diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index e1632d5ade..dcde14a27f 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml +++ b/kubernetes/customresourcedefinitions.gen.yaml @@ -7602,6 +7602,12 @@ spec: a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean + insecureSkipVerify: + description: 'Optional: If set to true, the proxy will try + to validate the certificate, but even if the validation + fails, it will allow the connection through.' + nullable: true + type: boolean maxProtocolVersion: description: |- Optional: Maximum TLS protocol version. @@ -7877,6 +7883,12 @@ spec: a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean + insecureSkipVerify: + description: 'Optional: If set to true, the proxy will try + to validate the certificate, but even if the validation + fails, it will allow the connection through.' + nullable: true + type: boolean maxProtocolVersion: description: |- Optional: Maximum TLS protocol version. @@ -8152,6 +8164,12 @@ spec: a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean + insecureSkipVerify: + description: 'Optional: If set to true, the proxy will try + to validate the certificate, but even if the validation + fails, it will allow the connection through.' + nullable: true + type: boolean maxProtocolVersion: description: |- Optional: Maximum TLS protocol version. @@ -9817,6 +9835,12 @@ spec: a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean + insecureSkipVerify: + description: 'Optional: If set to true, the proxy will try + to validate the certificate, but even if the validation + fails, it will allow the connection through.' + nullable: true + type: boolean maxProtocolVersion: description: |- Optional: Maximum TLS protocol version. 
@@ -10432,6 +10456,12 @@ spec: a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean + insecureSkipVerify: + description: 'Optional: If set to true, the proxy will try + to validate the certificate, but even if the validation + fails, it will allow the connection through.' + nullable: true + type: boolean maxProtocolVersion: description: |- Optional: Maximum TLS protocol version. @@ -11047,6 +11077,12 @@ spec: a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean + insecureSkipVerify: + description: 'Optional: If set to true, the proxy will try + to validate the certificate, but even if the validation + fails, it will allow the connection through.' + nullable: true + type: boolean maxProtocolVersion: description: |- Optional: Maximum TLS protocol version. diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go index fceec3c2c0..598558dc6c 100644 --- a/networking/v1alpha3/gateway.pb.go +++ b/networking/v1alpha3/gateway.pb.go @@ -198,6 +198,7 @@ package v1alpha3 import ( + wrappers "github.com/golang/protobuf/ptypes/wrappers" _ "google.golang.org/genproto/googleapis/api/annotations" protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" 
@@ -836,9 +837,17 @@ type ServerTLSSettings struct { // * `AES128-SHA` // * `AES256-SHA` // * `DES-CBC3-SHA` - CipherSuites []string `protobuf:"bytes,9,rep,name=cipher_suites,json=cipherSuites,proto3" json:"cipher_suites,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + CipherSuites []string `protobuf:"bytes,9,rep,name=cipher_suites,json=cipherSuites,proto3" json:"cipher_suites,omitempty"` + // Optional: If set to true, the proxy will try to validate the certificate, but even if the + // validation fails, it will allow the connection through. + // + // It's needed to implement Gateway API AllowInsecureFallback feature. The different between + // AllowInsecureFallback and not verifying client certificate at all is that Gateway is able + // to pass the client certificate to the backend in the x-forwarded-client-cert HTTP header and + // backend can verify the certificate. + InsecureSkipVerify *wrappers.BoolValue `protobuf:"bytes,17,opt,name=insecure_skip_verify,json=insecureSkipVerify,proto3" json:"insecure_skip_verify,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *ServerTLSSettings) Reset() { @@ -983,6 +992,13 @@ func (x *ServerTLSSettings) GetCipherSuites() []string { return nil } +func (x *ServerTLSSettings) GetInsecureSkipVerify() *wrappers.BoolValue { + if x != nil { + return x.InsecureSkipVerify + } + return nil +} + // TLSCertificate describes the server's TLS certificate. type ServerTLSSettings_TLSCertificate struct { state protoimpl.MessageState `protogen:"open.v1"` 
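Review bot: The doc comment added for InsecureSkipVerify in the ServerTLSSettings hunk never states the security consequence of the flag: once it is set, `mode: MUTUAL` no longer authenticates clients at the gateway, an invalid or untrusted client certificate is still admitted, and the only remaining control is whatever each backend does with x-forwarded-client-cert. I would add above the field `// WARNING: when set, client certificates that fail verification are still admitted, so the gateway` / `// no longer enforces client authentication; use only when every backend behind this server` / `// verifies x-forwarded-client-cert itself.` and fix the typo `The different between` to `The difference between`. Whether the header actually carries the certificate depends on the proxy's forward-client-cert-details setting, which this diff does not show, so the comment should not promise it unconditionally. This file and the CRD YAML are generated, so the wording belongs in the source gateway.proto and should be regenerated from there; the enclosing ServerTLSSettings struct begins outside the hunk.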
@@ -1057,7 +1073,7 @@ var File_networking_v1alpha3_gateway_proto protoreflect.FileDescriptor const file_networking_v1alpha3_gateway_proto_rawDesc = "" + "\n" + - "!networking/v1alpha3/gateway.proto\x12\x19istio.networking.v1alpha3\x1a\x1fgoogle/api/field_behavior.proto\"\xd1\x01\n" + + "!networking/v1alpha3/gateway.proto\x12\x19istio.networking.v1alpha3\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1egoogle/protobuf/wrappers.proto\"\xd1\x01\n" + "\aGateway\x12;\n" + "\aservers\x18\x01 \x03(\v2!.istio.networking.v1alpha3.ServerR\aservers\x12L\n" + "\bselector\x18\x02 \x03(\v20.istio.networking.v1alpha3.Gateway.SelectorEntryR\bselector\x1a;\n" + @@ -1076,7 +1092,8 @@ const file_networking_v1alpha3_gateway_proto_rawDesc = "" + "\bprotocol\x18\x02 \x01(\tB\x04\xe2A\x01\x02R\bprotocol\x12\x18\n" + "\x04name\x18\x03 \x01(\tB\x04\xe2A\x01\x02R\x04name\x12#\n" + "\vtarget_port\x18\x04 \x01(\rB\x02\x18\x01R\n" + - "targetPort\"\xee\t\n" + + "targetPort\"\xbc\n" + + "\n" + "\x11ServerTLSSettings\x12%\n" + "\x0ehttps_redirect\x18\x01 \x01(\bR\rhttpsRedirect\x12H\n" + "\x04mode\x18\x02 \x01(\x0e24.istio.networking.v1alpha3.ServerTLSSettings.TLSmodeR\x04mode\x12-\n" + @@ -1095,7 +1112,8 @@ const file_networking_v1alpha3_gateway_proto_rawDesc = "" + "\x17verify_certificate_hash\x18\f \x03(\tR\x15verifyCertificateHash\x12j\n" + "\x14min_protocol_version\x18\a \x01(\x0e28.istio.networking.v1alpha3.ServerTLSSettings.TLSProtocolR\x12minProtocolVersion\x12j\n" + "\x14max_protocol_version\x18\b \x01(\x0e28.istio.networking.v1alpha3.ServerTLSSettings.TLSProtocolR\x12maxProtocolVersion\x12#\n" + - "\rcipher_suites\x18\t \x03(\tR\fcipherSuites\x1a\x89\x01\n" + + "\rcipher_suites\x18\t \x03(\tR\fcipherSuites\x12L\n" + + "\x14insecure_skip_verify\x18\x11 \x01(\v2\x1a.google.protobuf.BoolValueR\x12insecureSkipVerify\x1a\x89\x01\n" + "\x0eTLSCertificate\x12-\n" + "\x12server_certificate\x18\x01 \x01(\tR\x11serverCertificate\x12\x1f\n" + "\vprivate_key\x18\x02 \x01(\tR\n" + 
@@ -1140,6 +1158,7 @@ var file_networking_v1alpha3_gateway_proto_goTypes = []any{ (*ServerTLSSettings)(nil), // 5: istio.networking.v1alpha3.ServerTLSSettings nil, // 6: istio.networking.v1alpha3.Gateway.SelectorEntry (*ServerTLSSettings_TLSCertificate)(nil), // 7: istio.networking.v1alpha3.ServerTLSSettings.TLSCertificate + (*wrappers.BoolValue)(nil), // 8: google.protobuf.BoolValue } var file_networking_v1alpha3_gateway_proto_depIdxs = []int32{ 3, // 0: istio.networking.v1alpha3.Gateway.servers:type_name -> istio.networking.v1alpha3.Server @@ -1150,11 +1169,12 @@ var file_networking_v1alpha3_gateway_proto_depIdxs = []int32{ 7, // 5: istio.networking.v1alpha3.ServerTLSSettings.tls_certificates:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSCertificate 1, // 6: istio.networking.v1alpha3.ServerTLSSettings.min_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol 1, // 7: istio.networking.v1alpha3.ServerTLSSettings.max_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol - 8, // [8:8] is the sub-list for method output_type - 8, // [8:8] is the sub-list for method input_type - 8, // [8:8] is the sub-list for extension type_name - 8, // [8:8] is the sub-list for extension extendee - 0, // [0:8] is the sub-list for field type_name + 8, // 8: istio.networking.v1alpha3.ServerTLSSettings.insecure_skip_verify:type_name -> google.protobuf.BoolValue + 9, // [9:9] is the sub-list for method output_type + 9, // [9:9] is the sub-list for method input_type + 9, // [9:9] is the sub-list for extension type_name + 9, // [9:9] is the sub-list for extension extendee + 0, // [0:9] is the sub-list for field type_name } func init() { file_networking_v1alpha3_gateway_proto_init() } diff --git a/networking/v1alpha3/gateway.pb.html b/networking/v1alpha3/gateway.pb.html index d8297a7347..aa165eaf0f 100644 --- a/networking/v1alpha3/gateway.pb.html +++ b/networking/v1alpha3/gateway.pb.html @@ -620,6 +620,20 @@
DES-CBC3-SHAIf set to true, the proxy will try to validate the certificate, but even if the +validation fails, it will allow the connection through.
+It’s needed to implement Gateway API AllowInsecureFallback feature. The different between +AllowInsecureFallback and not verifying client certificate at all is that Gateway is able +to pass the client certificate to the backend in the x-forwarded-client-cert HTTP header and +backend can verify the certificate.
+