of whether the
-	// client connection is mTLS.
-	ForwardClientCertDetailsAlwaysForwardOnly ForwardClientCertDetails = "AlwaysForwardOnly"
-)
-
-type ClientCertDetailsConfiguration struct {
-	// Whether to forward the subject of the client cert.
-	ForwardSubject bool `json:"forwardSubject,omitempty"`
-	// Whether to forward the entire client cert in URL encoded PEM format.
-	// This will appear in the XFCC header comma separated from other values with the value Cert=”PEM”.
-	ForwardCert bool `json:"forwardCert,omitempty"`
-	// Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM format.
-	// This will appear in the XFCC header comma separated from other values with the value Chain=”PEM”.
-	ForwardChain bool `json:"forwardChain,omitempty"`
-	// Whether to forward the DNS type Subject Alternative Names of the client cert.
-	ForwardDNS bool `json:"forwardDNS,omitempty"`
-	// Whether to forward the URI type Subject Alternative Name of the client cert.
-	ForwardURI bool `json:"forwardURI,omitempty"`
-}
-
 // ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
 //
 // +kubebuilder:validation:XValidation:rule="!(has(self.xForwardedFor) && has(self.customHeader))",message="customHeader cannot be used in conjunction with xForwardedFor"

diff --git a/api/v1alpha1/tls_types.go b/api/v1alpha1/tls_types.go
@@ -115,6 +115,10 @@ type ClientValidationContext struct {
 	// +optional
 	Optional bool `json:"optional,omitempty"`
 
+	// Configure Envoy proxy how to handle the x-forwarded-client-cert (XFCC) HTTP header.
+	// +optional
+	ForwardClientCert *ForwardClientCert `json:"forwardClientCert,omitempty"`
+
 	// CACertificateRefs contains one or more references to
 	// Kubernetes objects that contain TLS certificates of
 	// the Certificate Authorities that can be used
@@ -131,3 +135,56 @@ type ClientValidationContext struct {
 	// +optional
 	CACertificateRefs []gwapiv1.SecretObjectReference `json:"caCertificateRefs,omitempty"`
 }
+
+// Configure Envoy proxy how to handle the x-forwarded-client-cert (XFCC) HTTP header.
+type ForwardClientCert struct {
+	// Envoy Proxy mode how to handle the x-forwarded-client-cert (XFCC) HTTP header.
+	// +optional
+	Mode *ForwardMode `json:"mode,omitempty"`
+
+	// Specifies the fields in the client certificate to be forwarded on the x-forwarded-client-cert (XFCC) HTTP header
+	// +kubebuilder:validation:UniqueItems=true
+	// +kubebuilder:validation:MaxItems=5
+	// +optional
+	Set []ClientCertData `json:"set,omitempty"`
+}
+
+// Envoy Proxy mode how to handle the x-forwarded-client-cert (XFCC) HTTP header.
+// +kubebuilder:validation:Enum=Sanitize;ForwardOnly;AppendForward;SanitizeSet;AlwaysForwardOnly
+type ForwardMode string
+
+const (
+	// Do not send the XFCC header to the next hop. This is the default value.
+	ForwardModeSanitize ForwardMode = "Sanitize"
+	// When the client connection is mTLS (Mutual TLS), forward the XFCC header
+	// in the request.
+	ForwardModeForwardOnly ForwardMode = "ForwardOnly"
+	// When the client connection is mTLS, append the client certificate
+	// information to the request’s XFCC header and forward it.
+	ForwardModeAppendForward ForwardMode = "AppendForward"
+	// When the client connection is mTLS, reset the XFCC header with the client
+	// certificate information and send it to the next hop.
+	ForwardModeSanitizeSet ForwardMode = "SanitizeSet"
+	// Always forward the XFCC header in the request, regardless of whether the
+	// client connection is mTLS.
+	ForwardModeAlwaysForwardOnly ForwardMode = "AlwaysForwardOnly"
+)
+
+// Specifies the fields in the client certificate to be forwarded on the x-forwarded-client-cert (XFCC) HTTP header
+// +kubebuilder:validation:Enum=subject;cert;chain;dns;uri
+type ClientCertData string
+
+const (
+	// Whether to forward the subject of the client cert.
+	ClientCertDataSubject ClientCertData = "subject"
+	// Whether to forward the entire client cert in URL encoded PEM format.
+	// This will appear in the XFCC header comma separated from other values with the value Cert=”PEM”.
+	ClientCertDataCert ClientCertData = "cert"
+	// Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM format.
+	// This will appear in the XFCC header comma separated from other values with the value Chain=”PEM”.
+	ClientCertDataChain ClientCertData = "chain"
+	// Whether to forward the DNS type Subject Alternative Names of the client cert.
+	ClientCertDataDNS ClientCertData = "dns"
+	// Whether to forward the URI type Subject Alternative Name of the client cert.
+	ClientCertDataURI ClientCertData = "uri"
+)
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
@@ -145,48 +145,11 @@ spec:
               headers:
                 description: HeaderSettings provides configuration for header management.
                 properties:
-                  clientCertDetailsConfiguration:
-                    description: specifies the fields in the client certificate to
-                      be forwarded on the x-forwarded-client-cert (XFCC) HTTP header
-                    properties:
-                      forwardCert:
-                        description: |-
-                          Whether to forward the entire client cert in URL encoded PEM format.
-                          This will appear in the XFCC header comma separated from other values with the value Cert=”PEM”.
-                        type: boolean
-                      forwardChain:
-                        description: |-
-                          Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM format.
-                          This will appear in the XFCC header comma separated from other values with the value Chain=”PEM”.
-                        type: boolean
-                      forwardDNS:
-                        description: Whether to forward the DNS type Subject Alternative
-                          Names of the client cert.
-                        type: boolean
-                      forwardSubject:
-                        description: Whether to forward the subject of the client
-                          cert.
-                        type: boolean
-                      forwardURI:
-                        description: Whether to forward the URI type Subject Alternative
-                          Name of the client cert.
-                        type: boolean
-                    type: object
                   enableEnvoyHeaders:
                     description: |-
                       EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests
                       and responses.
                     type: boolean
-                  forwardClientCertDetails:
-                    description: configure Envoy proxy to forward x-forwarded-client-cert
-                      (XFCC) HTTP header
-                    enum:
-                    - Sanitize
-                    - ForwardOnly
-                    - AppendForward
-                    - SanitizeSet
-                    - AlwaysForwardOnly
-                    type: string
                   withUnderscoresAction:
                     description: |-
                       WithUnderscoresAction configures the action to take when an HTTP header with underscores
@@ -475,6 +438,39 @@ spec:
                           type: object
                         maxItems: 8
                         type: array
+                      forwardClientCert:
+                        description: Configure Envoy proxy how to handle the x-forwarded-client-cert
+                          (XFCC) HTTP header.
+                        properties:
+                          mode:
+                            description: Envoy Proxy mode how to handle the x-forwarded-client-cert
+                              (XFCC) HTTP header.
+                            enum:
+                            - Sanitize
+                            - ForwardOnly
+                            - AppendForward
+                            - SanitizeSet
+                            - AlwaysForwardOnly
+                            type: string
+                          set:
+                            description: Specifies the fields in the client certificate
+                              to be forwarded on the x-forwarded-client-cert (XFCC)
+                              HTTP header
+                            items:
+                              description: Specifies the fields in the client certificate
+                                to be forwarded on the x-forwarded-client-cert (XFCC)
+                                HTTP header
+                              enum:
+                              - subject
+                              - cert
+                              - chain
+                              - dns
+                              - uri
+                              type: string
+                            maxItems: 5
+                            type: array
+                            uniqueItems: true
+                        type: object
                       optional:
                         description: |-
                           Optional set to true accepts connections even when a client doesn't present a certificate.

diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go
@@ -539,13 +539,8 @@ func translateListenerHeaderSettings(headerSettings *egv1a1.HeaderSettings, http
 		return
 	}
 	httpIR.Headers = &ir.HeaderSettings{
-		EnableEnvoyHeaders:       ptr.Deref(headerSettings.EnableEnvoyHeaders, false),
-		WithUnderscoresAction:    ir.WithUnderscoresAction(ptr.Deref(headerSettings.WithUnderscoresAction, egv1a1.WithUnderscoresActionRejectRequest)),
-		ForwardClientCertDetails: ir.ForwardClientCertDetails(ptr.Deref(headerSettings.ForwardClientCertDetails, egv1a1.ForwardClientCertDetailsSanitize)),
-	}
-
-	if httpIR.Headers.ForwardClientCertDetails == ir.ForwardClientCertDetailsAppendForward || httpIR.Headers.ForwardClientCertDetails == ir.ForwardClientCertDetailsSanitizeSet {
-		httpIR.Headers.ClientCertDetailsConfiguration = ir.ClientCertDetailsConfiguration(ptr.Deref(headerSettings.ClientCertDetailsConfiguration, egv1a1.ClientCertDetailsConfiguration{}))
+		EnableEnvoyHeaders:    ptr.Deref(headerSettings.EnableEnvoyHeaders, false),
+		WithUnderscoresAction: ir.WithUnderscoresAction(ptr.Deref(headerSettings.WithUnderscoresAction, egv1a1.WithUnderscoresActionRejectRequest)),
 	}
 }
 
@@ -677,9 +672,27 @@ func (t *Translator) translateListenerTLSParameters(policy *egv1a1.ClientTraffic
 			}
 		}
 
+		forwardClientCert := &ir.ForwardClientCert{}
+
+		if tlsParams.ClientValidation.ForwardClientCert != nil {
+			forwardClientCert.Mode = ir.ForwardMode(ptr.Deref(tlsParams.ClientValidation.ForwardClientCert.Mode, egv1a1.ForwardModeSanitize))
+
+			var Set []ir.ClientCertData
+			if forwardClientCert.Mode == ir.ForwardModeAppendForward || forwardClientCert.Mode == ir.ForwardModeSanitizeSet {
+				for _, data := range tlsParams.ClientValidation.ForwardClientCert.Set {
+					Set = append(Set, ir.ClientCertData(data))
+				}
+			}
+
+			forwardClientCert.Set = Set
+		}
+
 		if len(irCACert.Certificate) > 0 {
 			httpIR.TLS.CACertificate = irCACert
 			httpIR.TLS.RequireClientCertificate = !tlsParams.ClientValidation.Optional
+			if tlsParams.ClientValidation.ForwardClientCert != nil {
+				httpIR.TLS.ForwardClientCert = forwardClientCert
+			}
 		}
 	}
 

diff --git a/...rnal/gatewayapi/testdata/clienttrafficpolicy-headers-xfcc-forwardonly-xfcc-config.in.yaml b/...rnal/gatewayapi/testdata/clienttrafficpolicy-headers-xfcc-forwardonly-xfcc-config.in.yaml