Feature: mtls filters#4044

Merged

szuecs merged 24 commits into

feature/mTLS-filters

Jun 18, 2026

szuecs commented Jun 1, 2026 •

edited

Loading

Member

feature: mtlsSanCIDR(), mtlsSanDNS(), mtlsSanIP(), mtlsSanURI() filters
feature: mtlsIssuerDN() filter
feature: mtlsCN() filter
feature: mtlsAuthn() filter
doc: document mtls authnz filters
doc: mTLS operations guide
test: benchmarks

ref: closing #3295

github-actions Bot added the enhancement label

szuecs force-pushed the feature/mTLS-filters branch from 878795b to d35f4f6 Compare

June 2, 2026 11:32

github-actions Bot added the documentation label

szuecs force-pushed the feature/mTLS-filters branch from e07710c to 144a2b8 Compare

June 2, 2026 20:22

szuecs added the major label

szuecs marked this pull request as ready for review

June 2, 2026 20:23

szuecs mentioned this pull request

Skipper mTLS support #1780

Open

vlktna self-requested a review

June 3, 2026 16:28

shyamz-22 reviewed

View reviewed changes

filters/tls/mtls.go Outdated

vlktna reviewed

View reviewed changes

filters/tls/mtls.go Outdated

shyamz-22 reviewed

View reviewed changes

filters/tls/mtls.go

filters/tls/mtls.go

filters/tls/mtls.go Outdated

MustafaSaber reviewed

View reviewed changes

docs/reference/filters.md

filters/tls/mtls.go

filters/tls/mtls.go

docs/reference/filters.md

szuecs commented Jun 3, 2026

Member Author

Given that auth should be fast, I will also provide 4 more filters for mtlsSAN to have them special, for example if you use SPIFFE/SPIRE, you do not want to check DNS or IP in SAN.

szuecs commented Jun 3, 2026

Member Author

e634e6e has the 4 new filters

szuecs commented Jun 3, 2026 •

edited

Loading

Member Author

Local test without CA loaded, so empty pool it can not validate certs:

% ./bin/skipper -inline-routes='r: * -> mtlsAuthn() -> status(201) -> <shunt>' -address :9002                                                                     feature/mTLS-filters
[APP]INFO[0000] Expose metrics in format: "codahale"
[APP]INFO[0000] enable swarm: false
[APP]INFO[0000] Replacing tee filter specification
[APP]INFO[0000] Replacing teenf filter specification
[APP]INFO[0000] Replacing teeResponse filter specification
[APP]INFO[0000] route settings, reset, route: r: * -> mtlsAuthn() -> status(201) -> <shunt>
[APP]INFO[0000] route settings received, id: 1
[APP]INFO[0000] support listener on :9911
[APP]INFO[0000] route settings applied, id: 1
[APP]INFO[0000] Dataclients are updated once, first load complete
[APP]INFO[0000] Listen on :9002
[APP]INFO[0000] TLS settings not found, defaulting to HTTP
::1 - - [03/Jun/2026:22:10:26 +0200] "GET /foo HTTP/1.1" 401 0 "-" "curl/7.49.0" 0 localhost:9002 - -

client call sent with no cert:

% curl http://localhost:9002/foo -v
*   Trying ::1...
* Connected to localhost (::1) port 9002 (#0)
> GET /foo HTTP/1.1
> Host: localhost:9002
> User-Agent: curl/7.49.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Server: Skipper
< Www-Authenticate: localhost:9002
< Date: Wed, 03 Jun 2026 20:10:26 GMT
< Transfer-Encoding: chunked
<
* Connection #0 to host localhost left intact

We can see good default behaviour and no panic, so integration seems also fine

a4180p reviewed

View reviewed changes

filters/tls/mtls.go Outdated

filters/tls/mtls.go Outdated

filters/tls/mtls.go Outdated

a4180p reviewed

View reviewed changes

config/config.go Outdated

a4180p reviewed

View reviewed changes

config/config.go Outdated

a4180p reviewed

View reviewed changes

filters/tls/mtls.go

a4180p reviewed

View reviewed changes

filters/tls/mtls.go Outdated

MustafaSaber reviewed

View reviewed changes

docs/reference/filters.md Outdated

docs/reference/filters.md Outdated

filters/tls/mtls.go Outdated

szuecs commented Jun 5, 2026

Member Author

@MustafaSaber I can't reply to your message directly so doing it here:
it's fixed

szuecs commented Jun 8, 2026

Member Author

@MustafaSaber fixed your comments

szuecs added 7 commits

June 15, 2026 20:56


          feature: mtlsSAN() filter

52e3d39

feature: mtlsIssuerDN() filter
feature: mtlsCN() filter
feature: mtlsAuthn() filter
doc: document mtls authnz filters

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          fix merge conflict errors

572e245

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          fix: copy audit log flag from spec to filter

8a64118

fix: linter finding in test

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          make sure agents run linter

f8d3d83

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          feature: mtlsSAN() support URI lookup that we need for SPIFFE/SPIRE i…

4e9896c

…ntegration

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          feature: SPIFFE/SPIRE authz filter mtlsSAN()

703720e

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          fix: mtlsAuthn() filter is able to load an *x509.CertPool tht will be…

fd567e9

… used to validate in coming client certificates.

Configuration is able to load system CAs first and append given PEM encoded CA files or we load only given PEM encoded CA files or if nil we load system CAs.

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>

szuecs added 12 commits

June 15, 2026 20:56


          fix: review finding: we should not check issuer but subject of a cert…

c7a6ef4

…, because we care about the identity of the client and not the identity of the CA

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          fix: use only leaf cet to validate mtls authnz filters

850e850

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          fix: no peer certs respond with 401

99e35c4

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          split mtlsSAN() filters into 4 specialized filters mtlsSanCIDR(), mtl…

…sSanDNS(), mtlsSanIP(), mtlsSandURI()

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          fix: config tests

87a03cf

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          fix: tests in proxy, because of the changed behavior of mtlsSAN()

34a7392

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          comment unused

bd5f860

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          fix: use map[] instead of sync.Map

8a9724a

fix: support multiple CA files in config

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          refactor: remove mtlsSAN() and fix all tests and benchmarls related t…

66c4aa1

…o it

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          fix: build

d57aa17

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          doc: fix filter docs

a7561d4

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          fix etcd install for test deps

fee0a26

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>

szuecs force-pushed the feature/mTLS-filters branch from c8db630 to fee0a26 Compare

June 15, 2026 18:56

a4180p commented Jun 16, 2026

Collaborator

👍

MustafaSaber approved these changes

View reviewed changes

shyamz-22 reviewed

View reviewed changes

filters/tls/mtls.go

filters/tls/mtls.go

filters/tls/mtls.go Outdated

filters/tls/mtls.go

szuecs added 2 commits

June 17, 2026 14:24


          feature: handle intermediate CAs

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          test: empty CN is ok for mtlsCN("") filter

9057c2c

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>

shyamz-22 reviewed

View reviewed changes

filters/tls/mtls.go

filters/tls/mtls.go

filters/tls/mtls.go Outdated

skipper.go

szuecs added 3 commits

June 17, 2026 19:05


          doc: add operations docs for mTLS

422770d

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          benchmark passing intermediate to the filter spec (static loading) an…

f9750a2

…d without (dynamic loading)

goos: linux
goarch: amd64
pkg: github.com/zalando/skipper/filters/tls
cpu: AMD Ryzen 7 PRO 4750U with Radeon Graphics
BenchmarkMtlsAuthnCaIntermediateLeaf/with_intermediate            	    5022	    222590 ns/op	    2834 B/op	      58 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/with_intermediate            	    5409	    220001 ns/op	    2832 B/op	      58 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/with_intermediate            	    5341	    219619 ns/op	    2832 B/op	      58 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/with_intermediate-2          	    5449	    221375 ns/op	    2832 B/op	      58 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/with_intermediate-2          	    5460	    199491 ns/op	    2832 B/op	      58 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/with_intermediate-2          	    8589	    138819 ns/op	    2832 B/op	      58 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/with_intermediate-4          	    7521	    133728 ns/op	    2832 B/op	      58 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/with_intermediate-4          	    7918	    133322 ns/op	    2832 B/op	      58 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/with_intermediate-4          	    7702	    134525 ns/op	    2832 B/op	      58 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/with_intermediate-8          	    7489	    134389 ns/op	    2833 B/op	      58 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/with_intermediate-8          	    7936	    134130 ns/op	    2833 B/op	      58 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/with_intermediate-8          	    7844	    136407 ns/op	    2833 B/op	      58 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/with_intermediate-16         	    9087	    133932 ns/op	    2834 B/op	      58 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/with_intermediate-16         	    7815	    134132 ns/op	    2834 B/op	      58 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/with_intermediate-16         	    7556	    135460 ns/op	    2834 B/op	      58 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/without_intermediate         	    7386	    138940 ns/op	    3691 B/op	      68 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/without_intermediate         	    8871	    133471 ns/op	    3688 B/op	      68 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/without_intermediate         	    8928	    133752 ns/op	    3688 B/op	      68 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/without_intermediate-2       	    7479	    134304 ns/op	    3688 B/op	      68 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/without_intermediate-2       	    8996	    133722 ns/op	    3688 B/op	      68 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/without_intermediate-2       	    8937	    134236 ns/op	    3688 B/op	      68 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/without_intermediate-4       	    8936	    134183 ns/op	    3689 B/op	      68 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/without_intermediate-4       	    7634	    134876 ns/op	    3689 B/op	      68 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/without_intermediate-4       	    8473	    135427 ns/op	    3689 B/op	      68 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/without_intermediate-8       	    7560	    137636 ns/op	    3690 B/op	      68 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/without_intermediate-8       	    7602	    137134 ns/op	    3690 B/op	      68 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/without_intermediate-8       	    8935	    135769 ns/op	    3689 B/op	      68 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/without_intermediate-16      	    8604	    135190 ns/op	    3691 B/op	      68 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/without_intermediate-16      	    7954	    135384 ns/op	    3691 B/op	      68 allocs/op
BenchmarkMtlsAuthnCaIntermediateLeaf/without_intermediate-16      	    7665	    135775 ns/op	    3691 B/op	      68 allocs/op
PASS
ok  	github.com/zalando/skipper/filters/tls	33.323s

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>


          drop constraints after reviewing a comment and Go code I think we sho…

24c3a02

…uld not add this

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>

shyamz-22 commented Jun 18, 2026

Collaborator

👍🏽

1 similar comment

szuecs commented Jun 18, 2026

Member Author

👍

szuecs merged commit 9f512f7 into master

17 of 18 checks passed

szuecs deleted the feature/mTLS-filters branch

June 18, 2026 15:12

This was referenced Jun 18, 2026

skipper: Update to version v0.27.7 zalando-incubator/kubernetes-on-aws#11364

Open

skipper-internal: Update to version v0.27.7-1461 zalando-incubator/kubernetes-on-aws#11393

Closed

skipper-internal: Update to version v0.27.7-1461 zalando-incubator/kubernetes-on-aws#11456

Merged

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation enhancement major