
Certificate revocation list (CRL) support for the mTLS authentication #3021

Open
SudhakarNandigam-TomTom opened this issue Mar 26, 2024 · 4 comments
Labels
area/api API-related issues help wanted Extra attention is needed

Comments

@SudhakarNandigam-TomTom

Description:
Add Certificate Revocation List (CRL) support for the mTLS-based authentication between external clients and the Gateway.

@arkodg arkodg added help wanted Extra attention is needed area/api API-related issues and removed triage labels Mar 26, 2024
@arkodg
Contributor

arkodg commented Mar 26, 2024

ClientTrafficPolicy.spec.tls.clientValidation is a good home for this feature

type ClientValidationContext struct {
	// remaining fields omitted in the original comment
}

@guydc
Contributor

guydc commented Mar 26, 2024

Hi @SudhakarNandigam-TomTom - can you elaborate on the expected UX here? Many proxies require the operator/control-plane to provide a CRL file (see examples here: nginx, haproxy, envoy), while CRL processing specs typically expect proxies to fetch CRLs online based on the CDP extension of certificates and cache them.

In your case, do you intend to provide the CRL as an input to Envoy Gateway?
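Envoy Gateway is written in Go, so here is an added example (not Envoy Gateway's own code) of the operator-supplied-CRL model described above: the CRL file is parsed, its signature is checked against the client CA, its validity window is checked, and only then is the client certificate's serial looked up. The client certificates also carry the CRL distribution point (CDP) extension that the online-fetch model would read. Every key, certificate and the CDP URL is constructed in memory and is a placeholder.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// crlRevoked reports whether leaf is on the DER CRL signed by issuer; an unverified or stale CRL must never answer "not revoked".
func crlRevoked(crlDER []byte, issuer, leaf *x509.Certificate, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, errors.New("CRL outside its validity window")
	}
	for _, rc := range crl.RevokedCertificates { // RevokedCertificateEntries on Go >= 1.21
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
// newFixture is constructed test data, not gateway code: an in-memory CA, client certs 10 (revoked) and 11 (valid), and the CRL.
func newFixture() (ca, revoked, valid *x509.Certificate, crlDER []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	sign := func(tmpl, parent *x509.Certificate, pub ed25519.PublicKey) *x509.Certificate {
		tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
		der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey) // errors ignored: inputs are all local
		c, _ := x509.ParseCertificate(der)
		return c
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = sign(caTmpl, caTmpl, caPub) // self-signed root
	leaf := &x509.Certificate{SerialNumber: big.NewInt(10), Subject: pkix.Name{CommonName: "client"}, CRLDistributionPoints: []string{"http://crl.test/ca.crl"}} // placeholder CDP URL
	revoked = sign(leaf, ca, leafPub)
	leaf.SerialNumber = big.NewInt(11)
	valid = sign(leaf, ca, leafPub)
	crlDER, _ = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(10), RevocationTime: time.Now()}}}, ca, caKey)
	return ca, revoked, valid, crlDER
}
```

A gateway that skips the signature or freshness checks would accept any file named "the CRL", so both are treated as hard errors rather than as "not revoked".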

@SudhakarNandigam-TomTom
Author

Hi @SudhakarNandigam-TomTom - can you elaborate on the expected UX here? Many proxies require the operator/control-plane to provide a CRL file (see examples here: nginx, haproxy, envoy), while CRL processing specs typically expect proxies to fetch CRLs online based on the CDP extension of certificates and cache them.

In your case, do you intend to provide the CRL as an input to Envoy Gateway?

Hi, my requirement is that Envoy Gateway fetches the CRL file from the URL and uses it for mTLS. But most proxies do not support it. So I am also okay with providing the CRL file to the Envoy Gateway.

@arkodg arkodg added this to the v1.1.0-rc1 milestone May 23, 2024
@arkodg arkodg modified the milestones: v1.1.0-rc1, Backlog Jun 25, 2024
@arkodg arkodg modified the milestones: Backlog, v1.2.0-rc1 Jul 31, 2024
@arkodg arkodg modified the milestones: v1.2.0-rc1, Backlog Sep 19, 2024
@saj235

saj235 commented Feb 5, 2025

Hi @SudhakarNandigam-TomTom - can you elaborate on the expected UX here? Many proxies require the operator/control-plane to provide a CRL file (see examples here: nginx, haproxy, envoy), while CRL processing specs typically expect proxies to fetch CRLs online based on the CDP extension of certificates and cache them.
In your case, do you intend to provide the CRL as an input to Envoy Gateway?

Hi, my requirement is that Envoy Gateway fetches the CRL file from the URL and uses it for mTLS. But most proxies do not support it. So I am also okay with providing the CRL file to the Envoy Gateway.

+1
I have the exact same requirement.

@arkodg arkodg modified the milestones: Backlog, v1.4.0-rc.1 Feb 7, 2025