Feature: mtls filters#4044

Open
szuecs wants to merge 17 commits into
masterfrom
feature/mTLS-filters

Conversation

@szuecs (Member) commented Jun 1, 2026

feature: mtlsSAN(), mtlsSanCIDR(), mtlsSanDNS(), mtlsSanIP(), mtlsSanURI() filters
feature: mtlsIssuerDN() filter
feature: mtlsCN() filter
feature: mtlsAuthn() filter
doc: document mtls authnz filters
test: benchmarks

ref: closing #3295

feature: mtlsIssuerDN() filter
feature: mtlsCN() filter
feature: mtlsAuthn() filter
doc: document mtls authnz filters

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
@szuecs szuecs force-pushed the feature/mTLS-filters branch from e07710c to 144a2b8 on June 2, 2026 20:22
@szuecs szuecs added the "major" label (moderate risk, for example new API, small filter changes that have no risk like refactoring or logs) Jun 2, 2026
@szuecs szuecs marked this pull request as ready for review June 2, 2026 20:23
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
@szuecs szuecs mentioned this pull request Jun 3, 2026
szuecs added 4 commits June 3, 2026 10:54
fix: linter finding in test

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
…ntegration

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
@vlktna vlktna self-requested a review June 3, 2026 16:28
szuecs added 4 commits June 3, 2026 20:08
… used to validate in coming client certificates.

Configuration is able to load system CAs first and append given PEM encoded CA files or we load only given PEM encoded CA files or if nil we load system CAs.

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
…, because we care about the identity of the client and not the identity of the CA

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
@szuecs (Member, Author) commented Jun 3, 2026

Given that auth should be fast, I will also provide 4 more filters for mtlsSAN to have them specialised; for example, if you use SPIFFE/SPIRE, you do not want to check DNS or IP in the SAN.

…sSanDNS(), mtlsSanIP(), mtlsSanURI()

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
@szuecs (Member, Author) commented Jun 3, 2026

e634e6e has the 4 new filters

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
@szuecs (Member, Author) commented Jun 3, 2026

Local test without a CA loaded, so with an empty pool it cannot validate certs:

```
% ./bin/skipper -inline-routes='r: * -> mtlsAuthn() -> status(201) -> <shunt>' -address :9002                                                                     feature/mTLS-filters
[APP]INFO[0000] Expose metrics in format: "codahale"
[APP]INFO[0000] enable swarm: false
[APP]INFO[0000] Replacing tee filter specification
[APP]INFO[0000] Replacing teenf filter specification
[APP]INFO[0000] Replacing teeResponse filter specification
[APP]INFO[0000] route settings, reset, route: r: * -> mtlsAuthn() -> status(201) -> <shunt>
[APP]INFO[0000] route settings received, id: 1
[APP]INFO[0000] support listener on :9911
[APP]INFO[0000] route settings applied, id: 1
[APP]INFO[0000] Dataclients are updated once, first load complete
[APP]INFO[0000] Listen on :9002
[APP]INFO[0000] TLS settings not found, defaulting to HTTP
::1 - - [03/Jun/2026:22:10:26 +0200] "GET /foo HTTP/1.1" 401 0 "-" "curl/7.49.0" 0 localhost:9002 - -
```

client call sent with no cert:

```
% curl http://localhost:9002/foo -v
*   Trying ::1...
* Connected to localhost (::1) port 9002 (#0)
> GET /foo HTTP/1.1
> Host: localhost:9002
> User-Agent: curl/7.49.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Server: Skipper
< Www-Authenticate: localhost:9002
< Date: Wed, 03 Jun 2026 20:10:26 GMT
< Transfer-Encoding: chunked
<
* Connection #0 to host localhost left intact
```

We can see good default behaviour and no panic, so integration seems fine as well.
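The two ideas in the posts above, a dedicated URI-SAN check for SPIFFE identities and "empty CA pool means the client cert cannot be validated", as one added Go example. This is not skipper's code and not the filters in this PR: `authenticate`, `sanURIAllowed`, `newFixture` and `issue` are hypothetical names chosen here, and the CA and leaf certificate are constructed in memory in place of the PEM CA files the PR's config loads.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// errUnauthenticated is what a filter would turn into the 401 seen in the local test above.
var errUnauthenticated = errors.New("mtls: client certificate not verified")

// authenticate (hypothetical, mirrors the mtlsAuthn() idea): verify the presented
// chain against the configured CA pool for client authentication. A nil pool or an
// empty chain fails closed; the nil guard matters because Go's Verify would fall
// back to the system roots when Roots is nil, which is not what "no CA loaded" means here.
func authenticate(pool *x509.CertPool, chain []*x509.Certificate) error {
	if pool == nil || len(chain) == 0 {
		return errUnauthenticated
	}
	intermediates := x509.NewCertPool()
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{
		Roots:         pool,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("%w: %v", errUnauthenticated, err)
	}
	return nil
}

// sanURIAllowed (hypothetical, mirrors the mtlsSanURI() idea): exact match of any
// URI SAN, e.g. a SPIFFE ID, against an allow list. DNS and IP SANs are ignored on purpose.
func sanURIAllowed(cert *x509.Certificate, allowed ...string) bool {
	for _, u := range cert.URIs {
		for _, a := range allowed {
			if u.String() == a {
				return true
			}
		}
	}
	return false
}

// fixture is a constructed in-memory CA pool plus one leaf certificate with a SPIFFE URI SAN.
type fixture struct {
	Pool *x509.CertPool
	Leaf *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with parent (self-signed when parent is nil) and returns the parsed cert and its key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func newFixture(spiffeID string) *fixture {
	id, err := url.Parse(spiffeID)
	check(err)
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "My CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "app1"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:        []*url.URL{id},
	}, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &fixture{Pool: pool, Leaf: leaf}
}

func main() {
	fx := newFixture("spiffe://my-service.example/app1")
	chain := []*x509.Certificate{fx.Leaf}
	fmt.Println("empty pool:", authenticate(x509.NewCertPool(), chain)) // rejected, the 401 case
	fmt.Println("with CA:", authenticate(fx.Pool, chain))               // <nil>
	fmt.Println("SAN allowed:", sanURIAllowed(fx.Leaf, "spiffe://my-service.example/app1"))
}
```

Separating "is this cert chained to a CA I trust" (`authenticate`) from "is this the identity I expect" (`sanURIAllowed`) is the split the PR's filter chain `mtlsAuthn() -> mtlsSanURI(...)` expresses; the second check alone proves nothing, since anyone can self-issue a cert with any SAN.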

szuecs added 2 commits June 3, 2026 23:25
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
Comment thread docs/reference/filters.md
Quoted lines:

```
Example:

* -> mtlsAuthn() -> mtlsSAN("spiffe://my-service.example/app1") -> "http://10.2.5.21:8080";
```

Member: wrong filter example

Comment thread docs/reference/filters.md

Quoted lines:

```
* -> mtlsAuthn() -> mtlsCN("My CA") -> "http://10.2.5.21:8080";
```

### mtlsSAN

Member: I guess this should be removed and use other filters

Member Author: It depends, if someone wants to allow a mix of it, but yeah, we could also argue to use a filter chain instead. I agree, will delete it later.

szuecs added 2 commits June 5, 2026 09:39
fix: support multiple CA files in config

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
…o it

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
@szuecs (Member, Author) commented Jun 5, 2026

@MustafaSaber I can't reply to your message directly, so I'm doing it here: it's fixed.

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
Labels: documentation, enhancement, major (moderate risk, for example new API, small filter changes that have no risk like refactoring or logs)

5 participants