[THREESCALE-5105] Adding support for mtls when using proxy policy

[tkan145]

What

Fix https://issues.redhat.com/browse/THREESCALE-5105

NOTE

Please ignore codecov report. I will move tls.lua to apicast-nginx-module in the future commit.

Verification steps:

• Build runtime image

  make runtime-image IMAGE_NAME=apicast-test

• Get into the dev-environments

  cd dev-environments/https-proxy-upstream-tlsv1.3

• Update apicast-config.json file as follow

  
  diff --git a/dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json b/dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json 
  index 5227c5aa..09fb1ab9 100644                                                                                                                    
  --- a/dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json                                                                            
  +++ b/dev-environments/https-proxy-upstream-tlsv1.3/apicast-config.json                                                                            
  @@ -11,6 +11,15 @@                                                                                                                                 
         "host": "backend"                                                                                                                       
       },                                                                                                                                        
       "policy_chain": [                                                                                                                         

• {
• "name": "apicast.policy.upstream_mtls",
• "configuration": {
• "certificate": "/tmp/example.com.crt",
• "certificate_type": "path",
• "certificate_key": "/tmp/example.com.key",
• "certificate_key_type": "path"
• }
• },
  {
  "name": "apicast.policy.http_proxy",
  "configuration": {

• Update docker-compose file as follow

  
  diff --git a/dev-environments/https-proxy-upstream-tlsv1.3/docker-compose.yml b/dev-environments/https-proxy-upstream-tlsv1.3/docker-compose.yml
  index af418aca..b5b42341 100644
  --- a/dev-environments/https-proxy-upstream-tlsv1.3/docker-compose.yml
  +++ b/dev-environments/https-proxy-upstream-tlsv1.3/docker-compose.yml
  @@ -24,6 +24,9 @@ services:
     - "8090:8090"
   volumes:
     - ./apicast-config.json:/tmp/config.json

• • ./cert/example.com.crt:/tmp/example.com.crt
• • ./cert/example.com.key:/tmp/example.com.key
• • ./cert/rootCA.pem:/tmp/rootCA.pem proxy: build: dockerfile: ./tinyproxy.Dockerfile @@ -35,12 +38,13 @@ services: example.com: image: alpine/socat:1.7.4.4 container_name: example.com
• command: "-v openssl-listen:443,reuseaddr,fork,cert=/etc/pki/example.com.pem,verify=0,openssl-min-proto-version=TLS1.3,openssl-max-proto-version=TLS1.3 TCP:two.upstream:80"
• command: "-v openssl-listen:443,reuseaddr,fork,cert=/etc/pki/example.com.pem,cafile=/etc/pki/rootCA.pem,verify=1,openssl-min-proto-version=TLS1.3,openssl-max-proto-version=TLS1.3 TCP:two.upstream:80" expose:
  • "443" restart: unless-stopped volumes:
  • ./cert/example.com.pem:/etc/pki/example.com.pem
• • ./cert/rootCA.pem:/etc/pki/rootCA.pem two.upstream: image: kennethreitz/httpbin expose:

• Start APIcast gateway

  make certs
  make gateway IMAGE_NAME=apicast-test

• Send a request to APIcast

  
  curl --resolve get.example.com:8080:127.0.0.1 -v "http://get.example.com:8080/?user_key=123"

... < HTTP/1.1 200 OK
< Content-Type: application/json
< Transfer-Encoding: chunked
< Connection: keep-alive
< Server: gunicorn/19.9.0
< Access-Control-Allow-Credentials: true < Access-Control-Allow-Origin: *

[eguzki]

Verification steps working like a charm