Allow External Auth when Fallback Certificate is used #6512

Closed
erikflores7 opened this issue Jun 14, 2024 · 1 comment · Fixed by #6558

Comments

@erikflores7
Contributor

Currently, you cannot configure both a Fallback Certificate and Authorization, which means you lose Authorization if you do not have SNI available. In our specific use case, we cannot guarantee DNS records in our air-gapped edge deployments and have to resort to using the IPs of our machines, at least initially. Since we use IPs, Chrome does not send the SNI and we have to resort to using the Fallback Certificate. This creates an issue since we can no longer authorize the requests that are coming in through our own auth service.
We also cannot easily terminate TLS at the LB level since we do not have access to AWS or other LBs in these edge deployments. We would have to put something like Nginx Ingress Controller in front of Contour, which we do not want to do. This is a requirement for deploying in edge deployments where there is a long process for obtaining DNS records/domains.

@erikflores7 erikflores7 added kind/feature Categorizes issue or PR as related to a new feature. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor. labels Jun 14, 2024

Hey @erikflores7! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

erikflores7 pushed a commit to erikflores7/contour that referenced this issue Jul 16, 2024
…ing Fallback certificates, the global auth was previously ignored. This is needed when using IP routing with no SNI. \n Fixes projectcontour#6512 \n Signed-off-by: Erik Flores eflores@anduril.com
@skriss skriss removed the lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor. label Jul 16, 2024
erikflores7 pushed a commit to erikflores7/contour that referenced this issue Jul 25, 2024
…ing Fallback certificates, the global auth was previously ignored. This is needed when using IP routing with no SNI. \n Fixes projectcontour#6512

Signed-off-by: Erik Flores <eflores@anduril.com>
@skriss skriss closed this as completed in 19626e9 Jul 25, 2024
geomacy pushed a commit to chaosbox/contour that referenced this issue Aug 22, 2024
Enables the ExtAuthz filter on the fallback cert
filter chain when configuring global external auth,
to support external auth for requests without SNI.

Fixes projectcontour#6512.

Signed-off-by: Erik Flores <eflores@anduril.com>
Signed-off-by: Geoff Macartney <geoff.macartney@sky.uk>
SamMHD pushed a commit to SamMHD/contour that referenced this issue Sep 8, 2024
Enables the ExtAuthz filter on the fallback cert
filter chain when configuring global external auth,
to support external auth for requests without SNI.

Fixes projectcontour#6512.

Signed-off-by: Erik Flores <eflores@anduril.com>
Signed-off-by: Saman Mahdanian <saman@mahdanian.xyz>
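
One way to check for the gap this issue describes, as an added example that is not Contour's code or part of the original thread: walk an Envoy listener (the JSON shape of a config dump) and report filter chains whose HTTP connection manager carries no ExtAuthz filter. The sample listener, its hostname and its chain names are constructed assumptions; the field and filter names are Envoy's.

```python
EXT_AUTHZ = "envoy.filters.http.ext_authz"
HCM = "envoy.filters.network.http_connection_manager"

# Constructed sample in Envoy listener shape: an SNI-matched chain with
# ext_authz and a fallback chain (TLS, no server_names) without it.
SAMPLE_LISTENER = {
    "name": "ingress_https",
    "filter_chains": [
        {"name": "app.example.internal",
         "filter_chain_match": {"server_names": ["app.example.internal"]},
         "filters": [{"name": HCM, "typed_config": {"http_filters": [
             {"name": EXT_AUTHZ}, {"name": "envoy.filters.http.router"}]}}]},
        {"name": "fallback-certificate",
         "filter_chain_match": {"transport_protocol": "tls"},
         "filters": [{"name": HCM, "typed_config": {"http_filters": [
             {"name": "envoy.filters.http.router"}]}}]},
    ],
}


def http_filter_names(chain):
    """Names of the HTTP filters in the chain's HTTP connection manager."""
    names = []
    for nf in chain.get("filters", []):
        if nf.get("name") == HCM:
            cfg = nf.get("typed_config", {})
            names += [f.get("name") for f in cfg.get("http_filters", [])]
    return names


def chains_missing_ext_authz(listener):
    """Return (chain name, is_fallback) for chains that skip ext_authz."""
    findings = []
    for i, chain in enumerate(listener.get("filter_chains", [])):
        match = chain.get("filter_chain_match", {})
        # No server_names: this chain serves clients that sent no SNI,
        # such as a browser connecting to a bare IP address.
        is_fallback = not match.get("server_names")
        if EXT_AUTHZ not in http_filter_names(chain):
            findings.append((chain.get("name", f"chain[{i}]"), is_fallback))
    return findings


if __name__ == "__main__":
    for name, fallback in chains_missing_ext_authz(SAMPLE_LISTENER):
        print(f"no ext_authz on {name} (no-SNI chain: {fallback})")
```

A finding with the no-SNI flag set means requests that reach the proxy by IP address are routed without passing through the external authorization service.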