[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Fwd: a proposal to add support for client certificate authentication in OpenShift Routes

Hi Aleksandar,

Yes, i think annotation is probably the best place to store the CCA options. However, the challenge for any developer wants to enable CCA is really about the changes required to the HAproxy config template. In this case, the single frontend/backend to handle all SSL connections is not enough, a new pair of them is needed to handle each route that requires CCA. So my proposal is really about get template changes into default one, to make it as easy as possible for developers to enable CCA. 

At the minimum, it will be good to have detailed docs to explain how to enable CCA with customised template and annotations, which I can't find any at the moment.


On 23 Nov 2017 11:04 p.m., "Aleksandar Lazic" <openshift-dev me2digital com> wrote:
Hi Wei.

just for my curiosity was this described solution not a possible solution?


Best Regards

------ Originalnachricht ------
Von: "Wei Li" <weil redhat com>
An: dev lists openshift redhat com
Gesendet: 23.11.2017 18:05:28
Betreff: Fwd: a proposal to add support for client certificate authentication in OpenShift Routes

Sorry for sending this again, but forgot to add formatting last time. Should look better this time :)


Recently we have a requirement to support client certificate authentication for an application that is deployed on OpenShift. I get it working using the “Passthrough” mode with the OpenShift router. However, the downside is that I also have to manage SSL inside my application, rather than taking advantage of the OpenShift routes.

But given that OpenShift routers are based on HAProxy, and HAProxy does support client certification authentication, I did a small POC to prove that OpenShift routers can perform client certificate authentication as well, and here is what I did:

I modified the original haproxy-config.template file, added the following sections:

https://gist.github.com/wei-lee/1dc94ec67fa2a30115a416614dcce750#file-haproxy-config-template-L200-L202 https://gist.github.com/wei-lee/1dc94ec67fa2a30115a416614dcce750#file-haproxy-config-template-L254-L287
The idea is quite simple: A new mapping file is used to save all the hosts that require CCA. When a match is found for a given request, a new frontend/backend pair will be used. The new frontend/backend pair is similar to the existing be_sni/fe_sni pair, with a few small changes. The first is to add the following new options to the bind statement:

verify optional ca-file /var/lib/haproxy/conf/custom/ca/trust.pem

This will tell HAProxy to perform client certificate authentication.
Then the client cert info will be passed to the backend application via a header:

# Set client certificate info
http-request set-header x-ssl-client-cert %{+Q}[ssl_c_der,base64]

I then created a few configmaps to save the new template file, the new mapping file mentioned above (see this example <https://gist.github.com/wei-lee/756e6afcb4f3778df016d6c56e81206f>), and the CA file for client verification. At last, I attached the configmaps to the router container as PVs, and set the container to use the new HAProxy template.
After redeploy the router, I created a new “Edge” route in OpenShift for my application (see route_config.png <https://gist.github.com/wei-lee/3951ebba7b2c96507d5857efce1a3228#file-route_config-png>). When I navigate to the route in the browser, I got prompted to select the client certificate to use (see select_cert.png <https://gist.github.com/wei-lee/3951ebba7b2c96507d5857efce1a3228#file-select_cert-png>). Once the right cert is selected, the request is proxied to my backend application, and my backend application can still access the client cert info (see client_cert.png <https://gist.github.com/wei-lee/3951ebba7b2c96507d5857efce1a3228#file-client_cert-png>).

So based on the POC, I think we can add support for CCA in OpenShift routes, and here is the proposal for how to implement it:

In the route config page, a few new fields can be added. These fields will allow developers to config if they want to enable CCA, and upload the CA file to client verification The backend model represents the route configuration should be updated as well to persist the new CCA info. When updating the HAproxy config file, new files should be created, including: a mapping file to record what routes requires CCA each CCA CA file should be written to a single file on disk For each of the route that requires CCA, a new backend/frontend pair should be added to the HAproxy config template file. Each frontend will be bound to a new port, and use CA file that is specified for the route to perform CCA.
So am I on the right track here, or is there a better way to do it? If I want to implement this feature, where is best place to start? Also who is the best person to ask questions around routers? Any other suggestions/feedbacks/thoughts?

Thank you!



Red Hat Mobile <https://www.redhat.com/>

weil redhat com    M: +353862393272 <tel:+353862393272>


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]