gateway icon indicating copy to clipboard operation
gateway copied to clipboard
verified publisher icon envoyproxy

Implementation GEP-91: Client Certificate Validation for TLS

Open zufardhiyaulhaq opened this issue 1 year ago • 9 comments

What type of PR is this? Implementation of https://github.com/envoyproxy/gateway/issues/3316 https://gateway-api.sigs.k8s.io/geps/gep-91/

What this PR does / why we need it: full filling https://gateway-api.sigs.k8s.io/geps/gep-91/

Which issue(s) this PR fixes: https://github.com/envoyproxy/gateway/issues/3316

Fixes # N/A

zufardhiyaulhaq avatar Jun 05 '24 15:06 zufardhiyaulhaq

hey @zufardhiyaulhaq any update on this one, would be great to get this into v1.1

arkodg avatar Jun 25 '24 16:06 arkodg

Hi @arkodg sorry little bit busy in the last month and I forgot to push the changes to git and lost some code change, will try to get the initial code done by this week

zufardhiyaulhaq avatar Jun 28 '24 17:06 zufardhiyaulhaq

np thanks for the update @zufardhiyaulhaq !

arkodg avatar Jun 28 '24 23:06 arkodg

Codecov Report

Attention: Patch coverage is 1.09890% with 90 lines in your changes missing coverage. Please review.

Project coverage is 68.52%. Comparing base (2a86997) to head (c532aab). Report is 1245 commits behind head on main.

Files with missing lines Patch % Lines
internal/gatewayapi/validate.go 0.00% 83 Missing and 2 partials :warning:
internal/gatewayapi/listener.go 25.00% 2 Missing and 1 partial :warning:
internal/gatewayapi/contexts.go 0.00% 2 Missing :warning:

:x: Your patch status has failed because the patch coverage (1.09%) is below the target coverage (60.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3548      +/-   ##
==========================================
- Coverage   68.55%   68.52%   -0.03%     
==========================================
  Files         170      175       +5     
  Lines       20690    21616     +926     
==========================================
+ Hits        14183    14812     +629     
- Misses       5492     5724     +232     
- Partials     1015     1080      +65

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

:rocket: New features to boost your workflow:
  • :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

codecov[bot] avatar Jun 30 '24 16:06 codecov[bot]

todo: add test

zufardhiyaulhaq avatar Jun 30 '24 16:06 zufardhiyaulhaq

@zufardhiyaulhaq Thanks for working on this!

Looks like the ClientTrafficPolicy.Spec.TLS.ClientValidation.CACertificateRefs will overwrite the listener.TLS.FrontendValidation.CACertificateRefs? I think those CAs in both places should be used in the IR listener TLS for back compatibility.

Additionally, it would be nice to have a test covering the scenario where both ClientTrafficPolicy.Spec.TLS.ClientValidation.CACertificateRefs and listener.TLS.FrontendValidation.CACertificateRefs are used for the listener's client CA configuration.

zhaohuabing avatar Jul 25 '24 05:07 zhaohuabing

hey @zufardhiyaulhaq can you address the comments ?

arkodg avatar Aug 12 '24 20:08 arkodg

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. Please feel free to give a status update now, ping for review, when it's ready. Thank you for your contributions!

github-actions[bot] avatar Sep 12 '24 00:09 github-actions[bot]

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. Please feel free to give a status update now, ping for review, when it's ready. Thank you for your contributions!

github-actions[bot] avatar Oct 12 '24 04:10 github-actions[bot]

closing this PR since its become inactive, feel free to reopen if you're still working on it

arkodg avatar May 23 '25 02:05 arkodg