
NET-11798: Set APIGateway TLSConfig if unset or empty #21984

Conversation

NiniOak

@NiniOak NiniOak commented Dec 2, 2024

Description

The API Gateway TLS.{Min,Max}Versions and TLS.CipherSuites settings are not applied to API Gateway Listeners. To fix this:

  • Create a dedicated function setAPIGatewayTLSConfig that handles the logic for setting TLS configuration for APIGateway
  • Check whether those values are empty and set them accordingly

Testing & Reproduction steps

Tested manually, as follows:

Using this config file config.hcl

config_entries {  # enclosing block restored: the snippet as posted starts at "bootstrap" but ends with this block's closing brace
  bootstrap = [
    {
      Kind = "proxy-defaults"
      Name = "global"
      Config = {
        protocol = "http"
      }
    },
    {
      Kind      = "api-gateway"
      Name      = "my-gateway"
      Namespace = "default"
      Partition = "default"
      Listeners = [
        {
          Port     = 8443
          Name     = "my-http-listener"
          Protocol = "HTTP"
          TLS = {
            Certificates = [
              {
                Kind      = "inline-certificate"
                Name      = "my-certificate"
                Namespace = "default"
                Partition = "default"
              }
            ]
            MinVersion = "TLSv1_3"
          }
        }
      ]
    },
    {
      Kind      = "http-route"
      Name      = "my-http-route"
      Namespace = "default"
      Partition = "default"
      Rules = [
        {
          Matches = [
            {
              Path = {
                Match = "prefix"
                Value = "/api"
              }
            }
          ]
          Services = [
            {
              Name = "api"
            }
          ]
        }
      ]
      Parents = [
        {
          Kind        = "api-gateway"
          Name        = "my-gateway"
          Namespace   = "default"
          Partition   = "default"
          SectionName = "my-http-listener"
        }
      ]
    },
    {
      Kind      = "inline-certificate"
      Name      = "my-certificate"
      Namespace = "default"
      Partition = "default"
      Certificate = ""
      PrivateKey  = ""
    }
  ]
}

  1. Build Consul binary locally
    make dev-build
  2. Run dev agent with attached config file
    consul agent -dev -config-file consul.hcl
  3. Start API Gateway
    consul connect envoy -gateway api -service my-gateway -register
  4. Check the config_dump for "tls_minimum_protocol_version": "TLSv1_3"
    curl -s 0:19000/config_dump | grep tls_minimum
  5. Should return
    "tls_minimum_protocol_version": "TLSv1_3"

Links

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern
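As an added example (not code from this PR or from Consul itself, whose diff is not shown on this page), the following Go program sketches the two halves of the description above: a setAPIGatewayTLSConfig that copies only the listener TLS values that are actually set onto the Envoy-side parameters, and a parser for the config_dump check in step 4 of the test plan. ListenerTLS, EnvoyTLSParams, tlsMinimumVersions and the sample config_dump fragment are hypothetical stand-ins constructed for this example; the cipher-suite table is a small constructed subset. The security point it makes is the one the PR fixes: when the copy is skipped, a listener configured with MinVersion = "TLSv1_3" still negotiates whatever Envoy's defaults allow, so the value must be checked on the running proxy rather than assumed from the config entry.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ListenerTLS holds the listener-level TLS settings named in the PR description.
// Hypothetical type for this example, not Consul's own struct.
type ListenerTLS struct {
	MinVersion   string
	MaxVersion   string
	CipherSuites []string
}

// EnvoyTLSParams is a simplified stand-in for the tls_params block that appears
// under common_tls_context in an Envoy config_dump.
type EnvoyTLSParams struct {
	MinimumProtocolVersion string
	MaximumProtocolVersion string
	CipherSuites           []string
}

// tlsVersionRank orders version names so a MinVersion above MaxVersion is rejected.
var tlsVersionRank = map[string]int{"TLSv1_0": 0, "TLSv1_1": 1, "TLSv1_2": 2, "TLSv1_3": 3}

// cipherSuiteNames maps IANA suite names (the spelling used in Consul config) to the
// OpenSSL names Envoy expects. Constructed subset; TLS 1.2 AEAD suites only.
var cipherSuiteNames = map[string]string{
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":   "ECDHE-RSA-AES256-GCM-SHA384",
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
}

// isUnset treats both "" and Consul's "TLS_AUTO" sentinel as "nothing configured".
func isUnset(v string) bool { return v == "" || v == "TLS_AUTO" }

// IsEmpty reports whether the listener carries no TLS parameter overrides at all.
func (l ListenerTLS) IsEmpty() bool {
	return isUnset(l.MinVersion) && isUnset(l.MaxVersion) && len(l.CipherSuites) == 0
}

// setAPIGatewayTLSConfig applies each configured listener value to params and
// leaves Envoy's defaults untouched for anything unset.
func setAPIGatewayTLSConfig(l ListenerTLS, params *EnvoyTLSParams) error {
	if l.IsEmpty() {
		return nil
	}
	if !isUnset(l.MinVersion) {
		if _, ok := tlsVersionRank[l.MinVersion]; !ok {
			return fmt.Errorf("unknown MinVersion %q", l.MinVersion)
		}
		params.MinimumProtocolVersion = l.MinVersion
	}
	if !isUnset(l.MaxVersion) {
		if _, ok := tlsVersionRank[l.MaxVersion]; !ok {
			return fmt.Errorf("unknown MaxVersion %q", l.MaxVersion)
		}
		params.MaximumProtocolVersion = l.MaxVersion
	}
	if !isUnset(l.MinVersion) && !isUnset(l.MaxVersion) &&
		tlsVersionRank[l.MinVersion] > tlsVersionRank[l.MaxVersion] {
		return fmt.Errorf("MinVersion %s is above MaxVersion %s", l.MinVersion, l.MaxVersion)
	}
	if len(l.CipherSuites) > 0 {
		suites := make([]string, 0, len(l.CipherSuites))
		for _, s := range l.CipherSuites {
			name, ok := cipherSuiteNames[s]
			if !ok {
				return fmt.Errorf("unsupported cipher suite %q", s)
			}
			suites = append(suites, name)
		}
		params.CipherSuites = suites
	}
	return nil
}

// tlsMinimumVersions returns every tls_minimum_protocol_version value in a
// config_dump document: step 4 of the test plan, done without grep.
func tlsMinimumVersions(dump []byte) ([]string, error) {
	var doc interface{}
	if err := json.Unmarshal(dump, &doc); err != nil {
		return nil, err
	}
	var found []string
	collect(doc, &found)
	return found, nil
}

// collect walks arbitrary JSON and gathers matching string values.
func collect(v interface{}, out *[]string) {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, val := range t {
			if s, ok := val.(string); ok && k == "tls_minimum_protocol_version" {
				*out = append(*out, s)
			}
			collect(val, out)
		}
	case []interface{}:
		for _, e := range t {
			collect(e, out)
		}
	}
}

// sampleConfigDump is a constructed, heavily trimmed fragment for my-http-listener; not real Envoy output.
const sampleConfigDump = `{"configs":[{"@type":"type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
"dynamic_listeners":[{"name":"my-http-listener","active_state":{"listener":{"filter_chains":[
{"transport_socket":{"name":"envoy.transport_sockets.tls","typed_config":{"common_tls_context":{
"tls_params":{"tls_minimum_protocol_version":"TLSv1_3"}}}}}]}}}]}]}`

func main() {
	var params EnvoyTLSParams
	err := setAPIGatewayTLSConfig(ListenerTLS{MinVersion: "TLSv1_3"}, &params)
	fmt.Printf("tls_params=%+v err=%v\n", params, err)
	versions, err := tlsMinimumVersions([]byte(sampleConfigDump))
	fmt.Println("config_dump minimum versions:", versions, err)
}
```

Envoy applies cipher_suites only to TLS 1.2 and earlier handshakes, so a listener that pins MinVersion to TLSv1_3 gets no effect from the CipherSuites list; the example keeps the two settings independent for that reason.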

@NiniOak NiniOak requested a review from a team as a code owner December 2, 2024 23:56
@github-actions github-actions bot added the theme/envoy/xds Related to Envoy support label Dec 2, 2024
@NiniOak NiniOak added the backport/ent/1.15, backport/ent/1.18, backport/ent/1.19 and backport/1.20 labels, and removed the backport/1.15, backport/1.18 and backport/1.19 labels (those release series are no longer active on CE; the backport/ent/* labels are used instead) Dec 3, 2024
@NiniOak NiniOak requested a review from blake December 3, 2024 00:12

@nathancoleman nathancoleman left a comment


Nice! Just a couple of questions

Review threads (since resolved) on:
  • .changelog/21984.txt
  • agent/xds/listeners_apigateway.go (three threads)
@NiniOak NiniOak requested a review from nathancoleman January 14, 2025 23:17
@NiniOak NiniOak merged commit 88539f1 into main Jan 15, 2025
94 checks passed
@NiniOak NiniOak deleted the NET-11798_API_Gateway_TLS_Max_Min_Versions_and_CipherSuites_settings_not_respected branch January 15, 2025 17:13
NiniOak added a commit that referenced this pull request Jan 15, 2025
* NET-11798: Set APIGateway TLSConfig if unset or empty

* add changelog

* update golden file tests

* add missing golden files

* Update .changelog/21984.txt

Co-authored-by: Nathan Coleman <[email protected]>

* remove use of reflect library and check if object is empty instead

---------

Co-authored-by: Nathan Coleman <[email protected]>
@hc-github-team-consul-core

📣 Hi @NiniOak! A backport is missing for this PR [21984] for versions [1.15,1.18,1.19,1.20]. Please perform the backport manually and add the following snippet to your backport PR description:

<details>
	<summary> Overview of commits </summary>
		- <<backport commit 1>>
		- <<backport commit 2>>
		...
</details>

@NiniOak NiniOak removed and re-added the backport/ent/1.15, backport/ent/1.18 and backport/ent/1.19 labels Jan 16, 2025
NiniOak added a commit that referenced this pull request Jan 16, 2025
…o release/1.20.x (#22076)

* backport of commit 30bc9b5

* backport of commit 02efb33

* backport of commit 7045225

* Update 21984.txt

* NET-11798: Set APIGateway TLSConfig if unset or empty (#21984)

* NET-11798: Set APIGateway TLSConfig if unset or empty

* add changelog

* update golden file tests

* add missing golden files

* Update .changelog/21984.txt

Co-authored-by: Nathan Coleman <[email protected]>

* remove use of reflect library and check if object is empty instead

---------

Co-authored-by: Nathan Coleman <[email protected]>

* remove unused library

---------

Co-authored-by: NiniOak <[email protected]>
Co-authored-by: Nathan Coleman <[email protected]>
@hc-github-team-consul-core

📣 Hi @NiniOak! A backport is missing for this PR [21984] for versions [1.15,1.18,1.19]. Please perform the backport manually and add the following snippet to your backport PR description:

<details>
	<summary> Overview of commits </summary>
		- <<backport commit 1>>
		- <<backport commit 2>>
		...
</details>

@hc-github-team-consul-core

📣 Hi @NiniOak! A backport is missing for this PR [21984] for versions [1.15,1.19]. Please perform the backport manually and add the following snippet to your backport PR description:

<details>
	<summary> Overview of commits </summary>
		- <<backport commit 1>>
		- <<backport commit 2>>
		...
</details>
