
add config options for min max tls version on upstream connections
Signed-off-by: Clay Kauzlaric <[email protected]>
KauzClay committed Oct 13, 2023
1 parent d09bba1 commit ef36ebd
Showing 26 changed files with 610 additions and 29 deletions.
5 changes: 5 additions & 0 deletions apis/projectcontour/v1alpha1/contourconfig.go
Expand Up @@ -656,6 +656,11 @@ type ClusterParameters struct {
// +kubebuilder:validation:Minimum=1
// +optional
PerConnectionBufferLimitBytes *uint32 `json:"per-connection-buffer-limit-bytes,omitempty"`

// UpstreamTLS contains the TLS policy parameters for upstream connections
//
// +optional
UpstreamTLS *EnvoyTLS `json:"upstream-tls,omitempty"`
}

// HTTPProxyConfig defines parameters on HTTPProxy.
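Review bot: The new `UpstreamTLS` field reuses the `EnvoyTLS` type, whose field documentation (as rendered into the CRDs in this same commit) speaks of "Envoy TLS listeners" and "the TLS version this vhost should negotiate", which is misleading for a setting that governs the TLS connections Envoy itself opens to upstream services. Since those generated descriptions cannot be fixed here without a dedicated type, the field comment on `UpstreamTLS` should carry the correct semantics and the effective defaults so operators reading the ContourConfiguration CRD are not steered wrong. Something like `// UpstreamTLS contains the TLS policy parameters for upstream connections.` followed by `// Unlike the listener settings, these apply to connections Envoy initiates to` and `// services: min/max protocol version and the TLS 1.2 cipher list; unset uses Contour's defaults.` would do. Lowering the upstream minimum version or widening the cipher list weakens the cluster's east-west TLS posture, so a sentence noting that the defaults are the recommended setting is worth adding as well. The enclosing `ClusterParameters` struct starts outside this hunk.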
5 changes: 5 additions & 0 deletions apis/projectcontour/v1alpha1/zz_generated.deepcopy.go


3 changes: 3 additions & 0 deletions cmd/contour/serve.go
Expand Up @@ -537,6 +537,7 @@ func (s *Server) doServe() error {
globalRateLimitService: contourConfiguration.RateLimitService,
maxRequestsPerConnection: contourConfiguration.Envoy.Cluster.MaxRequestsPerConnection,
perConnectionBufferLimitBytes: contourConfiguration.Envoy.Cluster.PerConnectionBufferLimitBytes,
upstreamTLS: contourConfiguration.Envoy.Cluster.UpstreamTLS,
})

// Build the core Kubernetes event handler.
Expand Down Expand Up @@ -1082,6 +1083,7 @@ type dagBuilderConfig struct {
maxRequestsPerConnection *uint32
perConnectionBufferLimitBytes *uint32
globalRateLimitService *contour_api_v1alpha1.RateLimitServiceConfig
upstreamTLS *contour_api_v1alpha1.EnvoyTLS
}

func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder {
Expand Down Expand Up @@ -1174,6 +1176,7 @@ func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder {
GlobalRateLimitService: dbc.globalRateLimitService,
PerConnectionBufferLimitBytes: dbc.perConnectionBufferLimitBytes,
SetSourceMetadataOnRoutes: true,
UpstreamTLS: dbc.upstreamTLS,
},
}

5 changes: 5 additions & 0 deletions cmd/contour/servecontext.go
Expand Up @@ -570,6 +570,11 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha
DNSLookupFamily: dnsLookupFamily,
MaxRequestsPerConnection: ctx.Config.Cluster.MaxRequestsPerConnection,
PerConnectionBufferLimitBytes: ctx.Config.Cluster.PerConnectionBufferLimitBytes,
UpstreamTLS: &contour_api_v1alpha1.EnvoyTLS{
MinimumProtocolVersion: ctx.Config.Cluster.UpstreamTLS.MinimumProtocolVersion,
MaximumProtocolVersion: ctx.Config.Cluster.UpstreamTLS.MaximumProtocolVersion,
CipherSuites: ctx.Config.Cluster.UpstreamTLS.CipherSuites,
},
},
Network: &contour_api_v1alpha1.NetworkParameters{
XffNumTrustedHops: &ctx.Config.Network.XffNumTrustedHops,
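Review bot: The conversion at `UpstreamTLS: &contour_api_v1alpha1.EnvoyTLS{...}` always yields a non-nil struct, even when the config file has no upstream-tls section, so the config-file path hands the DAG builder zero-value `MinimumProtocolVersion`/`MaximumProtocolVersion` and a nil `CipherSuites`, whereas the ContourConfiguration CRD path leaves `UpstreamTLS` nil (it is marked `+optional` in this commit). The consumer, which is not in this diff, must therefore treat nil, empty-string versions and an empty cipher list all as "use Contour's defaults", or a config-file deployment could end up with an unset protocol bound or an empty cipher list on upstream connections. Consider populating the struct only when at least one of the three fields is set, and adding a test asserting that both configuration paths produce identical Envoy upstream TLS parameters. If `ctx.Config.Cluster.UpstreamTLS` is a pointer in the file-config type rather than a value, the unconditional field access here also needs a nil guard; I cannot tell from this hunk. `convertToContourConfigurationSpec` starts and ends outside the hunk.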
88 changes: 88 additions & 0 deletions examples/contour/01-crds.yaml
Expand Up @@ -111,6 +111,48 @@ spec:
format: int32
minimum: 1
type: integer
upstream-tls:
description: UpstreamTLS contains the TLS policy parameters
for upstream connections
properties:
cipherSuites:
description: "CipherSuites defines the TLS ciphers to
be supported by Envoy TLS listeners when negotiating
TLS 1.2. Ciphers are validated against the set that
Envoy supports by default. This parameter should only
be used by advanced users. Note that these will be ignored
when TLS 1.3 is in use. \n This field is optional; when
it is undefined, a Contour-managed ciphersuite list
will be used, which may be updated to keep it secure.
\n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\"
\n Ciphers provided are validated against the following
list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\"
- \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\"
- \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\"
- \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\"
- \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" -
\"AES256-SHA\" \n Contour recommends leaving this undefined
unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
Note: This list is a superset of what is valid for stock
Envoy builds and those using BoringSSL FIPS."
items:
type: string
type: array
maximumProtocolVersion:
description: "MaximumProtocolVersion is the maximum TLS
version this vhost should negotiate. \n Values: `1.2`,
`1.3`(default). \n Other values will produce an error."
type: string
minimumProtocolVersion:
description: "MinimumProtocolVersion is the minimum TLS
version this vhost should negotiate. \n Values: `1.2`
(default), `1.3`. \n Other values will produce an error."
type: string
type: object
type: object
defaultHTTPVersions:
description: "DefaultHTTPVersions defines the default set of HTTPS
Expand Down Expand Up @@ -3547,6 +3589,52 @@ spec:
format: int32
minimum: 1
type: integer
upstream-tls:
description: UpstreamTLS contains the TLS policy parameters
for upstream connections
properties:
cipherSuites:
description: "CipherSuites defines the TLS ciphers
to be supported by Envoy TLS listeners when negotiating
TLS 1.2. Ciphers are validated against the set that
Envoy supports by default. This parameter should
only be used by advanced users. Note that these
will be ignored when TLS 1.3 is in use. \n This
field is optional; when it is undefined, a Contour-managed
ciphersuite list will be used, which may be updated
to keep it secure. \n Contour's default list is:
- \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\"
\n Ciphers provided are validated against the following
list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\"
- \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\"
- \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\"
- \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\"
- \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\"
- \"AES256-SHA\" \n Contour recommends leaving this
undefined unless you are sure you must. \n See:
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
Note: This list is a superset of what is valid for
stock Envoy builds and those using BoringSSL FIPS."
items:
type: string
type: array
maximumProtocolVersion:
description: "MaximumProtocolVersion is the maximum
TLS version this vhost should negotiate. \n Values:
`1.2`, `1.3`(default). \n Other values will produce
an error."
type: string
minimumProtocolVersion:
description: "MinimumProtocolVersion is the minimum
TLS version this vhost should negotiate. \n Values:
`1.2` (default), `1.3`. \n Other values will produce
an error."
type: string
type: object
type: object
defaultHTTPVersions:
description: "DefaultHTTPVersions defines the default set
88 changes: 88 additions & 0 deletions examples/render/contour-deployment.yaml
Expand Up @@ -330,6 +330,48 @@ spec:
format: int32
minimum: 1
type: integer
upstream-tls:
description: UpstreamTLS contains the TLS policy parameters
for upstream connections
properties:
cipherSuites:
description: "CipherSuites defines the TLS ciphers to
be supported by Envoy TLS listeners when negotiating
TLS 1.2. Ciphers are validated against the set that
Envoy supports by default. This parameter should only
be used by advanced users. Note that these will be ignored
when TLS 1.3 is in use. \n This field is optional; when
it is undefined, a Contour-managed ciphersuite list
will be used, which may be updated to keep it secure.
\n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\"
\n Ciphers provided are validated against the following
list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\"
- \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\"
- \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\"
- \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\"
- \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" -
\"AES256-SHA\" \n Contour recommends leaving this undefined
unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
Note: This list is a superset of what is valid for stock
Envoy builds and those using BoringSSL FIPS."
items:
type: string
type: array
maximumProtocolVersion:
description: "MaximumProtocolVersion is the maximum TLS
version this vhost should negotiate. \n Values: `1.2`,
`1.3`(default). \n Other values will produce an error."
type: string
minimumProtocolVersion:
description: "MinimumProtocolVersion is the minimum TLS
version this vhost should negotiate. \n Values: `1.2`
(default), `1.3`. \n Other values will produce an error."
type: string
type: object
type: object
defaultHTTPVersions:
description: "DefaultHTTPVersions defines the default set of HTTPS
Expand Down Expand Up @@ -3766,6 +3808,52 @@ spec:
format: int32
minimum: 1
type: integer
upstream-tls:
description: UpstreamTLS contains the TLS policy parameters
for upstream connections
properties:
cipherSuites:
description: "CipherSuites defines the TLS ciphers
to be supported by Envoy TLS listeners when negotiating
TLS 1.2. Ciphers are validated against the set that
Envoy supports by default. This parameter should
only be used by advanced users. Note that these
will be ignored when TLS 1.3 is in use. \n This
field is optional; when it is undefined, a Contour-managed
ciphersuite list will be used, which may be updated
to keep it secure. \n Contour's default list is:
- \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\"
\n Ciphers provided are validated against the following
list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\"
- \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\"
- \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\"
- \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\"
- \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\"
- \"AES256-SHA\" \n Contour recommends leaving this
undefined unless you are sure you must. \n See:
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
Note: This list is a superset of what is valid for
stock Envoy builds and those using BoringSSL FIPS."
items:
type: string
type: array
maximumProtocolVersion:
description: "MaximumProtocolVersion is the maximum
TLS version this vhost should negotiate. \n Values:
`1.2`, `1.3`(default). \n Other values will produce
an error."
type: string
minimumProtocolVersion:
description: "MinimumProtocolVersion is the minimum
TLS version this vhost should negotiate. \n Values:
`1.2` (default), `1.3`. \n Other values will produce
an error."
type: string
type: object
type: object
defaultHTTPVersions:
description: "DefaultHTTPVersions defines the default set
