consul/agent/xds
Mike Morris 1b1a97e8f9
ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576)
* xds: refactor ingress listener SDS configuration

* xds: update resolveListenerSDS call args in listeners_test

* ingress: add TLS min, max and cipher suites to GatewayTLSConfig

* xds: implement envoyTLSVersions and envoyTLSCipherSuites

* xds: merge TLS config

* xds: configure TLS parameters with ingress TLS context from leaf

* xds: nil check in resolveListenerTLSConfig validation

* xds: nil check in makeTLSParameters* functions

* changelog: add entry for TLS params on ingress config entries

* xds: remove indirection for TLS params in TLSConfig structs

* xds: return tlsContext, nil instead of ambiguous err

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>

* xds: switch zero checks to types.TLSVersionUnspecified

* ingress: add validation for ingress config entry TLS params

* ingress: validate listener TLS config

* xds: add basic ingress with TLS params tests

* xds: add ingress listeners mixed TLS min version defaults precedence test

* xds: add more explicit tests for ingress listeners inheriting gateway defaults

* xds: add test for single TLS listener on gateway without TLS defaults

* xds: regen golden files for TLSVersionInvalid zero value, add TLSVersionAuto listener test

* types/tls: change TLSVersion to string

* types/tls: update TLSCipherSuite to string type

* types/tls: implement validation functions for TLSVersion and TLSCipherSuites, make some maps private

* api: add TLS params to GatewayTLSConfig, add tests

* api: add TLSMinVersion to ingress gateway config entry test JSON

* xds: switch to Envoy TLS cipher suite encoding from types package

* xds: fixup validation for TLSv1_3 min version with cipher suites

* add some kitchen sink tests and add a missing struct tag

* xds: check if mergedCfg.TLSVersion is in TLSVersionsWithConfigurableCipherSuites

* xds: update connectTLSEnabled comment

* xds: remove unused resolveGatewayServiceTLSConfig function

* xds: add makeCommonTLSContextFromLeafWithoutParams

* types/tls: add LessThan comparator function for concrete values

* types/tls: change tlsVersions validation map from string to TLSVersion keys

* types/tls: remove unused envoyTLSCipherSuites

* types/tls: enable chacha20 cipher suites for Consul agent

* types/tls: remove insecure cipher suites from allowed config

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 are both explicitly listed as insecure and disabled in the Go source.

Refs https://cs.opensource.google/go/go/+/refs/tags/go1.17.3:src/crypto/tls/cipher_suites.go;l=329-330

* types/tls: add ValidateConsulAgentCipherSuites function, make direct lookup map private

* types/tls: return all unmatched cipher suites in validation errors

* xds: check that Envoy API value matching TLS version is found when building TlsParameters

* types/tls: check that value is found in map before appending to slice in MarshalEnvoyTLSCipherSuiteStrings

* types/tls: cast to string rather than fmt.Printf in TLSCipherSuite.String()

* xds: add TLSVersionUnspecified to list of configurable cipher suites

* structs: update note about config entry warning

* xds: remove TLS min version cipher suite unconfigurable test placeholder

* types/tls: update tests to remove assumption about private map values

Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2022-01-11 11:46:42 -05:00
proxysupport connect: Remove support for Envoy 1.16 (#11354) 2021-10-27 18:51:35 -07:00
testdata ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) 2022-01-11 11:46:42 -05:00
clusters.go ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) 2022-01-11 11:46:42 -05:00
clusters_test.go additional test fixes 2021-12-13 18:56:44 -07:00
config.go
config_test.go
delta.go
delta_test.go acl: remove id and revision from Policy constructors 2021-11-05 15:45:08 -04:00
endpoints.go Validate chains are associated with upstreams 2021-12-13 18:56:13 -07:00
endpoints_test.go additional test fixes 2021-12-13 18:56:44 -07:00
envoy_versioning.go connect: Remove support for Envoy 1.16 (#11354) 2021-10-27 18:51:35 -07:00
envoy_versioning_test.go connect: Remove support for Envoy 1.16 (#11354) 2021-10-27 18:51:35 -07:00
failover_math.go
failover_math_test.go
golden_test.go
listeners.go ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) 2022-01-11 11:46:42 -05:00
listeners_ingress.go ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) 2022-01-11 11:46:42 -05:00
listeners_test.go ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) 2022-01-11 11:46:42 -05:00
naming.go
net_fallback.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
net_linux.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
protocol_trace.go
rbac.go
rbac_test.go connect: Remove support for Envoy 1.16 (#11354) 2021-10-27 18:51:35 -07:00
resources.go
response.go
routes.go Validate chains are associated with upstreams 2021-12-13 18:56:13 -07:00
routes_test.go connect: Remove support for Envoy 1.16 (#11354) 2021-10-27 18:51:35 -07:00
server.go Merge branch 'main' into serve-panic-recovery 2021-11-06 16:12:06 +01:00
server_oss.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
testing.go connect: Remove support for Envoy 1.16 (#11354) 2021-10-27 18:51:35 -07:00
xds.go
xds_protocol_helpers_test.go connect: Remove support for Envoy 1.16 (#11354) 2021-10-27 18:51:35 -07:00
z_xds_packages.go
z_xds_packages_test.go