Expand Client Auth Type configuration
parent
7a4b4c941c
commit
2c7cfd1c68
31 changed files with 304 additions and 151 deletions
@ -25,17 +25,17 @@ metadata:
|
|||
namespace: default
|
||||
|
||||
spec:
|
||||
minversion: VersionTLS12
|
||||
snistrict: true
|
||||
ciphersuites:
|
||||
minVersion: VersionTLS12
|
||||
sniStrict: true
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
- TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||
clientca:
|
||||
secretnames:
|
||||
clientAuth:
|
||||
secretNames:
|
||||
- secretCA1
|
||||
- secretUnknown
|
||||
- emptySecret
|
||||
optional: true
|
||||
clientAuthType: VerifyClientCertIfGiven
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
|
|
|
@ -25,16 +25,16 @@ metadata:
|
|||
namespace: default
|
||||
|
||||
spec:
|
||||
minversion: VersionTLS12
|
||||
snistrict: true
|
||||
ciphersuites:
|
||||
minVersion: VersionTLS12
|
||||
sniStrict: true
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
- TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||
clientca:
|
||||
secretnames:
|
||||
clientAuth:
|
||||
secretNames:
|
||||
- secretCA1
|
||||
- secretCA2
|
||||
optional: true
|
||||
clientAuthType: VerifyClientCertIfGiven
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
|
|
|
@ -25,16 +25,16 @@ metadata:
|
|||
namespace: myns
|
||||
|
||||
spec:
|
||||
minversion: VersionTLS12
|
||||
snistrict: true
|
||||
ciphersuites:
|
||||
minVersion: VersionTLS12
|
||||
sniStrict: true
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
- TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||
clientca:
|
||||
secretnames:
|
||||
clientAuth:
|
||||
secretNames:
|
||||
- secretCA1
|
||||
- secretCA2
|
||||
optional: true
|
||||
clientAuthType: VerifyClientCertIfGiven
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
|
|
|
@ -6,7 +6,7 @@ metadata:
|
|||
namespace: default
|
||||
|
||||
spec:
|
||||
minversion: VersionTLS12
|
||||
minVersion: VersionTLS12
|
||||
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
|
|
|
@ -6,7 +6,7 @@ metadata:
|
|||
namespace: default
|
||||
|
||||
spec:
|
||||
minversion: VersionTLS12
|
||||
minVersion: VersionTLS12
|
||||
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
|
|
|
@ -25,17 +25,17 @@ metadata:
|
|||
namespace: default
|
||||
|
||||
spec:
|
||||
minversion: VersionTLS12
|
||||
snistrict: true
|
||||
ciphersuites:
|
||||
minVersion: VersionTLS12
|
||||
sniStrict: true
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
- TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||
clientca:
|
||||
secretnames:
|
||||
clientAuth:
|
||||
secretNames:
|
||||
- secretCA1
|
||||
- secretUnknown
|
||||
- emptySecret
|
||||
optional: true
|
||||
clientAuthType: VerifyClientCertIfGiven
|
||||
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
|
|
|
@ -25,16 +25,16 @@ metadata:
|
|||
namespace: default
|
||||
|
||||
spec:
|
||||
minversion: VersionTLS12
|
||||
snistrict: true
|
||||
ciphersuites:
|
||||
minVersion: VersionTLS12
|
||||
sniStrict: true
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
- TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||
clientca:
|
||||
secretnames:
|
||||
clientAuth:
|
||||
secretNames:
|
||||
- secretCA1
|
||||
- secretCA2
|
||||
optional: true
|
||||
clientAuthType: VerifyClientCertIfGiven
|
||||
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
|
|
|
@ -25,16 +25,16 @@ metadata:
|
|||
namespace: myns
|
||||
|
||||
spec:
|
||||
minversion: VersionTLS12
|
||||
snistrict: true
|
||||
ciphersuites:
|
||||
minVersion: VersionTLS12
|
||||
sniStrict: true
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
- TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||
clientca:
|
||||
secretnames:
|
||||
clientAuth:
|
||||
secretNames:
|
||||
- secretCA1
|
||||
- secretCA2
|
||||
optional: true
|
||||
clientAuthType: VerifyClientCertIfGiven
|
||||
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
|
|
|
@ -5,7 +5,7 @@ metadata:
|
|||
namespace: default
|
||||
|
||||
spec:
|
||||
minversion: VersionTLS12
|
||||
minVersion: VersionTLS12
|
||||
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
|
|
|
@ -5,7 +5,7 @@ metadata:
|
|||
namespace: default
|
||||
|
||||
spec:
|
||||
minversion: VersionTLS12
|
||||
minVersion: VersionTLS12
|
||||
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
|
|
|
@ -313,7 +313,7 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
|
|||
logger := log.FromContext(log.With(ctx, log.Str("tlsOption", tlsOption.Name), log.Str("namespace", tlsOption.Namespace)))
|
||||
var clientCAs []tls.FileOrContent
|
||||
|
||||
for _, secretName := range tlsOption.Spec.ClientCA.SecretNames {
|
||||
for _, secretName := range tlsOption.Spec.ClientAuth.SecretNames {
|
||||
secret, exists, err := client.GetSecret(tlsOption.Namespace, secretName)
|
||||
if err != nil {
|
||||
logger.Errorf("Failed to fetch secret %s/%s: %v", tlsOption.Namespace, secretName, err)
|
||||
|
@ -337,9 +337,9 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
|
|||
tlsOptions[makeID(tlsOption.Namespace, tlsOption.Name)] = tls.Options{
|
||||
MinVersion: tlsOption.Spec.MinVersion,
|
||||
CipherSuites: tlsOption.Spec.CipherSuites,
|
||||
ClientCA: tls.ClientCA{
|
||||
Files: clientCAs,
|
||||
Optional: tlsOption.Spec.ClientCA.Optional,
|
||||
ClientAuth: tls.ClientAuth{
|
||||
CAFiles: clientCAs,
|
||||
ClientAuthType: tlsOption.Spec.ClientAuth.ClientAuthType,
|
||||
},
|
||||
SniStrict: tlsOption.Spec.SniStrict,
|
||||
}
|
||||
|
|
|
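Review bot: `ClientAuthType: tlsOption.Spec.ClientAuth.ClientAuthType` copies the CRD string into `tls.ClientAuth` without any validation, so a misspelled value (or an empty one, since the field has no default in the spec) is only interpreted wherever `tls.ClientAuth` is consumed, outside this hunk. Whether that consumer rejects the option or quietly falls back to a weaker mode decides if a misconfiguration fails open, which matters more now that the former `Optional` flag (whose zero value presumably meant a mandatory client certificate) has been replaced by a string whose zero value is `""`. The provider already logs and skips bad secret references in the loop above, so unknown auth types deserve the same treatment before the `tls.Options` literal is built; the sketch below assumes this code sits in the per-`tlsOption` loop implied by the `logger` fields. `buildTLSOptions` starts and ends outside the hunk.
```go
// … unchanged: client CA secret loading loop …
authType := tlsOption.Spec.ClientAuth.ClientAuthType
switch authType {
case "", "NoClientCert", "RequestClientCert", "VerifyClientCertIfGiven", "RequireAndVerifyClientCert":
	// accepted; "" defers to the TLS manager's default
default:
	logger.Errorf("Unknown clientAuthType %q, skipping TLS option", authType)
	continue
}
tlsOptions[makeID(tlsOption.Namespace, tlsOption.Name)] = tls.Options{
```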
@ -319,12 +319,12 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
|
|||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
||||
},
|
||||
ClientCA: tls.ClientCA{
|
||||
Files: []tls.FileOrContent{
|
||||
ClientAuth: tls.ClientAuth{
|
||||
CAFiles: []tls.FileOrContent{
|
||||
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
|
||||
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
|
||||
},
|
||||
Optional: true,
|
||||
ClientAuthType: "VerifyClientCertIfGiven",
|
||||
},
|
||||
SniStrict: true,
|
||||
},
|
||||
|
@ -377,12 +377,12 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
|
|||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
||||
},
|
||||
ClientCA: tls.ClientCA{
|
||||
Files: []tls.FileOrContent{
|
||||
ClientAuth: tls.ClientAuth{
|
||||
CAFiles: []tls.FileOrContent{
|
||||
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
|
||||
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
|
||||
},
|
||||
Optional: true,
|
||||
ClientAuthType: "VerifyClientCertIfGiven",
|
||||
},
|
||||
SniStrict: true,
|
||||
},
|
||||
|
@ -435,11 +435,11 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
|
|||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
||||
},
|
||||
ClientCA: tls.ClientCA{
|
||||
Files: []tls.FileOrContent{
|
||||
ClientAuth: tls.ClientAuth{
|
||||
CAFiles: []tls.FileOrContent{
|
||||
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
|
||||
},
|
||||
Optional: true,
|
||||
ClientAuthType: "VerifyClientCertIfGiven",
|
||||
},
|
||||
SniStrict: true,
|
||||
},
|
||||
|
@ -1009,12 +1009,12 @@ func TestLoadIngressRoutes(t *testing.T) {
|
|||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
||||
},
|
||||
ClientCA: tls.ClientCA{
|
||||
Files: []tls.FileOrContent{
|
||||
ClientAuth: tls.ClientAuth{
|
||||
CAFiles: []tls.FileOrContent{
|
||||
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
|
||||
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
|
||||
},
|
||||
Optional: true,
|
||||
ClientAuthType: "VerifyClientCertIfGiven",
|
||||
},
|
||||
SniStrict: true,
|
||||
},
|
||||
|
@ -1067,12 +1067,12 @@ func TestLoadIngressRoutes(t *testing.T) {
|
|||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
||||
},
|
||||
ClientCA: tls.ClientCA{
|
||||
Files: []tls.FileOrContent{
|
||||
ClientAuth: tls.ClientAuth{
|
||||
CAFiles: []tls.FileOrContent{
|
||||
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
|
||||
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
|
||||
},
|
||||
Optional: true,
|
||||
ClientAuthType: "VerifyClientCertIfGiven",
|
||||
},
|
||||
SniStrict: true,
|
||||
},
|
||||
|
@ -1125,11 +1125,11 @@ func TestLoadIngressRoutes(t *testing.T) {
|
|||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
||||
},
|
||||
ClientCA: tls.ClientCA{
|
||||
Files: []tls.FileOrContent{
|
||||
ClientAuth: tls.ClientAuth{
|
||||
CAFiles: []tls.FileOrContent{
|
||||
tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
|
||||
},
|
||||
Optional: true,
|
||||
ClientAuthType: "VerifyClientCertIfGiven",
|
||||
},
|
||||
SniStrict: true,
|
||||
},
|
||||
|
|
|
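Review bot: Every updated expectation pins `ClientAuthType: "VerifyClientCertIfGiven"`, but no case exercises a TLSOption that omits `clientAuthType` or sets a value outside the four documented ones, which are exactly the paths where a misconfiguration could weaken or silently drop client-certificate enforcement. Add one fixture with `clientAuth.secretNames` and no `clientAuthType`, asserting the resulting `tls.ClientAuth` (in particular the empty `ClientAuthType` that reaches the TLS manager), and one with a bogus value asserting whatever the provider is meant to do with it. `TestLoadIngressRouteTCPs` and `TestLoadIngressRoutes` both start and end outside these hunks.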
@ -19,22 +19,22 @@ type TLSOption struct {
|
|||
|
||||
// TLSOptionSpec configures TLS for an entry point
|
||||
type TLSOptionSpec struct {
|
||||
MinVersion string `json:"minversion"`
|
||||
CipherSuites []string `json:"ciphersuites"`
|
||||
ClientCA ClientCA `json:"clientca"`
|
||||
SniStrict bool `json:"snistrict"`
|
||||
MinVersion string `json:"minVersion,omitempty"`
|
||||
CipherSuites []string `json:"cipherSuites,omitempty"`
|
||||
ClientAuth ClientAuth `json:"clientAuth,omitempty"`
|
||||
SniStrict bool `json:"sniStrict,omitempty"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// ClientCA defines traefik CA files for an entryPoint
|
||||
// and it indicates if they are mandatory or have just to be analyzed if provided
|
||||
type ClientCA struct {
|
||||
// ClientAuth defines the parameters of the client authentication part of the TLS connection, if any.
|
||||
type ClientAuth struct {
|
||||
// SecretName is the name of the referenced Kubernetes Secret to specify the
|
||||
// certificate details.
|
||||
SecretNames []string `json:"secretnames"`
|
||||
// Optional indicates if ClientCA are mandatory or have just to be analyzed if provided
|
||||
Optional bool `json:"optional"`
|
||||
SecretNames []string `json:"secretNames"`
|
||||
// ClientAuthType defines the client authentication type to apply.
|
||||
// The available values are: "NoClientCert", "RequestClientCert", "VerifyClientCertIfGiven" and "RequireAndVerifyClientCert".
|
||||
ClientAuthType string `json:"clientAuthType"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
|
|
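Review bot: The `ClientAuthType` doc comment lists the accepted values but says nothing about the unset case, and the zero value of a `string` tagged `json:"clientAuthType"` is `""`, so a reader of the CRD cannot tell whether omitting the field means no client certificate is requested or that one is required; that default is the security-relevant part and the comment should state it (the effective behaviour is decided outside this hunk, so confirm against the TLS manager before writing it). Separately, the key rename `clientca` → `clientAuth` and the removal of `optional` mean a TLSOption written against the previous schema no longer maps its CA secrets to any field, so after an upgrade it would presumably load no client CAs and a previously mandatory client certificate would stop being required without any error; a line in the commit description or CRD docs flagging this as a breaking change would help operators. Suggested addition to the field comment: `// When empty, the TLS manager's default applies; see pkg/tls for the effective behaviour.`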
@ -33,7 +33,7 @@ import (
|
|||
)
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *ClientCA) DeepCopyInto(out *ClientCA) {
|
||||
func (in *ClientAuth) DeepCopyInto(out *ClientAuth) {
|
||||
*out = *in
|
||||
if in.SecretNames != nil {
|
||||
in, out := &in.SecretNames, &out.SecretNames
|
||||
|
@ -43,12 +43,12 @@ func (in *ClientCA) DeepCopyInto(out *ClientCA) {
|
|||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientCA.
|
||||
func (in *ClientCA) DeepCopy() *ClientCA {
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientAuth.
|
||||
func (in *ClientAuth) DeepCopy() *ClientAuth {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(ClientCA)
|
||||
out := new(ClientAuth)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
@ -529,7 +529,7 @@ func (in *TLSOptionSpec) DeepCopyInto(out *TLSOptionSpec) {
|
|||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
in.ClientCA.DeepCopyInto(&out.ClientCA)
|
||||
in.ClientAuth.DeepCopyInto(&out.ClientAuth)
|
||||
return
|
||||
}
|
||||
|
||||
|
|