transitengineapi: tls client cert auth#1346

Merged
jmxnzo merged 1 commit into main from transitapi/tls-authentication
Apr 14, 2025
Conversation

@jmxnzo
Contributor

@jmxnzo jmxnzo commented Apr 7, 2025

Adds the required auth logic to the transit engine API to accomplish the client authentication of the mTLS handshake. A client can be authenticated based on a valid mesh cert issued by the mesh CA of the current state.

  • Add GetMeshCAPool to CA in state

@jmxnzo jmxnzo added the no changelog PRs not listed in the release notes label Apr 7, 2025
@jmxnzo jmxnzo force-pushed the transitapi/tls-authentication branch from a6c588c to e19c325 Compare April 7, 2025 15:09
@katexochen katexochen added this to the v1.9.0 milestone Apr 8, 2025
@jmxnzo jmxnzo marked this pull request as ready for review April 8, 2025 11:18
@jmxnzo jmxnzo requested a review from burgerdev as a code owner April 8, 2025 11:18
Member

@burgerdev burgerdev left a comment

Please squash the commits - at least the first one is partially reverted by the last one.

@jmxnzo jmxnzo force-pushed the transitapi/loggingMiddleware branch from 411b59f to 1ce833c Compare April 9, 2025 09:46
@jmxnzo jmxnzo force-pushed the transitapi/tls-authentication branch from 7d585df to b5249b5 Compare April 9, 2025 10:05
@jmxnzo jmxnzo requested a review from katexochen as a code owner April 9, 2025 10:05
@jmxnzo jmxnzo changed the base branch from transitapi/loggingMiddleware to main April 9, 2025 10:06
@jmxnzo jmxnzo requested a review from burgerdev April 9, 2025 10:06
Adds the required auth logic to the transit engine API to accomplish the
client authentication of the mTLS handshake. A client can be
authenticated based on a valid mesh cert issued by the mesh CA of
the current state.

authority: prepare meshCAPool + getter

transitapi: use getMeshCACertPool

getMeshCACertPool uses a cert pool containing the
mesh CA certificate, which is prepared when
constructing the CA, to avoid reparsing the certs.
@jmxnzo jmxnzo force-pushed the transitapi/tls-authentication branch from b5249b5 to a1eaded Compare April 14, 2025 14:10
@jmxnzo jmxnzo merged commit e883521 into main Apr 14, 2025
15 checks passed
@jmxnzo jmxnzo deleted the transitapi/tls-authentication branch April 14, 2025 14:46
@katexochen katexochen modified the milestones: v1.9.0, v1.10.0 May 14, 2025