feat: support forward client cert config XFCC header #3202

Merged

20 commits
8b806a1
feat: support forward client cert config XFCC headers
zufardhiyaulhaq Apr 15, 2024
6d4824c
feat: add clientCertDetailsConfiguration to configure xfcc header
zufardhiyaulhaq Apr 16, 2024
6d14974
Merge branch 'main' into support-forward-client-details-XFCC
zufardhiyaulhaq Apr 20, 2024
819f9cf
feat: fix sites
zufardhiyaulhaq Apr 20, 2024
cc85e7b
feat: fix unit tests
zufardhiyaulhaq Apr 20, 2024
ca813a4
feat: move xfcc configuration to tls.clientvalidation & group into 1 …
zufardhiyaulhaq Apr 20, 2024
a380bc7
Merge branch 'envoyproxy:main' into support-forward-client-details-XFCC
zufardhiyaulhaq Apr 20, 2024
c19d46b
feat: fix gen-check
zufardhiyaulhaq Apr 20, 2024
dc63165
feat: fix API removing uniqueItems & trailing space on test data
zufardhiyaulhaq Apr 20, 2024
ecb05dd
Merge branch 'main' into support-forward-client-details-XFCC
zufardhiyaulhaq May 12, 2024
f73d19b
fix: API & implementation moving ForwardClientSet to Headers
zufardhiyaulhaq May 12, 2024
e32525b
Merge branch 'main' into support-forward-client-details-XFCC
zufardhiyaulhaq May 18, 2024
162c4a0
feat: move unit tests to headers & fix logic on headers
zufardhiyaulhaq May 18, 2024
0a20704
feat: fix logic on xds listener & unit tests
zufardhiyaulhaq May 18, 2024
c611348
feat: fix gen-check
zufardhiyaulhaq May 19, 2024
4bba6ca
feat: fix gen-check
zufardhiyaulhaq May 19, 2024
562a6b3
feat: fix lint
zufardhiyaulhaq May 19, 2024
a82c4a8
feat: change forwardClientCert to xForwardedClientCert
zufardhiyaulhaq May 20, 2024
de03f58
Merge branch 'main' into support-forward-client-details-XFCC
zufardhiyaulhaq May 20, 2024
812d2c8
fix gen-check job
zufardhiyaulhaq May 20, 2024
58 changes: 58 additions & 0 deletions api/v1alpha1/clienttrafficpolicy_types.go
Expand Up @@ -104,6 +104,11 @@ type HeaderSettings struct {
// +optional
EnableEnvoyHeaders *bool `json:"enableEnvoyHeaders,omitempty"`

// Configure Envoy proxy how to handle the x-forwarded-client-cert (XFCC) HTTP header.
// When enabled, Hash and By is always set
// +optional
XForwardedClientCert *XForwardedClientCert `json:"xForwardedClientCert,omitempty"`

// WithUnderscoresAction configures the action to take when an HTTP header with underscores
// is encountered. The default action is to reject the request.
// +optional
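Review bot: the doc comment on `XForwardedClientCert` ("When enabled, Hash and By is always set") is ungrammatical and leaves "enabled", "Hash" and "By" undefined, and since this comment is copied verbatim into the CRD description it is what users will read. Suggest something like `// When the mode appends or sets certificate details, Envoy always includes Hash (the SHA-256 digest of the client certificate) and By (the URI SAN of this proxy's own certificate) in the header.`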
Expand Down Expand Up @@ -134,6 +139,59 @@ const (
WithUnderscoresActionDropHeader WithUnderscoresAction = "DropHeader"
)

// Configure Envoy proxy how to handle the x-forwarded-client-cert (XFCC) HTTP header.
type XForwardedClientCert struct {
// Envoy Proxy mode how to handle the x-forwarded-client-cert (XFCC) HTTP header.
// +optional
Mode *ForwardMode `json:"mode,omitempty"`

// Specifies the fields in the client certificate to be forwarded on the x-forwarded-client-cert (XFCC) HTTP header
// +kubebuilder:validation:MaxItems=5
// +optional
CertDetailsToAdd []ClientCertData `json:"certDetailsToAdd,omitempty"`
Contributor

should we check the uniqueness of its elements?

Contributor Author

kubebuilder does not support checking the uniqueness of these elements

}

// Envoy Proxy mode how to handle the x-forwarded-client-cert (XFCC) HTTP header.
// +kubebuilder:validation:Enum=Sanitize;ForwardOnly;AppendForward;SanitizeSet;AlwaysForwardOnly
type ForwardMode string
@zhaohuabing zhaohuabing May 20, 2024

ForwardMode might be a bit vague here since it's a package-wide type. Perhaps adding an XFCC prefix could enhance clarity.

Suggested change
type ForwardMode string
type XFCCForwardMode string


const (
// Do not send the XFCC header to the next hop. This is the default value.
ForwardModeSanitize ForwardMode = "Sanitize"
@zhaohuabing zhaohuabing May 20, 2024

Same here, and the rest of modes.

Suggested change
ForwardModeSanitize ForwardMode = "Sanitize"
XFCCForwardModeSanitize XFCCForwardMode = "Sanitize"

// When the client connection is mTLS (Mutual TLS), forward the XFCC header
// in the request.
ForwardModeForwardOnly ForwardMode = "ForwardOnly"
// When the client connection is mTLS, append the client certificate
// information to the request’s XFCC header and forward it.
ForwardModeAppendForward ForwardMode = "AppendForward"
// When the client connection is mTLS, reset the XFCC header with the client
// certificate information and send it to the next hop.
ForwardModeSanitizeSet ForwardMode = "SanitizeSet"
// Always forward the XFCC header in the request, regardless of whether the
// client connection is mTLS.
ForwardModeAlwaysForwardOnly ForwardMode = "AlwaysForwardOnly"
)

// Specifies the fields in the client certificate to be forwarded on the x-forwarded-client-cert (XFCC) HTTP header
// By default, x-forwarded-client-cert (XFCC) will always include By and Hash data
@zhaohuabing zhaohuabing May 20, 2024

It might be useful to clarify what Hash and By are in the comment.

// +kubebuilder:validation:Enum=Subject;Cert;Chain;Dns;Uri
type ClientCertData string
@zhaohuabing zhaohuabing May 20, 2024

Same here.

Suggested change
type ClientCertData string
type XFCCCertData string


const (
// Whether to forward the subject of the client cert.
ClientCertDataSubject ClientCertData = "Subject"
@zhaohuabing zhaohuabing May 20, 2024

Same here, and the rest of constants.

Suggested change
ClientCertDataSubject ClientCertData = "Subject"
XFCCCertDataSubject XFCCCertData = "Subject"

// Whether to forward the entire client cert in URL encoded PEM format.
// This will appear in the XFCC header comma separated from other values with the value Cert=”PEM”.
ClientCertDataCert ClientCertData = "Cert"
// Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM format.
// This will appear in the XFCC header comma separated from other values with the value Chain=”PEM”.
ClientCertDataChain ClientCertData = "Chain"
// Whether to forward the DNS type Subject Alternative Names of the client cert.
ClientCertDataDNS ClientCertData = "Dns"
// Whether to forward the URI type Subject Alternative Name of the client cert.
ClientCertDataURI ClientCertData = "Uri"
)

// ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
//
// +kubebuilder:validation:XValidation:rule="!(has(self.xForwardedFor) && has(self.customHeader))",message="customHeader cannot be used in conjunction with xForwardedFor"
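Review bot: the comments on `ForwardModeForwardOnly` and `ForwardModeAlwaysForwardOnly` should state that these modes pass the XFCC header received from the downstream through unmodified (and `AlwaysForwardOnly` does so even on non-mTLS connections), so they are only appropriate when the listener sits behind a trusted proxy that already sanitizes the header; an upstream that makes authorization decisions on XFCC would otherwise be trusting a client-controlled value. On the uniqueness thread above: `CertDetailsToAdd` is a list of scalar enum values, so the `// +listType=set` marker (emitted by controller-gen as `x-kubernetes-list-type: set`, which the API server enforces as unique) would reject duplicates without hand-written validation.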
30 changes: 30 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

Expand Up @@ -162,6 +162,39 @@ spec:
- RejectRequest
- DropHeader
type: string
xForwardedClientCert:
description: |-
Configure Envoy proxy how to handle the x-forwarded-client-cert (XFCC) HTTP header.
When enabled, Hash and By is always set
properties:
certDetailsToAdd:
description: Specifies the fields in the client certificate
to be forwarded on the x-forwarded-client-cert (XFCC) HTTP
header
items:
description: |-
Specifies the fields in the client certificate to be forwarded on the x-forwarded-client-cert (XFCC) HTTP header
By default, x-forwarded-client-cert (XFCC) will always include By and Hash data
enum:
- Subject
- Cert
- Chain
- Dns
- Uri
type: string
maxItems: 5
type: array
mode:
description: Envoy Proxy mode how to handle the x-forwarded-client-cert
(XFCC) HTTP header.
enum:
- Sanitize
- ForwardOnly
- AppendForward
- SanitizeSet
- AlwaysForwardOnly
type: string
type: object
type: object
http1:
description: HTTP1 provides HTTP/1 configuration on the listener.
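Review bot: this CRD schema is generated from the Go doc comments, and the `description` for `xForwardedClientCert` repeats "When enabled, Hash and By is always set" verbatim, so the wording fix belongs in `api/v1alpha1/clienttrafficpolicy_types.go` followed by a regeneration rather than an edit here; the same applies to the `items.description`, which currently duplicates the type-level comment instead of describing a single element.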
15 changes: 15 additions & 0 deletions internal/gatewayapi/clienttrafficpolicy.go
Expand Up @@ -549,6 +549,21 @@ func translateListenerHeaderSettings(headerSettings *egv1a1.HeaderSettings, http
WithUnderscoresAction: ir.WithUnderscoresAction(ptr.Deref(headerSettings.WithUnderscoresAction, egv1a1.WithUnderscoresActionRejectRequest)),
PreserveXRequestID: ptr.Deref(headerSettings.PreserveXRequestID, false),
}

if headerSettings.XForwardedClientCert != nil {
httpIR.Headers.XForwardedClientCert = &ir.XForwardedClientCert{
Mode: ir.ForwardMode(ptr.Deref(headerSettings.XForwardedClientCert.Mode, egv1a1.ForwardModeSanitize)),
}

var certDetailsToAdd []ir.ClientCertData
if httpIR.Headers.XForwardedClientCert.Mode == ir.ForwardModeAppendForward || httpIR.Headers.XForwardedClientCert.Mode == ir.ForwardModeSanitizeSet {
for _, data := range headerSettings.XForwardedClientCert.CertDetailsToAdd {
certDetailsToAdd = append(certDetailsToAdd, ir.ClientCertData(data))
}

httpIR.Headers.XForwardedClientCert.CertDetailsToAdd = certDetailsToAdd
}
}
}

func translateHTTP1Settings(http1Settings *egv1a1.HTTP1Settings, httpIR *ir.HTTPListener) error {
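Review bot: `certDetailsToAdd` is silently discarded whenever `Mode` is `Sanitize` (the default when `mode` is omitted), `ForwardOnly` or `AlwaysForwardOnly`, so a policy that sets only `certDetailsToAdd` yields no certificate details with no feedback to the user. Either reject that combination at the API with an `XValidation` rule in the style already used on `ClientIPDetectionSettings`, for example `rule="!has(self.certDetailsToAdd) || (has(self.mode) && self.mode in ['AppendForward', 'SanitizeSet'])"`, or document on the field that it is ignored outside those two modes. The loop also copies duplicate entries straight into the IR; if the API does not enforce uniqueness, dedupe before assigning `CertDetailsToAdd`.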