envoyconfig: fallback to global custom ca when no policy ca is defined

[calebdoxsey]

Summary

Fallback to the custom ca defined in the global options when no policy ca is defined.

There's a non-trivial chance this may break existing users, since previously we only validated internal connections between pomerium services using this certificate authority, and now we will be validating all upstream services.

Related issues

Fixes https://github.com/pomerium/internal/issues/417

Checklist

• reference any related issues
• updated docs
• updated unit tests
• updated UPGRADING.md
• add appropriate tag (improvement / bug / etc)
• ready for review

[codeclimate]

Code Climate has analyzed commit f5ffc32 and detected 0 issues on this pull request.

View more on Code Climate.

[wasaga]

The code LGTM.

• Please add an explicit warning log entry during that route X will have global CA applied, so that users who run into upstream unavailability could figure out why without reading docs.

[travisgroth]

Discussed with @desimone yesterday and augmenting the system cert pool rather than replacing it makes the most sense for this option. That's how the internal golang grpc and http clients currently function.

Doing something like

pomerium/pkg/cryptutil/tls.go

Line 17 in a1061c5

func GetCertPool(ca, caFile string) (*x509.CertPool, error) {

for building the envoy upstream tls context would be the desired behavior.

[calebdoxsey]

We can't use that function. It has no way of serializing back to PEM.

I guess I'll concatenate the PEM files, though I don't know enough about the format to know if that actually works or not.