TLSContexts require a certificate be provided to be created. #1708

Closed
iNoahNothing opened this issue Jul 25, 2019 · 0 comments
This mostly plays a role when creating a TLSContext for originating TLS to upstream services, where TLS certificates need not be provided.

Currently, if I needed to enforce a strict minimum TLS version for origination to an upstream service, I would expect to create a TLSContext like this:

```yaml
---
apiVersion: ambassador/v1
kind: TLSContext
name: example-upstream
min_tls_version: v1.3
```

and use it in a Mapping like this:

```yaml
---
apiVersion: ambassador/v1
kind: Mapping
name: basic-tls-mapping
prefix: /
tls: example-upstream
service: https://example-service
```

However, checking the logs, it looks like Ambassador rejects any TLSContext that does not provide certificates:

```text
2019-07-25 19:00:31 diagd 0.72.0 [P85TAmbassadorEventWatcher] INFO: TLSContext httpbin-tls has no certificate information at all?
2019-07-25 19:00:31 diagd 0.72.0 [P85TAmbassadorEventWatcher] ERROR: httpbin-tls.default.1: <RichStatus BAD error=TLSContext httpbin-tls is missing cert_chain_file hostname=ambassador-78bd586dc9-5rvj4 version=0.72.0>
2019-07-25 19:00:31 diagd 0.72.0 [P85TAmbassadorEventWatcher] ERROR: httpbin-tls.default.1: <RichStatus BAD error=TLSContext httpbin-tls is missing private_key_file hostname=ambassador-78bd586dc9-5rvj4 version=0.72.0>
2019-07-25 19:00:31 diagd 0.72.0 [P85TAmbassadorEventWatcher] ERROR: cluster_https___httpbin_org_otls: <RichStatus BAD error=Originate-TLS context httpbin-tls is not defined hostname=ambassador-78bd586dc9-5rvj4 version=0.72.0>
```

So you are required to create a certificate just to create the TLSContext that enforces the minimum TLS version:

```yaml
---
apiVersion: ambassador/v1
kind: TLSContext
name: example-upstream
secret: self-signed-cert
min_tls_version: v1.3
```

While this works, the UX of needing to create a secret that has no use just to create the TLSContext should be improved.

Note:

This is also relevant for verifying client certificates. While you would expect Ambassador to be terminating TLS if it is verifying client certificates, there could be a use case where you just want client cert verification. TLS certificates must be provided for this use case as well.
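A dry-run linter for the situation described in this issue, added here as an example and not code from the Ambassador project: it re-implements, over a list of resource dicts, the two rejections visible in the diagd log above (a TLSContext without a `secret` or both `cert_chain_file` and `private_key_file` is dropped, and any Mapping whose `tls:` names a dropped or absent context loses its originate-TLS context) so that the origination case in the body and the client-cert-verification case in the note are both caught before the config is applied. The sample resources are constructed from the YAML in the issue plus two extra TLSContexts; the accepted `min_tls_version` values, the `v1.2` floor for the "weak minimum" warning, and all function names are assumptions of this example, not Ambassador's own validation rules.

```python
"""Pre-apply lint for Ambassador v1 TLSContext and Mapping resources (example code)."""
from typing import Dict, List

# Assumption: accepted min_tls_version values, ordered lowest to highest.
MIN_TLS_ORDER = ["v1.0", "v1.1", "v1.2", "v1.3"]
# Assumption: anything below this floor is flagged as a weak minimum.
WEAK_BELOW = "v1.2"
# Fields whose absence diagd reports when no `secret` is given (from the issue's log).
CERT_FIELDS = ("cert_chain_file", "private_key_file")


def tlscontext_errors(ctx: Dict) -> List[str]:
    """Errors that make Ambassador 0.72 reject this TLSContext outright."""
    errs: List[str] = []
    if "secret" not in ctx:
        errs.extend(f"TLSContext {ctx['name']} is missing {f}"
                    for f in CERT_FIELDS if f not in ctx)
    mv = ctx.get("min_tls_version")
    if mv is not None and mv not in MIN_TLS_ORDER:
        errs.append(f"TLSContext {ctx['name']} has unknown min_tls_version {mv}")
    return errs


def tlscontext_warnings(ctx: Dict) -> List[str]:
    """Accepted by Ambassador, but weaker than a practitioner usually wants."""
    mv = ctx.get("min_tls_version")
    if mv is None:
        return [f"TLSContext {ctx['name']} sets no min_tls_version"]
    if mv in MIN_TLS_ORDER and MIN_TLS_ORDER.index(mv) < MIN_TLS_ORDER.index(WEAK_BELOW):
        return [f"TLSContext {ctx['name']} allows {mv}; raise to {WEAK_BELOW} or higher"]
    return []


def lint(resources: List[Dict]) -> Dict[str, List[str]]:
    """Dry-run the resources; returns {"errors": [...], "warnings": [...]}."""
    errors: List[str] = []
    warnings: List[str] = []
    accepted = set()
    # Pass 1: decide which TLSContexts would survive validation.
    for r in resources:
        if r.get("kind") != "TLSContext":
            continue
        errs = tlscontext_errors(r)
        if errs:
            errors.extend(errs)
        else:
            accepted.add(r["name"])
            warnings.extend(tlscontext_warnings(r))
    # Pass 2: a Mapping that names a rejected context has no originate-TLS context.
    for r in resources:
        if r.get("kind") != "Mapping":
            continue
        tls = r.get("tls")
        if isinstance(tls, str) and tls not in accepted:
            errors.append(f"Mapping {r['name']}: Originate-TLS context {tls} is not defined")
    return {"errors": errors, "warnings": warnings}


# Constructed sample: the issue's resources plus a fixed context and a weak one.
SAMPLE: List[Dict] = [
    {"apiVersion": "ambassador/v1", "kind": "TLSContext", "name": "example-upstream",
     "min_tls_version": "v1.3"},
    {"apiVersion": "ambassador/v1", "kind": "Mapping", "name": "basic-tls-mapping",
     "prefix": "/", "tls": "example-upstream", "service": "https://example-service"},
    {"apiVersion": "ambassador/v1", "kind": "TLSContext", "name": "example-upstream-fixed",
     "secret": "self-signed-cert", "min_tls_version": "v1.3"},
    {"apiVersion": "ambassador/v1", "kind": "TLSContext", "name": "legacy-upstream",
     "secret": "self-signed-cert", "min_tls_version": "v1.0"},
    {"apiVersion": "ambassador/v1", "kind": "Mapping", "name": "fixed-mapping",
     "prefix": "/fixed/", "tls": "example-upstream-fixed", "service": "https://example-service"},
]

if __name__ == "__main__":
    result = lint(SAMPLE)
    for level in ("errors", "warnings"):
        for msg in result[level]:
            print(f"{level[:-1].upper()}: {msg}")
```

Run it against the resources you are about to apply; any entry under `errors` reproduces what diagd would log after the fact, and the `warnings` list is where a context that passes validation but still permits TLS 1.0 or 1.1 shows up.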
