fix WillHaveCertificateForServerName check to be strict match for derived cert name #4167
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
An Ingress Controller has the following runtime environment specifics:
https://authenticate.localhost.pomerium.io
in a popular Docker Desktop environmentThe authenticate endpoint is essential as it hosts
/.well-known/pomerium/hpke-public-key
which is consumed by Proxy and Authorize components.In order to overcome that limitation, IC sets
authenticate_internal_service_url
tohttps://localhost:8443
.There are two issues this PR addresses:
Current implementation of the WillHaveCert assumed that it was sufficient just to check whether autoTLS is enabled, as in that case there would be a wildcard cert, signed by the derived CA.
The wildcard CA is indeed installed, however, if there are other wildcard certs added to the config, they would be presented instead. I think it might be related to
full_scan_certs_on_tls_mismatch
This PR changes the behaviour of the
WillHaveCertificateForServerName
(which is only currently used by HPKE Key Fetcher) to only promise the.Couple notes:
cfg.AllCertificates()
, moving derived cert generation out of the Envoy Config Builder to Config, and making this function only check the certs returned by thecfg.AllCertificates()
so that it would be deterministic.cryptutil.MatchesServerName
used by tests naturally cannot reflect how the actual Envoy would perform TLS matching. We may want to do something about it as well.Related issues
Fixes pomerium/ingress-controller#629
User Explanation
Checklist
improvement
/bug
/ etc)