Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable GatewayInvalidTLSConfiguration conformance test #783

Closed
arkodg opened this issue Dec 8, 2022 · 3 comments · Fixed by #868
Closed

Enable GatewayInvalidTLSConfiguration conformance test #783

arkodg opened this issue Dec 8, 2022 · 3 comments · Fixed by #868
Assignees
@LanceEa
Labels
area/conformance Gateway API Conformance Related Issues area/translator Issues related to Gateway's translation service, e.g. translating Gateway APIs into the IR. good first issue Good for newcomers kind/bug Something isn't working priority/high Label used to express the "high" priority level
Milestone
0.3.0-rc.1

Comments

@arkodg
Copy link
Contributor

arkodg commented Dec 8, 2022
edited
Loading

Seeing this conformance test fail in in #780

Once fixed it should be enabled via https://github.com/envoyproxy/gateway/blob/main/test/conformance/conformance_test.go
@arkodg arkodg added kind/bug Something isn't working good first issue Good for newcomers help wanted Extra attention is needed area/translator Issues related to Gateway's translation service, e.g. translating Gateway APIs into the IR. area/conformance Gateway API Conformance Related Issues priority/high Label used to express the "high" priority level labels Dec 8, 2022
@arkodg arkodg added this to the 0.3.0-rc.1 milestone Dec 8, 2022
@arkodg arkodg mentioned this issue Dec 8, 2022
Closed
@LanceEa
Copy link
Contributor

LanceEa commented Jan 4, 2023

@arkodg - I was looking through the milestone for the next release and saw this one. Has anyone picked this one up? Happy to help out on it, unless there is another one like cors support or something that the team would rather be landed first?

@arkodg
Copy link
Contributor Author

arkodg commented Jan 4, 2023

hey @LanceEa feel free to pick this up, and thanks !

@arkodg arkodg removed the help wanted Extra attention is needed label Jan 4, 2023
@LanceEa LanceEa mentioned this issue Jan 6, 2023
Merged
@LanceEa
Copy link
Contributor

LanceEa commented Jan 6, 2023
edited
Loading

Leaving some historical information here for context.

My implementation is based on K8s docs:
https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets

The docs read a little weird in that it implies that it supports der format (binary) but I tested
kubectl create secret tls rsa-pkcs8-tls-secret --cert=./rsa-cert.der --key=./rsa-pkcs8.key --namespace default and K8s will not accept the binary format complaining about not being able to find a cert pem-encoding.

As for the private key, the K8s docs suggest that the private key is in pkcs8 format per this https://datatracker.ietf.org/doc/html/rfc7468#section-11. However, I was able to successfully apply the following:

kubectl create secret tls rsa-pkcs1-tls-secret --cert=./rsa-cert.pem --key=./rsa-pkcs1.key --namespace default
kubectl create secret tls rsa-pkcs8-tls-secret --cert=./rsa-cert.pem --key=./rsa-pkcs8.key --namespace default
kubectl create secret tls ecdsa-p256-tls-secret --cert=./ecdsa-p256-cert.pem --key=./ecdsa-p256.key --namespace default

So, the implementation supports parsing all three types of private keys starting with pkcs8 as the default and falling-back to trying to parse the other formats.

Side-note: conformance doesn't mention whether we should validate anything in the cert. Would be a nice-to-have for a developer dx, where it would also check that the hostname for the listener matches the domains in the cert for sni. This way the platform admin gets feedback before envoy is configured and not working.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@LanceEa LanceEa

Labels
area/conformance Gateway API Conformance Related Issues area/translator Issues related to Gateway's translation service, e.g. translating Gateway APIs into the IR. good first issue Good for newcomers kind/bug Something isn't working priority/high Label used to express the "high" priority level
Projects
None yet
Milestone
0.3.0-rc.1
Development

Successfully merging a pull request may close this issue.

gatewayapi: validate tls secret in listener certificateRef datawire/envoy-gateway
2 participants
@LanceEa @arkodg