Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Envoy Client Certs for Ext Auth and Backend TLS #2536

Closed
arkodg opened this issue Jan 30, 2024 · 13 comments
Closed

Envoy Client Certs for Ext Auth and Backend TLS #2536

arkodg opened this issue Jan 30, 2024 · 13 comments
Assignees
@alexwo
Labels
kind/decision A record of a decision made by the community.
Milestone
v1.1.0-rc1

Comments

@arkodg
Copy link
Contributor

arkodg commented Jan 30, 2024

Description:

Describe the issue.

Raising this PR to make a decision on which client certs to use when originating a TLS connection to ext Auth and Backend TLS (relates to kubernetes-sigs/gateway-api#2743)

Option 1
Reuse Listener (Downstream) certs

Option 2
Define a common proxy cert in the EnvoyProxy config

Option 3 (not possible today)
Define certs in each config

  • within the SecurityPolicy.ExtAuth.TLS field
  • not possible in BackendTLS, since its a upstream API
@arkodg arkodg added the triage label Jan 30, 2024
@arkodg
Copy link
Contributor Author

arkodg commented Jan 30, 2024

ptal @envoyproxy/gateway-maintainers

@arkodg arkodg added kind/decision A record of a decision made by the community. road-to-ga and removed triage labels Jan 30, 2024
@zhaohuabing
Copy link
Member

zhaohuabing commented Jan 30, 2024
edited
Loading

EG doesn't use a global root ca like Istio does. So the problem of the first two approaches is that existing ext auth and jwt services may not be able to verify the client certs.

@arkodg arkodg added this to the v1.0.0-rc1 milestone Jan 30, 2024
@arkodg
Copy link
Contributor Author

arkodg commented Jan 30, 2024

EG doesn't use a global root ca like Istio does. So the problem of the first two approaches is that existing ext auth and jwt services may not be able to verify the client certs.

@zhaohuabing imo its a matter of sharing the CA (which is meant to be shared for validating trust anchor) with those entities (ext auth svc and backend)

@arkodg arkodg mentioned this issue Feb 1, 2024
Closed
@arkodg arkodg removed the road-to-ga label Feb 8, 2024
@arkodg arkodg modified the milestones: v1.0.0-rc1, Backlog Feb 8, 2024
@arkodg arkodg mentioned this issue Feb 15, 2024
Merged
@guydc
Copy link
Contributor

guydc commented Feb 15, 2024

Option 1: it's possible (not 100% sure) that a server cert cannot always be used as a client cert, e.g. if it doesn't have the appropriate extended key usage TLS WWW client authentication. For example, see here.

Option 2 limits flexibility and option 3 creates a bit of duplication. I think that they're ok as mid-term mitigations.

I think that in one of the community meetings, we discussed the following option as well:

  • Extend BackendTrafficPolicy to support a TLS section, like we do in ClientTrafficPolicy, which will also include client certs.
  • Allow BTP to attach to K8s Services. Order of precedence for applying configuration is: xRoute > Gateway > Service.
  • ExtAuth, RL, ExtProc can use a Service-level BTP to define TLS behaviors (and possibly other cluster-level settings [circuit breakers, timeouts, ... ]).
  • xRoute/Gateway-attached BTP is used to set client certs for upstream backend connections.

@arkodg
Copy link
Contributor Author

arkodg commented Feb 16, 2024
edited
Loading

another option is defining the envoy certs within the EnvoyProxy API which is in line with the upstream discussion
kubernetes-sigs/gateway-api#2743

@guydc guydc mentioned this issue Mar 13, 2024
Closed
@github-actions GitHub Actions
Copy link

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

@github-actions github-actions bot added the stale label Mar 17, 2024
@zhaohuabing zhaohuabing mentioned this issue Mar 20, 2024
Closed
@zhaohuabing zhaohuabing removed the stale label Mar 20, 2024
@arkodg
Copy link
Contributor Author

arkodg commented Mar 29, 2024

suggest waiting for upstream to align on naming kubernetes-sigs/gateway-api#2910

@guydc
Copy link
Contributor

guydc commented Apr 9, 2024

suggest waiting for upstream to align on naming kubernetes-sigs/gateway-api#2910

With the merge of the above, should we proceed with for something like:

@guydc guydc modified the milestones: Backlog, v1.1.0-rc1 Apr 10, 2024
@arkodg
Copy link
Contributor Author

arkodg commented May 8, 2024

Fixed with #3218

@arkodg arkodg closed this as completed May 8, 2024
@guydc
Copy link
Contributor

guydc commented May 8, 2024

Hi @arkodg . I think that #3218 only included TLS params, not client certs. I think that @alexwo intends to pick up client certs in the future. Should we keep this open for now?

@arkodg
Copy link
Contributor Author

arkodg commented May 8, 2024

my bad, reopening this one

@arkodg arkodg reopened this May 8, 2024
@alexwo
Copy link
Contributor

alexwo commented May 9, 2024

/assign

@alexwo alexwo mentioned this issue May 20, 2024
Merged
@shawnh2
Copy link
Contributor

shawnh2 commented May 24, 2024

closed in favor of #3441

@shawnh2 shawnh2 closed this as completed May 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alexwo alexwo

Labels
kind/decision A record of a decision made by the community.
Projects
No open projects
Envoy Gateway: The Road to GA
Status: Done
Milestone
v1.1.0-rc1
Development

No branches or pull requests
5 participants
@zhaohuabing @alexwo @arkodg @guydc @shawnh2