
HTTPProxy: Configuring/disabling sending Envoy client cert to upstream services

Open sunjayBhatia opened this issue 2 years ago • 2 comments

Please describe the problem you have

Contour currently allows configuration of a global client certificate Envoy will present to upstream services: https://projectcontour.io/docs/v1.24.1/configuration/#envoy-client-certificate

This is a global configuration that cannot be overridden for a particular service. Users may want to override or disable sending the client certificate for a particular application in a multi-tenant scenario to prevent changing the global client cert and impacting the rest of the cluster.

Some options here:

  • Add to the UpstreamValidation struct: https://projectcontour.io/docs/v1.24.1/config/api/#projectcontour.io/v1.UpstreamValidation
    • add options to disable sending client cert, customizing a particular client cert, etc.
    • since this type is used in a few places, have to be sure any changes are applicable in those uses
  • rather add a top-level field on the Service?

Relevant code:

  • https://github.com/projectcontour/contour/blob/fea8d13050727f2d488573f1f985eeae3ba8bb14/internal/dag/httpproxy_processor.go#L919-L927
  • https://github.com/projectcontour/contour/blob/fea8d13050727f2d488573f1f985eeae3ba8bb14/internal/envoy/v3/auth.go#L29-L35

sunjayBhatia, Feb 28 '23 18:02
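To make the precedence the issue is asking for concrete, here is a small added example (not Contour's code; the types and the `ResolveUpstreamClientCert` function are hypothetical) that resolves which client certificate an upstream cluster should present: a per-service "disabled" setting wins, then a per-service secret override, and only then the global default from the Contour configuration. It also rejects the contradictory case of disabling and overriding at the same time, which is the kind of validation the DAG processor would need.

```go
package main

import (
	"errors"
	"fmt"
)

// ClientCertRef names a Kubernetes TLS secret (namespace/name) holding the
// client certificate Envoy presents to an upstream. Hypothetical type.
type ClientCertRef struct {
	Namespace, Name string
}

// ServiceClientCert is the hypothetical per-service override sketched in the
// issue: either disable the client cert for this service or name a different secret.
type ServiceClientCert struct {
	Disabled  bool
	SecretRef *ClientCertRef
}

// ResolveUpstreamClientCert returns the secret the upstream cluster should use,
// or nil when no client cert is to be sent. Precedence: per-service disable,
// per-service override, global default.
func ResolveUpstreamClientCert(global *ClientCertRef, svc *ServiceClientCert) (*ClientCertRef, error) {
	if svc != nil {
		if svc.Disabled && svc.SecretRef != nil {
			return nil, errors.New("clientCertificate: disabled and secretName are mutually exclusive")
		}
		if svc.Disabled {
			return nil, nil // explicit opt-out; do not fall back to the global cert
		}
		if svc.SecretRef != nil {
			return svc.SecretRef, nil
		}
	}
	return global, nil
}

func main() {
	// Constructed sample values, not from any real cluster.
	global := &ClientCertRef{Namespace: "projectcontour", Name: "envoy-client-cert"}
	tenant := &ClientCertRef{Namespace: "tenant-a", Name: "tenant-a-client-cert"}

	for _, svc := range []*ServiceClientCert{nil, {Disabled: true}, {SecretRef: tenant}} {
		ref, err := ResolveUpstreamClientCert(global, svc)
		fmt.Printf("service=%+v -> cert=%+v err=%v\n", svc, ref, err)
	}
}
```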

+1 I've also heard requests at my organization for an option to set different client certs per target service. If interpreting very strictly, client-authentication-related parameters do not fit into services.validation since it is not about validation. For symmetry against downstream, it could have been services.tls.secretName but since we already have services.validation it probably would look strange too :)

tsaarni, Feb 28 '23 18:02

moving to 1.27.0 as 1.26.0 is coming up soon

sunjayBhatia, Aug 09 '23 00:08