mTLS authn method #301 (merged)
Commits on Jun 10, 2022
Implements Mutual Transport Layer Security (mTLS) identity verification in Authorino. Trusted root Certificate Authorities (CA) certificates are stored as Kubernetes TLS Secrets, fetched and cached by Authorino, similarly to how API key Secrets are handled. Label selectors and namespace/cluster scope are encouraged to be used. It works for both interfaces, i.e. the gRPC Envoy protocol-based authorization interface and the raw HTTP authorization interface. For integrations via Envoy, mTLS authn set as well in Authorino might be seen as redundant and only meaningful for the purpose of combining multiple authentication methods and/or for counting on better structured subject data to apply normalization. For simple use cases, Authorino's 'plain' identity method can be used instead, fetching Envoy-injected principal information (extracted from the client cert) from `context.request.source.principal`.
Commit a9076aa
K8s Secret-based identity interface and controller methods renamed so they are less specific about API keys
Commit 463e93b
Refactor API key secret identity evaluator
- Modified names of variables, pointers, imports, to have a better base for the implementation of the mTLS identity evaluator with proper reconciliation of k8s secrets
- Fixed label of log values for the name of secret
Commit 0458d91
Reconciliation of trusted mTLS root CA cert k8s secrets
Refreshes the entire list of cached root CA certs by reloading them all again from the cluster at any operation (add, update, delete secret). This is because `x509.CertPool` does not provide a good interface for deleting and updating the list of certificates in the pool, despite its convenient `.AppendCertsFromPEM` function. To allow better management of the cache (i.e., addition, update and deletion of individual k8s secrets to avoid reloading all secrets, using the qualified name `<namespace>/<name>` of the resource as key), another data structure to store the trusted root CA certs must replace the type of `rootCerts: *x509.CertPool`.
Commit d48785e
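The per-Secret cache the commit message above calls for, as an added Go example that is not Authorino's code: trusted root CA bundles are kept keyed by the qualified name `<namespace>/<name>`, and the `x509.CertPool` is rebuilt from the map on demand instead of being mutated, so one Secret can be added, updated or deleted without reloading all of them. The type and method names are hypothetical, the CA and client certificate are generated inline for the demonstration, and the example assumes reconcile events arrive one at a time (as from a controller workqueue), so it carries no lock.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// trustedCAs keeps one PEM bundle per Kubernetes Secret, keyed by "<namespace>/<name>",
// so a single Secret can be added, updated or deleted without reloading all of them;
// the CertPool is rebuilt on demand instead of being mutated in place (hypothetical type).
type trustedCAs map[string][]byte

// Upsert serves both the add and the update reconciliation events for a Secret.
func (t trustedCAs) Upsert(key string, pemBundle []byte) { t[key] = pemBundle }
func (t trustedCAs) Delete(key string)                   { delete(t, key) }

// Pool builds a fresh CertPool from the cache (usable as tls.Config.ClientCAs).
func (t trustedCAs) Pool() *x509.CertPool {
	pool := x509.NewCertPool()
	for _, b := range t {
		pool.AppendCertsFromPEM(b)
	}
	return pool
}

// VerifyClient checks a client certificate (one PEM CERTIFICATE block) against the current pool.
func (t trustedCAs) VerifyClient(certPEM []byte) error {
	block, _ := pem.Decode(certPEM)
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: t.Pool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// testCA generates a throwaway root CA and a client cert it signed (constructed for this example only).
func testCA(cn string) (caPEM, clientPEM []byte) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	clientPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caPriv)
	caCert, _ := x509.ParseCertificate(caDER)
	client := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client"},
		NotBefore: ca.NotBefore, NotAfter: ca.NotAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	clientDER, _ := x509.CreateCertificate(rand.Reader, client, caCert, clientPub, caPriv)
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(caDER), toPEM(clientDER)
}
```

Deleting one Secret's key removes only that CA's trust at the next `Pool()` call; clients issued by the remaining CAs keep verifying.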
Commit 1b391d0
Commits on Jun 12, 2022
Commit 8a8c676
Commits on Jun 13, 2022
Commit 6fe79a8