This document contains manual test steps for PR openbao#2863.
All required files are attached in this gist.
1. Create test certificates.
cat <<EOF >certs.yaml
subject: cn=server-ca
---
subject: cn=client-ca
---
subject: cn=envoy
issuer: cn=server-ca
sans:
- DNS:localhost
---
subject: cn=client, o=example\, inc\;
issuer: cn=client-ca
ext_key_usages:
- ClientAuth
sans:
- DNS:client.example.com
- URI:spiffe://example.com/client
EOF
mkdir -p certs
certyaml -d certs
chmod +r certs/*.pem # make readable for the process in envoy container

For installation instructions for certyaml see here.
2. Start OpenBao
# Listener that Envoy uses as its upstream. Envoy terminates the client mTLS
# connection (the login below targets https://localhost:8443) and passes the
# peer certificate in X-Forwarded-Client-Cert; this hop is plaintext on
# loopback only. Per the option names, only a proxy at 127.0.0.1 is trusted to
# supply the header, and requests lacking it or coming from an unauthorized
# address are rejected. Both "Envoy" and "PEM" header encodings are accepted.
# Quoted delimiter: the HCL body is written literally (no shell expansion).
cat >openbao-config.hcl <<'EOF'
listener "tcp" {
address = "127.0.0.1:18200"
tls_disable = true
x_forwarded_for_reject_not_authorized = true
x_forwarded_for_reject_not_present = true
x_forwarded_for_authorized_addrs = "127.0.0.1"
x_forwarded_for_client_cert_header = "X-Forwarded-Client-Cert"
x_forwarded_for_client_cert_decoders = ["Envoy", "PEM"]
}
EOF
bao server -dev -config=openbao-config.hcl

3. Configure authentication
export BAO_ADDR=http://127.0.0.1:8200
bao auth enable cert
bao write auth/cert/certs/envoy-test \
display_name=envoy-test \
certificate=@certs/client-ca.pem \
token_policies=default

4. Download Envoy configuration file from this gist
curl --output envoy-xfcc.yaml \
https://gist.githubusercontent.com/tsaarni/df84d55f2953707de7f5543f30554b32/raw/b4a090c74ddde477d75d67bc10e150b402853b9c/envoy-xfcc.yaml

Start Envoy within docker, using host networking, and mount the current directory into the container so that it can read the certificates:
docker run --rm \
--network host \
--volume "$PWD:/host:ro" \
--volume "$PWD/envoy-xfcc.yaml:/etc/envoy/envoy.yaml:ro" \
envoyproxy/envoy:v1.37-latest

5. Authenticate by forwarded client certificate in XFCC header
curl --silent \
--cacert certs/server-ca.pem \
--cert certs/client.pem \
--key certs/client-key.pem \
--request POST https://localhost:8443/v1/auth/cert/login | jq .

Optional: To see the header in action you can use wireshark:
wireshark -i lo -f "tcp port 18200" -k -Y http

With the example envoy config that enables all cert details, the header is
x-forwarded-client-cert: Hash=5e71338740504102028950cece8f39b9b7e210c0455a3dcc2dca01311db9ebf3;Cert="-----BEGIN%20CERTIFICATE-----%0AMIIBujCCAV%2BgAwIBAgIIGKXbNaXOu6UwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ%0AY2xpZW50LWNhMB4XDTI2MDQxMzA3NTA1MVoXDTI3MDQxMzA3NTA1MVowKTEWMBQG%0AA1UECgwNZXhhbXBsZSwgaW5jOzEPMA0GA1UEAxMGY2xpZW50MFkwEwYHKoZIzj0C%0AAQYIKoZIzj0DAQcDQgAEuZzIPl6w3hMB6ND9JeXZtkXkn7AtbrM5fVsgB95Mr0ga%0AmplOz%2Biv46SAL6WHrKppxhd00GSsUmxZBftZJAgZmaOBhTCBgjAOBgNVHQ8BAf8E%0ABAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUIvljS43QMTS8%0AM7g9iPgxbKTx6d4wOgYDVR0RBDMwMYISY2xpZW50LmV4YW1wbGUuY29thhtzcGlm%0AZmU6Ly9leGFtcGxlLmNvbS9jbGllbnQwCgYIKoZIzj0EAwIDSQAwRgIhANICYQkr%0AI%2F5D6F%2BUkTyA6RNrKZsTatzGG%2FY5L7K3nMtCAiEAkXhjbmumxl%2BFJc4snyCPu%2F%2FC%0APkit2QRxGZ21mKUEwQA%3D%0A-----END%20CERTIFICATE-----%0A";Chain="-----BEGIN%20CERTIFICATE-----%0AMIIBujCCAV%2BgAwIBAgIIGKXbNaXOu6UwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ%0AY2xpZW50LWNhMB4XDTI2MDQxMzA3NTA1MVoXDTI3MDQxMzA3NTA1MVowKTEWMBQG%0AA1UECgwNZXhhbXBsZSwgaW5jOzEPMA0GA1UEAxMGY2xpZW50MFkwEwYHKoZIzj0C%0AAQYIKoZIzj0DAQcDQgAEuZzIPl6w3hMB6ND9JeXZtkXkn7AtbrM5fVsgB95Mr0ga%0AmplOz%2Biv46SAL6WHrKppxhd00GSsUmxZBftZJAgZmaOBhTCBgjAOBgNVHQ8BAf8E%0ABAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUIvljS43QMTS8%0AM7g9iPgxbKTx6d4wOgYDVR0RBDMwMYISY2xpZW50LmV4YW1wbGUuY29thhtzcGlm%0AZmU6Ly9leGFtcGxlLmNvbS9jbGllbnQwCgYIKoZIzj0EAwIDSQAwRgIhANICYQkr%0AI%2F5D6F%2BUkTyA6RNrKZsTatzGG%2FY5L7K3nMtCAiEAkXhjbmumxl%2BFJc4snyCPu%2F%2FC%0APkit2QRxGZ21mKUEwQA%3D%0A-----END%20CERTIFICATE-----%0A";Subject="CN=client,O=example\, inc\;";URI=spiffe://example.com/client;DNS=client.example.com