envoyproxy / gateway

Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway
https://gateway.envoyproxy.io
Apache License 2.0

Certificate revocation list (CRL) support for the mTLS authentication #3021

Open SudhakarNandigam-TomTom opened 5 months ago

SudhakarNandigam-TomTom commented 5 months ago

Description: Add Certificate revocation list (CRL) support for the mTLS-based authentication between external clients and the Gateway.

arkodg commented 5 months ago

ClientTrafficPolicy.spec.tls.clientValidation is a good home for this feature https://github.com/envoyproxy/gateway/blob/decd8787c3c1ffd8f56c4938ce5af2489991a370/api/v1alpha1/tls_types.go#L112

guydc commented 5 months ago

Hi @SudhakarNandigam-TomTom - can you elaborate on the expected UX here? Many proxies require the operator/control-plane to provide a CRL file (see examples here: nginx, haproxy, envoy), while CRL processing specs typically expect proxies to fetch CRLs online based on the CDP extension of certificates and cache them.

In your case, do you intend to provide the CRL as an input to Envoy Gateway?

SudhakarNandigam-TomTom commented 5 months ago

> Hi @SudhakarNandigam-TomTom - can you elaborate on the expected UX here? Many proxies require the operator/control-plane to provide a CRL file (see examples here: nginx, haproxy, envoy), while CRL processing specs typically expect proxies to fetch CRLs online based on the CDP extension of certificates and cache them.
>
> In your case, do you intend to provide the CRL as an input to Envoy Gateway?

Hi, my requirement is that Envoy Gateway fetches the CRL file from the URL and uses it for mTLS. But most proxies do not support it. So I am also okay with providing the CRL file to the Envoy Gateway.
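The two designs discussed in this thread (an operator-supplied CRL file versus fetching the list from the CDP URL carried in the client certificate) differ in where the list comes from, not in what the gateway has to check once it holds one. The following is an added example and not code from Envoy Gateway or from anyone in this thread: it builds a throwaway CA, two client certificates and a CRL with Go's standard library, then shows the checks a file-based implementation performs on top of the CA chain validation that ClientTrafficPolicy already provides (CRL signature against the trusted CA, validity window, serial lookup) and where a fetch-based design would read the CDP URLs instead. All names in it (exampleCDP, checkRevocation, runScenario, the serial numbers and the `.invalid` URL) are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed CDP URL placed on the client certificates; nothing in this example fetches it.
const exampleCDP = "http://crl.example.invalid/client-ca.crl"

// must panics on error so the throwaway PKI fixture below stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func baseTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// newCert generates a P-256 key and has the parent sign tmpl (self-signed when parentCert is nil).
func newCert(tmpl, parentCert *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parentCert == nil {
		parentCert, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// issueCRL produces a CA-signed CRL listing one serial as revoked. The older pkix.RevokedCertificate
// field is used so the example also builds on Go releases before 1.21.
func issueCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, revokedSerial int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now().Add(-time.Minute),
		NextUpdate:          time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: time.Now()}},
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey))))
}

// checkRevocation is the step an operator-supplied CRL adds after the existing CA chain validation:
// the CRL must be signed by the trusted CA, be current, and must not list the client's serial.
func checkRevocation(client *x509.Certificate, crl *x509.RevocationList, root *x509.Certificate, now time.Time) error {
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	// Fail closed on a stale list: a certificate revoked after NextUpdate would otherwise pass.
	if now.Before(crl.ThisUpdate) || (!crl.NextUpdate.IsZero() && now.After(crl.NextUpdate)) {
		return fmt.Errorf("crl is outside its validity window (%s to %s)", crl.ThisUpdate, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return fmt.Errorf("client certificate serial %s is revoked", client.SerialNumber)
		}
	}
	return nil
}

// scenarioResult records the outcome for one still-valid and one revoked client certificate.
type scenarioResult struct {
	ValidErr, RevokedErr error
	CDP                  []string // CRL distribution point URLs a fetch-based design would read instead
}

func runScenario() scenarioResult {
	caTmpl := baseTemplate("example-client-ca", 1)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // CRLSign is required to sign the CRL
	caCert, caKey := newCert(caTmpl, nil, nil)
	var clients [2]*x509.Certificate
	for i, serial := range []int64{1001, 1002} {
		t := baseTemplate(fmt.Sprintf("client-%d", serial), serial)
		t.CRLDistributionPoints = []string{exampleCDP}
		clients[i], _ = newCert(t, caCert, caKey)
	}
	crl := issueCRL(caCert, caKey, 1002) // the operator-supplied list revokes client-1002 only
	return scenarioResult{
		ValidErr:   checkRevocation(clients[0], crl, caCert, time.Now()),
		RevokedErr: checkRevocation(clients[1], crl, caCert, time.Now()),
		CDP:        clients[1].CRLDistributionPoints,
	}
}

func main() { fmt.Printf("%+v\n", runScenario()) }
```

Running it with `go run` prints a nil error for client-1001, a "serial 1002 is revoked" error for client-1002, and the CDP URL. The validity-window check is the part that shapes the UX question raised above: a file-based design needs a way to rotate the CRL before its NextUpdate passes or connections start failing closed, whereas the CDP-based design fetches and caches the list itself.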