Fixes as per @simo5 review comments.

openshift · May 31, 2018 · 567e915 · 567e915
1 parent d3894ad
commit 567e915
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template
@@ -233,8 +233,11 @@ frontend fe_sni
 
   {{- if ne (env "ROUTER_MUTUAL_TLS_AUTH" "none") "none" }}
     {{- with (env "ROUTER_MUTUAL_TLS_AUTH_CN") }}
-  # If a mutual TLS auth CN is set, we deny requests if the common name doesn't
-  # match. A custom template can change this behavior (e.g. set custom headers).
+  # If a mutual TLS auth CN environment variable is set, we deny requests if the
+  # common name field in the client certificate doesn't match that environment
+  # variable value. Please note this match is a subset (substring) match.
+  # A custom template can customize this behavior as desired - as an example,
+  # it may want to set custom headers rather than deny requests.
   acl cert_cn_matches ssl_c_s_dn(CN) -m sub {{.}}
   http-request deny unless cert_cn_matches
     {{- end }}
@@ -250,6 +253,7 @@ frontend fe_sni
   http-request set-header X-SSL-Issuer           %{+Q}[ssl_c_i_dn]
   http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
   http-request set-header X-SSL-Client-NotAfter  %{+Q}[ssl_c_notafter]
+  http-request set-header X-SSL-Client-DER       %{+Q}[ssl_c_der,base64]
   {{- end }}
 
   # map to backend
@@ -292,8 +296,11 @@ frontend fe_no_sni
 
   {{- if ne (env "ROUTER_MUTUAL_TLS_AUTH" "none") "none" }}
     {{- with (env "ROUTER_MUTUAL_TLS_AUTH_CN") }}
-  # If a mutual TLS auth CN is set, we deny requests if the common name doesn't
-  # match. A custom template can change this behavior (e.g. set custom headers).
+  # If a mutual TLS auth CN environment variable is set, we deny requests if the
+  # common name field in the client certificate doesn't match that environment
+  # variable value. Please note this match is a subset (substring) match.
+  # A custom template can customize this behavior as desired - as an example,
+  # it may want to set custom headers rather than deny requests.
   acl cert_cn_matches ssl_c_s_dn(CN) -m sub {{.}}
   http-request deny unless cert_cn_matches
     {{- end }}
@@ -309,6 +316,7 @@ frontend fe_no_sni
   http-request set-header X-SSL-Issuer           %{+Q}[ssl_c_i_dn]
   http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
   http-request set-header X-SSL-Client-NotAfter  %{+Q}[ssl_c_notafter]
+  http-request set-header X-SSL-Client-DER       %{+Q}[ssl_c_der,base64]
   {{- end }}
 
   # map to backend

diff --git a/pkg/oc/admin/router/router.go b/pkg/oc/admin/router/router.go
@@ -347,7 +347,7 @@ func generateMutualTLSSecretName(prefix string) string {
 
 // generateSecretsConfig generates any Secret and Volume objects, such
 // as SSH private keys, that are necessary for the router container.
-func generateSecretsConfig(cfg *RouterConfig, namespace string, certName string, defaultCert, mtlsAuthCA, mtlsAuthCRL []byte) ([]*kapi.Secret, []kapi.Volume, []kapi.VolumeMount, error) {
+func generateSecretsConfig(cfg *RouterConfig, namespace, certName string, defaultCert, mtlsAuthCA, mtlsAuthCRL []byte) ([]*kapi.Secret, []kapi.Volume, []kapi.VolumeMount, error) {
 	var secrets []*kapi.Secret
 	var volumes []kapi.Volume
 	var mounts []kapi.VolumeMount