transitengineapi: mTLS with client authorization by workloadSecret #1348
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jmxnzo
force-pushed
the
meshapi/workloadSecretExt
branch
from
ffd1e49 to
ee94f99
Compare
jmxnzo
changed the base branch from
meshapi/workloadSecretExt
to
transitapi/tls-authentication
jmxnzo
force-pushed
the
transitapi/tls-authorization
branch
from
38a3913 to
7453d2c
Compare
jmxnzo
force-pushed
the
transitapi/tls-authorization
branch
from
7453d2c to
d300fc9
Compare
burgerdev
reviewed
Apr 8, 2025
jmxnzo
force-pushed
the
transitapi/tls-authentication
branch
from
7d585df to
b5249b5
Compare
jmxnzo
force-pushed
the
transitapi/tls-authorization
branch
from
d300fc9 to
b99cf83
Compare
jmxnzo
force-pushed
the
transitapi/tls-authorization
branch
from
7e8140e to
5755b22
Compare
jmxnzo
force-pushed
the
transitapi/tls-authentication
branch
from
b5249b5 to
a1eaded
Compare
jmxnzo
force-pushed
the
transitapi/tls-authorization
branch
from
5755b22 to
7c3c5de
Compare
The worklaodSecretID send in the client cert extension is compared to the requested workloadSecretID of the name parameter using an authorization middleware. Thus clients are only authorized for the key set corresponding to the workloadSecretID set in the manifest.
The transit engine API holds a persistent ecdsa private key which is used in getCertificate to create a valid mesh cert based on the current state for the for the transit engine API.
jmxnzo
force-pushed
the
transitapi/tls-authorization
branch
from
7c3c5de to
e0be4c2
Compare
burgerdev
approved these changes
Apr 14, 2025
This was referenced Apr 16, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces mTLS to the transit engine API to secure connections based on Contrast mesh certs.
The client is only authorized to the transit key set of the workloadSecretID in the received meshCert extension. As prior we handle the
<name>parameter of existing Vault implementations as our workloadSecretID.On initialization the transit engine API derives a private ecdsa key. For each incoming TLS connection of the transit engine API, the coordinator issues itself a fresh mesh cert for this private key of the transit engine API, which is therefore valid for the current state.
The logging mechanism introduced in #1345 and the new authorizationMiddleware is bypassed during testing using a mock transitengine API.