feat(auth-proxy): add custom CA and mTLS support#655
Open
Saad Farooq (saad-supports-langchain) wants to merge 1 commit into main from
Conversation
Add customCa for upstream TLS verification with private/internal CAs and mtls for client certificate presentation to upstream services. mTLS requires customCa — the chart fails validation without it because Envoy would send client certificates without verifying the server's identity, which is not mutual authentication.

- Helm helpers for secret mounting, rollout hashing, and Envoy TLS context
- validate.yaml with all-or-nothing field checks and mtls-requires-customCa
- Rollout checksums for automatic pod restart on cert changes
- 19 new unit tests across 4 test files
- README documentation for both features with examples

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Brian Vander Schaaf (bvs-langchain)
approved these changes
Mar 27, 2026
| Use `customCa.secretName` and `customCa.secretKey` to mount a CA bundle that Envoy should trust for outbound HTTPS connections. | ||
| This bundle is applied to every HTTPS peer Envoy validates in this chart: | ||
| - The main upstream cluster defined by `authProxy.upstream` |
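Review bot: the README says the bundle is "applied to every HTTPS peer Envoy validates" and lists "the main upstream cluster defined by authProxy.upstream", but it does not say what happens when authProxy.upstream is a plain-HTTP URL, which is what the inline question "Is upstream always https?" is asking. State explicitly whether setting customCa forces TLS on the upstream cluster, is silently ignored for an http:// upstream, or fails validation. It would also help to say what is verified: this section describes trust in a CA bundle only, so note whether the chart also pins the expected upstream hostname/SAN in the Envoy validation context or whether a certificate from any issuer in the bundle is accepted for the upstream.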
Contributor
Is upstream always https?
| - Provide the full CA bundle Envoy should trust, not just a single private root. If your upstream or JWKS endpoint chains to public roots as well, include those certificates in the bundle. | ||
| - `customCa.secretName` and `customCa.secretKey` must either both be set or both be left empty. | ||
| - Envoy reads the CA bundle from a mounted Secret volume. To make trust changes deterministic, roll the pod when the bundle changes. |
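Review bot: the last bullet tells the operator to "roll the pod when the bundle changes", while the PR description says the chart adds "Rollout checksums for automatic pod restart on cert changes"; the README should say which applies, which is also what the inline question "Isn't pod rolling automatic?" is getting at. If the checksum is computed from chart values (customCa.secretName and customCa.secretKey) rather than from the Secret's contents, an in-place update of an externally managed Secret leaves the hash unchanged and no rollout happens, which is exactly the case this bullet is about; say so, and note that although the kubelet eventually refreshes a mounted Secret volume, a statically configured trusted_ca file is not re-read by Envoy until the process restarts, so the manual roll is required in that case.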
Contributor
Isn't pod rolling automatic?
Summary
- customCa for upstream TLS verification with private/internal CAs (Envoy uses BoringSSL and does not trust the system CA store)
- mtls for client certificate presentation when upstream requires mutual TLS
  - requires customCa — chart fails validation without it, preventing an insecure deployment where Envoy sends client certs without verifying the server's identity
- validate.yaml with all-or-nothing field checks and cross-feature dependency enforcement

Test plan

- helm unittest . — 69 tests passing
- customCa only and verify upstream TLS verification
- customCa + mtls and verify mutual TLS handshake
- helm template fails when mtls is set without customCa
- helm template fails on partial customCa or mtls config

🤖 Generated with Claude Code
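A sketch of how the three pieces listed above (validate.yaml, the rollout checksum, and the Envoy upstream TLS context) fit together, added here as an illustration; it is not the chart's own templates or values. The `customCa.secretName` and `customCa.secretKey` keys and the `authProxy.upstream` value come from this PR; the `mtls.secretName`, `mtls.certKey` and `mtls.keyKey` keys, the `authProxy.upstream.host` field, and the `/etc/envoy/tls/...` mount paths are assumptions made for the example. Each `# ---` section is a separate template file, so the `$ca`/`$mtls` variables are re-declared per file.

```yaml
# Added example, not the chart's code. Assumed keys: mtls.secretName, mtls.certKey,
# mtls.keyKey, authProxy.upstream.host; assumed mount paths under /etc/envoy/tls.

# --- templates/validate.yaml: all-or-nothing field checks, and mtls requires customCa
{{- $ca := .Values.customCa | default dict -}}
{{- $mtls := .Values.mtls | default dict -}}
{{- if or $ca.secretName $ca.secretKey }}
  {{- if not (and $ca.secretName $ca.secretKey) }}
    {{- fail "customCa.secretName and customCa.secretKey must both be set or both be empty" }}
  {{- end }}
{{- end }}
{{- if or $mtls.secretName $mtls.certKey $mtls.keyKey }}
  {{- if not (and $mtls.secretName $mtls.certKey $mtls.keyKey) }}
    {{- fail "mtls.secretName, mtls.certKey and mtls.keyKey must all be set or all be empty" }}
  {{- end }}
  {{- if not $ca.secretName }}
    {{- /* A client cert sent to an unverified server is not mutual authentication. */}}
    {{- fail "mtls requires customCa: set customCa.secretName/secretKey so Envoy verifies the upstream before presenting a client certificate" }}
  {{- end }}
{{- end }}

# --- templates/deployment.yaml (pod template excerpt): restart when the cert reference changes
{{- $ca := .Values.customCa | default dict }}
{{- $mtls := .Values.mtls | default dict }}
metadata:
  annotations:
    {{- if $ca.secretName }}
    # This hashes the *reference*, so editing the Secret in place does not change it.
    # To hash contents at install/upgrade time use
    #   (lookup "v1" "Secret" .Release.Namespace $ca.secretName).data
    # but note that lookup returns an empty map under plain `helm template`.
    checksum/custom-ca: {{ printf "%s/%s" $ca.secretName $ca.secretKey | sha256sum }}
    {{- end }}
spec:
  containers:
    - name: envoy
      volumeMounts:
        {{- if $ca.secretName }}
        - name: custom-ca
          mountPath: /etc/envoy/tls/ca
          readOnly: true
        {{- end }}
        {{- if $mtls.secretName }}
        - name: mtls-client
          mountPath: /etc/envoy/tls/client
          readOnly: true
        {{- end }}
  volumes:
    {{- if $ca.secretName }}
    - name: custom-ca
      secret:
        secretName: {{ $ca.secretName }}
        items:
          - key: {{ $ca.secretKey }}
            path: ca.crt
    {{- end }}
    {{- if $mtls.secretName }}
    - name: mtls-client
      secret:
        secretName: {{ $mtls.secretName }}
        items:
          - key: {{ $mtls.certKey }}
            path: tls.crt
          - key: {{ $mtls.keyKey }}
            path: tls.key
    {{- end }}

# --- templates/configmap.yaml (Envoy upstream cluster excerpt): TLS context
{{- $mtls := .Values.mtls | default dict }}
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: {{ .Values.authProxy.upstream.host }}
        common_tls_context:
          validation_context:
            trusted_ca:
              filename: /etc/envoy/tls/ca/ca.crt
            # trusted_ca alone checks the chain, not the name; pin the expected SAN too,
            # otherwise any leaf issued by a CA in the bundle is accepted for this upstream.
            match_typed_subject_alt_names:
              - san_type: DNS
                matcher:
                  exact: {{ .Values.authProxy.upstream.host }}
          {{- if $mtls.secretName }}
          tls_certificates:
            - certificate_chain:
                filename: /etc/envoy/tls/client/tls.crt
              private_key:
                filename: /etc/envoy/tls/client/tls.key
          {{- end }}
```

The `tls_certificates` block is only ever rendered under an `mtls` condition that validate.yaml has already tied to `customCa`, so there is no path through the templates where Envoy presents a client certificate without a `trusted_ca`. The SAN matcher is the part a CA bundle alone does not give you: with only `trusted_ca`, Envoy verifies that the upstream's chain terminates in the bundle but does not check that the certificate was issued for the host being dialled.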