[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Fwd: a proposal to add support for client certificate authentication in OpenShift Routes



Sorry for sending this again, but forgot to add formatting last time. Should look better this time :)

Hi,

Recently we have a requirement to support client certificate authentication for an application that is deployed on OpenShift. I get it working using the “Passthrough” mode with the OpenShift router. However, the downside is that I also have to manage SSL inside my application, rather than taking advantage of the OpenShift routes.

But given that OpenShift routers are based on HAProxy, and HAProxy does support client certification authentication, I did a small POC to prove that OpenShift routers can perform client certificate authentication as well, and here is what I did:

  1. I modified the original haproxy-config.template file, added the following sections:

    The idea is quite simple: A new mapping file is used to save all the hosts that require CCA. When a match is found for a given request, a new frontend/backend pair will be used. The new frontend/backend pair is similar to the existing be_sni/fe_sni pair, with a few small changes. The first is to add the following new options to the bind statement:

    verify optional ca-file /var/lib/haproxy/conf/custom/ca/trust.pem
    

    This will tell HAProxy to perform client certificate authentication.
    Then the client cert info will be passed to the backend application via a header:

    # Set client certificate info
    http-request set-header x-ssl-client-cert %{+Q}[ssl_c_der,base64]
    
  2. I then created a few configmaps to save the new template file, the new mapping file mentioned above (see this example), and the CA file for client verification.
  3. At last, I attached the configmaps to the router container as PVs, and set the container to use the new HAProxy template.

After redeploy the router, I created a new “Edge” route in OpenShift for my application (see route_config.png). When I navigate to the route in the browser, I got prompted to select the client certificate to use (see select_cert.png). Once the right cert is selected, the request is proxied to my backend application, and my backend application can still access the client cert info (see client_cert.png).

So based on the POC, I think we can add support for CCA in OpenShift routes, and here is the proposal for how to implement it:

  1. In the route config page, a few new fields can be added. These fields will allow developers to config if they want to enable CCA, and upload the CA file to client verification
  2. The backend model represents the route configuration should be updated as well to persist the new CCA info.
  3. When updating the HAproxy config file, new files should be created, including:
    • a mapping file to record what routes requires CCA
    • each CCA CA file should be written to a single file on disk
  4. For each of the route that requires CCA, a new backend/frontend pair should be added to the HAproxy config template file. Each frontend will be bound to a new port, and use CA file that is specified for the route to perform CCA.

So am I on the right track here, or is there a better way to do it? If I want to implement this feature, where is best place to start? Also who is the best person to ask questions around routers? Any other suggestions/feedbacks/thoughts?

Thank you!

WEI LI

SENIOR SOFTWARE ENGINEER

Red Hat Mobile

weil redhat com M: +353862393272


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]