-
Notifications
You must be signed in to change notification settings - Fork 682
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix Host support choosing cleartext or TLS #2279
Conversation
Ambassador 1.1.1 prep
…xts _and_ no Hosts (and we're running in Edge Stack)
… TLS: just look at whether there's a secret.
…f no other '*' is present.
if not os.environ.get('AMBASSADOR_NO_TLS_REDIRECT', None): | ||
new_ctx['redirect_cleartext_from'] = 8080 | ||
# if not os.environ.get('AMBASSADOR_NO_TLS_REDIRECT', None): | ||
# new_ctx['redirect_cleartext_from'] = 8080 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What was that ever for? Just as a hack for KAT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Many of the KAT tests did a poor job of handling the automagic redirect on 8080 that used to be there. This was a crutch that I expect to be deleting shortly (I have to do a full test run to make sure it's really no longer used).
I'm having a hard time understanding what's going on in a63b529. Perhaps it will make more sense after I put some food in me. |
An important note for a63b529 is that |
… a `VHost` that's already present.
Fix Host support choosing cleartext or TLS
Fix Host support choosing cleartext or TLS (cherry picked from commit fd2c0e4)
CHANGELOG: Properly support using a
Host
to specify cleartext or non-ACME TLS.CHANGELOG: Be more forgiving about mismatched SNI connections.
This is probably best reviewable commit-by-commit. There are several small changes here that add up to substantial effects:
(commit abf295f) Edge Stack was creating the fallback
TLSContext
whenever no termination contexts were present, irrespective of what anyHost
s said. If you think this through you'll realize that it means that there would always be a termination context present, preventing running a cleartext-only Edge Stack.We now only create the fallback context if there are no termination contexts and no
Host
s, which is to say, when Edge Stack is running basically unconfigured. If aHost
is present that says to run cleartext, it will be honored.(commit 2182353) Don't look at the
acmeProvider
when deciding whether or not to enable TLS termination for aHost
-- instead, only look at whether atlsSecret
is present. The effect here is that if you sayacmeProvider.authority: none
but manually provide atlsSecret
, you'll still get TLS termination.(When Edge Stack ACME is in use, the ACME client will fill in the
tlsSecret
for you if you don't set it, so there will always be atlsSecret
if termination should happen. If you do set atlsSecret
with Edge Stack ACME in use, the ACME client will happily use the secret name you provide.)(commits cd50960 and a63b529) Rationalize Envoy
VHost
entries such that we'll always have aVHost
for*
. If the configuration specifies aHost
withhostname: "*"
, we'll use that -- otherwise, grab the firstVHost
entry and make it havehostname: "*"
.This seems odd, but is probably the least surprising thing to do: if you connect to a port and offer a strange SNI domain, it's probably less surprising to people to get back a certificate for something that should be listening there, rather than having Envoy simply drop the connection with a TLS error. If need be, we can create a setting that allows disabling this more forgiving behavior later.
Still to come: doc tweaks, and the port-override mechanism suggested by @nbkrause to fully support L4 split LBs. Those will be separate PRs.
Testing: KAT passes for both API Gateway and Edge Stack, including dropping the XFail for
HostCleartext
.