Added property to accept certificates for tls termination at tcp router #502
Conversation
|
cf-foundation-community-automation
bot
moved this to Inbox
in Application Runtime Platform Working Group
jobs/tcp_router/templates/tcp_router_frontend_client_cert_and_key.pem.erb
Outdated
Show resolved
Hide resolved
AshishNaware
force-pushed
the
nashish
branch
4 times, most recently
from
a37f8da to
4f76639
Compare
| func certHasSAN(cert *x509.Certificate) bool { | ||
| hasSANExtension := false | ||
| for _, ext := range cert.Extensions { | ||
| if ext.Id.String() == "2.5.29.17" { |
There was a problem hiding this comment.
Some documentation here may help.
Where did this id 2.5.29.17 come from? Is this a well known constant in the go library perhaps? What would happen if this value changes? How do we update this value?
There was a problem hiding this comment.
This is the OID of the SAN field coming from the ASN1 spec. It will never change. https://oidref.com/2.5.29.17
I think that the check that computes hasSANEntries below is sufficient / redundant, but not 100% sure.
There was a problem hiding this comment.
I added this check to be consistent with the gorouter https://github.com/cloudfoundry/routing-release/blob/develop/jobs/gorouter/templates/gorouter.yml.erb#L445
| if bp := os.Getenv("FRONTEND_TLS_BASE_PATH"); bp != "" { | ||
| return bp | ||
| } | ||
| return "/var/vcap/jobs/tcp_router/config/keys/tcp-router/frontend" |
There was a problem hiding this comment.
do we have to worry about proper permissions? Copying the sibling's (backend) permissions:
chown -R root:vcap /var/vcap/jobs/tcp_router/config/certs/tcp-router/frontend
chmod -R 640 /var/vcap/jobs/tcp_router/config/certs/tcp-router/frontend
chmod 750 /var/vcap/jobs/tcp_router/config/certs/tcp-router/frontend
Co-authored-by: Siva Kommuri <[email protected]>
Summary
This PR introduces new property called frontend_tls to accept certs and keys that are used to terminate tls traffic at tcp router.
Backward Compatibility
Breaking Change? Yes/No
No