Use mTLS client cert for Authorization

[fmsolana]

Hi Envoy comunity,

I want to apply authorization to client certificated, If I do only with subjectAltNames I got a early fail and is not register as 401 on access_log then I though about apply later with authorization checking the X-Forwarded-Client-Cert header, but doesn't work

Even with X-Forwarded-Client-Cert could be hard because add the Hash and I would like to allow pass only with CN or SAN

The header it suppose be added before authorization happens but I saw probably is later, at least is on my upstream request.

another point is that headers it seems it is not allowed to use regex only exact.

There are some way to do this. I let my configuration here:

--- apiVersion: gateway.envoyproxy.io/v1alpha1 kind: ClientTrafficPolicy metadata: name: enable-mtls spec: targetRefs: - group: gateway.networking.k8s.io kind: Gateway name: mtls-envoy-gateway headers: xForwardedClientCert: mode: SanitizeSet certDetailsToAdd: - DNS tls: clientValidation: optional: true # subjectAltNames: # dnsNames: # - type: Exact # Exact | Prefix | Suffix | RegularExpression # value: "consumer-one.domain.com" caCertificateRefs: - kind: "Secret" group: "" name: "my-ca"

apiVersion: gateway.envoyproxy.io/v1alpha1 kind: SecurityPolicy metadata: name: acl-admin-security-policy-by-label spec: targetRefs: - group: gateway.networking.k8s.io kind: HTTPRoute name: backend #ACLs authorization: defaultAction: Deny rules: - name: allow-with-mtls action: Allow principal: #https://gateway.envoyproxy.io/docs/api/extension_types/#principal headers: # Version 1.5 - name: X-Forwarded-Client-Cert values: - Hash=<hasvalue>;DNS=consumer-one.domain.com 

[fmsolana]

I think I made a mistake on my test. Because this work as expected. The only annoying thing is the Hash.

It will be good if headermatchtype could be applied over the headers on authorization.

 authorization: defaultAction: Deny rules: - name: allow-with-mtls action: Allow principal: #https://gateway.envoyproxy.io/docs/api/extension_types/#principal headers: # Version 1.5 - name: X-Forwarded-Client-Cert values: - Hash=<hasvalue>;DNS=consumer-one.domain.com 

In a environment with automatic certificate generated every hour the hash can no be there to be use as authorization.