Implement client-side mTLS support settings

Author: andsens

apis/ingress/v1/pomerium_types.go

@@ -243,6 +243,11 @@ type PomeriumSpec struct {
 	// +optional
 	CASecrets []string `json:"caSecrets"`
 
+	// ClientCASecret is a list of secrets of type Opaque to use for client-side mTLS.
+	// Specify the corresponding CRL with the ca.crl key
+	// +optional
+	ClientCASecrets []string `json:"clientCASecrets"`
+
 	// Secrets references a Secret with Pomerium bootstrap parameters.
 	//
 	// <p>

apis/ingress/v1/zz_generated.deepcopy.go

@@ -76,6 +76,13 @@ spec:
                 items:
                   type: string
                 type: array
+              clientCASecrets:
+                description: Client CAs is a list of secrets of type Opaque to use
+                  for client-side mTLS. Specify the corresponding CRL with the ca.crl
+                  key
+                items:
+                  type: string
+                type: array
               cookie:
                 description: Cookie defines Pomerium session cookie options.
                 properties:

config/crd/bases/ingress.pomerium.io_pomerium.yaml

@@ -111,6 +111,16 @@ func fetchConfigSecrets(ctx context.Context, client client.Client, cfg *model.Co
 			}
 			return nil
 		},
+		func() error {
+			for _, clientCASecret := range s.ClientCASecrets {
+				secret, err := get(clientCASecret)()
+				if err != nil {
+					return fmt.Errorf("ca: %w", err)
+				}
+				cfg.ClientCASecrets = append(cfg.ClientCASecrets, secret)
+			}
+			return nil
+		},
 		func() error {
 			if s.IdentityProvider == nil {
 				return nil

controllers/settings/fetch.go

@@ -45,6 +45,8 @@ const (
 	StorageConnectionStringKey = "connection"
 	// CAKey is certificate authority secret key
 	CAKey = "ca.crt"
+	// CAKey is certificate authority CRL
+	CRLKey = "ca.crl"
 )
 
 // StorageSecrets is a convenience grouping of storage-related secrets
@@ -84,6 +86,8 @@ type Config struct {
 	CASecrets []*corev1.Secret
 	// Certs are fetched certs from settings.Certificates
 	Certs map[types.NamespacedName]*corev1.Secret
+	// ClientCASecrets are fetched certs and crls from settings.ClientCASecrets
+	ClientCASecrets []*corev1.Secret
 	// RequestParams is a secret from Settings.IdentityProvider.RequestParams
 	RequestParams *corev1.Secret
 	// IdpSecret is Settings.IdentityProvider.Secret

model/ingress_config.go

@@ -34,6 +34,7 @@ func applyConfig(ctx context.Context, p *pb.Config, c *model.Config) error {
 
 	opts := []applyOpt{
 		{"ca", applyCertificateAuthority},
+		{"client ca", applyClientCertificate},
 		{"certs", applyCerts},
 		{"authenticate", applyAuthenticate},
 		{"cookie", applyCookie},
@@ -132,6 +133,26 @@ func applyCertificateAuthority(_ context.Context, p *pb.Config, c *model.Config)
 	return nil
 }
 
+func applyClientCertificate(_ context.Context, p *pb.Config, c *model.Config) error {
+	if len(c.ClientCASecrets) == 0 {
+		return nil
+	}
+
+	var crtBuf bytes.Buffer
+	var crlBuf bytes.Buffer
+
+	for _, secret := range c.ClientCASecrets {
+		crtBuf.Write(secret.Data[model.CAKey])
+		crtBuf.WriteRune('\n')
+		crlBuf.Write(secret.Data[model.CRLKey])
+		crlBuf.WriteRune('\n')
+	}
+
+	p.Settings.ClientCa = proto.String(base64.StdEncoding.EncodeToString(crtBuf.Bytes()))
+	p.Settings.ClientCrl = proto.String(base64.StdEncoding.EncodeToString(crlBuf.Bytes()))
+	return nil
+}
+
 func applyCerts(_ context.Context, p *pb.Config, c *model.Config) error {
 	if len(c.Certs) != len(c.Spec.Certificates) {
 		return fmt.Errorf("expected %d cert secrets, only %d was fetched. this is a bug", len(c.Spec.Certificates), len(c.Certs))

pomerium/config.go

@@ -75,6 +75,22 @@ PomeriumSpec defines Pomerium-specific configuration parameters.
             </td>
         </tr>
 
+        <tr>
+            <td>
+                <p>
+                <code>clientCASecrets</code>&#160;&#160;
+
+                    <strong>[]string</strong>&#160;
+
+                </p>
+                <p>
+
+                    Client CAs is a list of secrets of type TLS to use for client-side mTLS. Specify the corresponding CRL with the ca.crl key
+                </p>
+
+            </td>
+        </tr>
+
         <tr>
             <td>
                 <p>