consul/agent/structs
Mike Morris 1b1a97e8f9
ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576)
* xds: refactor ingress listener SDS configuration

* xds: update resolveListenerSDS call args in listeners_test

* ingress: add TLS min, max and cipher suites to GatewayTLSConfig

* xds: implement envoyTLSVersions and envoyTLSCipherSuites

* xds: merge TLS config

* xds: configure TLS parameters with ingress TLS context from leaf

* xds: nil check in resolveListenerTLSConfig validation

* xds: nil check in makeTLSParameters* functions

* changelog: add entry for TLS params on ingress config entries

* xds: remove indirection for TLS params in TLSConfig structs

* xds: return tlsContext, nil instead of ambiguous err

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>

* xds: switch zero checks to types.TLSVersionUnspecified

* ingress: add validation for ingress config entry TLS params

* ingress: validate listener TLS config

* xds: add basic ingress with TLS params tests

* xds: add ingress listeners mixed TLS min version defaults precedence test

* xds: add more explicit tests for ingress listeners inheriting gateway defaults

* xds: add test for single TLS listener on gateway without TLS defaults

* xds: regen golden files for TLSVersionInvalid zero value, add TLSVersionAuto listener test

* types/tls: change TLSVersion to string

* types/tls: update TLSCipherSuite to string type

* types/tls: implement validation functions for TLSVersion and TLSCipherSuites, make some maps private

* api: add TLS params to GatewayTLSConfig, add tests

* api: add TLSMinVersion to ingress gateway config entry test JSON

* xds: switch to Envoy TLS cipher suite encoding from types package

* xds: fixup validation for TLSv1_3 min version with cipher suites

* add some kitchen sink tests and add a missing struct tag

* xds: check if mergedCfg.TLSVersion is in TLSVersionsWithConfigurableCipherSuites

* xds: update connectTLSEnabled comment

* xds: remove unused resolveGatewayServiceTLSConfig function

* xds: add makeCommonTLSContextFromLeafWithoutParams

* types/tls: add LessThan comparator function for concrete values

* types/tls: change tlsVersions validation map from string to TLSVersion keys

* types/tls: remove unused envoyTLSCipherSuites

* types/tls: enable chacha20 cipher suites for Consul agent

* types/tls: remove insecure cipher suites from allowed config

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 are both explicitly listed as insecure and disabled in the Go source.

Refs https://cs.opensource.google/go/go/+/refs/tags/go1.17.3:src/crypto/tls/cipher_suites.go;l=329-330

* types/tls: add ValidateConsulAgentCipherSuites function, make direct lookup map private

* types/tls: return all unmatched cipher suites in validation errors

* xds: check that Envoy API value matching TLS version is found when building TlsParameters

* types/tls: check that value is found in map before appending to slice in MarshalEnvoyTLSCipherSuiteStrings

* types/tls: cast to string rather than fmt.Printf in TLSCipherSuite.String()

* xds: add TLSVersionUnspecified to list of configurable cipher suites

* structs: update note about config entry warning

* xds: remove TLS min version cipher suite unconfigurable test placeholder

* types/tls: update tests to remove assumption about private map values

Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2022-01-11 11:46:42 -05:00
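The TLS parameter handling the commit message describes (listener values layered over gateway defaults, min/max version validation, a cipher suite list that is rejected when the minimum version is TLSv1_3, and an allow-list that excludes the two CBC-SHA256 suites the Go source marks insecure), written out as an added Go example. This is not Consul's code: the type names (TLSVersion, TLSConfig), the string values of the version constants, the merge precedence, the min/max range check and the use of Go's own crypto/tls tables as the allow-list are all assumptions made for this illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Added example, not Consul's code: the type and constant names mirror the
// commit text but are assumptions made for this illustration.
type TLSVersion string
const (
	TLSVersionUnspecified TLSVersion = ""         // unset: inherit the gateway default
	TLSVersionAuto        TLSVersion = "TLS_AUTO" // set, but leave the choice to Envoy
	TLSv1_0               TLSVersion = "TLSv1_0"
	TLSv1_1               TLSVersion = "TLSv1_1"
	TLSv1_2               TLSVersion = "TLSv1_2"
	TLSv1_3               TLSVersion = "TLSv1_3"
)

// Only concrete versions are ranked, so LessThan never orders Unspecified or Auto.
var versionRank = map[TLSVersion]int{TLSv1_0: 0, TLSv1_1: 1, TLSv1_2: 2, TLSv1_3: 3}
func (v TLSVersion) LessThan(o TLSVersion) bool {
	a, okA := versionRank[v]
	b, okB := versionRank[o]
	return okA && okB && a < b
}

// suiteStatus classifies IANA suite names using Go's own crypto/tls tables:
// "ok" for a secure suite usable with TLS 1.2, "insecure" for one Go has
// disabled (both CBC-SHA256 suites the commit removes are there), "" otherwise.
var suiteStatus = func() map[string]string {
	m := map[string]string{}
	for _, cs := range tls.InsecureCipherSuites() {
		m[cs.Name] = "insecure"
	}
	for _, cs := range tls.CipherSuites() {
		for _, v := range cs.SupportedVersions {
			if v == tls.VersionTLS12 {
				m[cs.Name] = "ok"
			}
		}
	}
	return m
}()

// TLSConfig stands in for the TLS fields shared by the gateway default and a listener.
type TLSConfig struct {
	TLSMinVersion TLSVersion
	TLSMaxVersion TLSVersion
	CipherSuites  []string
}

// mergeTLSConfig gives a set listener field precedence; unset fields inherit the default.
func mergeTLSConfig(gateway, listener TLSConfig) TLSConfig {
	merged := gateway
	if listener.TLSMinVersion != TLSVersionUnspecified {
		merged.TLSMinVersion = listener.TLSMinVersion
	}
	if listener.TLSMaxVersion != TLSVersionUnspecified {
		merged.TLSMaxVersion = listener.TLSMaxVersion
	}
	if len(listener.CipherSuites) > 0 {
		merged.CipherSuites = listener.CipherSuites
	}
	return merged
}

// validateTLSConfig rejects unknown version names, an inverted min/max range and
// a suite list paired with a TLSv1_3 minimum, and lists every rejected suite at once.
func validateTLSConfig(cfg TLSConfig) error {
	for _, v := range []TLSVersion{cfg.TLSMinVersion, cfg.TLSMaxVersion} {
		if _, ok := versionRank[v]; !ok && v != TLSVersionUnspecified && v != TLSVersionAuto {
			return fmt.Errorf("invalid TLS version %q", string(v))
		}
	}
	if cfg.TLSMaxVersion.LessThan(cfg.TLSMinVersion) {
		return fmt.Errorf("TLSMaxVersion %s is lower than TLSMinVersion %s", cfg.TLSMaxVersion, cfg.TLSMinVersion)
	}
	if len(cfg.CipherSuites) == 0 {
		return nil
	}
	// TLS 1.3 fixes its suites, so a list only applies while the minimum admits TLS 1.2 or lower.
	if cfg.TLSMinVersion == TLSv1_3 {
		return fmt.Errorf("cipher suites are not configurable when TLSMinVersion is %s", cfg.TLSMinVersion)
	}
	var bad []string
	for _, name := range cfg.CipherSuites {
		if suiteStatus[name] != "ok" {
			bad = append(bad, name)
		}
	}
	if len(bad) > 0 {
		return fmt.Errorf("unsupported cipher suites: %v", bad)
	}
	return nil
}

func main() {
	gateway := TLSConfig{TLSMinVersion: TLSv1_2, CipherSuites: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}}
	// A listener that raises only the minimum still inherits the gateway's suite list.
	fmt.Println(validateTLSConfig(mergeTLSConfig(gateway, TLSConfig{TLSMinVersion: TLSv1_3})))
}
```

The allow-list is derived from tls.CipherSuites() filtered to suites that support TLS 1.2, which is why TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 are rejected: Go keeps them under tls.InsecureCipherSuites(), the same classification the commit's cipher_suites.go reference points at. Validating the merged configuration rather than each entry on its own is this example's choice; it makes the case where a listener raises its minimum to TLSv1_3 while inheriting a gateway suite list surface as an error instead of being silently ignored.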
acl.go acl: remove id and revision from Policy constructors 2021-11-05 15:45:08 -04:00
acl_cache.go acl: remove ACL.GetPolicy endpoint and resolve legacy acls 2021-09-29 14:33:19 -04:00
acl_cache_test.go
acl_oss.go Cross port of ent #1383 (#11726) 2021-12-03 10:20:25 -08:00
acl_test.go acl: remove Policy.ID and Policy.Revision 2021-11-05 15:43:52 -04:00
auto_encrypt.go
autopilot.go
autopilot_oss.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
catalog.go
catalog_oss.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
check_definition.go preload json values in structs to determine defaults 2021-10-10 17:52:26 -04:00
check_definition_test.go
check_type.go preload json values in structs to determine defaults 2021-10-10 17:52:26 -04:00
config_entry.go Rename partition-exports to exported-services 2021-12-03 17:47:31 -07:00
config_entry_discoverychain.go Remove support for failover to partition 2021-12-06 12:32:24 -07:00
config_entry_discoverychain_oss.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
config_entry_discoverychain_test.go Remove support for failover to partition 2021-12-06 12:32:24 -07:00
config_entry_exports.go Rename partition-exports to exported-services 2021-12-03 17:47:31 -07:00
config_entry_gateways.go ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) 2022-01-11 11:46:42 -05:00
config_entry_gateways_test.go Fix some more Enterprise Normalization issues affecting tests 2021-09-23 10:12:37 +01:00
config_entry_intentions.go
config_entry_intentions_oss.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
config_entry_intentions_test.go
config_entry_mesh.go
config_entry_mesh_oss.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
config_entry_oss.go Prevent partition-exports entry from OSS usage 2021-11-29 11:24:16 -07:00
config_entry_oss_test.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
config_entry_test.go ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) 2022-01-11 11:46:42 -05:00
connect.go
connect_ca.go ca: improve RenewIntermediate tests 2021-12-08 18:42:52 -05:00
connect_ca_test.go add root_cert_ttl option for consul connect, vault ca providers (#11428) 2021-11-02 11:02:10 -07:00
connect_oss.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
connect_proxy_config.go Use ptr receiver in all Upstream methods 2021-12-13 18:56:14 -07:00
connect_proxy_config_oss.go various partition related todos (#11822) 2021-12-13 11:43:33 -06:00
connect_proxy_config_test.go
discovery_chain.go
discovery_chain_oss.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
errors.go
federation_state.go
identity.go
intention.go
intention_oss.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
intention_test.go acl: remove id and revision from Policy constructors 2021-11-05 15:45:08 -04:00
operator.go
prepared_query.go
prepared_query_test.go
protobuf_compat.go Groundwork for exposing when queries are filtered by ACLs (#11569) 2021-12-03 17:11:26 +00:00
sanitize_oss.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
service_definition.go
service_definition_test.go
snapshot.go
structs.go various partition related todos (#11822) 2021-12-13 11:43:33 -06:00
structs_filtering_test.go
structs_oss.go acl: ensure that the agent recovery token is properly partitioned (#11782) 2021-12-08 17:11:55 -06:00
structs_oss_test.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
structs_test.go Groundwork for exposing when queries are filtered by ACLs (#11569) 2021-12-03 17:11:26 +00:00
system_metadata.go consul: add virtual IP generation for connect services 2021-12-02 15:42:47 -08:00
testing.go
testing_catalog.go xds: prefer fed state gateway definitions if they're fresher (#11522) 2021-11-09 16:45:36 +00:00
testing_connect_proxy_config.go
testing_intention.go Cleanup unnecessary normalizing method (#11169) 2021-09-28 15:31:12 -04:00
testing_service_definition.go
txn.go