docs: clarify ExtensionTLS type #5154

Open. Wants to merge 4 commits into base: main.

Conversation

nareddyt

Current document says to mount a secret that has a TLS private key. This is incorrect - Envoy Gateway acting as a client should not receive any private key.

Envoy Gateway doesn't support mTLS when connecting to the extension server, so there is no need for a private key today. This is verified by reading the code. EG is only looking for `tls.crt`:

```go
// Resolve the Secret named by certificateRef, then parse its contents as a CA bundle.
certRef := ext.Service.TLS.CertificateRef
secret, secretNamespace, err := kubernetes.ValidateSecretObjectReference(ctx, client, &certRef, namespace)
if err != nil {
	return nil, err
}
cp, err := parseCA(secret)
if err != nil {
	return nil, fmt.Errorf("error parsing cert in Secret %s in namespace %s", string(certRef.Name), secretNamespace)
}
// Client-side TLS credentials built from a root pool only: no client certificate or key is attached.
creds = credentials.NewClientTLSFromCert(cp, "")
```

Cert-manager docs explain this concept concisely, so link directly to it.

Release Notes: No

Commit message: same text as the PR description above, citing the code at https://github.com/envoyproxy/gateway/blob/28e1a485fad395291dd633e3d472f130455de0e8/internal/extension/registry/extension_manager.go#L265-L276

Signed-off-by: Teju Nareddy <tejunareddy@gmail.com>
@nareddyt nareddyt requested a review from a team as a code owner January 26, 2025 17:23
guydc (Contributor) commented Jan 26, 2025

The implementation right now is a bit confusing. tls.crt should usually be a certificate to be used by the process as either a client or a server certificate, not as a trusted CA. ca.crt, also as seen in the referenced docs, is more appropriate here.

I propose that we adopt something similar to GW-API caCertificateRefs here to avoid the confusion.

Regarding the change at hand: I would avoid linking cert-manager here, and keep it more concise, like:

"CertificateRef is a reference to a Kubernetes Secret with a CA certificate in a key named tls.crt. The CA certificate is used by Envoy Gateway to verify the server certificate presented by the extension server. At this time, Envoy Gateway does not support Client Certificate authentication of Envoy Gateway towards the extension server."
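Worked example, added here and not code from Envoy Gateway or from this PR: a stand-alone Go program that reproduces the trust model described in the PR description (only `tls.crt` is read, no private key is involved) and in guydc's comment above (`tls.crt` is being used as a trust anchor, and Envoy Gateway cannot authenticate itself to the extension server). A constructed CA certificate is placed under `tls.crt` in a Secret-shaped map, a client `tls.Config` is built from it with `RootCAs` only, which is the shape `credentials.NewClientTLSFromCert(cp, "")` in grpc-go produces (gRPC fills in `ServerName` from the dial target), and a handshake runs over an in-memory pipe against a server holding a leaf issued by that CA. The hostname `extension-server.envoy-gateway-system.svc`, the `PKI`, `NewPKI`, `must` and `Dial` helpers are assumptions for this example, and `caPoolFromSecret` models only what the quoted `parseCA` call is described as doing, not its actual implementation. Flipping the server to `RequireAndVerifyClientCert` shows the same client being rejected, which is the mTLS gap the PR refers to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net"
	"time"
)

// Constructed hostname for the extension server.
const serverName = "extension-server.envoy-gateway-system.svc"

// PKI is a constructed CA, a server certificate it issued, and the Secret data
// a certificateRef should point at: the CA under tls.crt and no private key.
type PKI struct {
	caCert  *x509.Certificate
	srvCert tls.Certificate
	Secret  map[string][]byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // fixture construction only
	}
	return v
}

func NewPKI() *PKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "extension-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER))
	srv := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverName},
		DNSNames: []string{serverName}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER := must(x509.CreateCertificate(rand.Reader, srv, caCert, &srvKey.PublicKey, caKey))
	secret := map[string][]byte{"tls.crt": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})}
	return &PKI{caCert: caCert, srvCert: tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}, Secret: secret}
}

// caPoolFromSecret models the parseCA step quoted in the PR as far as the PR
// describes it (an assumption): only tls.crt is read, and it becomes a trust
// anchor. A tls.key entry, if present, is never touched.
func caPoolFromSecret(data map[string][]byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data["tls.crt"]) { // nil for a missing key
		return nil, errors.New("secret has no PEM certificate under tls.crt")
	}
	return pool, nil
}

// Dial runs the handshake Envoy Gateway would perform, over an in-memory pipe.
// The client config is RootCAs only, the shape credentials.NewClientTLSFromCert(cp, "")
// produces (gRPC fills ServerName from the dial target): it can verify the server
// but has no certificate to present, so a server that demands mTLS rejects it.
func (p *PKI) Dial(secret map[string][]byte, serverRequiresClientCert bool) error {
	pool, err := caPoolFromSecret(secret)
	if err != nil {
		return err
	}
	clientCfg := &tls.Config{RootCAs: pool, ServerName: serverName}
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{p.srvCert},
		MaxVersion:   tls.VersionTLS12, // keep every flight inside the handshake; net.Pipe has no buffer
	}
	if serverRequiresClientCert {
		serverCfg.ClientAuth, serverCfg.ClientCAs = tls.RequireAndVerifyClientCert, x509.NewCertPool()
		serverCfg.ClientCAs.AddCert(p.caCert)
	}
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	deadline := time.Now().Add(3 * time.Second) // turn any stall into an error rather than a hang
	_, _ = srvConn.SetDeadline(deadline), cliConn.SetDeadline(deadline)
	go func() { // the extension server side
		s := tls.Server(srvConn, serverCfg)
		if s.Handshake() == nil {
			_, _ = s.Write([]byte("hello from extension server"))
		}
	}()
	// Read runs the client handshake first, then yields the server's greeting or the alert it sent on refusal.
	_, err = tls.Client(cliConn, clientCfg).Read(make([]byte, 64))
	return err
}
```

`pki.Dial(pki.Secret, false)` succeeds, and still succeeds if a `tls.key` entry is added to the map, because nothing reads it; `pki.Dial(pki.Secret, true)` fails with a certificate alert from the server, and a `tls.crt` holding some other CA fails with an unknown-authority error on the client side. The server is pinned to TLS 1.2 only because the example runs over `net.Pipe`; with TLS 1.3, a Go server rejects a missing client certificate after the client's Finished, so the client sees that rejection on its first read rather than in `Handshake`, which is worth remembering when debugging an mTLS-enforcing extension server.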

Signed-off-by: Teju Nareddy <tejunareddy@gmail.com>
nareddyt (Author) commented

Thanks for the quick review @guydc! Overall agree with what you said. Updated docs to match current state.


codecov bot commented Jan 30, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 66.90%. Comparing base (45804e2) to head (cd628e6).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5154   +/-   ##
=======================================
  Coverage   66.89%   66.90%           
=======================================
  Files         210      210           
  Lines       32979    32979           
=======================================
+ Hits        22061    22064    +3     
+ Misses       9583     9580    -3     
  Partials     1335     1335           


zirain (Member) commented Feb 2, 2025

@nareddyt can you run `make -k gen-check` to make CI happy?

3 participants