Support Client Cert Auth for Extension Sever

[guydc]

Description:
@nareddyt writes in #5154:

Current document says to mount a secret that has a TLS private key. This is incorrect - Envoy Gateway acting as a client should not receive any private key.
Envoy Gateway doesn't support mTLS when connecting to extension server, so there is no need for private key today.

Envoy Gateway should make it possible to use client cert authentication towards the extension server.

[optional Relevant Links:]

Any extra documentation required to understand the issue.

[DeeBi9]

Hi @guydc I'd like to work on this issue
I was going through the code base in envoygateway_types.go and I have already started to refactor the ExtensionTLS struct by removing the CertificateRef and adding the:

1. CACertificateRef which refers to ca.crt to verify extension server certificate
2. ClientCertificateRef which contains the tls.crt and tls.key for client certificate

and in extension_manager.go, should we explicitly handle the case where ClientCertificateRef is not provided? Right now the implementation assumes that mutual TLS is optional, but do we need a separate validation check for this?

Thanks

[guydc]

Hi @DeeBi9!

Thanks for picking this up! I assigned you to the issue.
I think that both TLS and MTLS should remain optional, so we should allow for ClientCertificateRef to remain empty.

I propose that you raise an API pull request so that other maintainers and reviewers can chime-in on the API proposal. We can also discuss if we want to deprecate CertificateRef in 1.4 and remove it entirely in 1.5, or if we remove it already in 1.4.

[nareddyt]

Hi @DeeBi9 , are you still working on this? I am happy to pick up this PR if not

[DeeBi9]

Hi @nareddyt, I’m not working on this issue right now.

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days.