internal: Initial support for external client cert validation

[tsaarni]

internal: Initial support for external client cert validation

Adds initial support for authentication of external clients (downstream) by
validating their client certificates against trusted CA certificate.

The feature is not yet exposed in the API.

Signed-off-by: Tero Saarni tero.saarni@est.tech

[codecov]

Codecov Report

Merging #2250 into master will increase coverage by 0.12%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #2250      +/-   ##
==========================================
+ Coverage   77.97%   78.10%   +0.12%     
==========================================
  Files          60       60              
  Lines        5204     5225      +21     
==========================================
+ Hits         4058     4081      +23     
+ Misses       1058     1057       -1     
+ Partials       88       87       -1     

Impacted Files	Coverage Δ
internal/contour/listener.go	92.45% <100.00%> (+0.29%)	⬆️
internal/dag/builder.go	92.69% <100.00%> (ø)
internal/dag/dag.go	93.15% <100.00%> (+0.84%)	⬆️
internal/envoy/auth.go	100.00% <100.00%> (ø)
internal/envoy/cluster.go	100.00% <100.00%> (ø)
internal/envoy/listener.go	95.06% <100.00%> (-0.07%)	⬇️
internal/featuretests/envoy.go	100.00% <100.00%> (ø)
internal/dag/cache.go	96.14% <0.00%> (+0.70%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d09d414...a5e9a96. Read the comment docs.

[tsaarni]

This PR replaces #1226 by @uablrek.

I'm submitting this as a draft in order to ask for direction. @jpeach: in design doc review #1233 you mentioned

LGTM, with the proviso that in the final implementation, the upstream and downstream validation fields should use the same struct (i.e. the one currently named "UpstreamValidation").

In the UpstreamValidation we have validation of both CA and subjectName (or rather: Subject Alt Name). The latter is not included in design/tls-client-verification.md since we wanted to minimize the feature as much possible. I think I need two separate types in apis/projectcontour/v1/httpproxy.go: UpstreamValidation with subjectName and DownstreamValidation without?

I have however combined these into single ValidationContext in internal/dag/dag.go.

Another alternative could be to include subjectName validation also for downstream, but from usage perspective it should rather be a list of 0-N client subjectNames, instead of single mandatory one, like it is for upstream.

If we agree to keep two different types in httpproxy.go, I will then add similar test cases for DownstreamValidation everywhere I find tests for UpstreamValidation. For now the test coverage dropped because of this.

Obviously any other comments are of course welcome too!

[jpeach]

Thanks @tsaarni; I'll review, but will need a few days to block out the time :)

[davecheney]

Thank you all for your discussion. With my tech lead hat on I do need to remind everyone that the policy of this project is to talk, then code. We should not be designing features by duking it out in PR comments, that is not how we work on this project.

Thank you

[jpeach]

On 20 Feb 2020, at 1:00 pm, Dave Cheney ***@***.***> wrote: Thank you all for your discussion. With my tech lead hat on I do need to remind everyone that the policy of this project is to talk, then code. We should not be designing features by duking it out in PR comments, that is not how we work on this project.

Dave, this was previously discussed and a design doc was merged :) #1233 https://github.com/projectcontour/contour/blob/master/design/tls-client-verification.md

[davecheney]

Oops, I am terribly sorry I mistook the discussion for the other auth discussions in fly at the moment. Please ignore me

[jpeach]

On 20 Feb 2020, at 1:07 pm, Dave Cheney ***@***.***> wrote: Oops, I am terribly sorry I mistook the discussion for the other auth discussions in fly at the moment. Please ignore me

Yeh I can't find the PR for that, Github is making me terribly confused!

[tsaarni]

I wonder if you would have time to provide any feedback for me? Thank you! :)

[jpeach]

Sorry, I intended to review and then didn’t. I will review first thing next week.

…

On Feb 28, 2020, at 6:15 PM, Tero Saarni ***@***.***> wrote: I wonder if you would have time to provide any feedback for me? Thank you! :)

[jpeach]

Overall, I think this is pretty solid. I had a number of comments about style and so forth, so it might be easier to address some of those in small, separate PRs. I expect probably 2 more review passes. We can land docs towards the end of the review, or file a separate issue for that if you prefer.

[jpeach]

This PR is in good shape, I just had a few small comments around style and improving documentation and so forth.

The last main thing that I think we need to do is add a test into internal/featuretests/. Using one of the existing files as a stating point, you can add a new file downstreamvalidation_test.go. These tests let you simulate updating Kubernetes objects and assert that the final envoy configuration is what you expect. You can also verify Kubernetes object status (valid or invalid).

[jpeach]

@tsaarni The lint check failure should go away if you rebase to pick up the tooling script changes.

[tsaarni]

I have prepared a commit that removes the API parts until #2347 is resolved. In case you would still like to review this PR as "complete", I will not add that commit here in this PR until you confirm it is OK.

[jpeach]

I have prepared a commit that removes the API parts until #2347 is resolved. In case you would still like to review this PR as "complete", I will not add that commit here in this PR until you confirm it is OK.

Please go ahead and apply the commit to remove the API. Then, please squash commits, remove the "WIP" tag and update the PR subject to describe the current content of the commit. I'll commit the result.

Don't forget to rebase :)

[tsaarni]

Thanks! API removed, commits squashed, rebased and renamed!

Just as a reference in case needed, the API changes are stored on this unsquashed fork/branch https://github.com/Nordix/contour/tree/client-authentication-no-squash