|
1 | | -# GEP-91: Client Certificate Validation for TLS terminating at the Gateway Listener |
| 1 | +# GEP-91: Client Certificate Validation for TLS terminating at the Gateway |
2 | 2 |
|
3 | 3 | * Issue: [#91](https://github.com/kubernetes-sigs/gateway-api/issues/91) |
4 | 4 | * Status: Implementable |
|
8 | 8 | ## TLDR |
9 | 9 |
|
10 | 10 | This GEP proposes a way to validate the TLS certificate presented by the frontend client to the server |
11 | | -(Gateway Listener in this case) during a [TLS Handshake Protocol][]. |
| 11 | +(Gateway in this case) during a [TLS Handshake Protocol][]. |
12 | 12 |
|
13 | 13 | ## Goals |
14 | 14 |
|
15 | | -* Define an API field to specify the CA Certificate within the Gateway Listener configuration that can be used as a trust anchor to validate the certificates presented by the client. This use case has been highlighted in the [TLS Configuration GEP][] under segment 1 and in the [Gateway API TLS Use Cases][] document under point 7. |
| 15 | +* Define an API field to specify the CA Certificate within the Gateway configuration that can be used as a trust anchor to validate the certificates presented by the client. |
| 16 | +This use case has been highlighted in the [TLS Configuration GEP][] under segment 1 and in the [Gateway API TLS Use Cases][] document under point 7. |
| 17 | +* Ensure the configuration mitigates the authentication bypass risks associated with HTTP/2 connection coalesing as described in [GEP-3567](https://gateway-api.sigs.k8s.io/geps/gep-3567/#interaction-with-client-cert-validation). |
| 18 | +* Supporting a mode where validating client certificates is optional, useful for debugging and migrating to strict TLS. |
16 | 19 |
|
17 | 20 | ## Non-Goals |
18 | 21 | * Define other fields that can be used to verify the client certificate such as the Certificate Hash. |
19 | 22 |
|
20 | | -## Existing support in Implementations |
21 | | - |
22 | | -This feature is widely supported in implementations that support Gateway API. |
23 | | -This table highlights the support. Please feel free to add any missing implementations not mentioned below. |
24 | | - |
25 | | -| Implementation | Support | |
26 | | -|----------------|------------| |
27 | | -| Apache APISIX | [ApisixTls.Client.CASecret](https://apisix.apache.org/docs/ingress-controller/tutorials/mtls/#mutual-authentication) | |
28 | | -| Contour | [HTTPProxy.Spec.VirtualHost.Tls.ClientValidation.CASecret](https://projectcontour.io/docs/v1.17.1/config/tls-termination/) | |
29 | | -| Emissary Ingress| [TlSContext.Spec.Secret](https://www.getambassador.io/docs/emissary/latest/topics/running/tls/mtls) | |
30 | | -| Gloo Edge | [VirtualService.Spec.SSLConfig.SecretRef](https://docs.solo.io/gloo-edge/latest/guides/security/tls/server_tls/#configuring-downstream-mtls-in-a-virtual-service) | |
31 | | -| Istio | [Gateway.Spec.Servers.TLS.Mode](https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-mutual-tls-ingress-gateway) | |
32 | | -| Kong | [mTLS Plugin](https://docs.konghq.com/hub/kong-inc/mtls-auth/) | |
33 | | -| Traefik | [TLSOption.Spec.ClientAuth](https://doc.traefik.io/traefik/https/tls/#client-authentication-mtls) | |
34 | | -| NGINX Ingress Controller | [ingressMTLS](https://docs.nginx.com/nginx-ingress-controller/configuration/policy-resource/#ingressmtls) | |
35 | | - |
36 | 23 | ### API |
37 | 24 |
|
38 | 25 | * Introduce a `FrontendValidation` field of type `FrontendTLSValidation` within [GatewayTLSConfig][] that can be used to validate the peer (frontend) with which the TLS connection is being made. |
@@ -151,10 +138,50 @@ spec: |
151 | 138 | This section highlights use cases that may be covered in a future iteration of this GEP |
152 | 139 |
|
153 | 140 | * Using system CA certificates as the trust anchor to validate the certificates presented by the frontend client. |
154 | | -* Supporting a mode where validating client certificates is optional, useful for debugging and migrating to strict TLS. |
155 | 141 | * Supporting an optional `subjectAltNames` field within `FrontendTLSValidation` that can be used to specify one or more alternate names to verify the subject identity in the certificate presented by the client. This field falls under Authorization, the initial focus here is on Client Authentication and will be revisited when Authorization is tackled as a whole in the project. |
156 | 142 | * Specifying the verification depth in the client certificate chain. This is being deferred because the default verification depth differs across implementations. |
157 | 143 |
|
| 144 | +## Existing support in Implementations |
| 145 | + |
| 146 | +This feature is already widely supported by implementations that conform to the Gateway API. |
| 147 | +The table below summarizes current support. Please feel free to add any implementations that are missing. |
| 148 | +This GEP aims to standardize this behavior as an official part of the upstream specification. |
| 149 | + |
| 150 | +| Implementation | Support | Granularity | Inline vs Policy | |
| 151 | +|------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|------------------| |
| 152 | +| Acnodal EPIC | | | | |
| 153 | +| Airlock Microgateway | [SidecarGateway.spec.applications[].downstream.tls.clientCertificate](https://docs.airlock.com/microgateway/latest/index/api/crds/sidecar-gateway/v1alpha1/index.html#sidecargatewayspecapplicationsdownstreamtls) | Per Listener | Inline | |
| 154 | +| Amazon Elastic Kubernetes Service | | | | |
| 155 | +| Apache APISIX | [ApisixTls.Client.CASecret](https://apisix.apache.org/docs/ingress-controller/tutorials/mtls/#mutual-authentication) | Per SNI | | |
| 156 | +| Avi Kubernetes Operator | | | | |
| 157 | +| Azure Application Gateway for Containers | [FrontendTLSPolicy](https://learn.microsoft.com/en-us/azure/application-gateway/for-containers/api-specification-kubernetes#alb.networking.azure.io/v1.FrontendTLSPolicy) | Per Gateway & Per Listener | Policy | |
| 158 | +| Cilium | | | | |
| 159 | +| Contour | [HTTPProxy.Spec.VirtualHost.Tls.ClientValidation.CASecret](https://projectcontour.io/docs/v1.17.1/config/tls-termination/) | Per SNI | Inline | |
| 160 | +| Easegress | | | | |
| 161 | +| Emissary Ingress | [TlSContext.Spec.CASecret](https://www.getambassador.io/docs/emissary/latest/howtos/client-cert-validation) | Per SNI | Policy | |
| 162 | +| Envoy Gateway | [ClientTrafficPolicy.Spec.TLS.ClientValidation](https://gateway.envoyproxy.io/docs/api/extension_types/#clientvalidationcontext) | Per Gateway & Per Listener | Policy | |
| 163 | +| Flomesh Service Mesh | | | | |
| 164 | +| Gloo Gateway | [VirtualService.Spec.SSLConfig.SecretRef](https://docs.solo.io/gloo-edge/latest/guides/security/tls/server_tls/#configuring-downstream-mtls-in-a-virtual-service) | Per SNI | Inline | |
| 165 | +| Google Cloud Service Mesh | | | | |
| 166 | +| Google Kubernetes Engine | | | | |
| 167 | +| HAProxy Ingress | | | | |
| 168 | +| HAProxy Kubernetes Ingress Controller | [ca-file](https://www.haproxy.com/documentation/haproxy-configuration-tutorials/security/authentication/client-certificate-authentication/#sidebar) | Per SNI | Inline | |
| 169 | +| HashiCorp Consul | [file-system-certificate](https://developer.hashicorp.com/consul/docs/north-south/api-gateway/secure-traffic/encrypt) | Per Listener | Policy | |
| 170 | +| Istio | [Gateway.Spec.Servers.TLS.Mode](https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-mutual-tls-ingress-gateway) | Per Server | Inline | |
| 171 | +| kgateway | | | | |
| 172 | +| Kong Kubernetes Ingress Controller | [mTLS Plugin](https://docs.konghq.com/hub/kong-inc/mtls-auth/) | Per HTTP Proxy (Host/Port) | Policy | |
| 173 | +| Kong Gateway Operator | [mTLS Plugin](https://docs.konghq.com/hub/kong-inc/mtls-auth/) | Per HTTP Proxy (Host/Port) | Policy | |
| 174 | +| Kuma | | | | |
| 175 | +| Linkerd | | | | |
| 176 | +| LiteSpeed Ingress Controller | | | | |
| 177 | +| LoxiLB | | | | |
| 178 | +| NGINX Gateway Fabric | [ingressMTLS](https://docs.nginx.com/nginx-ingress-controller/configuration/policy-resource/#ingressmtls) | Per Listener | Policy | |
| 179 | +| ngrok Kubernetes Operator | [TrafficPolicy.Terminate-TLS.Config.MutualTLSCertificateAuthorities](https://ngrok.com/docs/traffic-policy/actions/terminate-tls/#configuration-reference) | Per Endpoint (Host:Port) | Policy | |
| 180 | +| STUNner | | | | |
| 181 | +| Traefik Proxy | [TLSOption.Spec.ClientAuth](https://doc.traefik.io/traefik/https/tls/#client-authentication-mtls) | Per EntryPoint | Inline | |
| 182 | +| Tyk | [Enable Client Certificate](https://tyk.io/docs/basic-config-and-security/security/mutual-tls/client-mtls/#why-use-mutual-tls) | Per Gateway | Policy | |
| 183 | +| WSO2 APK | [Authentication.Spec.Default.AuthTypes.MTLS](https://apk.docs.wso2.com/en/latest/catalogs/crds/authentication_types/#dp.wso2.com/v1alpha2.MutualSSLConfig) | Per API | Policy | |
| 184 | +| Ingress-NGINX | [nginx.ingress.kubernetes.io/auth-tls-verify-client](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#client-certificate-authentication) | Per Ingress | Inline | |
158 | 185 |
|
159 | 186 | ## References |
160 | 187 |
|
|
0 commit comments