
tlsPassClientCertificates() filter not working in kubernetes #3280

Closed
rickhlx opened this issue Oct 18, 2024 · 3 comments · Fixed by #3281

Comments


rickhlx commented Oct 18, 2024

Describe the bug
Client TLS certificates are not being passed through to the X-Forwarded-Tls-Client-Cert header when running Skipper for ingress in Kubernetes.

To Reproduce

  1. Skipper CLI args:
skipper --kubernetes -address=:8443 -kubernetes-enable-tls
  2. Ingress definition with TLS secret termination and tlsPassClientCertificates()
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    zalando.org/skipper-filter: tlsPassClientCertificates() -> logHeader("request" , "response")
  name: foobar
  namespace: foobar
spec:
  rules:
  - host: foobar.com
    http:
      paths:
      - backend:
          service:
            name: foobar
            port:
              name: web
        path: /foo
        pathType: Prefix
  tls:
  - hosts:
    - foobar.com
    secretName: foo-tls
status:
  loadBalancer: {}
  3. Request
curl -X POST https://foobar.com/foo/bar --cert cert.crt --key cert.key

Expected behavior

The pod running the foobar application should receive the X-Forwarded-Tls-Client-Cert header from Skipper, and the header should be logged by Skipper when using the logHeader() filter.

Observed behavior

The pod running the application does not get the X-Forwarded-Tls-Client-Cert header with the encoded certificate.

Host: foobar.com
Accept: */*
Content-Length: 79
Content-Type: application/x-www-form-urlencoded
User-Agent: curl/7.81.0

rickhlx commented Oct 18, 2024

We've been able to debug this issue and found that without the tls.Config.ClientAuth set to tls.RequestClientCert (instead of the default tls.NoClientCert setting), the client certificates are not loaded into the TLS context.

After we set tls.Config.ClientAuth to tls.RequestClientCert we are able to see the correctly forwarded header:

Host: foobar.com
Accept: */*
Content-Length: 79
Content-Type: application/x-www-form-urlencoded
X-Forwarded-Tls-Client-Cert: REDACTED

For reference we configured ClientAuth here in our tests:

skipper/skipper.go, lines 1199 to 1201 in 1b4b204:

config := &tls.Config{
	MinVersion: o.TLSMinVersion,
}

Should this be set by default or via a flag to enable client certificates to be passed through?
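
The behaviour described in this comment, as an added Go example that is not Skipper's code and not part of this issue: an httptest server stands in for Skipper, a self-signed ECDSA certificate (constructed here) stands in for the cert.crt/cert.key pair curl presented, and the handler computes the X-Forwarded-Tls-Client-Cert value from r.TLS.PeerCertificates. The function names, the hypothetical header encoding (base64 of each DER certificate, comma-separated), and the use of tls.VersionTLS12 in place of o.TLSMinVersion are assumptions for this example. Run it with the default tls.NoClientCert and the header is empty even though the client is configured with a certificate; with tls.RequestClientCert the certificate is forwarded.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Header name as used in the issue report.
const clientCertHeader = "X-Forwarded-Tls-Client-Cert"

// selfSignedClientCert builds a throwaway ECDSA client certificate (constructed for
// this example only; it stands in for the cert.crt/cert.key pair curl sent).
func selfSignedClientCert(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serverTLSConfig is the skipper.go snippet quoted above plus the ClientAuth field.
// Go's default is tls.NoClientCert: the server never sends a CertificateRequest, so
// the client never sends its certificate and PeerCertificates stays empty.
func serverTLSConfig(auth tls.ClientAuthType) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, ClientAuth: auth}
}

// forwardedClientCert encodes the presented chain for the header: base64 of each DER
// certificate, comma-separated (assumed format for this example, not necessarily
// Skipper's). Empty when the handshake carried no certificate.
func forwardedClientCert(cs *tls.ConnectionState) string {
	if cs == nil {
		return ""
	}
	parts := make([]string, 0, len(cs.PeerCertificates))
	for _, c := range cs.PeerCertificates {
		parts = append(parts, base64.StdEncoding.EncodeToString(c.Raw))
	}
	return strings.Join(parts, ",")
}

// clientCommonName decodes the first certificate in a header value so a backend
// (or a test) can check which identity was actually forwarded.
func clientCommonName(header string) (string, error) {
	first, _, _ := strings.Cut(header, ",")
	der, err := base64.StdEncoding.DecodeString(first)
	if err != nil {
		return "", err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

// headerSeenByBackend runs one TLS round trip against an httptest server using the
// given ClientAuth policy and returns the header value the handler computed. The
// handler echoes it in the response so it can be observed; a proxy like Skipper
// would set it on the upstream request instead.
func headerSeenByBackend(auth tls.ClientAuthType) (string, error) {
	clientCert, err := selfSignedClientCert("skipper-test-client")
	if err != nil {
		return "", err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if v := forwardedClientCert(r.TLS); v != "" {
			w.Header().Set(clientCertHeader, v)
		}
	}))
	srv.TLS = serverTLSConfig(auth) // httptest supplies the server certificate
	srv.StartTLS()
	defer srv.Close()

	client := srv.Client() // already trusts the httptest server certificate
	client.Transport.(*http.Transport).TLSClientConfig.Certificates = []tls.Certificate{clientCert}
	resp, err := client.Get(srv.URL + "/foo/bar")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return resp.Header.Get(clientCertHeader), nil
}

func main() {
	for _, auth := range []tls.ClientAuthType{tls.NoClientCert, tls.RequestClientCert} {
		hdr, err := headerSeenByBackend(auth)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		cn, _ := clientCommonName(hdr) // empty CN when no certificate was forwarded
		fmt.Printf("ClientAuth=%v header present=%t forwarded CN=%q\n", auth, hdr != "", cn)
	}
}
```

Note that tls.RequestClientCert only asks for a certificate and does not verify it, so a header built this way carries whatever the client chose to present; when the proxy itself must authenticate the client, tls.VerifyClientCertIfGiven or tls.RequireAndVerifyClientCert together with ClientCAs is the appropriate policy, and the backend should treat the header as trustworthy only when it arrives from the proxy.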

webframp commented

@szuecs this is another of our team with a slightly different environment. I mentioned it briefly in Slack. Let us know how we can help debug/report. Happy to contribute fixes if we can.

AlexanderYastrebov added a commit that referenced this issue Oct 18, 2024
Add an option and a flag to configure TLS Client Authentication
policy of the Server.

Fixes #3280

Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>

AlexanderYastrebov commented Oct 18, 2024

Hello, thank you for investigating. I've created #3281 to add an option and a flag to configure the TLS client authentication policy in a backwards-compatible way.

AlexanderYastrebov added a commit that referenced this issue Oct 21, 2024
Add an option and a flag to configure TLS Client Authentication
policy of the Server.

Fixes #3280

Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
RomanZavodskikh pushed a commit that referenced this issue Oct 21, 2024
Add an option and a flag to configure TLS Client Authentication
policy of the Server.

Fixes #3280

Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>