Merge pull request #4247 from emissary-ingress/alexgervais/dev/crl-v2.3

Allow Host and TLSContext to configure a CRL (v2.3)
emissary-ingress · May 26, 2022 · 4db1262 · 4db1262
2 parents ea05c49 + be24f95
commit 4db1262
Show file tree

Hide file tree

Showing 25 changed files with 772 additions and 89 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -97,11 +97,15 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest
 - Feature: It is now possible to set `propagation_modes` in the `TracingService` config when using
   lightstep as the driver. (Thanks to <a href="https://github.com/psalaberria002">Paul</a>!) ([#4179])
 
+- Feature: It is now possible to set `crl_secret` in `Host` and `TLSContext` resources to check peer
+  certificates against a certificate revocation list. ([#1743])
+
 - Bugfix: When CORS is specified (either in a `Mapping` or in the `Ambassador` `Module`), CORS
   processing will happen before authentication. This corrects a problem where XHR to authenticated
   endpoints would fail.
 
 [#4179]: https://github.com/emissary-ingress/emissary/pull/4179
+[#1743]: https://github.com/emissary-ingress/emissary/issues/1743
 
 ## [2.2.2] February 25, 2022
 [2.2.2]: https://github.com/emissary-ingress/emissary/compare/v2.2.1...v2.2.2

diff --git a/cmd/entrypoint/secrets.go b/cmd/entrypoint/secrets.go
@@ -326,6 +326,10 @@ func findSecretRefs(ctx context.Context, resource kates.Object, secretNamespacin
 		if r.Spec.TLS != nil {
 			// Host.spec.tls.caSecret is the thing to worry about here.
 			secretRef(r.GetNamespace(), r.Spec.TLS.CASecret, secretNamespacing, action)
+
+			if r.Spec.TLS.CRLSecret != "" {
+				secretRef(r.GetNamespace(), r.Spec.TLS.CRLSecret, secretNamespacing, action)
+			}
 		}
 
 		// Host.spec.tlsSecret and Host.spec.acmeProvider.privateKeySecret are native-Kubernetes-style
@@ -359,6 +363,13 @@ func findSecretRefs(ctx context.Context, resource kates.Object, secretNamespacin
 			secretRef(r.GetNamespace(), r.Spec.CASecret, secretNamespacing, action)
 		}
 
+		if r.Spec.CRLSecret != "" {
+			if r.Spec.SecretNamespacing != nil {
+				secretNamespacing = *r.Spec.SecretNamespacing
+			}
+			secretRef(r.GetNamespace(), r.Spec.CRLSecret, secretNamespacing, action)
+		}
+
 	case *amb.Module:
 		// This whole thing is a hack. We probably _should_ check to make sure that
 		// this is an Ambassador Module or a TLS Module, but, well, those're the only

diff --git a/docker/test-auth/authsvc.crt b/docker/test-auth/authsvc.crt
@@ -12,12 +12,12 @@ GB+YhUDeevxHXoJxavlw3sgIZ+TL/sHcnCMkNZ1bdwmoTwzQnbkwftYm9pO69hyx
 egPYgNFLaIkLrpZAQxwijZuQU/obFF10CRI6lp5qxJPiSxAR05fiH7FneUlTeSp1
 ui1h3RbrQjiLZuDxy+MuTgJSWLXm/PagrTdZTAm9QTyefgDy8vdWXxi/lwu+Kumq
 ql/Vp5Lxf56x01CizbKvUq6eZ+fePkCdWg+7uTOYMJc9j5CTjMDvAgMBAAGjVTBT
-MA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8E
+MA4GA1UdDwEB/wQEAwIBojATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8E
 AjAAMB4GA1UdEQQXMBWCE2F1dGhzdmMuZGF0YXdpcmUuaW8wDQYJKoZIhvcNAQEL
-BQADggEBAIjG4MPc+zGTML29gnlbLeEEeKF2pq68pCuVwGhLiU0/dJhkzx+1wg5E
-VvVzqik0nshgUwL5v4rn4slR5Sgs4EF94oXdiVNDW53eHBIPLtJabP6KJRkVUiGp
-+H0c/BlAfES3x8uVuUgGtqPmPxQwTSLqTDYuV/p+qFmzV7GjQQy81cUcpgyyVrWz
-YJ/S/Hm5ZSasxP+RJ5mFKrsqKknMpJ944oP8BRQEU4FuYzQSKHBCIUEFmCVuF9+7
-40UdZbk1zRJOhNISl4DAgR9O/AR+/kEWfFs5co8yt7Dwr9mwdlLWvibEq1uVnzBS
-Uv+GJjyLZ6V6rgUSPknETZHlYC+RYpE=
+BQADggEBAHlnt5o2nvSPezGzhU1MuqSDBR2y6tRsnj6VxY9OWwjUSXQXxgQuT0HE
+3B5m82+JjVXVoePIdbVO98An6nbVZcWUCZ6tjUbyvCoDdAckrxyHxZ2LqoA1ZTFE
+InC374n/RXIPVkk67HzN6f0qdwSPRn/SzWCyuMF7AN/tRmu43c+pMO2IF13BMPj4
+sVnASI+lUrQRt0Evuvu1G04HDI3lq2qaFMENxkiY4z5tFCTzWLSP8Jto89dHpK1q
+eGJ+HccWHuT3RAV1OZrQt6S0P7mUOz1CiWoQI4ZO/pYdaWLsNa9KuYQCU5D+q1GD
+QeOLLqbE0KvdvgD7tfJ45wkFQk3LUEo=
 -----END CERTIFICATE-----
diff --git a/docker/test-shadow/shadowsvc.crt b/docker/test-shadow/shadowsvc.crt
@@ -12,12 +12,12 @@ SiobAd2ELGo552Ux9piiBq8tS+uz7dOOTagmAusaQayJ2sMMNP8Y5tZQjIevyGIr
 AsDfEY7Cg/jLH559omS4TAbvvfhwMV2pYIVloBKky2/EvD1Okb4ROg/WdjLrrabx
 Uys3bNoz6xHq/QJ1+he+39c8kHo/xolp37ia5EQ8NI6wNBqWexRCNKZUOsdQ0w+2
 2cb+maRm0N2bZSodAe9kWrvjmddGtYNSt0oh91SovEMEnq87JWgzAgMBAAGjVTBT
-MA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8E
+MA4GA1UdDwEB/wQEAwIBojATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8E
 AjAAMB4GA1UdEQQXMBWCE2RlbW9zdmMuZGF0YXdpcmUuaW8wDQYJKoZIhvcNAQEL
-BQADggEBAMt3Qc0Fo/p1HYoqULyACilHT/Z9/Z62ud0QmTmYUP+fS3z3Ueo63AEr
-4nafFzYEGQ7jOwGEl+873/iXSzDZnO+BqK3B12H9Du4qPMsnxKkpnu5PvB5/GUIH
-3sRJYw2FQdYXx+3t6uaBRGnzLjzMv+c64kw0+06Vb9DPgPH6Rjr4ocYteD4aOFGe
-7xBsiXjUnYkPnJljyeNVawe2o8TO/mG5/AIAjNfcgh7E1cHeaufWiLeCpwIu6rn3
-dB+VLpTaLw13O1cIw27wIOV8VNAOy7JG9jbDSW9xIWnHiax3ho8+5EOGmLGvTq9r
-ExWQ06LjeSmeKyqvgymG4MVYhVygaeU=
+BQADggEBAKqV1OKgP4YnVfC0SGerYWEe5dYRdUZ9ggcd+Kw1jInC86wEgjvLoq62
+4wZqf0w5FDkZM7jhFoncsXhOGsmkNUAAIuKCOp6ur5J4pD3v391QgPnnm3mAyTBQ
+yfP6wHG3dWtBQfuGq4ocpWCjC/qiOSnnbCh45k4a+5JomilQiDsigKX6Fib9j+gN
+2aEaECG281MTTOsENA5lMDlsKNTzDDzMVNcB+8duu3/Rknlt8qmiVF/+93zmRiZM
+HId9BPPt6ymBOGEkfPnbedAAse2aMPCkQ1n7U9ZTrlwFW3DRjHeviKWzE3/Y+paD
+lcNjs7N19NQYn1S5t98Op5uj3V3cU48=
 -----END CERTIFICATE-----
diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml
@@ -48,6 +48,14 @@ items:
         github:
           - title: "#4179"
             link: https://github.com/emissary-ingress/emissary/pull/4179
+      - title: Added support for TLS certificate revocation list
+        type: feature
+        body: >-
+          It is now possible to set `crl_secret` in `Host` and `TLSContext` resources
+          to check peer certificates against a certificate revocation list.
+        github:
+          - title: "#1743"
+            link: https://github.com/emissary-ingress/emissary/issues/1743
       - title: CORS now happens before auth
         type: bugfix
         body: >-

diff --git a/manifests/emissary/emissary-crds.yaml.in b/manifests/emissary/emissary-crds.yaml.in
@@ -896,6 +896,8 @@ spec:
                     type: integer
                   sni:
                     type: string
+                  v3CRLSecret:
+                    type: string
                 type: object
               tlsContext:
                 description: "Name of the TLSContext the Host resource is linked with.
@@ -1212,6 +1214,8 @@ spec:
                     items:
                       type: string
                     type: array
+                  crl_secret:
+                    type: string
                   ecdh_curves:
                     items:
                       type: string
@@ -3529,6 +3533,8 @@ spec:
                 type: boolean
               sni:
                 type: string
+              v3CRLSecret:
+                type: string
             type: object
             x-kubernetes-preserve-unknown-fields: true
         type: object
@@ -3577,6 +3583,8 @@ spec:
                 items:
                   type: string
                 type: array
+              crl_secret:
+                type: string
               ecdh_curves:
                 items:
                   type: string

diff --git a/pkg/api/getambassador.io/crds.yaml b/pkg/api/getambassador.io/crds.yaml
@@ -902,6 +902,8 @@ spec:
                     type: integer
                   sni:
                     type: string
+                  v3CRLSecret:
+                    type: string
                 type: object
               tlsContext:
                 description: "Name of the TLSContext the Host resource is linked with.
@@ -1217,6 +1219,8 @@ spec:
                     items:
                       type: string
                     type: array
+                  crl_secret:
+                    type: string
                   ecdh_curves:
                     items:
                       type: string
@@ -3592,6 +3596,8 @@ spec:
                 type: boolean
               sni:
                 type: string
+              v3CRLSecret:
+                type: string
             type: object
         type: object
     served: true
@@ -3639,6 +3645,8 @@ spec:
                 items:
                   type: string
                 type: array
+              crl_secret:
+                type: string
               ecdh_curves:
                 items:
                   type: string

diff --git a/pkg/api/getambassador.io/v2/crd_host.go b/pkg/api/getambassador.io/v2/crd_host.go
@@ -152,6 +152,9 @@ type TLSConfig struct {
 	ECDHCurves            []string `json:"ecdh_curves,omitempty"`
 	RedirectCleartextFrom *int     `json:"redirect_cleartext_from,omitempty"`
 	SNI                   string   `json:"sni,omitempty"`
+
+	// +k8s:conversion-gen:rename=CRLSecret
+	V3CRLSecret string `json:"v3CRLSecret,omitempty"`
 }
 
 // The first value listed in the Enum marker becomes the "zero" value,

diff --git a/pkg/api/getambassador.io/v2/crd_tlscontext.go b/pkg/api/getambassador.io/v2/crd_tlscontext.go
@@ -44,6 +44,9 @@ type TLSContextSpec struct {
 	SecretNamespacing     *bool    `json:"secret_namespacing,omitempty"`
 	RedirectCleartextFrom *int     `json:"redirect_cleartext_from,omitempty"`
 	SNI                   string   `json:"sni,omitempty"`
+
+	// +k8s:conversion-gen:rename=CRLSecret
+	V3CRLSecret string `json:"v3CRLSecret,omitempty"`
 }
 
 // TLSContext is the Schema for the tlscontexts API

diff --git a/pkg/api/getambassador.io/v2/zz_generated.conversion.go b/pkg/api/getambassador.io/v2/zz_generated.conversion.go
diff --git a/pkg/api/getambassador.io/v3alpha1/crd_host.go b/pkg/api/getambassador.io/v3alpha1/crd_host.go
@@ -141,6 +141,7 @@ type TLSConfig struct {
 	PrivateKeyFile        string   `json:"private_key_file,omitempty"`
 	CASecret              string   `json:"ca_secret,omitempty"`
 	CAcertChainFile       string   `json:"cacert_chain_file,omitempty"`
+	CRLSecret             string   `json:"crl_secret,omitempty"`
 	AlpnProtocols         string   `json:"alpn_protocols,omitempty"`
 	CertRequired          *bool    `json:"cert_required,omitempty"`
 	MinTLSVersion         string   `json:"min_tls_version,omitempty"`

diff --git a/pkg/api/getambassador.io/v3alpha1/crd_tlscontext.go b/pkg/api/getambassador.io/v3alpha1/crd_tlscontext.go
@@ -33,6 +33,7 @@ type TLSContextSpec struct {
 	PrivateKeyFile  string   `json:"private_key_file,omitempty"`
 	CASecret        string   `json:"ca_secret,omitempty"`
 	CACertChainFile string   `json:"cacert_chain_file,omitempty"`
+	CRLSecret       string   `json:"crl_secret,omitempty"`
 	ALPNProtocols   string   `json:"alpn_protocols,omitempty"`
 	CertRequired    *bool    `json:"cert_required,omitempty"`
 	// +kubebuilder:validation:Enum={"v1.0", "v1.1", "v1.2", "v1.3"}

diff --git a/python/ambassador/envoy/v3/v3tls.py b/python/ambassador/envoy/v3/v3tls.py
@@ -127,6 +127,7 @@ def add_context(self, ctx: IRTLSContext) -> None:
             ( 'cert_chain_file', self.update_cert_zero, 'certificate_chain' ),
             ( 'private_key_file', self.update_cert_zero, 'private_key' ),
             ( 'cacert_chain_file', self.update_validation, 'trusted_ca' ),
+            ( 'crl_file', self.update_validation, 'crl' ),
         ]:
             if secretinfokey in ctx['secret_info']:
                 handler(hkey, ctx['secret_info'][secretinfokey])

diff --git a/python/ambassador/fetch/secret.py b/python/ambassador/fetch/secret.py
@@ -27,6 +27,7 @@ class SecretProcessor (ManagedKubernetesProcessor):
         'cert-chain.pem',  # type="istio.io/key-and-cert"
         'key.pem',         # type="istio.io/key-and-cert"
         'root-cert.pem',   # type="istio.io/key-and-cert"
+        'crl.pem',         # type="Opaque", used for TLS CRL
     ]
 
     def __init__(self, manager: ResourceManager) -> None: