Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: clarify ExtensionTLS type #5154

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

docs: clarify ExtensionTLS type #5154

wants to merge 8 commits into from
+9 −10

Conversation

nareddyt
Copy link

Current document says to mount a secret that has a TLS private key. This is incorrect - Envoy Gateway acting as a client should not receive any private key.

Envoy Gateway doesn't support mTLS when connecting to extension server, so there is no need for private key today. This is verified by reading the code. EG is only looking for tls.crt

gateway/internal/extension/registry/extension_manager.go

Lines 265 to 276 in 28e1a48

certRef := ext.Service.TLS.CertificateRef
secret, secretNamespace, err := kubernetes.ValidateSecretObjectReference(ctx, client, &certRef, namespace)
if err != nil {
return nil, err
}
cp, err := parseCA(secret)
if err != nil {
return nil, fmt.Errorf("error parsing cert in Secret %s in namespace %s", string(certRef.Name), secretNamespace)
}
creds = credentials.NewClientTLSFromCert(cp, "")

Cert-manager docs explain this concept concisely, so link directly to it.

Release Notes: No

@nareddyt
Fix docs for ExtensionTLS type
50a974d 
Current document says to mount a secret that has a TLS private key. This is incorrect - Envoy Gateway acting as a client should not receive any private key.

Envoy Gateway doesn't support mTLS when connecting to extension server, so there is no need for private key today. This is verified by reading the code. EG is only looking for `tls.crt`
 https://github.com/envoyproxy/gateway/blob/28e1a485fad395291dd633e3d472f130455de0e8/internal/extension/registry/extension_manager.go#L265-L276

Cert-manager docs explain this concept concisely, so link directly to it.

Signed-off-by: Teju Nareddy <[email protected]>
@nareddyt nareddyt requested a review from a team as a code owner January 26, 2025 17:23
@guydc
Copy link
Contributor

guydc commented Jan 26, 2025

The implementation right now is a bit confusing. tls.crt should usually be a certificate to be used by the process as either a client or a server certificate, not as a trusted CA. ca.crt, also as seen in the referenced docs, is more appropriate here.

I propose that we adopt something similar to GW-API caCertificateRefs here to avoid the confusion.

Regarding the change at hand: I would avoid linking cert-manager here, and keep it more concise, like:

CertificateRef is a reference to a Kubernetes Secret with a CA certificate in a key named tls.crt. The CA certificate is used by Envoy Gateway the verify the server certificate presented by the extension server. At this time, Envoy Gateway does not support Client Certificate authentication of Envoy Gateway towards the extension server"

@guydc guydc mentioned this pull request Jan 26, 2025
Open
@nareddyt
Copy link
Author

Thanks for the quick review @guydc ! Overall agree with what you said. Updated docs to match current state

guydc
guydc previously approved these changes Jan 30, 2025
View reviewed changes
@codecov Codecov
Copy link

codecov bot commented Jan 30, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 67.94%. Comparing base (6022624) to head (449d9f3).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #5154   +/-   ##
=======================================
  Coverage   67.94%   67.94%           
=======================================
  Files         214      214           
  Lines       33522    33522           
=======================================
+ Hits        22776    22777    +1     
+ Misses       9358     9357    -1     
  Partials     1388     1388

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@zirain
Copy link
Member

zirain commented Feb 2, 2025

@nareddyt can you run make -k gen-check to make CI happy?

@nareddyt
gen-check
c88d568 
Signed-off-by: Teju Nareddy <[email protected]>
@nareddyt
remove tmpCharts
449d9f3 
Signed-off-by: Teju Nareddy <[email protected]>
@nareddyt
Copy link
Author

Sorry for the delay @zirain . Can I get another +1 @guydc ?

@nareddyt nareddyt requested a review from guydc February 13, 2025 00:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zirain zirain zirain approved these changes

@guydc guydc Awaiting requested review from guydc

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@nareddyt @guydc @zirain @Xunzhuo