
Implement client-side mTLS support settings

Open andsens opened this issue 1 year ago • 9 comments

See #696

This is far from done. I tested it and quickly ran into issues with cert-manager:

{"level":"error","time":"2023-07-19T13:12:34Z","msg":"looking up info for HTTP challenge","service":"autocert","host":"test.example.com","error":"no information found to solve challenge for identifier: test.example.com"}
{"level":"error","error":"a valid client certificate is required to access this page","status":495,"status-text":"a valid client certificate is required to access this page","request-id":"c28412c5-e6c5-429e-a062-47ab3ad0585d","time":"2023-07-19T13:12:34Z","message":"httputil: error"}
{"level":"info","service":"authorize","request-id":"c28412c5-e6c5-429e-a062-47ab3ad0585d","check-request-id":"c28412c5-e6c5-429e-a062-47ab3ad0585d","method":"GET","path":"/.well-known/acme-challenge/i2K0F783PCrFnPkXh2jk2njfSn4GASGPhBOPnX0wvhk","host":"test.example.com","query":"","ip":"100.103.219.130","allow":true,"allow-why-true":["accept"],"deny":true,"deny-why-true":["invalid-client-certificate"],"user":"","email":"","time":"2023-07-19T13:12:34Z","message":"authorize check"}
{"level":"info","service":"envoy","upstream-cluster":"","method":"GET","authority":"test.example.com","path":"/.well-known/acme-challenge/i2K0F783PCrFnPkXh2jk2njfSn4GASGPhBOPnX0wvhk","user-agent":"cert-manager-challenges/v1.9.1 (linux/amd64) cert-manager/4486c01f726f17d2790a8a563ae6bc6e98465505","referer":"http://test.example.com/.well-known/acme-challenge/i2K0F783PCrFnPkXh2jk2njfSn4GASGPhBOPnX0wvhk","forwarded-for":"100.103.219.130","request-id":"c28412c5-e6c5-429e-a062-47ab3ad0585d","duration":4.265011,"size":1560,"response-code":495,"response-code-details":"ext_authz_denied","time":"2023-07-19T13:12:34Z","message":"http-request"}

The autocert thing is a bit concerning, I thought that was disabled in Kubernetes? I also tried setting ingress.pomerium.io/allow_any_authenticated_user: 'true' on the acme solver ingress, but that gave the same errors. It would seem that the client cert requirement kicks in before the authentication check is performed?

andsens avatar Jul 19 '23 13:07 andsens
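Triage of the authorize-check log lines above, as an added example that is not code from the issue or from Pomerium: it parses the JSON entries and flags ACME HTTP-01 challenge requests that matched an allow rule but were still denied by the client-certificate check, which is the symptom reported here. The sample lines are constructed to mirror the log format; request-ids and tokens are made up.

```python
import json
from collections import Counter

# Constructed sample lines modelled on the "authorize check" entries in this issue
# (not a real capture; request-ids, tokens and hosts are made up).
SAMPLE_LOGS = [
    '{"level":"info","service":"authorize","request-id":"r-1","method":"GET",'
    '"path":"/.well-known/acme-challenge/tokenA","host":"test.example.com",'
    '"allow":true,"allow-why-true":["accept"],"deny":true,'
    '"deny-why-true":["invalid-client-certificate"],"message":"authorize check"}',
    '{"level":"info","service":"authorize","request-id":"r-2","method":"GET",'
    '"path":"/app","host":"test.example.com","allow":true,"allow-why-true":["accept"],'
    '"deny":true,"deny-why-true":["invalid-client-certificate"],"message":"authorize check"}',
    '{"level":"info","service":"authorize","request-id":"r-3","method":"GET",'
    '"path":"/.well-known/acme-challenge/tokenB","host":"test.example.com",'
    '"allow":true,"allow-why-true":["accept"],"deny":false,"deny-why-true":[],'
    '"message":"authorize check"}',
    'not json at all',
]

ACME_PREFIX = "/.well-known/acme-challenge/"


def parse_authorize_checks(lines):
    """Yield decoded 'authorize check' entries; skip non-JSON lines and other services."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("service") == "authorize" and entry.get("message") == "authorize check":
            yield entry


def blocked_acme_challenges(lines):
    """Return (request-id, host, path) for ACME challenge requests that an allow rule
    accepted but the client-certificate deny rule overrode."""
    hits = []
    for e in parse_authorize_checks(lines):
        if not e.get("path", "").startswith(ACME_PREFIX):
            continue
        if e.get("allow") and e.get("deny") and "invalid-client-certificate" in e.get("deny-why-true", []):
            hits.append((e["request-id"], e["host"], e["path"]))
    return hits


def deny_reason_counts(lines):
    """Count deny reasons across all authorize checks, to see how widespread the override is."""
    return Counter(r for e in parse_authorize_checks(lines) for r in e.get("deny-why-true", []))


if __name__ == "__main__":
    for rid, host, path in blocked_acme_challenges(SAMPLE_LOGS):
        print(f"{rid}: {host}{path} denied by client-cert check despite matching allow rule")
    print(dict(deny_reason_counts(SAMPLE_LOGS)))
```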