nginx-gateway-fabric
Add support for backend tls config for Gateways
Proposed changes
Problem: Users want to be able to specify their gateway's identity when communicating with the backend pods.
Solution: Add a field to provide a Secret name that stores that gateway's cert and key, to be used in the TLS handshake with backend pods.
NOTE: I refactored this test because such large tests were not easy to debug as part of this PR.
Ran unit tests multiple times to avoid data race situations.
- Some fields conform to Gateway API 1.3. They need to be updated once Gateway API 1.4 is released; depending on how far off that is, I'll decide whether to wait before merging or merge now and update later.
Testing: unit tests added as needed. No IPv6 testing done for this (not related to ports or the in-container network).
Manual tests
Tested with "Securing backend traffic", additionally having the backend require client certificates and ensuring they are signed by the right CN to verify identity.
my secure-app config

```nginx
server {
    listen 8443 ssl;
    listen [::]:8443 ssl;
    server_name secure-app.example.com;
    default_type text/plain;

    ssl_certificate     /etc/nginx/ssl/secret/tls.crt;
    ssl_certificate_key /etc/nginx/ssl/secret/tls.key;

    # Require a client certificate from the gateway, verified against this CA
    ssl_client_certificate /etc/nginx/ssl/ca-cert/ca.crt;
    ssl_verify_client on;

    # Enable access logging (the ssl_log log_format is defined in the http context, not shown here)
    access_log /var/log/nginx/access.log ssl_log;

    location / {
        return 200 "hello from pod secure-app\n";
    }
}
```
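The backend config above proves that the gateway presented a certificate chaining to the CA (`ssl_verify_client on`), but nginx does not check which subject the CA signed; the `CN=gateway` in the logs is only observed, not enforced. The following is an added example, not code from this PR or the project, showing the same backend with the `ssl_log` format spelled out and the client subject pinned so that any other certificate issued by the same CA is refused. File paths, the log format and the expected DN `CN=gateway` are assumptions taken from the manual test above.

```nginx
# Added example (not from the PR): backend that verifies the gateway's
# client certificate chain AND pins the expected subject.
# Belongs in the http context of the backend's nginx.conf.

# Produces lines like:
#   10.244.0.117 ssl_client_verify=SUCCESS ssl_client_subject=CN=gateway
log_format ssl_log '$remote_addr ssl_client_verify=$ssl_client_verify '
                   'ssl_client_subject=$ssl_client_s_dn';

server {
    listen 8443 ssl;
    listen [::]:8443 ssl;
    server_name secure-app.example.com;
    default_type text/plain;

    # Server identity presented to the gateway (proxy_ssl_verify checks this
    # against the CA bundle referenced by proxy_ssl_trusted_certificate).
    ssl_certificate     /etc/nginx/ssl/secret/tls.crt;
    ssl_certificate_key /etc/nginx/ssl/secret/tls.key;

    # CA that issued the gateway's client certificate. With this alone the
    # backend accepts ANY certificate chaining to the CA, whatever its CN.
    ssl_client_certificate /etc/nginx/ssl/ca-cert/ca.crt;
    ssl_verify_client on;

    access_log /var/log/nginx/access.log ssl_log;

    location / {
        # Pin the subject as well. $ssl_client_s_dn is in RFC 2253 form
        # ("CN=gateway"), matching what the access log shows. A certificate
        # from the same CA but a different subject gets 403 instead of 200.
        if ($ssl_client_s_dn != "CN=gateway") {
            return 403 "client certificate subject not allowed\n";
        }
        return 200 "hello from pod secure-app\n";
    }
}
```

If the gateway certificate in the test had been issued with a different CN, the handshake would still have succeeded with the original config; with this variant the request is rejected at the application layer while the handshake itself is unchanged.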
NGF config

```nginx
# Gateway Certificate
proxy_ssl_certificate /etc/nginx/secrets/ssl_keypair_default_gateway-presents-this-cert-for-validation.pem;
proxy_ssl_certificate_key /etc/nginx/secrets/ssl_keypair_default_gateway-presents-this-cert-for-validation.pem;

js_preload_object matches from /etc/nginx/conf.d/matches.json;

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    default_type text/html;
    return 404;
}

server {
    listen 80;
    listen [::]:80;
    server_name secure-app.example.com;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Host "$gw_api_compliant_host";
        proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
        proxy_set_header X-Real-IP "$remote_addr";
        proxy_set_header X-Forwarded-Proto "$scheme";
        proxy_set_header X-Forwarded-Host "$host";
        proxy_set_header X-Forwarded-Port "$server_port";
        proxy_set_header Upgrade "$http_upgrade";
        proxy_set_header Connection "$connection_upgrade";
        proxy_pass https://default_secure-app_8443$request_uri;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_name secure-app.example.com;
        proxy_ssl_trusted_certificate /etc/nginx/secrets/cert_bundle_default_backend-cert.crt;
    }
}
```
Curl and logs to verify the client. I signed the CA with the gateway CN, so that's what we should see logged in the backend:

```shell
curl -v --resolve secure-app.example.com:$GW_PORT:$GW_IP http://secure-app.example.com:$GW_PORT/
hello from pod secure-app

k logs secure-app-69c558d9d9-lwcjl
10.244.0.117 ssl_client_verify=SUCCESS ssl_client_subject=CN=gateway
10.244.0.117 ssl_client_verify=SUCCESS ssl_client_subject=CN=gateway
```
Closes #3153
Checklist
- [x] I have read the CONTRIBUTING doc
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] I have checked that all unit tests pass after adding my changes
- [x] I have updated necessary documentation
- [x] I have rebased my branch onto main
- [x] I will ensure my PR is targeting the main branch and pulling from my branch from my own fork
Release notes
Added support for configuring backend TLS on Gateways to enable secure communication between the gateway and pods.