Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NET-11798: Set APIGateway TLSConfig if unset or empty #21984

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

NET-11798: Set APIGateway TLSConfig if unset or empty #21984

wants to merge 4 commits into from
+219 −4

Conversation

NiniOak
Copy link
Contributor

@NiniOak NiniOak commented Dec 2, 2024
edited
Loading

Description

The API Gateway TLS.{Min,Max}Versions and TLS.CipherSuites settings are not applied to API Gateway Listeners. To fix this:

  • Create a dedicated function setAPIGatewayTLSConfig that handles the logic for setting TLS configuration for APIGateway
  • Check if those values are empty and sets them accordingly

Testing & Reproduction steps

Tested manually, as follows:

Using this config file config.hcl

  bootstrap = [
    {
      Kind = "proxy-defaults"
      Name = "global"
      Config = {
        protocol = "http"
      }
    },
    {
      Kind      = "api-gateway"
      Name      = "my-gateway"
      Namespace = "default"
      Partition = "default"
      Listeners = [
        {
          Port     = 8443
          Name     = "my-http-listener"
          Protocol = "HTTP"
          TLS = {
            Certificates = [
              {
                Kind      = "inline-certificate"
                Name      = "my-certificate"
                Namespace = "default"
                Partition = "default"
              }
            ]
            MinVersion = "TLSv1_3"
          }
        }
      ]
    },
    {
      Kind      = "http-route"
      Name      = "my-http-route"
      Namespace = "default"
      Partition = "default"
      Rules = [
        {
          Matches = [
            {
              Path = {
                Match = "prefix"
                Value = "/api"
              }
            }
          ]
          Services = [
            {
              Name = "api"
            }
          ]
        }
      ]
      Parents = [
        {
          Kind        = "api-gateway"
          Name        = "my-gateway"
          Namespace   = "default"
          Partition   = "default"
          SectionName = "my-http-listener"
        }
      ]
    },
    {
      Kind      = "inline-certificate"
      Name      = "my-certificate"
      Namespace = "default"
      Partition = "default"
      Certificate = ""
      PrivateKey  = ""
    }
  ]
}
  1. Build Consul binary locally
    make dev-build
  2. Run dev agent with attached config file
    consul agent -dev -config-file consul.hcl
  3. Start API Gateway
    consul connect envoy -gateway api -service my-gateway -register
  4. Check the config_dump for "tls_minimum_protocol_version": "TLSv1_3"
    curl -s 0:19000/config_dump | grep tls_minimum

Links

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

@NiniOak NiniOak requested a review from a team as a code owner December 2, 2024 23:56
@github-actions github-actions bot added the theme/envoy/xds Related to Envoy support label Dec 2, 2024
@NiniOak NiniOak added backport/1.15 This release series is no longer active on CE. Use backport/ent/1.15. backport/1.18 This release series is longer active on CE, use backport/ent/1.18 backport/1.19 This release series is longer active on CE, use backport/ent/1.19 backport/ent/1.15 Changes are backported to 1.15 ent backport/ent/1.18 Changes are backported to 1.18 ent backport/1.20 Changes are backported to 1.20 backport/ent/1.19 Changes are backported to 1.19 ent and removed backport/1.15 This release series is no longer active on CE. Use backport/ent/1.15. backport/1.19 This release series is longer active on CE, use backport/ent/1.19 backport/1.18 This release series is longer active on CE, use backport/ent/1.18 labels Dec 3, 2024
@NiniOak NiniOak requested a review from blake December 3, 2024 00:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@blake blake Awaiting requested review from blake

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
backport/ent/1.15 Changes are backported to 1.15 ent backport/ent/1.18 Changes are backported to 1.18 ent backport/ent/1.19 Changes are backported to 1.19 ent backport/1.20 Changes are backported to 1.20 theme/envoy/xds Related to Envoy support
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@NiniOak