application-connectivity-validator

module
v0.0.0-...-7d69bf5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 20, 2022 License: Apache-2.0

README

Application Connectivity Validator

Overview

The Application Connectivity Validator validates client certificate subjects. It proxies the requests to the Eventing Publisher and the Application Registry.

A single instance of the component is deployed for an Application and uses these parameters:

  • proxyPort is the port on which the reverse proxy is exposed. The default port is 8081.
  • externalAPIPort is the port on which the external API is exposed. The default port is 8080.
  • tenant is the tenant of the Application for which the proxy is deployed. Omitted if empty.
  • group is the group of the Application for which the proxy is deployed. Omitted if empty.
  • eventingPathPrefixV1 is the path prefix for which requests are forwarded to the Eventing Publisher V1 API. The default value is /v1/events.
  • eventingPathPrefixV2 is the path prefix for which requests are forwarded to the Eventing Publisher V2 API. The default value is /v2/events.
  • eventingPublisherHost is the host and the port of the Eventing Publisher. The default value is events-api:8080.
  • eventingDestinationPath is the destination path for the requests coming to the Eventing. The default value is /.
  • appRegistryPathPrefix is the path prefix for which requests are forwarded to the Application Registry. The default value is /v1/metadata.
  • appRegistryHost is the host and the port of the Eventing Publisher. The default value is application-registry-external-api:8081.
  • kubeConfig is the path to a cluster kubeconfig. Used for running the service outside of the cluster.
  • apiServerURL is the address of the Kubernetes API server. Overrides any value in kubeconfig. Used for running the service outside of the cluster.
  • syncPeriod is the period of time, in seconds, after which the controller should reconcile the Application resource. The default value is 120 seconds.

Details

The certificate subjects are validated using the X-Forwarded-Client-Cert header. After successful client certificate verification defined in the Istio Gateway, the Envoy Proxy adds the header to the request. The service to which the header is added must have mutual TLS between Istio sidecar Pods enabled. This is an example X-Forwarded-Client-Cert header:

Hash=f4cf22fb633d4df500e371daf703d4b4d14a0ea9d69cd631f95f9e6ba840f8ad;Subject="CN=test-application,OU=OrgUnit,O=Organization,L=Waldorf,ST=Waldorf,C=DE";URI=,By=spiffe://cluster.local/ns/kyma-integration/sa/default;Hash=6d1f9f3a6ac94ff925841aeb9c15bb3323014e3da2c224ea7697698acf413226;Subject="";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account

The header contains information about multiple certificates because of the client certificate used in mTLS-secure communication between sidecars of a service.

The Application Connectivity Validator forwards only the requests with the X-Forwarded-Client-Cert header that contains Subject with the following fields corresponding to the Application custom resource:

  • CommonName is the name of the Application custom resource.
  • (Optional) Organization is the tenant.
  • (Optional) OrganizationalUnit is the group.

Development

Generate mocks

Prerequisites:

To generate mocks, run:

go generate ./...

When adding a new interface to be mocked or when a mock of an existing interface is not being generated, add the following line directly above the interface declaration:

//go:generate mockery --name {INTERFACE_NAME}

Directories

Path Synopsis
cmd
applicationconnectivityvalidator
internal
apperrors
controller
controller/signals
externalapi
httpconsts
httperrors
httptools
validationproxy
validationproxy/mocks

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.