Skip to content

feat: add proxy client certificate support #463

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
scotwells merged 1 commit into from
Dec 23, 2025
Merged

feat: add proxy client certificate support #463

scotwells merged 1 commit into from
Dec 23, 2025

Conversation

@scotwells
Copy link
Contributor

@scotwells scotwells commented Dec 23, 2025

Summary

Add --proxy-client-cert-file and --proxy-client-key-file flags to enable mTLS authentication when proxying requests to aggregated API servers.

This allows aggregated API servers to trust authentication headers (X-Remote-User, X-Remote-Group, etc.) forwarded by Milo, resolving system:anonymous user issues.

Detail

As I was working through deploying the activity-apiserver as an aggregated API on Milo's platform, I ran into issues where the activity apiserver was receiving requests with the system:anonymous user instead of the end-user I was authenticating as.

I was able to trace this down to being caused by Milo not having a proxy client certificate issued that it uses to communicate with aggregated apiservers.

Causes https://github.com/datum-cloud/engineering/issues/90#issuecomment-3687933423

@scotwells
feat: add proxy client certificate support
74de18c 
Add --proxy-client-cert-file and --proxy-client-key-file flags to enable
mTLS authentication when proxying requests to aggregated API servers.

This allows aggregated API servers to trust authentication headers
(X-Remote-User, X-Remote-Group, etc.) forwarded by Milo, resolving
system:anonymous user issues.
@joggrbot
Copy link
Contributor

joggrbot bot commented Dec 23, 2025
edited
Loading

📝 Documentation Analysis

All docs are up to date! 🎉

✅ Latest commit analyzed: 74de18c | Powered by Joggr

@scotwells scotwells merged commit 7280d5f into main Dec 23, 2025
6 of 7 checks passed
@scotwells scotwells deleted the feat/configure-proxy-client-certificate branch December 23, 2025 22:01
zachsmith1
zachsmith1 approved these changes Dec 23, 2025
View reviewed changes
Copy link
Contributor

@zachsmith1 zachsmith1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this affect the identity sessions aggregated api server? I thought we ran into this issue back when that work was done

@scotwells
Copy link
Contributor Author

scotwells commented Dec 23, 2025

@zachsmith1 no, that's configured separately.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ecv ecv ecv approved these changes

@zachsmith1 zachsmith1 zachsmith1 approved these changes

@JoseSzycho JoseSzycho JoseSzycho approved these changes

@drewr drewr Awaiting requested review from drewr

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@scotwells @ecv @zachsmith1 @JoseSzycho