feat(kuma-cp) Improve certificate verification #779
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lobkovilya
approved these changes
May 27, 2020
pkg/xds/envoy/tls.go
Outdated
| @@ -27,11 +35,17 @@ func CreateDownstreamTlsContext(ctx xds_context.Context, metadata *core_xds.Data | |||
| }, nil | |||
| } | |||
|
|
|||
| func CreateUpstreamTlsContext(ctx xds_context.Context, metadata *core_xds.DataplaneMetadata) (*envoy_auth.UpstreamTlsContext, error) { | |||
| // CreateUpstreamTlsContext creates UpstreamTlsContext for outgoing connections | |||
| // It verifies that the client has TLS certificate signed by Mesh CA with URI SAN of spiffe://{mesh_name}/{upstream_service} | |||
There was a problem hiding this comment.
If UpstreamTlsContext is configured on the cluster of the client-side, why it verifies that "client" has TLS certificate? I'm not sure here, but it feels like it verifies "server", doesn't it?
pkg/xds/envoy/tls.go
Outdated
| func CreateUpstreamTlsContext(ctx xds_context.Context, metadata *core_xds.DataplaneMetadata) (*envoy_auth.UpstreamTlsContext, error) { | ||
| // CreateUpstreamTlsContext creates UpstreamTlsContext for outgoing connections | ||
| // It verifies that the client has TLS certificate signed by Mesh CA with URI SAN of spiffe://{mesh_name}/{upstream_service} | ||
| // Server exposes for the the clients cert with multiple URI SANs, which means that if client DP has inbound with services "web" and "web-api" and communicates with "backend" |
nickolaev
reviewed
May 27, 2020
| @@ -55,7 +55,7 @@ resources: | |||
| safeRegexMatch: | |||
| googleRe2: | |||
| maxProgramSize: 500 | |||
| regex: '.*&service=[^&]*frontend[,&].*' | |||
| regex: .*&service=[^&]*frontend[,&].* | |||
There was a problem hiding this comment.
Do we want to remove the single quotes here?
jakubdyszkiewicz
force-pushed
the
feat/multiple-san-uri-verification
branch
from
ccd7512
to
4d9c2fa
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Improve certificate verification by checking URI SANs.