Implement client certificate subject validation #60
This PR implements client certificate subject validation. The DN fields selected for this initial version are somewhat arbitrary but most likely the most common. This allows configuring the proxy TLS to validate the client cert subject; the Kafka Proxy operator can require a specific subject to be present and contain specific values.
I have opted for a flag per subject field to prevent requiring the user to follow any arbitrary string format. Additionally, all or none of the DN fields are explicitly required.
In a multi-tenant environment, the tenant has the ability to request certificates from a CA. The usual setup is:
For security reasons, the CA operator does not allow tenants to issue an intermediate from the intermediate; this would require that the second-stage intermediate allows certificate signing. With such a setup, the user of Client certificate Tenant B can connect to Server Tenant A. Being able to additionally validate the subject adds a layer of security on the TLS level.
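A sketch of the per-field subject check described in this PR, added here as an illustration and not taken from the PR's diff. `SubjectPolicy`, `Check` and `ServerTLS` are hypothetical names, and the matching rule (every configured value must appear in the certificate, empty fields are not checked) is an assumption.

```go
package main
import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"slices"
)

// SubjectPolicy (hypothetical) has one entry per DN field; empty means unchecked.
type SubjectPolicy struct {
	CommonName         string
	Organization       []string
	OrganizationalUnit []string
}

func containsAll(actual, required []string) bool { // every required value present
	for _, want := range required {
		if !slices.Contains(actual, want) {
			return false
		}
	}
	return true
}

// Check returns an error naming the first configured DN field that does not match.
func (p SubjectPolicy) Check(s pkix.Name) error {
	switch {
	case p.CommonName != "" && s.CommonName != p.CommonName:
		return fmt.Errorf("client subject CN %q rejected", s.CommonName)
	case !containsAll(s.Organization, p.Organization):
		return fmt.Errorf("client subject O %v rejected", s.Organization)
	case !containsAll(s.OrganizationalUnit, p.OrganizationalUnit):
		return fmt.Errorf("client subject OU %v rejected", s.OrganizationalUnit)
	}
	return nil
}

// ServerTLS runs the subject check after the chain has verified against the shared CA pool.
func ServerTLS(pool *x509.CertPool, p SubjectPolicy) *tls.Config {
	return &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool,
		VerifyConnection: func(cs tls.ConnectionState) error {
			return p.Check(cs.PeerCertificates[0].Subject) // leaf is present once the chain verified
		}}
}

func main() { // constructed sample: a Tenant B client against a Tenant A policy
	policy := SubjectPolicy{Organization: []string{"Tenant A"}}
	fmt.Println(policy.Check(pkix.Name{CommonName: "client", Organization: []string{"Tenant B"}}))
}
```

Both tenants' certificates chain to the same CA, so chain verification alone accepts either; the subject check is what separates them.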