Allow External Auth when Fallback Certificate is used #6512
Labels: kind/feature (Categorizes issue or PR as related to a new feature.)
erikflores7 added the kind/feature and lifecycle/needs-triage (Indicates that an issue needs to be triaged by a project contributor.) labels Jun 14, 2024
Hey @erikflores7! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace
erikflores7 pushed a commit to erikflores7/contour that referenced this issue Jul 16, 2024
…ing Fallback certificates, the global auth was previously ignored. This is needed when using IP routing with no SNI. \n Fixes projectcontour#6512 \n Signed-off-by: Erik Flores eflores@anduril.com
skriss removed the lifecycle/needs-triage label Jul 16, 2024
erikflores7 pushed a commit to erikflores7/contour that referenced this issue Jul 25, 2024
…ing Fallback certificates, the global auth was previously ignored. This is needed when using IP routing with no SNI. \n Fixes projectcontour#6512 Signed-off-by: Erik Flores <eflores@anduril.com>
erikflores7 pushed a commit to erikflores7/contour that referenced this issue Jul 25, 2024
…ing Fallback certificates, the global auth was previously ignored. This is needed when using IP routing with no SNI. \n Fixes projectcontour#6512 Signed-off-by: Erik Flores <eflores@anduril.com>
geomacy pushed a commit to chaosbox/contour that referenced this issue Aug 22, 2024
Enables the ExtAuthz filter on the fallback cert filter chain when configuring global external auth, to support external auth for requests without SNI. Fixes projectcontour#6512. Signed-off-by: Erik Flores <eflores@anduril.com> Signed-off-by: Geoff Macartney <geoff.macartney@sky.uk>
SamMHD pushed a commit to SamMHD/contour that referenced this issue Sep 8, 2024
Enables the ExtAuthz filter on the fallback cert filter chain when configuring global external auth, to support external auth for requests without SNI. Fixes projectcontour#6512. Signed-off-by: Erik Flores <eflores@anduril.com> Signed-off-by: Saman Mahdanian <saman@mahdanian.xyz>
Currently, you cannot configure both a Fallback Certificate and Authorization which means you lose Authorization if you do not have SNI available. In our specific use case, we cannot guarantee DNS records in our air-gapped, edge deployments and have to resort to using the IPs of our machines, at least initially. Since we use IPs, Chrome does not send the SNI and we have to resort to using the Fallback Certificate. This creates an issue since we can no longer authorize the requests that are coming in through our own auth service.
We also cannot easily terminate TLS at the LB level since we do not have access to AWS or other LBs in these edge deployments. We would have to put something like Nginx Ingress Controller in front of Contour which we do not want to do. This is a requirement for deploying in edge deployments where there is a long process for obtaining DNS records/domains.
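An added check for the gap this issue describes (not code from the issue or from Contour): it walks the filter chains of an Envoy listener and reports every chain whose HTTP filters do not include `envoy.filters.http.ext_authz`, which is how a fallback-certificate chain without external auth would show up. The listener JSON is a constructed, trimmed sample in the shape of Envoy's v3 Listener, and the function name `chainsWithoutExtAuthz` is hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// listener models only the fields of an Envoy v3 Listener that the check needs.
type listener struct {
	FilterChains []struct {
		Match   struct{ ServerNames []string `json:"server_names"` } `json:"filter_chain_match"`
		Filters []struct {
			TypedConfig struct {
				HTTPFilters []struct{ Name string } `json:"http_filters"`
			} `json:"typed_config"`
		} `json:"filters"`
	} `json:"filter_chains"`
}

// Constructed sample: chain 0 matches an SNI name and carries ext_authz;
// chain 1 has no server_names (the no-SNI fallback case) and does not.
const sampleListener = `{"filter_chains": [
 {"filter_chain_match": {"server_names": ["app.example.com"]}, "filters": [{"typed_config":
   {"http_filters": [{"name": "envoy.filters.http.ext_authz"}, {"name": "envoy.filters.http.router"}]}}]},
 {"filter_chain_match": {"transport_protocol": "tls"}, "filters": [{"typed_config":
   {"http_filters": [{"name": "envoy.filters.http.router"}]}}]}
]}`

// chainsWithoutExtAuthz returns one label per filter chain that has no ext_authz HTTP filter.
func chainsWithoutExtAuthz(raw string) ([]string, error) {
	var l listener
	if err := json.Unmarshal([]byte(raw), &l); err != nil {
		return nil, err
	}
	var missing []string
	for i, fc := range l.FilterChains {
		found := false
		for _, f := range fc.Filters {
			for _, hf := range f.TypedConfig.HTTPFilters {
				found = found || hf.Name == "envoy.filters.http.ext_authz"
			}
		}
		if !found {
			missing = append(missing, fmt.Sprintf("chain %d server_names=%v", i, fc.Match.ServerNames))
		}
	}
	return missing, nil
}

func main() { fmt.Println(chainsWithoutExtAuthz(sampleListener)) }
```

An empty `server_names` list in the output marks a chain that is selected when the client sends no SNI, so any such entry means requests by IP reach routes without passing through the auth service.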