Implement client-side mTLS support settings
andsens committed Jul 19, 2023
1 parent b4b1322 commit ced0601
Showing 7 changed files with 68 additions and 0 deletions.
5 changes: 5 additions & 0 deletions apis/ingress/v1/pomerium_types.go
Expand Up @@ -243,6 +243,11 @@ type PomeriumSpec struct {
// +optional
CASecrets []string `json:"caSecrets"`

// Client CAs is a list of secrets of type Opaque to use for client-side mTLS.
// Specify the corresponding CRL with the ca.crl key
// +optional
ClientCASecrets []string `json:"clientCASecrets"`

// Secrets references a Secret with Pomerium bootstrap parameters.
//
// <p>
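Review bot: The doc comment on the new ClientCASecrets field does not start with the field name, does not say which key the CA bundle itself must be stored under, and disagrees with reference.md in this same commit, which describes the secrets as "type TLS" while the comment here says "type Opaque". The consuming code in pomerium/config.go reads the bundle from the ca.crt key and the CRL from the ca.crl key, so both keys belong in the comment. Suggested replacement for the two comment lines: `// ClientCASecrets is a list of Opaque secrets used for client-side mTLS; each must carry the CA bundle under the ca.crt key` / `// and may carry the matching CRL under the ca.crl key.` The generated CRD description and reference.md should then be regenerated so the three stay in sync. PomeriumSpec starts and ends outside the hunk.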
5 changes: 5 additions & 0 deletions apis/ingress/v1/zz_generated.deepcopy.go


7 changes: 7 additions & 0 deletions config/crd/bases/ingress.pomerium.io_pomerium.yaml
Expand Up @@ -76,6 +76,13 @@ spec:
items:
type: string
type: array
clientCASecrets:
description: Client CAs is a list of secrets of type Opaque to use
for client-side mTLS. Specify the corresponding CRL with the ca.crl
key
items:
type: string
type: array
cookie:
description: Cookie defines Pomerium session cookie options.
properties:
10 changes: 10 additions & 0 deletions controllers/settings/fetch.go
Expand Up @@ -111,6 +111,16 @@ func fetchConfigSecrets(ctx context.Context, client client.Client, cfg *model.Co
}
return nil
},
func() error {
for _, clientCASecret := range s.ClientCASecrets {
secret, err := get(clientCASecret)()
if err != nil {
return fmt.Errorf("ca: %w", err)
}
cfg.ClientCASecrets = append(cfg.ClientCASecrets, secret)
}
return nil
},
func() error {
if s.IdentityProvider == nil {
return nil
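Review bot: The error wrapping in the new ClientCASecrets loop uses the prefix `"ca: %w"`, which is presumably the same prefix the preceding CASecrets loop uses, so an operator reading the log cannot tell which of the two lists contains the unresolvable secret. Change the line to `return fmt.Errorf("client ca: %w", err)` so the two failure modes are distinguishable. fetchConfigSecrets starts and ends outside the hunk, and whether `get` already includes the secret name in its error I cannot tell from here.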
4 changes: 4 additions & 0 deletions model/ingress_config.go
Expand Up @@ -45,6 +45,8 @@ const (
StorageConnectionStringKey = "connection"
// CAKey is certificate authority secret key
CAKey = "ca.crt"
// CAKey is certificate authority CRL
CRLKey = "ca.crl"
)

// StorageSecrets is a convenience grouping of storage-related secrets
Expand Down Expand Up @@ -84,6 +86,8 @@ type Config struct {
CASecrets []*corev1.Secret
// Certs are fetched certs from settings.Certificates
Certs map[types.NamespacedName]*corev1.Secret
// ClientCASecrets are fetched certs and crls from settings.ClientCASecrets
ClientCASecrets []*corev1.Secret
// RequestParams is a secret from Settings.IdentityProvider.RequestParams
RequestParams *corev1.Secret
// IdpSecret is Settings.IdentityProvider.Secret
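Review bot: The comment above the new CRLKey constant reads `// CAKey is certificate authority CRL`, repeating the name of the constant above it, so godoc will attach a misleading sentence to CRLKey. Change it to `// CRLKey is the secret key holding the certificate authority CRL`. The ClientCASecrets comment in the second hunk of this file is fine as written.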
21 changes: 21 additions & 0 deletions pomerium/config.go
Expand Up @@ -34,6 +34,7 @@ func applyConfig(ctx context.Context, p *pb.Config, c *model.Config) error {

opts := []applyOpt{
{"ca", applyCertificateAuthority},
{"client_ca", applyClientCertificate},
{"certs", applyCerts},
{"authenticate", applyAuthenticate},
{"cookie", applyCookie},
Expand Down Expand Up @@ -132,6 +133,26 @@ func applyCertificateAuthority(_ context.Context, p *pb.Config, c *model.Config)
return nil
}

func applyClientCertificate(_ context.Context, p *pb.Config, c *model.Config) error {
if len(c.ClientCASecrets) == 0 {
return nil
}

var crtBuf bytes.Buffer
var crlBuf bytes.Buffer

for _, secret := range c.ClientCASecrets {
crtBuf.Write(secret.Data[model.CAKey])
crtBuf.WriteRune('\n')
crlBuf.Write(secret.Data[model.CRLKey])
crlBuf.WriteRune('\n')
}

p.Settings.ClientCa = proto.String(base64.StdEncoding.EncodeToString(crtBuf.Bytes()))
p.Settings.ClientCrl = proto.String(base64.StdEncoding.EncodeToString(crlBuf.Bytes()))
return nil
}

func applyCerts(_ context.Context, p *pb.Config, c *model.Config) error {
if len(c.Certs) != len(c.Spec.Certificates) {
return fmt.Errorf("expected %d cert secrets, only %d was fetched. this is a bug", len(c.Spec.Certificates), len(c.Certs))
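Review bot: applyClientCertificate reads `secret.Data[model.CAKey]` and `secret.Data[model.CRLKey]` without checking that the keys exist, so a secret that lacks ca.crt contributes only a newline and the operator silently emits a client_ca bundle that is empty or shorter than intended, and client_crl is always populated even when no secret carries a CRL. A missing ca.crt should be reported as an error naming the secret, and ClientCrl should only be set once at least one CRL has been collected; whether Pomerium accepts a CRL value consisting solely of newlines I cannot tell from here. The rewrite below keeps the signature and the early return on an empty list; `fmt` is already imported by this file, as applyCerts shows.
```go
func applyClientCertificate(_ context.Context, p *pb.Config, c *model.Config) error {
	// … unchanged: early return when c.ClientCASecrets is empty …

	var crtBuf bytes.Buffer
	var crlBuf bytes.Buffer

	for _, secret := range c.ClientCASecrets {
		crt, ok := secret.Data[model.CAKey]
		if !ok || len(crt) == 0 {
			// a client CA secret without a bundle is a misconfiguration, not an empty CA
			return fmt.Errorf("client ca secret %s/%s: missing %s key", secret.Namespace, secret.Name, model.CAKey)
		}
		crtBuf.Write(crt)
		crtBuf.WriteRune('\n')
		// the CRL is optional per secret
		if crl, ok := secret.Data[model.CRLKey]; ok && len(crl) > 0 {
			crlBuf.Write(crl)
			crlBuf.WriteRune('\n')
		}
	}

	p.Settings.ClientCa = proto.String(base64.StdEncoding.EncodeToString(crtBuf.Bytes()))
	// only set client_crl when at least one secret supplied a CRL
	if crlBuf.Len() > 0 {
		p.Settings.ClientCrl = proto.String(base64.StdEncoding.EncodeToString(crlBuf.Bytes()))
	}
	return nil
}
```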
16 changes: 16 additions & 0 deletions reference.md
Expand Up @@ -75,6 +75,22 @@ PomeriumSpec defines Pomerium-specific configuration parameters.
</td>
</tr>

<tr>
<td>
<p>
<code>clientCASecrets</code>&#160;&#160;

<strong>[]string</strong>&#160;

</p>
<p>

Client CAs is a list of secrets of type TLS to use for client-side mTLS. Specify the corresponding CRL with the ca.crl key
</p>

</td>
</tr>

<tr>
<td>
<p>
