filtering mTLS connections based on the subject name from Caller #4081
Conversation
ZetaoZhuang
changed the title
There was a problem hiding this comment.
Pull Request Overview
This PR adds TLS client certificate subject name filtering functionality to the CNS service. It introduces a new configuration field AllowedClientSubjectName that allows filtering TLS connections based on the subject name from the client certificate in mutual TLS connections.
- Added
AllowedClientSubjectNameconfiguration field to control client certificate validation - Implemented custom certificate verification logic using
VerifyPeerCertificatecallback - Updated tests to verify both allowed and disallowed client subject names
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| server/tls/tlscertificate_retriever.go | Added AllowedClientSubjectName field to TlsSettings struct |
| cns/service.go | Implemented verifyPeerCertificate function and integrated it into TLS configurations |
| cns/service/main.go | Wired up the new configuration field from CNS config to TLS settings |
| cns/configuration/configuration.go | Added AllowedClientSubjectName field to CNSConfig struct |
| cns/configuration/configuration_test.go | Updated tests to include the new configuration field |
| cns/configuration/cns_config.json | Added default empty value for the new configuration field |
| cns/service_test.go | Enhanced mutual TLS tests to verify client subject name filtering |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
|
/azp run Azure Container Networking PR |
|
Azure Pipelines successfully started running 1 pipeline(s). |
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
/azp run Azure Container Networking PR |
|
Azure Pipelines successfully started running 1 pipeline(s). |
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
Reason for Change:
filter mTLS connections based on SANs from client cert with the mtls client subject name from cns config. If client subject name does not match with any client cert SAN, then fall back to common name match. This is pre-requisite to isolate CNS in separate infra virtual networks.
Issue Fixed:
Requirements:
Notes: