From f09bcc929990531d3f567a681c6b3570114a1000 Mon Sep 17 00:00:00 2001
From: Clay Kauzlaric
Date: Fri, 8 Dec 2023 13:20:29 -0500
Subject: [PATCH] set upstream tls for extension and dnsname clusters
Signed-off-by: Clay Kauzlaric
---
 cmd/contour/serve.go | 1 +
 internal/dag/extension_processor.go | 5 +++++
 internal/dag/httpproxy_processor.go | 1 +
 3 files changed, 7 insertions(+)
diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go
index 735a7a2376e..825dff7457b 100644
--- a/cmd/contour/serve.go
+++ b/cmd/contour/serve.go
@@ -1200,6 +1200,7 @@ func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder {
 FieldLogger: s.log.WithField("context", "ExtensionServiceProcessor"),
 ClientCertificate: dbc.clientCert,
 ConnectTimeout: dbc.connectTimeout,
+ UpstreamTLS: dbc.upstreamTLS,
 },
 &dag.HTTPProxyProcessor{
 EnableExternalNameService: dbc.enableExternalNameService,
diff --git a/internal/dag/extension_processor.go b/internal/dag/extension_processor.go
index f8ae3df1abd..ef4b741ce2d 100644
--- a/internal/dag/extension_processor.go
+++ b/internal/dag/extension_processor.go
@@ -39,6 +39,10 @@ type ExtensionServiceProcessor struct {
 // ConnectTimeout defines how long the proxy should wait when establishing connection to upstream service.
 ConnectTimeout time.Duration
+
+ // UpstreamTLS defines the TLS settings like min/max version
+ // and cipher suites for upstream connections.
+ UpstreamTLS *contour_api_v1alpha1.EnvoyTLS
 }
 var _ Processor = &ExtensionServiceProcessor{}
@@ -114,6 +118,7 @@ func (p *ExtensionServiceProcessor) buildExtensionService(
 ClusterTimeoutPolicy: ctp,
 SNI: "",
 ClientCertificate: clientCertSecret,
+ UpstreamTLS: (*UpstreamTLS)(p.UpstreamTLS),
 }
 lbPolicy := loadBalancerPolicy(ext.Spec.LoadBalancerPolicy)
diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go
index 635cdb4b1c3..d3357aa843e 100644
--- a/internal/dag/httpproxy_processor.go
+++ b/internal/dag/httpproxy_processor.go
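Review bot: The new doc comment on `UpstreamTLS` in ExtensionServiceProcessor does not say what a nil pointer means, and nil is the value any caller that does not wire the field will pass. Since buildExtensionService converts it with `(*UpstreamTLS)(p.UpstreamTLS)`, a nil here becomes a nil cluster setting; a third comment line such as `// A nil value leaves the cluster's upstream TLS settings unset.` would make that explicit. The struct definition continues outside the hunk.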
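Review bot: `UpstreamTLS: (*UpstreamTLS)(p.UpstreamTLS)` in buildExtensionService shares the pointee with the processor's configuration rather than copying it, and the same conversion appears in computeHTTPProxy in internal/dag/httpproxy_processor.go. If any later stage of cluster or Envoy config building writes through the *UpstreamTLS (I can't tell from these hunks whether anything does), the write lands in the long-lived processor config and carries into every later DAG build; if the intent is read-only sharing, a one-line comment at both sites saying so would save the next reader the same question. The patch also changes no test files (the diffstat lists only the three source files), so a builder test asserting that an extension-service cluster and a DNS-name cluster carry the configured UpstreamTLS would pin the new wiring. buildExtensionService starts and ends outside the hunk.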
@@ -493,6 +493,7 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_api_v1.HTTPProxy) {
 Port: port,
 DNSLookupFamily: dnsLookupFamily,
 UpstreamValidation: uv,
+ UpstreamTLS: (*UpstreamTLS)(p.UpstreamTLS),
 },
 CacheDuration: cacheDuration,
 },