xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry #12601
This replaces #12589
@@ -70,6 +70,18 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e | |||
return snap, err | |||
} | |||
|
|||
// Get information about the entire service mesh. | |||
err = s.cache.Notify(ctx, cachetype.ConfigEntryName, &structs.ConfigEntryQuery{ |
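Review bot: the `err = s.cache.Notify(ctx, cachetype.ConfigEntryName, ...)` call is the last visible line of the hunk, so nothing here shows its error being propagated; make sure the new watch follows the `return snap, err` pattern two lines above, since a snapshot that never receives the mesh config entry cannot apply the mesh-wide TLS settings this PR introduces.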
Previously this was only needed for tproxy, now it's for everything except mesh-gateways.
} | ||
|
||
func (c *configSnapshotConnectProxy) IsEmpty() bool { | ||
// isEmpty is a test helper | ||
func (c *configSnapshotConnectProxy) isEmpty() bool { |
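Review bot: the comment `// isEmpty is a test helper` explains the rename from `IsEmpty` but not the constraint it enforces; spell out that non-test code must not call it, since unexporting only stops callers outside the package, not callers within it.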
I opportunistically made this change after getting confused for the third time if changing this method's behavior was bad.
@@ -519,3 +531,32 @@ func (s *ConfigSnapshot) Leaf() *structs.IssuedCert { | |||
return nil | |||
} | |||
} | |||
|
|||
func (s *ConfigSnapshot) MeshConfig() *structs.MeshConfigEntry { |
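Review bot: `MeshConfig()` sits beside `Leaf()`, whose visible tail ends in `return nil` for kinds it does not cover; make sure the new accessor also returns nil for a kind that does not watch the config entry (mesh-gateway, per the comment on the first hunk) rather than reading an unset field, and document that callers must nil-check the result.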
These 3 methods are siblings of the other cross-kind helper Leaf()
return validateTLSConfig(cfg.TLSMinVersion, cfg.TLSMaxVersion, cfg.CipherSuites) | ||
} | ||
|
||
func validateTLSConfig( |
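Review bot: `validateTLSConfig(` has no doc comment in this hunk even though it is now reached from the mesh config entry as well as the ingress gateway; add a line stating the rules it enforces on `cfg.TLSMinVersion`, `cfg.TLSMaxVersion` and `cfg.CipherSuites` so the two call sites cannot drift.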
This is just pushed around from the existing code used by ingress-gateway.
@@ -1662,3 +1671,66 @@ func makeCommonTLSContextFromFiles(caFile, certFile, keyFile string) *envoy_tls_ | |||
|
|||
return &ctx | |||
} | |||
|
|||
func validateListenerTLSConfig(tlsMinVersion types.TLSVersion, cipherSuites []types.TLSCipherSuite) error { |
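Review bot: `validateListenerTLSConfig(tlsMinVersion types.TLSVersion, cipherSuites []types.TLSCipherSuite)` repeats the TLS 1.3 cipher-suite check that already exists as `validateTLSVersionCipherSuitesCompat` in agent/config/builder.go (quoted in the review comment that follows); either reuse that function or add a test asserting both reject the same inputs, so a later change to one does not silently diverge from the other.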
Much of the rest of this file is just pushed around from the existing code used by ingress-gateway.
[Non-blocking]
I wrote basically the same check as this over in consul/agent/config/builder.go (lines 1995 to 2002 in f8a2ae2):

```go
// validateTLSVersionCipherSuitesCompat checks that the specified TLS version supports
// specifying cipher suites
func validateTLSVersionCipherSuitesCompat(tlsMinVersion types.TLSVersion) error {
	if tlsMinVersion == types.TLSv1_3 {
		return fmt.Errorf("TLS 1.3 cipher suites are not configurable")
	}
	return nil
}
```
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"cipherSuites": [ |
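Review bot: `cipherSuites` under `tlsParams` in the UpstreamTlsContext only governs TLS 1.2 and earlier handshakes in Envoy, so this golden file proves the list is emitted but not that it takes effect; a companion case that sets the same list together with `tlsMaximumProtocolVersion` would show the configuration a reader is most likely to deploy.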
noting the single change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"tlsMaximumProtocolVersion": "TLSv1_2" |
noting the single change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"tlsMinimumProtocolVersion": "TLSv1_3" |
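Review bot: with `tlsMinimumProtocolVersion` set to `TLSv1_3` the same `tlsParams` block must carry no `cipherSuites` key, which is what the TLS 1.3 cipher-suite rule in `validateListenerTLSConfig` guarantees; a test that expects an error for the rejected combination would document that rule next to this golden file.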
noting the single change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"cipherSuites": [ |
noting the single change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"tlsMaximumProtocolVersion": "TLSv1_2" |
noting the single change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"tlsMinimumProtocolVersion": "TLSv1_3" |
noting the single change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"cipherSuites": [ |
noting the single change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"tlsMaximumProtocolVersion": "TLSv1_2" |
noting the single change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"tlsMinimumProtocolVersion": "TLSv1_3" |
noting the single change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"cipherSuites": [ |
noting the change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"cipherSuites": [ |
noting the change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"cipherSuites": [ |
noting the change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"cipherSuites": [ |
noting the change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"tlsMaximumProtocolVersion": "TLSv1_2" |
noting the change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"tlsMaximumProtocolVersion": "TLSv1_2" |
noting the change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"tlsMaximumProtocolVersion": "TLSv1_2" |
noting the change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"tlsMaximumProtocolVersion": "TLSv1_2" |
noting the change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"tlsMinimumProtocolVersion": "TLSv1_3" |
noting the change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"tlsMinimumProtocolVersion": "TLSv1_3" |
noting the change
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", | ||
"commonTlsContext": { | ||
"tlsParams": { | ||
"tlsMinimumProtocolVersion": "TLSv1_3" |
noting the change
…suites from the mesh config entry - tls.incoming: applies to the inbound mTLS targeting the public listener on connect-proxy and terminating-gateway envoy instances - tls.outgoing: applies to the outbound mTLS dialing upstreams from connect-proxy and ingress-gateway envoy instances Fixes #11966
5d6dac4 to 998f7cc
Just fixups on the website docs, rest LGTM
Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
- tls.incoming: applies to the inbound mTLS targeting the public listener on connect-proxy and terminating-gateway envoy instances
- tls.outgoing: applies to the outbound mTLS dialing upstreams from connect-proxy and ingress-gateway envoy instances

Fixes #11966

TODO:
mesh
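As an added illustration of the mesh-wide TLS settings described above (example code, not Consul's own): a Go sketch of the validation applied to TLSMinVersion, TLSMaxVersion and CipherSuites and of the tlsParams block it yields for the incoming (Downstream) and outgoing (Upstream) TLS contexts. The TLSVersion type, versionRank, ValidateTLSConfig and BuildTLSParams names, the minimum-not-above-maximum rule and the sample cipher suite are assumptions; the TLS 1.3 rule mirrors validateTLSVersionCipherSuitesCompat quoted in the review.

```go
package main

import "fmt"

// TLSVersion uses Envoy's tls_params spelling ("TLSv1_2", "TLSv1_3"); "" means unset.
type TLSVersion string

const (
	TLSv1_2 TLSVersion = "TLSv1_2"
	TLSv1_3 TLSVersion = "TLSv1_3"
)

// versionRank orders the versions Envoy accepts (hypothetical helper, not Consul's).
var versionRank = map[TLSVersion]int{"TLSv1_0": 0, "TLSv1_1": 1, TLSv1_2: 2, TLSv1_3: 3}

// TLSParams is the subset of Envoy's tls_params the mesh entry controls (keys as in the golden files).
type TLSParams struct {
	TLSMinimumProtocolVersion TLSVersion `json:"tlsMinimumProtocolVersion,omitempty"`
	TLSMaximumProtocolVersion TLSVersion `json:"tlsMaximumProtocolVersion,omitempty"`
	CipherSuites              []string   `json:"cipherSuites,omitempty"`
}

// ValidateTLSConfig rejects an unknown version, a minimum above the maximum (assumed
// rule) and cipher suites combined with a TLS 1.3 minimum, since TLS 1.3 suites are fixed.
func ValidateTLSConfig(min, max TLSVersion, suites []string) error {
	for _, v := range []TLSVersion{min, max} {
		if _, ok := versionRank[v]; v != "" && !ok {
			return fmt.Errorf("unknown TLS version %q", v)
		}
	}
	if min != "" && max != "" && versionRank[min] > versionRank[max] {
		return fmt.Errorf("TLSMinVersion %s is newer than TLSMaxVersion %s", min, max)
	}
	if len(suites) > 0 && min == TLSv1_3 {
		return fmt.Errorf("TLS 1.3 cipher suites are not configurable")
	}
	return nil
}

// BuildTLSParams validates the mesh entry values and returns the tls_params block
// for the Downstream (tls.incoming) or Upstream (tls.outgoing) TLS context.
func BuildTLSParams(min, max TLSVersion, suites []string) (*TLSParams, error) {
	if err := ValidateTLSConfig(min, max, suites); err != nil {
		return nil, err
	}
	return &TLSParams{min, max, suites}, nil
}
func main() { // constructed sample: TLS 1.2 floor with one explicit cipher suite
	fmt.Println(BuildTLSParams(TLSv1_2, "", []string{"ECDHE-ECDSA-AES128-GCM-SHA256"}))
}
```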