Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for optional certificate validation #4796

Merged
merged 3 commits into from
Oct 21, 2022
Merged

Add support for optional certificate validation #4796

merged 3 commits into from
Oct 21, 2022

Conversation

gautierdelorme
Copy link
Contributor

This is required to support optional mTLS so that apps can use different authentication schemes (e.g. mTLS, cookies, tokens, etc...).
I initially named the new option OnlyVerifyClientCertIfGiven but this was confusing when SkipClientCertValidation is also enabled. I decided to go with OnlyRequestClientCert (and not RequireClientCert for example) since all the other option are opt-in by setting them to true so I would like to avoid changing this assumption with this new option. The other problem was at the Go API level DownstreamValidation.RequireClientCert default value would be false since that's the null value for booleans which would change the current behavior and I wanted to avoid implementing it as a pointer.

Signed-off-by: Gautier Delorme gautier.delorme@gmail.com

@gautierdelorme gautierdelorme requested a review from a team as a code owner October 17, 2022 13:20
@gautierdelorme gautierdelorme requested review from tsaarni and stevesloka and removed request for a team October 17, 2022 13:20
@codecov
Copy link

codecov bot commented Oct 17, 2022
edited
Loading

Codecov Report

Merging #4796 (45a2250) into main (3bd6617) will decrease coverage by 0.00%.
The diff coverage is 100.00%.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #4796      +/-   ##
==========================================
- Coverage   76.09%   76.09%   -0.01%     
==========================================
  Files         140      140              
  Lines       16895    16896       +1     
==========================================
  Hits        12857    12857              
- Misses       3786     3787       +1     
  Partials      252      252
Impacted Files Coverage Δ
internal/dag/dag.go 96.62% <ø> (ø)
internal/dag/httpproxy_processor.go 93.14% <100.00%> (+<0.01%) ⬆️
internal/envoy/v3/auth.go 100.00% <100.00%> (ø)
internal/sorter/sorter.go 98.46% <0.00%> (-0.52%) ⬇️

@sunjayBhatia sunjayBhatia added the release-note/minor A minor change that needs about a paragraph of explanation in the release notes. label Oct 17, 2022
@gautierdelorme
Copy link
Contributor Author

Do you think this change could make it to the 1.23 release?

tsaarni
tsaarni reviewed Oct 20, 2022
View reviewed changes
Copy link
Member

@tsaarni tsaarni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks very good to me! 👍 Small comment about the field name

apis/projectcontour/v1/httpproxy.go Outdated Show resolved Hide resolved
@gautierdelorme
Add support for optional certificate validation
dfce8c1 
Signed-off-by: Gautier Delorme <gautier.delorme@gmail.com>
@gautierdelorme
OnlyRequestClientCert => OptionalClientCertificate
0f03cb1 
Signed-off-by: Gautier Delorme <gautier.delorme@gmail.com>
skriss
skriss requested changes Oct 20, 2022
View reviewed changes
Copy link
Member

@skriss skriss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gautierdelorme nice work, everything looks great to me, just one minor wording suggestion on the changelog. Thanks for the PR!

changelogs/unreleased/4796-gautierdelorme-minor.md Outdated Show resolved Hide resolved
@gautierdelorme
update changelog
45a2250 
Signed-off-by: Gautier Delorme <gautier.delorme@gmail.com>
skriss
skriss approved these changes Oct 20, 2022
View reviewed changes
Copy link
Member

@skriss skriss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM pending CI, will leave for a second maintainer to approve though. Thanks again @gautierdelorme!

tsaarni
tsaarni approved these changes Oct 21, 2022
View reviewed changes
Copy link
Member

@tsaarni tsaarni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great to have this feature, thank you for contributing this @gautierdelorme!

@tsaarni tsaarni merged commit ece8a24 into projectcontour:main Oct 21, 2022
@gautierdelorme gautierdelorme deleted the optional_mtls branch October 21, 2022 06:47
moeyui1 pushed a commit to moeyui1/contour that referenced this pull request Oct 26, 2022
@gautierdelorme @moeyui1
Add support for optional certificate validation (projectcontour#4796)
08b7c5f 
* Add support for optional certificate validation

Signed-off-by: Gautier Delorme <gautier.delorme@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@skriss skriss skriss approved these changes

@tsaarni tsaarni tsaarni approved these changes

@stevesloka stevesloka Awaiting requested review from stevesloka stevesloka is a code owner automatically assigned from projectcontour/maintainers

Assignees
No one assigned
Labels
release-note/minor A minor change that needs about a paragraph of explanation in the release notes.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@gautierdelorme @tsaarni @skriss @sunjayBhatia