feat: Extended Root CA for client TLS connections (#181) #744
Conversation
|
@christian-roggia marking this as a draft because you said it's WIP on slack :) |
christian-roggia
changed the title
|
@aeneasr this PR should be cleaned up and ready for review. I deployed this version to our cluster and works like a charm with self-signed TLS certificates. As soon as this is merged I will open a PR also for the Helm charts. |
This allows for appending a certificate file to the Root CA without altering the system Root CA. This is useful for allowing self-signed certificates on the upstream connections
This adds support for appending certificates to the Root CA of the proxy process on upstreams. This does not alter the entire system.
* Adds cacheing of UpstreamTransport to avoid excessive IO ops at scale * Adds configuration option `ca_refresh_frequency` for periodic checks of certificate file changes * Adds new Upstream Configuration section
christian-roggia
force-pushed
the
fix_issue_118_trust_selfsigend_certs
branch
from
e49e6b3
to
c1110d1
Compare
|
Thank you, this looks great! The CI is failing because some files are formatted incorrectly. To format them, run: Thank you! |
|
As I wrote on Slack, I run the command before but I didn't commit the two CHANGELOG files as I didn't touch them and the number of changed lines was huge. Looks like it worked tough now that I committed also those two files, I guess the linter was recently updated? Thank you anyway for the help! |
|
The problem was that I changed something in the CI which pushed an unformatted commit to master. Your PR includes those changes thus had issues in the linter. The issue is resolved in the CI but since then no update was triggered on Ory Oathkeeper. I'll be reviewing your PR shortly! |
| "github.com/ory/oathkeeper/driver/configuration" | ||
| ) | ||
|
|
||
| type CertManager struct { |
There was a problem hiding this comment.
Could you please add some tests to the certmanager? Also, what should we take care of here. For example, test different cert pools? How would this look like on Windows? :)
I haven't worked with x509 cert pools before. We should also generally ensure that:
- The cache is used
- The cache is invalidated properly
- No untrusted certs are being used
- The OS cert store is being used appropriately on the different OS'es (could be difficult for mac as we don't have a pipeline for that...)
| serve: | ||
| proxy: | ||
| client_tls: | ||
| trusted_certificates: |
There was a problem hiding this comment.
If this is used for other upstream services (authenticators, ...) I think it would make sense to have client_tls as a root level config item
| ProxyServeClientTLSTrustedCerts() []string | ||
| ProxyServeClientTLSCacheRefreshFrequency() int | ||
| ProxyServeClientTLSCacheTimeToLive() time.Duration |
There was a problem hiding this comment.
If we move the config to the root level we need to change this
| ViperKeyProxyClientTLSTrustedCerts = "serve.proxy.client_tls.trusted_certificates" | ||
| ViperKeyProxyClientTLSCacheRefreshFrequency = "serve.proxy.client_tls.cache.refresh_frequency" | ||
| ViperKeyProxyClientTLSCacheTimeToLive = "serve.proxy.client_tls.cache.ttl" |
There was a problem hiding this comment.
If we move the config to the root level we need to change this
| tr *http.Transport | ||
| } | ||
|
|
||
| func NewRoundTripper(cm *CertManager) *RoundTripper { |
There was a problem hiding this comment.
Some tests would be great here as well
| @@ -8,9 +8,11 @@ import ( | |||
| "github.com/tidwall/gjson" | |||
There was a problem hiding this comment.
Could we ensure in all the authenticators that the new TLS config is actually being used by adding tests for that case?
| @@ -429,6 +431,61 @@ func TestConfigureBackendURL(t *testing.T) { | |||
| } | |||
| } | |||
|
|
|||
| func TestUpstreamAppendCaCertToRootCa(t *testing.T) { | |||
There was a problem hiding this comment.
I think we could make this a generic test helper which could then be used in the different relevant places (authenticators, mutators, proxy, authorizers)
|
Just checking in if you need help with the tests :) |
|
I will be updating the configuration path to be at the root level but I will most definitely need help setting up tests! |
|
Ok! Ping me when you're ready to work on it :) Meanwhile I will mark it as a draft. That declutters our review backlog :) Once you're done with your changes and would like someone to review them, mark the PR as ready and request a review from one of the maintainers. Thank you! |
|
As there has not been an update in the past 6 month, we'll consider this one stale and I'll close the PR. But please, do not feel discouraged in continuing the work if you have some time, the change is still appreciated! :) |
See #706.