config: support client certificate SAN match #4453
Merged
Summary

Add a new match_subject_alt_names option to the downstream_mtls settings group. This setting can be used to further constrain the allowed client certificates by requiring that certificates contain a Subject Alternative Name of a particular type, matching a particular regex. When set, populate the corresponding match_typed_subject_alt_names setting within Envoy, and also implement a corresponding check in the authorize service (owing to #4396).

Related issues

#4353
User Explanation

Add a new match_subject_alt_names option to the downstream mTLS settings, which accepts a list of Subject Alternative Name (SAN) match conditions. This can be used to further constrain the set of trusted client certificates. Each SAN match condition consists of a SAN type (one of dns, email, ip_address, or uri) and a regular expression match pattern (using RE2 syntax). When this option is set, Pomerium will additionally require that client certificates contain at least one SAN entry that satisfies any one of the match conditions.

Checklist