
Listener Missing TLS Client Auth #2218

@c-kruse

Describe the bug
From the Listener spec.tlsCredentials documentation:

> The name of a bundle of TLS certificates used for secure client-to-router communication. The bundle contains the server certificate and key. It optionally includes the trusted client certificate (usually a CA) for mutual TLS.

Client TLS Auth is presently never enforced on a Listener (except for passthrough.) The skupper router has a configuration for this that skupper never sets (`tcpListener.authenticatePeer`.)

How To Reproduce

```yaml
---
apiVersion: skupper.io/v2alpha1
kind: Connector
metadata:
  name: firefox-host
spec:
  host: detectportal.firefox.com
  port: 80
  routingKey: firefox
  type: tcp
---
apiVersion: skupper.io/v2alpha1
kind: Listener
metadata:
  name: firefox
spec:
  host: firefox-tls
  port: 443
  routingKey: firefox
  tlsCredentials: firefox-tls
  type: tcp
---
apiVersion: skupper.io/v2alpha1
kind: Certificate
metadata:
  name: firefox-tls
spec:
  ca: skupper-site-ca
  hosts:
  - firefox-tls
  server: true
  subject: firefox-tls
```

- Add some valid connector (chosen a static http endpoint for example.)
- Add a Listener for that connector with `tlsCredentials` set to a valid Secret with certs. Used a Skupper Certificate to generate that Secret for example.
- Observe there is not an option to specify client tls auth (mTLS) on the Listener.
- Observe the Secret can contain a `ca.crt` field.
- Access the listener service using https (without providing client certificates.)

Expected behavior
The documentation indicates to me that this choice should be inferred from the presence of a CA in the tlsCredentials. I am a little wary of that approach, and suspect we could want a more explicit opt-in. For example, some PKIs unconditionally include the issuing certificate along with the serving certificate as a CA: which would force users to introduce some step to duplicate the credentials for Listeners without mTLS.

Environment details

  • Skupper Operator: 2.x
  • Platform: all
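As an added illustration (not code from the issue or from the skupper project), the Go standard library makes the difference visible: `AcceptsAnonymousClient` stands up a throwaway HTTPS listener under a given client-auth policy and probes it with a client that trusts the server but presents no certificate, which is what the reproduction above does against the Listener; `ClientAuthFromCredentials` is a hypothetical helper implementing the inference the documentation implies (require client certs only when the bundle carries a `ca.crt`).

```go
package main

import (
	"crypto/tls"
	"net/http"
	"net/http/httptest"
)

// AcceptsAnonymousClient starts a throwaway HTTPS listener with the given
// client-auth policy and requests it with a client that trusts the server
// certificate but presents none of its own. True means mTLS is not enforced,
// which is the state the issue reports for every non-passthrough Listener.
func AcceptsAnonymousClient(policy tls.ClientAuthType) bool {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte("reached backend")) // stands in for the Connector's target
	}))
	// httptest supplies the server cert and key (the tls.crt/tls.key half of the
	// Secret). In a real listener ClientCAs would hold ca.crt; the probe sends no
	// client certificate, so only the ClientAuth policy decides the outcome.
	srv.TLS = &tls.Config{ClientAuth: policy}
	srv.StartTLS()
	defer srv.Close()
	resp, err := srv.Client().Get(srv.URL)
	if err != nil {
		return false // handshake refused, or under TLS 1.3 the first read fails
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

// ClientAuthFromCredentials is a hypothetical helper applying the inference the
// documentation implies: verify client certificates against the bundle's ca.crt
// when one is present, otherwise require nothing. The issue argues that an
// explicit opt-in may be preferable to this inference.
func ClientAuthFromCredentials(secret map[string][]byte) tls.ClientAuthType {
	if ca, ok := secret["ca.crt"]; ok && len(ca) > 0 {
		return tls.RequireAndVerifyClientCert
	}
	return tls.NoClientCert
}
```

Run `AcceptsAnonymousClient(tls.NoClientCert)` to see the current behaviour (the anonymous client reaches the backend) and `AcceptsAnonymousClient(tls.RequireAndVerifyClientCert)` for the enforced one (the anonymous client is rejected).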
