Hi Aleksandar,

Yes, I think annotation is probably the best place to store the CCA options. However, the challenge for any developer who wants to enable CCA is really about the changes required to the HAProxy config template. In this case, the single frontend/backend to handle all SSL connections is not enough; a new pair of them is needed to handle each route that requires CCA. So my proposal is really about getting the template changes into the default one, to make it as easy as possible for developers to enable CCA.

At the minimum, it will be good to have detailed docs to explain how to enable CCA with a customised template and annotations, which I can't find at the moment.

Thanks.

On 23 Nov 2017 11:04 p.m., "Aleksandar Lazic" <[email protected]> wrote:

Hi Wei.

Just for my curiosity, was this described solution not a possible solution?

https://docs.openshift.org/3.6/install_config/router/customized_haproxy_router.html#using-annotations

Best Regards
aleks

------ Original message ------
From: "Wei Li" <[email protected]>
To: [email protected]
Sent: 23.11.2017 18:05:28
Subject: Fwd: a proposal to add support for client certificate authentication in OpenShift Routes

Sorry for sending this again, but forgot to add formatting last time.

> Should look better this time :)
>
> Hi,
>
> Recently we have a requirement to support client certificate authentication for an application that is deployed on OpenShift. I got it working using the "Passthrough" mode with the OpenShift router. However, the downside is that I also have to manage SSL inside my application, rather than taking advantage of the OpenShift routes.
>
> But given that OpenShift routers are based on HAProxy, and HAProxy does support client certificate authentication, I did a small POC to prove that OpenShift routers can perform client certificate authentication as well, and here is what I did:
>
> I modified the original haproxy-config.template file and added the following sections:
>
> https://gist.github.com/wei-lee/1dc94ec67fa2a30115a416614dcce750#file-haproxy-config-template-L200-L202
> https://gist.github.com/wei-lee/1dc94ec67fa2a30115a416614dcce750#file-haproxy-config-template-L254-L287
>
> The idea is quite simple: a new mapping file is used to save all the hosts that require CCA. When a match is found for a given request, a new frontend/backend pair will be used. The new frontend/backend pair is similar to the existing be_sni/fe_sni pair, with a few small changes. The first is to add the following new options to the bind statement:
>
> verify optional ca-file /var/lib/haproxy/conf/custom/ca/trust.pem
>
> This will tell HAProxy to perform client certificate authentication. Then the client cert info will be passed to the backend application via a header:
>
> # Set client certificate info
> http-request set-header x-ssl-client-cert %{+Q}[ssl_c_der,base64]
>
> I then created a few configmaps to save the new template file, the new mapping file mentioned above (see this example <https://gist.github.com/wei-lee/756e6afcb4f3778df016d6c56e81206f>), and the CA file for client verification. At last, I attached the configmaps to the router container as PVs, and set the container to use the new HAProxy template.
>
> After redeploying the router, I created a new "Edge" route in OpenShift for my application (see route_config.png <https://gist.github.com/wei-lee/3951ebba7b2c96507d5857efce1a3228#file-route_config-png>). When I navigate to the route in the browser, I get prompted to select the client certificate to use (see select_cert.png <https://gist.github.com/wei-lee/3951ebba7b2c96507d5857efce1a3228#file-select_cert-png>). Once the right cert is selected, the request is proxied to my backend application, and my backend application can still access the client cert info (see client_cert.png <https://gist.github.com/wei-lee/3951ebba7b2c96507d5857efce1a3228#file-client_cert-png>).
>
> So based on the POC, I think we can add support for CCA in OpenShift routes, and here is the proposal for how to implement it:
>
> In the route config page, a few new fields can be added. These fields will allow developers to configure whether they want to enable CCA, and upload the CA file for client verification. The backend model that represents the route configuration should be updated as well to persist the new CCA info.
>
> When updating the HAProxy config file, new files should be created, including:
> - a mapping file to record which routes require CCA
> - each CCA CA file should be written to a single file on disk
>
> For each of the routes that requires CCA, a new backend/frontend pair should be added to the HAProxy config template file. Each frontend will be bound to a new port, and use the CA file that is specified for the route to perform CCA.
>
> So am I on the right track here, or is there a better way to do it? If I want to implement this feature, where is the best place to start? Also, who is the best person to ask questions around routers? Any other suggestions/feedback/thoughts?
>
> Thank you!
>
> --
> WEI LI
> SENIOR SOFTWARE ENGINEER
> Red Hat Mobile <https://www.redhat.com/>
> [email protected] M: +353862393272
_______________________________________________
dev mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
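As an added example (not the thread's own template and not the OpenShift router's code), the HAProxy fragment below sketches the frontend/backend pair the proposal describes: an SNI map file selects the hosts that need CCA, the dedicated frontend binds with "verify" and "ca-file", and the verified client certificate is forwarded to the application in headers. The map file path, the loopback port 10445, the server certificate path and the backend address are assumptions; only the trust.pem path and the x-ssl-client-cert header come from the thread.

```haproxy
# Added example, not the thread's template. Assumed inputs:
#   /var/lib/haproxy/conf/cca_hosts.map        one "hostname 1" line per host needing CCA (constructed)
#   /var/lib/haproxy/conf/custom/server.pem    server cert + key for the CCA frontend (assumed path)
#   /var/lib/haproxy/conf/custom/ca/trust.pem  CA bundle for client verification (from the thread)
#   127.0.0.1:10445                            loopback port for the CCA frontend (assumed)

frontend public_ssl
    bind :443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Hosts listed in the map go to the CCA-terminating pair; everything else keeps the existing be_sni path.
    acl cca_host req_ssl_sni,lower,map_str(/var/lib/haproxy/conf/cca_hosts.map) -m found
    use_backend be_cca if cca_host
    default_backend be_sni

backend be_cca
    mode tcp
    # PROXY protocol carries the real client address across the loopback hop.
    server fe_cca 127.0.0.1:10445 weight 1 send-proxy

frontend fe_cca
    mode http
    # "verify required" refuses handshakes without a certificate chaining to trust.pem.
    # The thread uses "verify optional"; in that mode a client without a certificate still
    # reaches the application, which must then check x-ssl-client-verify itself.
    bind 127.0.0.1:10445 ssl crt /var/lib/haproxy/conf/custom/server.pem verify required ca-file /var/lib/haproxy/conf/custom/ca/trust.pem accept-proxy
    # set-header replaces any client-supplied copy, so the app only ever sees HAProxy's value.
    http-request set-header x-ssl-client-cert %{+Q}[ssl_c_der,base64]
    # 0 means the chain verified against trust.pem; non-zero is the OpenSSL verify error code.
    http-request set-header x-ssl-client-verify %[ssl_c_verify]
    http-request set-header x-ssl-client-dn %{+Q}[ssl_c_s_dn]
    default_backend be_app

backend be_app
    mode http
    server app1 10.0.0.10:8080 check
```

The headers are only trustworthy because the application is reachable solely through fe_cca; if it is also exposed on another path, a caller on that path could supply its own x-ssl-client-cert value.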
