feat: support backend tls settings with envoyproxy #3218
Conversation
Signed-off-by: Alexander Volchok <alex.volchok@sap.com>
Signed-off-by: Alexander Volchok <alex.volchok@sap.com>
Signed-off-by: Alexander Volchok <alex.volchok@sap.com>
alexwo
changed the title
alexwo
changed the title
Signed-off-by: Alexander Volchok <alex.volchok@sap.com>
|
cc @zhaohuabing who was also looking into backend MTLS in #2984 |
api/v1alpha1/envoyproxy_types.go
Outdated
| ClientCertificateRef *gwapiv1.SecretObjectReference `json:"clientCertificateRef,omitempty"` | ||
| // Ciphers defines only support the specified cipher list when negotiating BackendTLS 1.0-1.2 (this setting has no effect when negotiating BackendTLS 1.3). | ||
| // +optional | ||
| Ciphers []string `json:"ciphers,omitempty"` |
There was a problem hiding this comment.
Maybe we reuse some of the types in tls_types.go that we use in client traffic policy, like TLSVersion? Maybe we can just embed the top-level TLSSettings struct here?
There was a problem hiding this comment.
We can, it currently contain also ClientValidation and ALPNProtocol, this is less interesting in this context.
Would it make sense to re-structure TLSSettings and include the commons here?
There was a problem hiding this comment.
we can create a struct that represents the TLSParams and embed that struct in both place and handle the ClientCertificateRef and ClientValidation fields seperately
| @@ -78,7 +78,26 @@ func (t *Translator) processBackendTLSPolicy( | |||
| } | |||
|
|
|||
| status.SetAcceptedForPolicyAncestors(&policy.Status, ancestorRefs, t.GatewayControllerName) | |||
|
|
|||
| // apply defaults as per envoyproxy | |||
| if resources.EnvoyProxy != nil { | |||
There was a problem hiding this comment.
Should we apply this logic outside of backendtlspolicy translation, since it's not directly originating from that policy? It's probably most efficient and user-friendly to do it here. But, in the future TLS settings may originate from other resources, as described in kubernetes-sigs/gateway-api#2910
There was a problem hiding this comment.
Right, it can make sense but maybe we can do it after support for additional resources is implemented in upstream. I guess we can move / extend this logic to other areas as well at any time.
Do you see an advantage in making this change now? Maybe If we want to support a use case of applying this on a gateway level already.
wdyt?
internal/xds/translator/utils.go
Outdated
| @@ -161,3 +161,17 @@ func createExtServiceXDSCluster(rd *ir.RouteDestination, tCtx *types.ResourceVer | |||
| } | |||
| return nil | |||
| } | |||
|
|
|||
| func ParseTLSProtocol(tlsVersion ir.TLSVersion) (tlsv3.TlsParameters_TlsProtocol, error) { | |||
There was a problem hiding this comment.
can we reuse the util that we have in CTP for this mapping?
There was a problem hiding this comment.
yes, i think we should be able i will check it.
| @@ -0,0 +1,133 @@ | |||
| gateways: | |||
There was a problem hiding this comment.
Can we also add MTLS + TLS Settings tests for ext-auth and ext-proc, demonstrating how this applied to these sorts of backends?
|
thanks for working on this @alexwo !
both 1. and 2. are added into the global |
Hi @arkodg , It can allow for better flexibility, perhaps it can make more sense for (2) settings, @guydc WDYT?
|
The major downside I see in using BTP is that it can only attach to xRoute backends. So, if we need to apply TLS settings for other backends (extproc, extauth, OTEL, ALS ... ), we will need to add TLS setting in the scope of of #3069. I'm fine with both options, as long as we can support TLS settings for both xRoute and non-xRoute backends. @arkodg - WDYT? |
yeah for non xRoute we'll need to embed it into our by moving 2. into BTP, we add the ability to fine tune settings, but now
|
If we go with the BTP direction, does it make sense to move clientCertificateRef, to BTP as well? |
I think so. It's possible that different backends will require a different client cert. It's not uncommon for organizations to use private PKI(s) for client certs, and so backends may have different trust stores and CAs. If we go with EnvoyProxy-level config, we basically assume that all backends can be configured to trust the EG client certificate. |
|
@guydc @alexwo as platform administrators, would you say that the feature is necessary, because you are trying to enforce specific tls parameters (ciphers, tls versions). If this is true, then the argument of putting it in |
Yes, our use case is related to defining system-wide upstream TLS settings, and so EnvoyProxy makes a lot of sense to me. |
cool, i'm a +1 for this as well |
Signed-off-by: Alexander Volchok <alex.volchok@sap.com>
Signed-off-by: Alexander Volchok <alex.volchok@sap.com>
Signed-off-by: Alexander Volchok <alex.volchok@sap.com>
Signed-off-by: Alexander Volchok <alex.volchok@sap.com>
|
/retest |
| @@ -768,10 +768,29 @@ func buildXdsUpstreamTLSCASecret(tlsConfig *ir.TLSUpstreamConfig) *tlsv3.Secret | |||
| func buildXdsUpstreamTLSSocketWthCert(tlsConfig *ir.TLSUpstreamConfig) (*corev3.TransportSocket, error) { | |||
|
|
|||
| var tlsCtx *tlsv3.UpstreamTlsContext | |||
| var tlsParams *tlsv3.TlsParameters | |||
There was a problem hiding this comment.
can we reuse
gateway/internal/xds/translator/listener.go
Line 572 in 27a770f
Signed-off-by: Alexander Volchok <alex.volchok@sap.com>
Signed-off-by: Alexander Volchok <alex.volchok@sap.com>
|
/retest |
|
/retest |
1 similar comment
|
/retest |
|
/retest |
2 similar comments
|
/retest |
|
/retest |
What this PR does / why we need it:
This change allows to enhance the security and adaptability of connections to backend services. By allowing administrators to specify TLS settings, such as which cryptographic ciphers and TLS protocol versions to use, it allows to better align their security posture with industry best practices and regulatory requirements.
Approach:
Once the BackendTLS policy or an alternative method for providing these settings is implemented/accepted in upstream, opt for more specific settings than those provided by envoyproxy backendtls settings.
Which issue(s) this PR fixes:
#2901