Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

allow configuration of upstream TLS connection settings #5828

Merged
merged 35 commits into from
Dec 20, 2023
Merged
Show file tree
Hide file tree
Changes from 29 commits
Commits
Show all changes
35 commits
Select commit Hold shift + click to select a range
5077619
add config options for min max tls version on upstream connections
KauzClay Oct 12, 2023
4334900
add changelog
KauzClay Oct 13, 2023
9c388ea
internal: default empty when upstreamTLS not set
KauzClay Oct 13, 2023
c4837cd
internal: refactor addition of upstreamTLS to commonTlsContext
KauzClay Oct 13, 2023
1c467d3
internal: return nil in cluster if upstreamTLS is nil
KauzClay Oct 13, 2023
7c03d37
test: update default value with empty upstreamtls
KauzClay Oct 13, 2023
2c070df
internal: add test for changing upstreamTLS config
KauzClay Oct 13, 2023
9667fb1
improve test coverage
KauzClay Oct 13, 2023
3544aae
update changelog
KauzClay Oct 23, 2023
8f607a4
use upstreamtls config in extension and dns clusters
KauzClay Oct 23, 2023
89206ad
sanitize cipher suites
KauzClay Oct 23, 2023
3a78791
update configuration docs
KauzClay Oct 23, 2023
95bdc52
fix typo in configuration doc
KauzClay Oct 23, 2023
4f3f8c5
add backend tls protocol version e2e test
KauzClay Nov 15, 2023
f532ff5
run backend tls protocol version in httpproxy e2e tests
KauzClay Nov 15, 2023
b47cafe
remove unecessary optional tag
KauzClay Nov 15, 2023
b84aef0
change variable name to please linter
KauzClay Nov 15, 2023
7edfb8d
use correct field for tls version
KauzClay Nov 15, 2023
12c91ff
split tls version test into separaten namespaced test
KauzClay Nov 15, 2023
b593a20
use correct string to configure tls version
KauzClay Nov 15, 2023
cdad7ae
set test configs correctly
KauzClay Nov 16, 2023
c20f67d
make sure cluster parameters defaults don't get overwritten
KauzClay Nov 16, 2023
ccd8b46
add dnslookup family to configmap case
KauzClay Nov 16, 2023
381f66f
Update apis/projectcontour/v1alpha1/contourconfig.go
KauzClay Dec 8, 2023
2177ee7
set upstream tls for extension and dnsname clusters
KauzClay Dec 8, 2023
de87dce
address nits in changelog
KauzClay Dec 14, 2023
edc6550
use casting instead of helper function
KauzClay Dec 14, 2023
1baae55
config: break tls protocol params into own struct
KauzClay Dec 14, 2023
c5230ab
test: combine contexts
KauzClay Dec 14, 2023
c9b4c92
config: embed protocolparameters into tlsconfig
KauzClay Dec 14, 2023
7719cd3
feed upstream tls into ingress and gatewayapi processors
KauzClay Dec 15, 2023
732d47d
test: add featuretest for upstream tls
KauzClay Dec 15, 2023
7d64501
don't use upstreamTLS in gatewayAPI processor
KauzClay Dec 15, 2023
5e3f18e
featuretest: add case for ingress in upstreamtls test
KauzClay Dec 15, 2023
c7dddae
use dag upstreamtls struct in processors
KauzClay Dec 20, 2023
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions apis/projectcontour/v1alpha1/contourconfig.go
Original file line number Diff line number Diff line change
Expand Up @@ -688,6 +688,11 @@ type ClusterParameters struct {
// +kubebuilder:validation:Minimum=1
// +optional
PerConnectionBufferLimitBytes *uint32 `json:"per-connection-buffer-limit-bytes,omitempty"`

// UpstreamTLS contains the TLS policy parameters for upstream connections
//
// +optional
UpstreamTLS *EnvoyTLS `json:"upstreamTLS,omitempty"`
}

// HTTPProxyConfig defines parameters on HTTPProxy.
Expand Down
5 changes: 5 additions & 0 deletions apis/projectcontour/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 8 additions & 0 deletions changelogs/unreleased/5828-KauzClay-minor.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
## Allow Configuration of Upstream TLS Options

In a similar way to how Contour users can configure Min/Max TLS version and
Cipher Suites for Envoy's listeners, this change allows users to specify the
same information for upstream connections. In the ContourConfiguration, this is
available under `spec.envoy.cluster.upstreamTLS`. The equivalent config file
parameter is `cluster.upstream-tls` .This change also defaults the Max TLS
version for upstream connections to 1.3, instead of the Envoy default of 1.2.
8 changes: 8 additions & 0 deletions cmd/contour/serve.go
Original file line number Diff line number Diff line change
Expand Up @@ -560,6 +560,11 @@
globalRateLimitService: contourConfiguration.RateLimitService,
maxRequestsPerConnection: contourConfiguration.Envoy.Cluster.MaxRequestsPerConnection,
perConnectionBufferLimitBytes: contourConfiguration.Envoy.Cluster.PerConnectionBufferLimitBytes,
upstreamTLS: &contour_api_v1alpha1.EnvoyTLS{
MinimumProtocolVersion: annotation.TLSVersion(contourConfiguration.Envoy.Cluster.UpstreamTLS.MinimumProtocolVersion, "1.2"),
MaximumProtocolVersion: annotation.TLSVersion(contourConfiguration.Envoy.Cluster.UpstreamTLS.MaximumProtocolVersion, "1.3"),
CipherSuites: contourConfiguration.Envoy.Cluster.UpstreamTLS.SanitizedCipherSuites(),
},

Check warning on line 567 in cmd/contour/serve.go

View check run for this annotation

Codecov / codecov/patch

cmd/contour/serve.go#L563-L567

Added lines #L563 - L567 were not covered by tests
skriss marked this conversation as resolved.
Show resolved Hide resolved
})

// Build the core Kubernetes event handler.
Expand Down Expand Up @@ -1117,6 +1122,7 @@
maxRequestsPerConnection *uint32
perConnectionBufferLimitBytes *uint32
globalRateLimitService *contour_api_v1alpha1.RateLimitServiceConfig
upstreamTLS *contour_api_v1alpha1.EnvoyTLS
}

func (s *Server) getDAGBuilder(dbc dagBuilderConfig) *dag.Builder {
Expand Down Expand Up @@ -1194,6 +1200,7 @@
FieldLogger: s.log.WithField("context", "ExtensionServiceProcessor"),
ClientCertificate: dbc.clientCert,
ConnectTimeout: dbc.connectTimeout,
UpstreamTLS: dbc.upstreamTLS,
skriss marked this conversation as resolved.
Show resolved Hide resolved
},
&dag.HTTPProxyProcessor{
EnableExternalNameService: dbc.enableExternalNameService,
Expand All @@ -1209,6 +1216,7 @@
GlobalRateLimitService: dbc.globalRateLimitService,
PerConnectionBufferLimitBytes: dbc.perConnectionBufferLimitBytes,
SetSourceMetadataOnRoutes: true,
UpstreamTLS: dbc.upstreamTLS,
},
}

Expand Down
11 changes: 8 additions & 3 deletions cmd/contour/servecontext.go
Original file line number Diff line number Diff line change
Expand Up @@ -307,7 +307,7 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha
}

var cipherSuites []string
for _, suite := range ctx.Config.TLS.CipherSuites {
for _, suite := range ctx.Config.TLS.ProtocolParameters.CipherSuites {
cipherSuites = append(cipherSuites, suite)
}

Expand Down Expand Up @@ -531,8 +531,8 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha
MaxRequestsPerIOCycle: ctx.Config.Listener.MaxRequestsPerIOCycle,
HTTP2MaxConcurrentStreams: ctx.Config.Listener.HTTP2MaxConcurrentStreams,
TLS: &contour_api_v1alpha1.EnvoyTLS{
MinimumProtocolVersion: ctx.Config.TLS.MinimumProtocolVersion,
MaximumProtocolVersion: ctx.Config.TLS.MaximumProtocolVersion,
MinimumProtocolVersion: ctx.Config.TLS.ProtocolParameters.MinimumProtocolVersion,
MaximumProtocolVersion: ctx.Config.TLS.ProtocolParameters.MaximumProtocolVersion,
CipherSuites: cipherSuites,
},
SocketOptions: &contour_api_v1alpha1.SocketOptions{
Expand Down Expand Up @@ -572,6 +572,11 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha
DNSLookupFamily: dnsLookupFamily,
MaxRequestsPerConnection: ctx.Config.Cluster.MaxRequestsPerConnection,
PerConnectionBufferLimitBytes: ctx.Config.Cluster.PerConnectionBufferLimitBytes,
UpstreamTLS: &contour_api_v1alpha1.EnvoyTLS{
MinimumProtocolVersion: ctx.Config.Cluster.UpstreamTLS.MinimumProtocolVersion,
MaximumProtocolVersion: ctx.Config.Cluster.UpstreamTLS.MaximumProtocolVersion,
CipherSuites: ctx.Config.Cluster.UpstreamTLS.CipherSuites,
},
},
Network: &contour_api_v1alpha1.NetworkParameters{
XffNumTrustedHops: &ctx.Config.Network.XffNumTrustedHops,
Expand Down
4 changes: 4 additions & 0 deletions cmd/contour/servecontext_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -474,6 +474,10 @@ func TestConvertServeContext(t *testing.T) {
},
Cluster: &contour_api_v1alpha1.ClusterParameters{
DNSLookupFamily: contour_api_v1alpha1.AutoClusterDNSFamily,
UpstreamTLS: &contour_api_v1alpha1.EnvoyTLS{
MinimumProtocolVersion: "",
MaximumProtocolVersion: "",
},
},
Network: &contour_api_v1alpha1.NetworkParameters{
EnvoyAdminPort: ref.To(9001),
Expand Down
88 changes: 88 additions & 0 deletions examples/contour/01-crds.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,48 @@ spec:
format: int32
minimum: 1
type: integer
upstreamTLS:
description: UpstreamTLS contains the TLS policy parameters
for upstream connections
properties:
cipherSuites:
description: "CipherSuites defines the TLS ciphers to
be supported by Envoy TLS listeners when negotiating
TLS 1.2. Ciphers are validated against the set that
Envoy supports by default. This parameter should only
be used by advanced users. Note that these will be ignored
when TLS 1.3 is in use. \n This field is optional; when
it is undefined, a Contour-managed ciphersuite list
will be used, which may be updated to keep it secure.
\n Contour's default list is: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\"
\n Ciphers provided are validated against the following
list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\"
- \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\"
- \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\"
- \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\"
- \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\" -
\"AES256-SHA\" \n Contour recommends leaving this undefined
unless you are sure you must. \n See: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
Note: This list is a superset of what is valid for stock
Envoy builds and those using BoringSSL FIPS."
items:
type: string
type: array
maximumProtocolVersion:
description: "MaximumProtocolVersion is the maximum TLS
version this vhost should negotiate. \n Values: `1.2`,
`1.3`(default). \n Other values will produce an error."
type: string
minimumProtocolVersion:
description: "MinimumProtocolVersion is the minimum TLS
version this vhost should negotiate. \n Values: `1.2`
(default), `1.3`. \n Other values will produce an error."
type: string
type: object
type: object
defaultHTTPVersions:
description: "DefaultHTTPVersions defines the default set of HTTPS
Expand Down Expand Up @@ -3579,6 +3621,52 @@ spec:
format: int32
minimum: 1
type: integer
upstreamTLS:
description: UpstreamTLS contains the TLS policy parameters
for upstream connections
properties:
cipherSuites:
description: "CipherSuites defines the TLS ciphers
to be supported by Envoy TLS listeners when negotiating
TLS 1.2. Ciphers are validated against the set that
Envoy supports by default. This parameter should
only be used by advanced users. Note that these
will be ignored when TLS 1.3 is in use. \n This
field is optional; when it is undefined, a Contour-managed
ciphersuite list will be used, which may be updated
to keep it secure. \n Contour's default list is:
- \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- \"ECDHE-ECDSA-AES256-GCM-SHA384\" - \"ECDHE-RSA-AES256-GCM-SHA384\"
\n Ciphers provided are validated against the following
list: - \"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]\"
- \"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]\"
- \"ECDHE-ECDSA-AES128-GCM-SHA256\" - \"ECDHE-RSA-AES128-GCM-SHA256\"
- \"ECDHE-ECDSA-AES128-SHA\" - \"ECDHE-RSA-AES128-SHA\"
- \"AES128-GCM-SHA256\" - \"AES128-SHA\" - \"ECDHE-ECDSA-AES256-GCM-SHA384\"
- \"ECDHE-RSA-AES256-GCM-SHA384\" - \"ECDHE-ECDSA-AES256-SHA\"
- \"ECDHE-RSA-AES256-SHA\" - \"AES256-GCM-SHA384\"
- \"AES256-SHA\" \n Contour recommends leaving this
undefined unless you are sure you must. \n See:
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters
Note: This list is a superset of what is valid for
stock Envoy builds and those using BoringSSL FIPS."
items:
type: string
type: array
maximumProtocolVersion:
description: "MaximumProtocolVersion is the maximum
TLS version this vhost should negotiate. \n Values:
`1.2`, `1.3`(default). \n Other values will produce
an error."
type: string
minimumProtocolVersion:
description: "MinimumProtocolVersion is the minimum
TLS version this vhost should negotiate. \n Values:
`1.2` (default), `1.3`. \n Other values will produce
an error."
type: string
type: object
type: object
defaultHTTPVersions:
description: "DefaultHTTPVersions defines the default set
Expand Down
Loading