xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry #12601

rboyer · 2022-03-23T15:05:38Z

tls.incoming: applies to the inbound mTLS targeting the public
listener on connect-proxy and terminating-gateway envoy instances
tls.outgoing: applies to the outbound mTLS dialing upstreams from
connect-proxy and ingress-gateway envoy instances

Fixes #11966

TODO:

website update for mesh

rboyer · 2022-03-23T15:05:53Z

This replaces #12589

rboyer · 2022-03-23T15:06:46Z

agent/proxycfg/connect_proxy.go

@@ -70,6 +70,18 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e
 		return snap, err
 	}

+	// Get information about the entire service mesh.
+	err = s.cache.Notify(ctx, cachetype.ConfigEntryName, &structs.ConfigEntryQuery{


Previously this was only needed for tproxy, now it's for everything except mesh-gateways.

rboyer · 2022-03-23T15:07:37Z

agent/proxycfg/snapshot.go

 }

-func (c *configSnapshotConnectProxy) IsEmpty() bool {
+// isEmpty is a test helper
+func (c *configSnapshotConnectProxy) isEmpty() bool {


I opportunistically made this change after getting confused for the third time if changing this method's behavior was bad.

rboyer · 2022-03-23T15:08:17Z

agent/proxycfg/snapshot.go

@@ -519,3 +531,32 @@ func (s *ConfigSnapshot) Leaf() *structs.IssuedCert {
 		return nil
 	}
 }
+
+func (s *ConfigSnapshot) MeshConfig() *structs.MeshConfigEntry {


These 3 methods are siblings of the other cross-kind helper Leaf()

rboyer · 2022-03-23T15:10:40Z

agent/structs/config_entry_mesh.go

+	return validateTLSConfig(cfg.TLSMinVersion, cfg.TLSMaxVersion, cfg.CipherSuites)
+}
+
+func validateTLSConfig(


This is just pushed around from the existing code used by ingress-gateway.

rboyer · 2022-03-23T15:11:03Z

agent/xds/listeners.go

@@ -1662,3 +1671,66 @@ func makeCommonTLSContextFromFiles(caFile, certFile, keyFile string) *envoy_tls_

 	return &ctx
 }
+
+func validateListenerTLSConfig(tlsMinVersion types.TLSVersion, cipherSuites []types.TLSCipherSuite) error {


Much of the rest of this file is just pushed around from the existing code used by ingress-gateway.

[Non-blocking]
I wrote basically the same check as this over in

consul/agent/config/builder.go

Lines 1995 to 2002 in f8a2ae2

// validateTLSVersionCipherSuitesCompat checks that the specified TLS version supports

// specifying cipher suites

func validateTLSVersionCipherSuitesCompat(tlsMinVersion types.TLSVersion) error {

if tlsMinVersion == types.TLSv1_3 {

return fmt.Errorf("TLS 1.3 cipher suites are not configurable")

}

return nil

}

if you have any interest in refactoring for consistency - the only thing to be careful of would be handling the default cases, which may evaluate to different versions in Go versus Envoy.

rboyer · 2022-03-23T15:11:53Z

agent/xds/testdata/clusters/connect-proxy-with-tls-outgoing-cipher-suites.envoy-1-20-x.golden

+          "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+          "commonTlsContext": {
+            "tlsParams": {
+              "cipherSuites": [


noting the single change

rboyer · 2022-03-23T15:12:02Z

agent/xds/testdata/clusters/connect-proxy-with-tls-outgoing-max-version.envoy-1-20-x.golden

+          "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+          "commonTlsContext": {
+            "tlsParams": {
+              "tlsMaximumProtocolVersion": "TLSv1_2"


noting the single change

rboyer · 2022-03-23T15:12:09Z

agent/xds/testdata/clusters/connect-proxy-with-tls-outgoing-min-version.envoy-1-20-x.golden

+          "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+          "commonTlsContext": {
+            "tlsParams": {
+              "tlsMinimumProtocolVersion": "TLSv1_3"


noting the single change

rboyer · 2022-03-23T15:12:15Z

agent/xds/testdata/clusters/ingress-gateway-with-tls-outgoing-cipher-suites.envoy-1-20-x.golden

+          "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+          "commonTlsContext": {
+            "tlsParams": {
+              "cipherSuites": [


noting the single change

rboyer · 2022-03-23T15:12:21Z

agent/xds/testdata/clusters/ingress-gateway-with-tls-outgoing-max-version.envoy-1-20-x.golden

+          "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+          "commonTlsContext": {
+            "tlsParams": {
+              "tlsMaximumProtocolVersion": "TLSv1_2"


noting the single change

rboyer · 2022-03-23T15:12:27Z

agent/xds/testdata/clusters/ingress-gateway-with-tls-outgoing-min-version.envoy-1-20-x.golden

+          "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+          "commonTlsContext": {
+            "tlsParams": {
+              "tlsMinimumProtocolVersion": "TLSv1_3"


noting the single change

rboyer · 2022-03-23T15:12:45Z

agent/xds/testdata/listeners/connect-proxy-with-tls-incoming-cipher-suites.envoy-1-20-x.golden

+              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+              "commonTlsContext": {
+                "tlsParams": {
+                  "cipherSuites": [


noting the single change

rboyer · 2022-03-23T15:12:54Z

agent/xds/testdata/listeners/connect-proxy-with-tls-incoming-max-version.envoy-1-20-x.golden

+              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+              "commonTlsContext": {
+                "tlsParams": {
+                  "tlsMaximumProtocolVersion": "TLSv1_2"


noting the single change

rboyer · 2022-03-23T15:13:03Z

agent/xds/testdata/listeners/connect-proxy-with-tls-incoming-min-version.envoy-1-20-x.golden

+              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+              "commonTlsContext": {
+                "tlsParams": {
+                  "tlsMinimumProtocolVersion": "TLSv1_3"


noting the single change

rboyer · 2022-03-23T15:13:15Z

...s/testdata/listeners/terminating-gateway-with-tls-incoming-cipher-suites.envoy-1-20-x.golden

+              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+              "commonTlsContext": {
+                "tlsParams": {
+                  "cipherSuites": [


noting the change

rboyer · 2022-03-23T15:13:22Z

...s/testdata/listeners/terminating-gateway-with-tls-incoming-cipher-suites.envoy-1-20-x.golden

+              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+              "commonTlsContext": {
+                "tlsParams": {
+                  "cipherSuites": [


noting the change

rboyer · 2022-03-23T15:13:26Z

...s/testdata/listeners/terminating-gateway-with-tls-incoming-cipher-suites.envoy-1-20-x.golden

+              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+              "commonTlsContext": {
+                "tlsParams": {
+                  "cipherSuites": [


noting the change

rboyer · 2022-03-23T15:13:31Z

...s/testdata/listeners/terminating-gateway-with-tls-incoming-cipher-suites.envoy-1-20-x.golden

+              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+              "commonTlsContext": {
+                "tlsParams": {
+                  "cipherSuites": [


noting the change

rboyer · 2022-03-23T15:13:48Z

...xds/testdata/listeners/terminating-gateway-with-tls-incoming-max-version.envoy-1-20-x.golden

+              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+              "commonTlsContext": {
+                "tlsParams": {
+                  "tlsMaximumProtocolVersion": "TLSv1_2"


noting the change

rboyer · 2022-03-23T15:13:52Z

...xds/testdata/listeners/terminating-gateway-with-tls-incoming-max-version.envoy-1-20-x.golden

+              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+              "commonTlsContext": {
+                "tlsParams": {
+                  "tlsMaximumProtocolVersion": "TLSv1_2"


noting the change

rboyer · 2022-03-23T15:13:56Z

...xds/testdata/listeners/terminating-gateway-with-tls-incoming-max-version.envoy-1-20-x.golden

+              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+              "commonTlsContext": {
+                "tlsParams": {
+                  "tlsMaximumProtocolVersion": "TLSv1_2"


noting the change

rboyer · 2022-03-23T15:14:00Z

...xds/testdata/listeners/terminating-gateway-with-tls-incoming-max-version.envoy-1-20-x.golden

+              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+              "commonTlsContext": {
+                "tlsParams": {
+                  "tlsMaximumProtocolVersion": "TLSv1_2"


noting the change

rboyer · 2022-03-23T15:14:10Z

...xds/testdata/listeners/terminating-gateway-with-tls-incoming-min-version.envoy-1-20-x.golden

+              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+              "commonTlsContext": {
+                "tlsParams": {
+                  "tlsMinimumProtocolVersion": "TLSv1_3"


noting the change

rboyer · 2022-03-23T15:14:14Z

...xds/testdata/listeners/terminating-gateway-with-tls-incoming-min-version.envoy-1-20-x.golden

+              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+              "commonTlsContext": {
+                "tlsParams": {
+                  "tlsMinimumProtocolVersion": "TLSv1_3"


noting the change

rboyer · 2022-03-23T15:14:18Z

...xds/testdata/listeners/terminating-gateway-with-tls-incoming-min-version.envoy-1-20-x.golden

+              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+              "commonTlsContext": {
+                "tlsParams": {
+                  "tlsMinimumProtocolVersion": "TLSv1_3"


noting the change

…suites from the mesh config entry - tls.incoming: applies to the inbound mTLS targeting the public listener on connect-proxy and terminating-gateway envoy instances - tls.outgoing: applies to the outbound mTLS dialing upstreams from connect-proxy and ingress-gateway envoy instances Fixes #11966

mikemorris

Just fixups on the website docs, rest LGTM

website/content/docs/connect/config-entries/mesh.mdx

Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>

hc-github-team-consul-core · 2022-03-30T18:44:37Z

🍒 If backport labels were added before merging, cherry-picking will start automatically.

To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/618424.

rboyer requested review from blake and a team March 23, 2022 15:05

rboyer self-assigned this Mar 23, 2022

rboyer requested a review from mikemorris March 23, 2022 15:06

rboyer commented Mar 23, 2022

View reviewed changes

rboyer added 7 commits March 30, 2022 11:16

update website

68541dc

duplicated lines

6bfc518

changelog

41fcb2b

MeshDirectionTLSConfig -> MeshDirectionalTLSConfig

291711d

pr comment

dcb011c

update error

998f7cc

rboyer force-pushed the envoy-mesh-tls-config branch from 5d6dac4 to 998f7cc Compare March 30, 2022 16:19

vercel bot temporarily deployed to Preview – consul-ui-staging March 30, 2022 16:20 Inactive

vercel bot temporarily deployed to Preview – consul March 30, 2022 16:20 Inactive

note

518b690

vercel bot temporarily deployed to Preview – consul-ui-staging March 30, 2022 16:24 Inactive

vercel bot deployed to Preview – consul March 30, 2022 16:24 View deployment

rboyer requested a review from mikemorris March 30, 2022 16:24

add tls auto version test

e51e29a

vercel bot temporarily deployed to Preview – consul-ui-staging March 30, 2022 16:27 Inactive

vercel bot temporarily deployed to Preview – consul March 30, 2022 16:27 Inactive

mikemorris suggested changes Mar 30, 2022

View reviewed changes

rboyer added this to the 1.12.0-beta1 milestone Mar 30, 2022

Apply suggestions from code review

a8d5684

Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>

vercel bot temporarily deployed to Preview – consul-ui-staging March 30, 2022 16:50 Inactive

vercel bot deployed to Preview – consul March 30, 2022 16:50 View deployment

Apply suggestions from code review

97a89d1

Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>

vercel bot temporarily deployed to Preview – consul-ui-staging March 30, 2022 16:51 Inactive

vercel bot deployed to Preview – consul March 30, 2022 16:52 View deployment

rboyer requested a review from mikemorris March 30, 2022 18:31

mikemorris approved these changes Mar 30, 2022

View reviewed changes

rboyer merged commit e79ce8a into main Mar 30, 2022

rboyer deleted the envoy-mesh-tls-config branch March 30, 2022 18:44

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry #12601

xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry #12601

rboyer commented Mar 23, 2022 •

edited

Loading

rboyer commented Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

mikemorris Mar 24, 2022 •

edited

Loading

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

rboyer Mar 23, 2022

mikemorris left a comment

hc-github-team-consul-core commented Mar 30, 2022

	// validateTLSVersionCipherSuitesCompat checks that the specified TLS version supports
	// specifying cipher suites
	func validateTLSVersionCipherSuitesCompat(tlsMinVersion types.TLSVersion) error {
	if tlsMinVersion == types.TLSv1_3 {
	return fmt.Errorf("TLS 1.3 cipher suites are not configurable")
	}
	return nil
	}

xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry #12601

xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry #12601

Conversation

rboyer commented Mar 23, 2022 • edited Loading

rboyer commented Mar 23, 2022

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

mikemorris Mar 24, 2022 • edited Loading

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

mikemorris left a comment

Choose a reason for hiding this comment

hc-github-team-consul-core commented Mar 30, 2022

rboyer commented Mar 23, 2022 •

edited

Loading

mikemorris Mar 24, 2022 •

edited

Loading