Sorry for sending this again, but forgot to add formatting last time.
Should look better this time :)

Hi,

Recently we had a requirement to support client certificate authentication
for an application that is deployed on OpenShift. I got it working using
the “Passthrough” mode with the OpenShift router. However, the downside is
that I also have to manage SSL inside my application, rather than taking
advantage of the OpenShift routes.

But given that OpenShift routers are based on HAProxy, and HAProxy does
support client certificate authentication, I did a small POC to prove
that OpenShift routers can perform client certificate authentication as
well, and here is what I did:

   1. I modified the original haproxy-config.template file and added the
   following sections:
      - https://gist.github.com/wei-lee/1dc94ec67fa2a30115a416614dcce750#file-haproxy-config-template-L200-L202
      - https://gist.github.com/wei-lee/1dc94ec67fa2a30115a416614dcce750#file-haproxy-config-template-L254-L287

   The idea is quite simple: A new mapping file is used to save all the
   hosts that require CCA. When a match is found for a given request, a new
   frontend/backend pair will be used. The new frontend/backend pair is
   similar to the existing be_sni/fe_sni pair, with a few small changes. The
   first is to add the following new options to the bind statement:

   verify optional ca-file /var/lib/haproxy/conf/custom/ca/trust.pem

   This will tell HAProxy to perform client certificate authentication.
   Then the client cert info will be passed to the backend application via
   a header:

   # Set client certificate info
   http-request set-header x-ssl-client-cert %{+Q}[ssl_c_der,base64]

   2. I then created a few configmaps to save the new template file, the
   new mapping file mentioned above (see this example
   <https://gist.github.com/wei-lee/756e6afcb4f3778df016d6c56e81206f>), and
   the CA file for client verification.
   3. Finally, I attached the configmaps to the router container as PVs,
   and set the container to use the new HAProxy template.

After redeploying the router, I created a new “Edge” route in OpenShift for my
application (see route_config.png
<https://gist.github.com/wei-lee/3951ebba7b2c96507d5857efce1a3228#file-route_config-png>).
When I navigate to the route in the browser, I got prompted to select the
client certificate to use (see select_cert.png
<https://gist.github.com/wei-lee/3951ebba7b2c96507d5857efce1a3228#file-select_cert-png>).
Once the right cert is selected, the request is proxied to my backend
application, and my backend application can still access the client cert
info (see client_cert.png
<https://gist.github.com/wei-lee/3951ebba7b2c96507d5857efce1a3228#file-client_cert-png>
).

So based on the POC, I think we can add support for CCA in OpenShift
routes, and here is the proposal for how to implement it:

   1. In the route config page, a few new fields can be added. These fields
   will allow developers to configure whether they want to enable CCA, and to
   upload the CA file for client verification.
   2. The backend model that represents the route configuration should be
   updated as well to persist the new CCA info.
   3. When updating the HAProxy config file, new files should be created,
   including:
      - a mapping file to record which routes require CCA
      - each CCA CA file should be written to its own file on disk
   4. For each route that requires CCA, a new backend/frontend pair
   should be added to the HAProxy config template file. Each frontend will be
   bound to a new port, and use the CA file that is specified for the route to
   perform CCA.

So am I on the right track here, or is there a better way to do it? If I
want to implement this feature, where is the best place to start? Also, who is
the best person to ask questions around routers? Any other
suggestions/feedback/thoughts?

Thank you!

—

WEI LI

SENIOR SOFTWARE ENGINEER

Red Hat Mobile <https://www.redhat.com/>

[email protected] M: +353862393272

<https://red.ht/sig>
_______________________________________________
dev mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
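As an added illustration of steps 3 and 4 of the proposal above (a mapping file of CCA hosts, one CA file per route, and one frontend/backend pair per route on its own local port), here is a small generator for those HAProxy pieces. This is example code written for this discussion, not code from the POC gists or from the OpenShift router template. The config directory, the port range, the section names, the router certificate path and the send-proxy/accept-proxy wiring between the pair are all assumptions; the `verify`/`ca-file` bind options and the `x-ssl-client-cert` header are the ones from the POC. It also emits the two checks a reviewer would ask for: a `deny` on the CCA frontend unless the certificate verified, and a `del-header` rule for the non-CCA frontends so a client cannot inject the header itself.

```python
"""Generate the HAProxy pieces for client-certificate-authenticated (CCA) routes:
the host-to-backend map file, one CA file per route, and one frontend/backend
pair per route, each frontend bound to its own local port.

Hypothetical helper for illustration; it is not part of the OpenShift router
template. Paths, port range, section names and the send-proxy/accept-proxy
wiring between the pair are assumptions.
"""
import re
from dataclasses import dataclass

CONF_DIR = "/var/lib/haproxy/conf"                # assumed router config directory
CCA_BASE_PORT = 11000                             # assumed: first local port for CCA frontends
ROUTER_CERT = f"{CONF_DIR}/default_pub_keys.pem"  # assumed serving certificate bundle
HEADER = "x-ssl-client-cert"                      # header carrying the base64 DER client cert
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\n.+?\n-----END CERTIFICATE-----", re.S)


@dataclass(frozen=True)
class CcaRoute:
    name: str                  # route name; used to derive HAProxy section names
    host: str                  # hostname looked up in the map file
    backend: str               # existing backend holding the application endpoints
    ca_pem: str                # CA bundle (PEM) that client certificates must chain to
    verify: str = "required"   # "required" or "optional", as on the HAProxy bind line


def validate_ca_pem(pem: str) -> int:
    """Return the number of PEM certificates; reject empty or malformed bundles."""
    n = len(PEM_CERT.findall(pem))
    if n == 0:
        raise ValueError("CA bundle contains no PEM certificate")
    return n


def section_name(route: CcaRoute) -> str:
    """HAProxy section names: keep [A-Za-z0-9_.-], replace anything else."""
    return re.sub(r"[^A-Za-z0-9_.-]", "_", route.name)


def ca_file_path(route: CcaRoute) -> str:
    return f"{CONF_DIR}/custom/ca/{section_name(route)}.pem"


def allocate_ports(routes):
    """Deterministic port per route: sort by name so regenerating the config
    does not shuffle ports between routes."""
    ordered = sorted(routes, key=lambda r: r.name)
    return {r.name: CCA_BASE_PORT + i for i, r in enumerate(ordered)}


def render_map(routes) -> str:
    """Map file consulted by the SNI frontend: '<host> <backend>' per line."""
    return "".join(f"{r.host} be_cca_{section_name(r)}\n" for r in routes)


def render_pair(route: CcaRoute, port: int) -> str:
    """One backend/frontend pair modelled on be_sni/fe_sni (wiring assumed)."""
    if route.verify not in ("required", "optional"):
        raise ValueError(f"unsupported verify mode: {route.verify}")
    name = section_name(route)
    lines = [
        f"backend be_cca_{name}",
        "    mode tcp",
        f"    server fe_cca_{name} 127.0.0.1:{port} weight 1 send-proxy",
        "",
        f"frontend fe_cca_{name}",
        "    mode http",
        f"    bind 127.0.0.1:{port} ssl crt {ROUTER_CERT} accept-proxy"
        f" verify {route.verify} ca-file {ca_file_path(route)}",
    ]
    if route.verify == "required":
        # Defense in depth: refuse any request whose certificate did not verify,
        # even if a later edit to the bind line relaxes the handshake.
        lines.append("    http-request deny unless { ssl_c_verify 0 }")
    else:
        # Optional mode: the client may present no certificate at all, so tell
        # the application whether one was used and what the verify result was.
        lines.append("    http-request set-header x-ssl-client-used %[ssl_c_used]")
        lines.append("    http-request set-header x-ssl-client-verify %[ssl_c_verify]")
    lines += [
        f"    http-request set-header {HEADER} %{{+Q}}[ssl_c_der,base64]",
        f"    default_backend {route.backend}",
        "",
    ]
    return "\n".join(lines)


def render_scrub_rule() -> str:
    """Rule for the non-CCA frontends: a client must not be able to inject the
    certificate header and have a backend trust it."""
    return f"    http-request del-header {HEADER}\n"


def render_all(routes):
    """Validate every CA bundle, then produce the map, the config and the CA files."""
    for r in routes:
        validate_ca_pem(r.ca_pem)
    ports = allocate_ports(routes)
    return {
        "map": render_map(routes),
        "config": "".join(render_pair(r, ports[r.name]) for r in routes),
        "ca_files": {ca_file_path(r): r.ca_pem for r in routes},
        "ports": ports,
    }
```

The port allocation is keyed by sorted route name rather than by creation order so that a reload with one route removed does not move every other CCA frontend to a different port. The `del-header` rule belongs on the frontends that do not terminate CCA: `set-header` on the CCA frontend already overwrites anything the client sent, but an application reachable through a second, non-CCA route would otherwise receive whatever `x-ssl-client-cert` value the client chose.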
