
Commit b6a8d27

feat: support per backend client cert (#7113)
* API for per backend client cert
Signed-off-by: Huabing Zhao <[email protected]>
provider
Signed-off-by: Huabing Zhao <[email protected]>
Gateway API translator
Signed-off-by: Huabing Zhao <[email protected]>
* add e2e test
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
* add release note
Signed-off-by: Huabing Zhao <[email protected]>
* fix gen check
Signed-off-by: Huabing Zhao <[email protected]>
* minor change
Signed-off-by: Huabing Zhao <[email protected]>
* embed BackendTLSConfig as inline field
Signed-off-by: Huabing Zhao <[email protected]>
* embed BackendTLSConfig as inline field
Signed-off-by: Huabing Zhao <[email protected]>
* fix lint
Signed-off-by: Huabing Zhao <[email protected]>
---------
Signed-off-by: Huabing Zhao <[email protected]>
1 parent 20cac51 commit b6a8d27

23 files changed: +1195 / -163 lines

api/v1alpha1/backend_types.go

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -215,6 +215,13 @@ type BackendTLSSettings struct {
215215
//
216216
// +optional
217217
SNI *gwapiv1.PreciseHostname `json:"sni,omitempty"`
218+
219+
// BackendTLSConfig defines the client certificate/key as well as TLS protocol parameters such as ciphers, TLS versions,
220+
// and ALPN that the Envoy uses when connecting to the backend.
221+
// When omitted, Envoy will fall back to the EnvoyProxy BackendTLS defaults, if any.
222+
//
223+
// +optional
224+
*BackendTLSConfig `json:",inline"`
218225
}
219226

220227
// BackendType defines the type of the Backend.
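Review bot: the doc comment on the embedded `*BackendTLSConfig` only covers the fully omitted case ("Envoy will fall back to the EnvoyProxy BackendTLS defaults") and leaves the partially set case undefined: when a Backend sets `clientCertificateRef` but not `minVersion` or `ciphers`, it is not stated whether the unset fields are taken per field from EnvoyProxy or whether any per-Backend value replaces the whole block. The CRD description later in this commit already describes a merge with BackendTLSPolicy taking precedence on overlapping fields, so spell out the full precedence order here (Backend, BackendTLSPolicy, EnvoyProxy) in the words the translator actually implements, since this comment is what the generated CRD descriptions are built from. Also, `json:",inline"` on a pointer embed means `+optional` is documentation only; the translator must nil-check `BackendTLSConfig` before reading any of its fields.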

api/v1alpha1/zz_generated.deepcopy.go

Lines changed: 5 additions & 0 deletions

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backends.yaml

Lines changed: 132 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -168,6 +168,27 @@ spec:
168168
be a merge of both configurations. In case of overlapping fields, the values defined in the BackendTLSPolicy will
169169
take precedence.
170170
properties:
171+
alpnProtocols:
172+
description: |-
173+
ALPNProtocols supplies the list of ALPN protocols that should be
174+
exposed by the listener or used by the proxy to connect to the backend.
175+
Defaults:
176+
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
177+
2. Other Routes: ALPN is disabled.
178+
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
179+
When an empty list is provided, the ALPN TLS extension is disabled.
180+
181+
Defaults to [h2, http/1.1] if not specified.
182+
183+
Typical Supported values are:
184+
- http/1.0
185+
- http/1.1
186+
- h2
187+
items:
188+
description: ALPNProtocol specifies the protocol to be negotiated
189+
using ALPN
190+
type: string
191+
type: array
171192
caCertificateRefs:
172193
description: |-
173194
CACertificateRefs contains one or more references to Kubernetes objects that
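Review bot: the `alpnProtocols` description in this hunk is listener wording inherited from the shared type: "exposed by the listener", "HTTPS Routes: h2 and http/1.1 are enabled in listener context" and "Defaults to [h2, http/1.1] if not specified" do not apply to a Backend, and that last default contradicts item 3 of the same list ("Backends: proxy uses the appropriate ALPN options for the backend protocol"). Since this file is generated, fix the Go field comment with backend-only text, for example "ALPN protocols Envoy offers when connecting to this backend. An empty list disables the ALPN extension; when unset the proxy picks the ALPN values matching the backend protocol.", then regenerate.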
@@ -217,12 +238,114 @@ spec:
217238
type: object
218239
maxItems: 8
219240
type: array
241+
ciphers:
242+
description: |-
243+
Ciphers specifies the set of cipher suites supported when
244+
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
245+
In non-FIPS Envoy Proxy builds the default cipher list is:
246+
- [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
247+
- [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
248+
- ECDHE-ECDSA-AES256-GCM-SHA384
249+
- ECDHE-RSA-AES256-GCM-SHA384
250+
In builds using BoringSSL FIPS the default cipher list is:
251+
- ECDHE-ECDSA-AES128-GCM-SHA256
252+
- ECDHE-RSA-AES128-GCM-SHA256
253+
- ECDHE-ECDSA-AES256-GCM-SHA384
254+
- ECDHE-RSA-AES256-GCM-SHA384
255+
items:
256+
type: string
257+
type: array
258+
clientCertificateRef:
259+
description: |-
260+
ClientCertificateRef defines the reference to a Kubernetes Secret that contains
261+
the client certificate and private key for Envoy to use when connecting to
262+
backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
263+
This secret should be located within the same namespace as the Envoy proxy resource that references it.
264+
properties:
265+
group:
266+
default: ""
267+
description: |-
268+
Group is the group of the referent. For example, "gateway.networking.k8s.io".
269+
When unspecified or empty string, core API group is inferred.
270+
maxLength: 253
271+
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
272+
type: string
273+
kind:
274+
default: Secret
275+
description: Kind is kind of the referent. For example "Secret".
276+
maxLength: 63
277+
minLength: 1
278+
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
279+
type: string
280+
name:
281+
description: Name is the name of the referent.
282+
maxLength: 253
283+
minLength: 1
284+
type: string
285+
namespace:
286+
description: |-
287+
Namespace is the namespace of the referenced object. When unspecified, the local
288+
namespace is inferred.
289+
290+
Note that when a namespace different than the local namespace is specified,
291+
a ReferenceGrant object is required in the referent namespace to allow that
292+
namespace's owner to accept the reference. See the ReferenceGrant
293+
documentation for details.
294+
295+
Support: Core
296+
maxLength: 63
297+
minLength: 1
298+
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
299+
type: string
300+
required:
301+
- name
302+
type: object
303+
ecdhCurves:
304+
description: |-
305+
ECDHCurves specifies the set of supported ECDH curves.
306+
In non-FIPS Envoy Proxy builds the default curves are:
307+
- X25519
308+
- P-256
309+
In builds using BoringSSL FIPS the default curve is:
310+
- P-256
311+
items:
312+
type: string
313+
type: array
220314
insecureSkipVerify:
221315
default: false
222316
description: |-
223317
InsecureSkipVerify indicates whether the upstream's certificate verification
224318
should be skipped. Defaults to "false".
225319
type: boolean
320+
maxVersion:
321+
description: |-
322+
Max specifies the maximal TLS protocol version to allow
323+
The default is TLS 1.3 if this is not specified.
324+
enum:
325+
- Auto
326+
- "1.0"
327+
- "1.1"
328+
- "1.2"
329+
- "1.3"
330+
type: string
331+
minVersion:
332+
description: |-
333+
Min specifies the minimal TLS protocol version to allow.
334+
The default is TLS 1.2 if this is not specified.
335+
enum:
336+
- Auto
337+
- "1.0"
338+
- "1.1"
339+
- "1.2"
340+
- "1.3"
341+
type: string
342+
signatureAlgorithms:
343+
description: |-
344+
SignatureAlgorithms specifies which signature algorithms the listener should
345+
support.
346+
items:
347+
type: string
348+
type: array
226349
sni:
227350
description: |-
228351
SNI is specifies the SNI value used when establishing an upstream TLS connection to the backend.
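Review bot: `clientCertificateRef` in this hunk says the Secret "should be located within the same namespace as the Envoy proxy resource that references it", which is wrong for a Backend (the referencing object is now the Backend, not an EnvoyProxy), while the schema still exposes a `namespace` sub-field whose text says cross-namespace references need a ReferenceGrant. Decide which model applies and make the two agree: either document that the reference resolves relative to the Backend's namespace and that a different `namespace` requires a ReferenceGrant in the Secret's namespace, or remove `namespace` from this schema so the Secret must be co-located. The same stale listener wording appears in `signatureAlgorithms` ("which signature algorithms the listener should support"); for a Backend it should say which algorithms Envoy offers as a TLS client.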
@@ -260,6 +383,15 @@ spec:
260383
&& ((has(self.caCertificateRefs) && size(self.caCertificateRefs)
261384
> 0) || (has(self.wellKnownCACertificates) && self.wellKnownCACertificates
262385
!= "")))'
386+
- message: setting ciphers has no effect if the minimum possible TLS
387+
version is 1.3
388+
rule: 'has(self.minVersion) && self.minVersion == ''1.3'' ? !has(self.ciphers)
389+
: true'
390+
- message: minVersion must be smaller or equal to maxVersion
391+
rule: 'has(self.minVersion) && has(self.maxVersion) ? {"Auto":0,"1.0":1,"1.1":2,"1.2":3,"1.3":4}[self.minVersion]
392+
<= {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion]
393+
: !has(self.minVersion) && has(self.maxVersion) ? 3 <= {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion]
394+
: true'
263395
type:
264396
default: Endpoints
265397
description: Type defines the type of the backend. Defaults to "Endpoints"
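Review bot: the "minVersion must be smaller or equal to maxVersion" rule hard-codes `3 <= {...}[self.maxVersion]` for the max-only case, i.e. the rank of the documented TLS 1.2 default for `minVersion`; if that default is ever changed on the Go marker the generated rule silently diverges, so add a comment beside the `XValidation` marker in the Go source stating that `3` is the rank of the default minimum. Note also that `Auto` ranks 0 on the minVersion side and 5 on the maxVersion side, so `Auto` on either side always passes; the message should say that `Auto` is exempt rather than implying a strict ordering. The ciphers rule checking only `minVersion == '1.3'` is correct, since maxVersion can never raise the minimum above 1.2.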

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml

Lines changed: 132 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -167,6 +167,27 @@ spec:
167167
be a merge of both configurations. In case of overlapping fields, the values defined in the BackendTLSPolicy will
168168
take precedence.
169169
properties:
170+
alpnProtocols:
171+
description: |-
172+
ALPNProtocols supplies the list of ALPN protocols that should be
173+
exposed by the listener or used by the proxy to connect to the backend.
174+
Defaults:
175+
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
176+
2. Other Routes: ALPN is disabled.
177+
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
178+
When an empty list is provided, the ALPN TLS extension is disabled.
179+
180+
Defaults to [h2, http/1.1] if not specified.
181+
182+
Typical Supported values are:
183+
- http/1.0
184+
- http/1.1
185+
- h2
186+
items:
187+
description: ALPNProtocol specifies the protocol to be negotiated
188+
using ALPN
189+
type: string
190+
type: array
170191
caCertificateRefs:
171192
description: |-
172193
CACertificateRefs contains one or more references to Kubernetes objects that
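Review bot: this file is the generated copy of the Backend CRD for the gateway-helm chart and carries the same listener-oriented `alpnProtocols` text ("exposed by the listener", "Defaults to [h2, http/1.1] if not specified") that contradicts item 3 of its own list ("Backends: proxy uses the appropriate ALPN options for the backend protocol"). It needs no hand edit, but any wording fix on the Go field must be followed by regenerating both chart copies in the same commit, otherwise the "fix gen check" step noted in the commit message will fail again.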
@@ -216,12 +237,114 @@ spec:
216237
type: object
217238
maxItems: 8
218239
type: array
240+
ciphers:
241+
description: |-
242+
Ciphers specifies the set of cipher suites supported when
243+
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
244+
In non-FIPS Envoy Proxy builds the default cipher list is:
245+
- [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
246+
- [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
247+
- ECDHE-ECDSA-AES256-GCM-SHA384
248+
- ECDHE-RSA-AES256-GCM-SHA384
249+
In builds using BoringSSL FIPS the default cipher list is:
250+
- ECDHE-ECDSA-AES128-GCM-SHA256
251+
- ECDHE-RSA-AES128-GCM-SHA256
252+
- ECDHE-ECDSA-AES256-GCM-SHA384
253+
- ECDHE-RSA-AES256-GCM-SHA384
254+
items:
255+
type: string
256+
type: array
257+
clientCertificateRef:
258+
description: |-
259+
ClientCertificateRef defines the reference to a Kubernetes Secret that contains
260+
the client certificate and private key for Envoy to use when connecting to
261+
backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
262+
This secret should be located within the same namespace as the Envoy proxy resource that references it.
263+
properties:
264+
group:
265+
default: ""
266+
description: |-
267+
Group is the group of the referent. For example, "gateway.networking.k8s.io".
268+
When unspecified or empty string, core API group is inferred.
269+
maxLength: 253
270+
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
271+
type: string
272+
kind:
273+
default: Secret
274+
description: Kind is kind of the referent. For example "Secret".
275+
maxLength: 63
276+
minLength: 1
277+
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
278+
type: string
279+
name:
280+
description: Name is the name of the referent.
281+
maxLength: 253
282+
minLength: 1
283+
type: string
284+
namespace:
285+
description: |-
286+
Namespace is the namespace of the referenced object. When unspecified, the local
287+
namespace is inferred.
288+
289+
Note that when a namespace different than the local namespace is specified,
290+
a ReferenceGrant object is required in the referent namespace to allow that
291+
namespace's owner to accept the reference. See the ReferenceGrant
292+
documentation for details.
293+
294+
Support: Core
295+
maxLength: 63
296+
minLength: 1
297+
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
298+
type: string
299+
required:
300+
- name
301+
type: object
302+
ecdhCurves:
303+
description: |-
304+
ECDHCurves specifies the set of supported ECDH curves.
305+
In non-FIPS Envoy Proxy builds the default curves are:
306+
- X25519
307+
- P-256
308+
In builds using BoringSSL FIPS the default curve is:
309+
- P-256
310+
items:
311+
type: string
312+
type: array
219313
insecureSkipVerify:
220314
default: false
221315
description: |-
222316
InsecureSkipVerify indicates whether the upstream's certificate verification
223317
should be skipped. Defaults to "false".
224318
type: boolean
319+
maxVersion:
320+
description: |-
321+
Max specifies the maximal TLS protocol version to allow
322+
The default is TLS 1.3 if this is not specified.
323+
enum:
324+
- Auto
325+
- "1.0"
326+
- "1.1"
327+
- "1.2"
328+
- "1.3"
329+
type: string
330+
minVersion:
331+
description: |-
332+
Min specifies the minimal TLS protocol version to allow.
333+
The default is TLS 1.2 if this is not specified.
334+
enum:
335+
- Auto
336+
- "1.0"
337+
- "1.1"
338+
- "1.2"
339+
- "1.3"
340+
type: string
341+
signatureAlgorithms:
342+
description: |-
343+
SignatureAlgorithms specifies which signature algorithms the listener should
344+
support.
345+
items:
346+
type: string
347+
type: array
225348
sni:
226349
description: |-
227350
SNI is specifies the SNI value used when establishing an upstream TLS connection to the backend.
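Review bot: the `clientCertificateRef` description here repeats "same namespace as the Envoy proxy resource that references it" next to a `namespace` sub-field that points at ReferenceGrant, the same contradiction as in the gateway-crds-helm copy; for a Backend the referencing resource is the Backend itself. Correct the Go comment once (either a same-namespace-only Secret with `namespace` dropped, or a ReferenceGrant-governed cross-namespace reference) and regenerate this file so the two chart copies do not drift.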
@@ -259,6 +382,15 @@ spec:
259382
&& ((has(self.caCertificateRefs) && size(self.caCertificateRefs)
260383
> 0) || (has(self.wellKnownCACertificates) && self.wellKnownCACertificates
261384
!= "")))'
385+
- message: setting ciphers has no effect if the minimum possible TLS
386+
version is 1.3
387+
rule: 'has(self.minVersion) && self.minVersion == ''1.3'' ? !has(self.ciphers)
388+
: true'
389+
- message: minVersion must be smaller or equal to maxVersion
390+
rule: 'has(self.minVersion) && has(self.maxVersion) ? {"Auto":0,"1.0":1,"1.1":2,"1.2":3,"1.3":4}[self.minVersion]
391+
<= {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion]
392+
: !has(self.minVersion) && has(self.maxVersion) ? 3 <= {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion]
393+
: true'
262394
type:
263395
default: Endpoints
264396
description: Type defines the type of the backend. Defaults to "Endpoints"
