Skip to content

TLS fingerprinting enablement #7325

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
gtriggiano wants to merge 3 commits into
base: main
Choose a base branch
from
Open

TLS fingerprinting enablement #7325

gtriggiano wants to merge 3 commits into from

Conversation

@gtriggiano
Copy link

@gtriggiano gtriggiano commented Dec 2, 2025
edited
Loading

Add TLS Fingerprinting Support (JA3/JA4)

Enables TLS fingerprinting in Envoy's TLS Inspector listener filter for security monitoring, analytics, and bot detection. Provides independent control over JA3 and JA4 fingerprinting methods.

Configuration

ContourConfig CRD fields (under spec.envoy.listener.tls):

  • enableJA3Fingerprinting: Enable JA3 fingerprinting (requires Envoy 1.21.0+)
  • enableJA4Fingerprinting: Enable JA4 fingerprinting (requires Envoy 1.35.0+)

Command-line flags:

  • --enable-ja3-fingerprinting: Enable JA3 fingerprinting
  • --enable-ja4-fingerprinting: Enable JA4 fingerprinting

Both settings default to false.

Implements: #7307

@github-actions
Copy link

github-actions bot commented Dec 2, 2025

Hi @gtriggiano! Welcome to our community and thank you for opening your first Pull Request. Someone will review it soon. Thank you for committing to making Contour better. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

@gtriggiano
Enable TLS Fingerprinting
40bf1ce 
This commit modifies the TLS Inspector instantiation to support an optional parameter for enabling JA3/JA4 fingerprinting. The following changes were made:

- Updated the TLS Inspector instantiation across multiple test files to use the new parameter, defaulting to false.
- Introduced a new field `EnableTLSFingerprinting` in the ListenerConfig struct to manage this feature.
- Adjusted the secureProxyProtocol function to accept the new parameter and pass it to the TLS Inspector.
- Updated documentation to reflect the new `enableFingerprinting` option in the API reference.

Signed-off-by: Giacomo Triggiano <[email protected]>
@gtriggiano
refactor: simplify parameters in secureProxyProtocol function
39885d7 
Signed-off-by: Giacomo Triggiano <[email protected]>
@gtriggiano gtriggiano force-pushed the feature/tls-fingerprinting-enablement branch from 6609e06 to 39885d7 Compare December 2, 2025 12:18
@gtriggiano gtriggiano marked this pull request as ready for review December 2, 2025 12:25
@gtriggiano gtriggiano requested a review from a team as a code owner December 2, 2025 12:25
@gtriggiano gtriggiano requested review from sunjayBhatia and tsaarni and removed request for a team December 2, 2025 12:25
@sunjayBhatia sunjayBhatia requested review from a team, clayton-gonsalves and wilsonwu and removed request for a team December 2, 2025 12:25
@gtriggiano gtriggiano mentioned this pull request Dec 2, 2025
Open
@codecov
Copy link

codecov bot commented Dec 3, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 87.50000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.60%. Comparing base (84e88d9) to head (0ba5900).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
cmd/contour/serve.go 50.00% 2 Missing ⚠️
internal/envoy/v3/listener.go 85.71% 0 Missing and 1 partial ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #7325      +/-   ##
==========================================
- Coverage   81.85%   80.60%   -1.25%     
==========================================
  Files         130      130              
  Lines       15747    15791      +44     
==========================================
- Hits        12889    12728     -161     
- Misses       2574     2607      +33     
- Partials      284      456     +172
Files with missing lines Coverage Δ
cmd/contour/servecontext.go 73.91% <100.00%> (-12.72%) ⬇️
internal/contourconfig/contourconfiguration.go 93.54% <100.00%> (-5.15%) ⬇️
internal/xdscache/v3/listener.go 75.67% <100.00%> (-16.26%) ⬇️
internal/envoy/v3/listener.go 85.25% <85.71%> (-12.92%) ⬇️
cmd/contour/serve.go 21.88% <50.00%> (-1.73%) ⬇️
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

tsaarni
tsaarni reviewed Dec 5, 2025
View reviewed changes
cmd/contour/serve.go
Comment on lines +141 to +142
serve.Flag("enable-ja3-fingerprinting", "Enable JA3 fingerprinting in the TLS Inspector filter (requires Envoy 1.21.0+).").BoolVar(&ctx.enableJA3Fingerprinting)
serve.Flag("enable-ja4-fingerprinting", "Enable JA4 fingerprinting in the TLS Inspector filter (requires Envoy 1.35.0+).").BoolVar(&ctx.enableJA4Fingerprinting)
Copy link
Member

@tsaarni tsaarni Dec 5, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @gtriggiano for your contribution!

I haven’t had a chance to look into this topic yet, but one quick note, something you’ve probably noticed yourself also since I saw you added config file and CRD support: we now generally avoid adding new command-line switches unless absolutely necessary, and we prefer using the config file and ContourConfiguration instead. I think we don't need to add command line flags for this one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tsaarni tsaarni tsaarni left review comments

@sunjayBhatia sunjayBhatia Awaiting requested review from sunjayBhatia sunjayBhatia is a code owner automatically assigned from projectcontour/maintainers

@wilsonwu wilsonwu Awaiting requested review from wilsonwu wilsonwu was automatically assigned from projectcontour/contour-reviewers

@clayton-gonsalves clayton-gonsalves Awaiting requested review from clayton-gonsalves clayton-gonsalves was automatically assigned from projectcontour/contour-reviewers

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gtriggiano @tsaarni