
[THREESCALE-5105] Adding support for mtls when using proxy policy #1499

Merged: 4 commits into 3scale:master from the THREESCALE-5105-proxy-mtls branch, Oct 18, 2024

Conversation

tkan145
Contributor

@tkan145 tkan145 commented Oct 10, 2024

What

Fix https://issues.redhat.com/browse/THREESCALE-5105

NOTE

Please ignore the codecov report. I will move tls.lua to apicast-nginx-module in a future commit.

Verification steps:

  • Build runtime image
make runtime-image IMAGE_NAME=apicast-test
  • Get into the dev-environments
cd dev-environments/https-proxy-upstream-tlsv1.3
  • Update the apicast-config.json file as follows
diff --git a/dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json b/dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json 
index 5227c5aa..09fb1ab9 100644                                                                                                                    
--- a/dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json                                                                            
+++ b/dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json                                                                            
@@ -11,6 +11,15 @@                                                                                                                                 
           "host": "backend"                                                                                                                       
         },                                                                                                                                        
         "policy_chain": [                                                                                                                         
+          {                                                                                                                                       
+            "name": "apicast.policy.upstream_mtls",                                                                                               
+            "configuration": {                                                                                                                    
+                "certificate": "/tmp/example.com.crt",                                                                                            
+                "certificate_type": "path",                                                                                                       
+                "certificate_key": "/tmp/example.com.key",                                                                                        
+                "certificate_key_type": "path"                                                                                                    
+            }                                                                                                                                     
+          },                                                                                                                                      
           {                                                                                                                                       
             "name": "apicast.policy.http_proxy",                                                                                                  
             "configuration": {                                                                                                                    
  • Update the docker-compose file as follows
diff --git a/dev-environments/https-proxy-upstream-tlsv1.3/docker-compose.yml b/dev-environments/https-proxy-upstream-tlsv1.3/docker-compose.yml
index af418aca..b5b42341 100644
--- a/dev-environments/https-proxy-upstream-tlsv1.3/docker-compose.yml
+++ b/dev-environments/https-proxy-upstream-tlsv1.3/docker-compose.yml
@@ -24,6 +24,9 @@ services:
       - "8090:8090"
     volumes:
       - ./apicast-config.json:/tmp/config.json
+      - ./cert/example.com.crt:/tmp/example.com.crt
+      - ./cert/example.com.key:/tmp/example.com.key
+      - ./cert/rootCA.pem:/tmp/rootCA.pem
   proxy:
     build:
       dockerfile: ./tinyproxy.Dockerfile
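Review bot: `./cert/rootCA.pem:/tmp/rootCA.pem` is mounted into the gateway, but nothing in the apicast-config.json change reads /tmp/rootCA.pem; either drop the mount or wire it into the policy configuration, otherwise readers of the verification step will look for a setting that is not there. The private key is also mounted read-write, which the gateway does not need: `- ./cert/example.com.key:/tmp/example.com.key:ro` (and the same for the certificate) keeps the container from touching host key material.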
@@ -35,12 +38,13 @@ services:
   example.com:
     image: alpine/socat:1.7.4.4
     container_name: example.com
-    command: "-v openssl-listen:443,reuseaddr,fork,cert=/etc/pki/example.com.pem,verify=0,openssl-min-proto-version=TLS1.3,openssl-max-proto-version=TLS1.3 TCP:two.upstream:80"
+    command: "-v openssl-listen:443,reuseaddr,fork,cert=/etc/pki/example.com.pem,cafile=/etc/pki/rootCA.pem,verify=1,openssl-min-proto-version=TLS1.3,openssl-max-proto-version=TLS1.3 TCP:two.upstream:80"
     expose:
       - "443"
     restart: unless-stopped
     volumes:
       - ./cert/example.com.pem:/etc/pki/example.com.pem
+      - ./cert/rootCA.pem:/etc/pki/rootCA.pem
   two.upstream:
     image: kennethreitz/httpbin
     expose:
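Review bot: moving the listener from verify=0 to cafile=/etc/pki/rootCA.pem,verify=1 makes socat demand a client certificate chained to rootCA.pem, so the verification steps should also cover the failure case (run the same curl with the upstream_mtls policy removed, or with a certificate not signed by rootCA.pem, and confirm the handshake to example.com fails) to prove the 200 OK is produced by the client certificate rather than by a listener that still accepts anonymous clients. Both sides also appear to use the same example.com key material (example.com.pem on the listener, example.com.crt/.key on the gateway); that works for a smoke test, but a dedicated client certificate would make the step reflect a real deployment.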
  • Start APIcast gateway
make certs
make gateway IMAGE_NAME=apicast-test
  • Send a request to APIcast
curl --resolve get.example.com:8080:127.0.0.1 -v "http://get.example.com:8080/?user_key=123"

...
< HTTP/1.1 200 OK                        
< Content-Type: application/json         
< Transfer-Encoding: chunked             
< Connection: keep-alive                 
< Server: gunicorn/19.9.0                
< Access-Control-Allow-Credentials: true 
< Access-Control-Allow-Origin: *         
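The steps above show only the happy path and need the real environment (tinyproxy, socat, `make certs`) to run. The following is an added example, not code from this PR or from APIcast, that reproduces the same path offline in Python so that both outcomes can be checked: a minimal HTTP CONNECT proxy stands in for tinyproxy, a Python `ssl` server restricted to TLS 1.3 with a required client certificate stands in for the socat listener (`cafile=/etc/pki/rootCA.pem,verify=1`), and the client does what the http_proxy and upstream_mtls policies do together: CONNECT to example.com:443 through the proxy, then a TLS 1.3 handshake inside the tunnel presenting a client certificate. Everything else is assumed for the example: the `openssl` CLI is used in place of `make certs`, the CA/server/client subjects, the `example.com:443` route and the `/?user_key=123` request are made up, and `run_demo`, `fetch_via_proxy`, `make_certs` and the handler classes are this example's own names, not APIcast's.

```python
"""Added example (not APIcast's code): the verification path above, reproduced offline with the
stdlib. Every name, port and certificate subject is made up; an `openssl` CLI on PATH is assumed."""
import contextlib, os, pathlib, socket, socketserver, ssl, subprocess, tempfile, threading

def make_certs(d):
    """Stand-in for `make certs`: a root CA, an example.com server cert and a separate client cert."""
    def openssl(*args):
        subprocess.run(["openssl", *args], cwd=d, check=True, capture_output=True)
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=Dev Root CA", "-keyout", "rootCA.key", "-out", "rootCA.pem")
    for name, cn in (("example.com", "example.com"), ("client", "apicast-gateway")):
        pathlib.Path(d, "san.ext").write_text(f"subjectAltName=DNS:{cn}\n")  # for hostname checks
        openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
                "-keyout", f"{name}.key", "-out", f"{name}.csr")
        openssl("x509", "-req", "-days", "1", "-in", f"{name}.csr", "-CA", "rootCA.pem", "-CAkey",
                "rootCA.key", "-CAcreateserial", "-extfile", "san.ext", "-out", f"{name}.crt")
    return {k: os.path.join(d, k) for k in
            ("rootCA.pem", "example.com.crt", "example.com.key", "client.crt", "client.key")}

def pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst; a CONNECT tunnel is this in both directions."""
    with contextlib.suppress(OSError):
        while data := src.recv(65536):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

class ConnectHandler(socketserver.BaseRequestHandler):
    """tinyproxy stand-in; server.routes maps "host:port" to a local address, as compose DNS would."""
    def handle(self):
        method, target = self.request.recv(4096).split(b" ", 2)[:2]  # one recv is enough on loopback
        if method != b"CONNECT" or not (dest := self.server.routes.get(target.decode())):
            self.request.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
            return
        with socket.create_connection(dest) as upstream:
            self.request.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            back = threading.Thread(target=pump, args=(upstream, self.request), daemon=True)
            back.start()
            pump(self.request, upstream)  # the TLS handshake inside is opaque bytes to the proxy
            back.join()

class MtlsHandler(socketserver.BaseRequestHandler):
    """socat stand-in; server.ctx is TLS 1.3 only and requires a client cert chained to rootCA.pem."""
    def handle(self):
        try:
            tls = self.server.ctx.wrap_socket(self.request, server_side=True)
        except OSError:  # ssl.SSLError: no client certificate, or one not signed by the CA
            return
        with tls:
            if tls.recv(4096):  # the HTTP request; its contents do not matter here
                tls.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")

def fetch_via_proxy(proxy, host, port, cafile, client_cert=None):
    """What http_proxy + upstream_mtls do for an https upstream: CONNECT through the proxy, then
    TLS 1.3 inside the tunnel presenting client_cert=(crt, key). Returns the status line or None."""
    ctx = ssl.create_default_context(cafile=cafile)  # trust anchor for the upstream's certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    sock, tls = socket.create_connection(proxy, timeout=5), None
    try:
        sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
        if not sock.recv(4096).startswith(b"HTTP/1.1 200"):
            return None
        tls = ctx.wrap_socket(sock, server_hostname=host)
        tls.sendall(f"GET /?user_key=123 HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        data = tls.recv(4096)  # under TLS 1.3 a rejected client cert surfaces here, as an alert
        return data.split(b"\r\n", 1)[0].decode() if data else None
    except OSError:  # ssl.SSLError, reset, timeout: the session was refused or the proxy failed
        return None
    finally:
        (tls or sock).close()

def run_demo():
    """Positive and negative case; the verification steps should show both."""
    with tempfile.TemporaryDirectory() as d:
        paths = make_certs(d)
        upstream = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MtlsHandler)
        upstream.ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=paths["rootCA.pem"])
        upstream.ctx.load_cert_chain(paths["example.com.crt"], paths["example.com.key"])
        upstream.ctx.verify_mode = ssl.CERT_REQUIRED  # socat's cafile=...,verify=1
        upstream.ctx.minimum_version = ssl.TLSVersion.TLSv1_3
        proxy = socketserver.ThreadingTCPServer(("127.0.0.1", 0), ConnectHandler)
        proxy.routes = {"example.com:443": upstream.server_address}
        for srv in (upstream, proxy):
            srv.daemon_threads = True
            threading.Thread(target=srv.serve_forever, daemon=True).start()
        host, ca = "example.com", paths["rootCA.pem"]
        try:
            return {"with_client_cert": fetch_via_proxy(proxy.server_address, host, 443, ca,
                                                        (paths["client.crt"], paths["client.key"])),
                    "without_client_cert": fetch_via_proxy(proxy.server_address, host, 443, ca)}
        finally:
            for srv in (proxy, upstream):
                srv.shutdown()
                srv.server_close()

if __name__ == "__main__":
    print(run_demo())
```

Run it directly and it prints both results: `HTTP/1.1 200 OK` when the client certificate is presented and `None` without it, which is the negative check the steps above do not include. Because TLS 1.3 completes the client's side of the handshake before the server has evaluated the certificate, the rejection shows up on the first read after the handshake (as an alert), not as a failure of `wrap_socket`; anyone scripting a negative test against the real environment should therefore check for a failed response, not a failed connect.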

@tkan145 tkan145 requested a review from a team as a code owner October 10, 2024 05:23
@tkan145 tkan145 force-pushed the THREESCALE-5105-proxy-mtls branch 2 times, most recently from 177e243 to 2da00ed on October 16, 2024 01:42
@tkan145 tkan145 force-pushed the THREESCALE-5105-proxy-mtls branch from 2da00ed to a708c22 on October 16, 2024 02:38
@tkan145 tkan145 changed the title [WIP] [THREESCALE-5105] Adding support for mtls when using proxy policy [THREESCALE-5105] Adding support for mtls when using proxy policy Oct 16, 2024
Member

@eguzki eguzki left a comment


Excellent job 🎖️

Few comments, but overall LGTM

@@ -0,0 +1,91 @@
local base = require "resty.core.base"
eguzki (Member):

Please ignore the codecov report. I will move tls.lua to apicast-nginx-module in a future commit.

Do we plan to move this file (and content) to the apicast-nginx-module??

tkan145 (Contributor Author):

Yes, I'm planning to replace https://github.com/3scale/apicast-nginx-module/blob/master/lib/resty/mtls.lua with the content of this tls.lua file. This makes it easier to test for patches, memory leaks, etc.

"name": "apicast.policy.apicast"
},
{
"name": "apicast.policy.http_proxy",
eguzki (Member):

nit: shouldn't be the apicast policy the last one?

tkan145 (Contributor Author):

They run at different phases, so the order is not important. But I updated the PR 😄

@eguzki eguzki (Member) commented Oct 16, 2024

Verification steps working like a charm

@tkan145 tkan145 force-pushed the THREESCALE-5105-proxy-mtls branch from a708c22 to d0c557a on October 17, 2024 01:58
@tkan145 tkan145 merged commit 7fe7ac6 into 3scale:master Oct 18, 2024
13 of 14 checks passed
@tkan145 tkan145 deleted the THREESCALE-5105-proxy-mtls branch October 18, 2024 03:36