Skip to content

feat: support crls in client traffic policies #7199

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: support crls in client traffic policies #7199

wants to merge 1 commit into from

Conversation

rudrakhp
Copy link
Member

What type of PR is this?

feat: support crls in client traffic policies

What this PR does / why we need it:

Implement #6955

Which issue(s) this PR fixes:

Fixes #3021

Release Notes: Yes

@rudrakhp rudrakhp requested a review from a team as a code owner October 11, 2025 10:27
@codecov
Copy link

codecov bot commented Oct 11, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 66.10169% with 40 lines in your changes missing coverage. Please review.
✅ Project coverage is 71.06%. Comparing base (7768139) to head (eeca2fe).

Files with missing lines Patch % Lines
internal/gatewayapi/clienttrafficpolicy.go 41.30% 25 Missing and 2 partials ⚠️
internal/gatewayapi/tls.go 68.29% 10 Missing and 3 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #7199      +/-   ##
==========================================
- Coverage   71.14%   71.06%   -0.09%     
==========================================
  Files         228      228              
  Lines       40827    40896      +69     
==========================================
+ Hits        29047    29061      +14     
- Misses      10076    10128      +52     
- Partials     1704     1707       +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@rudrakhp rudrakhp force-pushed the feat_crl branch 3 times, most recently from 451c9ed to 353110f Compare October 13, 2025 19:38
rudrakhp
rudrakhp commented Oct 13, 2025
View reviewed changes
internal/gatewayapi/testdata/clienttrafficpolicy-invalid-settings.out.yaml
conditions:
- lastTransitionTime: null
message: |-
TLS: caCertificateRef secret [tls-secret-1] not found
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this error was incorrect since I do see tls-secret-1:

gateway/internal/gatewayapi/testdata/clienttrafficpolicy-invalid-settings.in.yaml

Line 271 in 481a2ca

name: tls-secret-1

rudrakhp
rudrakhp commented Oct 13, 2025
View reviewed changes
internal/gatewayapi/tls.go
}

func validateCertificate(data []byte) error {
block, _ := pem.Decode(data)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a partial way to decode cert that was leading to inconsistency in parsing certificate depending on which block was being decoded first.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I'm understanding the code right, decodePemForBlockType only returns the first block matching blockType. In the case of multiple concatenated CA certificates or CRLs, won't validateCertificate and validateCrl only validate the first one and ignore the rest?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are right, we were validating only one block earlier so maintained the same behavior. But we should ideally be validating all the blocks.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@crinjes updated the method to decode and append all certs before parsing

@rudrakhp rudrakhp force-pushed the feat_crl branch 2 times, most recently from ea2e484 to 8311467 Compare October 13, 2025 20:04
@rudrakhp rudrakhp requested review from a team and removed request for a team October 14, 2025 04:17
@jukie
Copy link
Contributor

jukie commented Oct 14, 2025

/retest

@rudrakhp rudrakhp force-pushed the feat_crl branch 5 times, most recently from 2ac7d7c to 1a81709 Compare October 17, 2025 05:12
arkodg
arkodg reviewed Oct 22, 2025
View reviewed changes
internal/gatewayapi/clienttrafficpolicy.go

if tlsParams.ClientValidation.Crl != nil {
for _, crlRef := range tlsParams.ClientValidation.Crl.Refs {
crlRefKind := string(ptr.Deref(crlRef.Kind, resource.KindSecret))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it possible to dedup this logic and caCert data logic using a common func ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arkodg arkodg arkodg left review comments

+1 more reviewer

@crinjes crinjes crinjes left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Certificate revocation list (CRL) support for the mTLS authentication

4 participants

@rudrakhp @jukie @arkodg @crinjes