agent: convert listener config to TLS types #12522
Conversation
github-actions
bot
added
theme/certificates
mikemorris
changed the base branch from
main
to
boxofrad/per-listener-tls-configuration
|
🤔 This PR has changes in the |
| @@ -6330,8 +6330,8 @@ func TestLoad_FullConfig(t *testing.T) { | |||
| CAPath: "nu4PlHzn", | |||
| CertFile: "1yrhPlMk", | |||
| KeyFile: "1bHapOkL", | |||
| TLSMinVersion: "mK14iOpz", | |||
| CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256}, | |||
| TLSMinVersion: types.TLSv1_3, | |||
There was a problem hiding this comment.
This should fail, TLS 1.3 cipher suites are not configurable.
There was a problem hiding this comment.
Config combinations like this are being handled as expected now (config builder error when specifying cipher suites alongside or with an inherited TLS min version 1.3, cipher suites omitted from config when they would be inherited by a listener config only specifying a TLS min version of 1.3).
|
The remaining test failures actually look good! Invalid config that was previously being passed through is now being rejected, will update test expectations next, but this looks almost ready! |
|
|
There was a problem hiding this comment.
This is awesome! Thanks so much for taking the time to re-work your changes on top of #12504, @mikemorris 👏🏻 🎉
I've left a few comments for your consideration. Let me know if you'd like to talk any of them through synchronously.
tlsutil/config.go
Outdated
| // FIXME: move cipherSuiteLookup to be called externally, maybe | ||
| // in agent/config/runtime parsing before the tlsutil.Config struct is | ||
| // created? |
There was a problem hiding this comment.
Yep agree, this should be done up-front rather than when we're trying to use the cipher suites.
There was a problem hiding this comment.
Looking at this again, this actually feels like an appropriate place to handle the conversion from types.TLSCipherSuite to crypto/tls values for creating the tls.Config object.
tlsutil: add test for parsing deprecated agent TLS version strings tlsutil: return TLSVersionInvalid with error tlsutil: start moving tlsutil cipher suite lookups over to types/tls tlsutil: rename tlsLookup to ParseTLSVersion, add cipherSuiteLookup agent: attempt to use types in runtime config agent: implement b.tlsVersion validation in config builder agent: fix tlsVersion nil check in builder tlsutil: update to renamed ParseTLSVersion and goTLSVersions tlsutil: fixup TestConfigurator_CommonTLSConfigTLSMinVersion tlsutil: disable invalid config parsing tests tlsutil: update tests auto_config: lookup old config strings from base.TLSMinVersion auto_config: update endpoint tests to use TLS types agent: update runtime_test to use TLS types agent: update TestRuntimeCinfig_Sanitize.golden agent: update config runtime tests to expect TLS types
This reverts commit 3858592.
|
@boxofrad I can't quite figure out why these failing Line 81 in a7e5ee0 consul/agent/auto-config/auto_config.go Line 107 in a7e5ee0 It does appear to be appropriately setting consul/agent/config/deprecated.go Lines 226 to 230 in f1a2a87 |
| func validateTLSVersionCipherSuitesCompat(tlsMinVersion types.TLSVersion) error { | ||
| if tlsMinVersion == types.TLSv1_3 { | ||
| return fmt.Errorf("TLS 1.3 cipher suites are not configurable") | ||
| } | ||
| return nil | ||
| } |
There was a problem hiding this comment.
Thanks for adding this validation, it's a great UX improvement 🙌🏻
Co-authored-by: Dan Upton <daniel@floppy.co>
|
🍒 If backport labels were added before merging, cherry-picking will start automatically. To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/613317. |
Replaces #11647 after the listener TLS refactoring work in #12504.
I think I've pushed the use of types versus as close to the surface I can -
agent/config/builder.goappears to be a boundary where generic string values capturing user config input that could be invalid can be parsed into types, andpbconfig.TLSappears to be another boundary for autoconfig to avoid breaking backwards compatibility.Reviewer Notes:
ParseTLSVersionandParseCiphersboth implement some logic specific to agent config (the fallback logic to supporttls10etc values and the comma-delimited cipher string) so I don't think these would belong intypes/tls.goCipherStringis only used for generatingpbconfig.TLSautoconfig, should it be renamed for clarity?TODO:
tls_cipher_suitessearch link in website docs