29 changes: 29 additions & 0 deletions api/v1alpha1/envoyproxy_types.go
@@ -7,6 +7,7 @@ package v1alpha1

import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
)

const (
@@ -116,6 +117,34 @@ type EnvoyProxySpec struct {
// +optional
// +notImplementedHide
FilterOrder []FilterPosition `json:"filterOrder,omitempty"`
// BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
// These settings are applied on backends for which TLS policies are specified.
// +optional
BackendTLS *BackendTLSConfig `json:"backendTLS,omitempty"`
}

// BackendTLSConfig describes the BackendTLS configuration for Envoy Proxy.
type BackendTLSConfig struct {
// ClientCertificateRef defines the reference to a Kubernetes Secret that contains
// the client certificate and private key for Envoy to use when connecting to
// backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
// +optional
ClientCertificateRef *gwapiv1.SecretObjectReference `json:"clientCertificateRef,omitempty"`
// Ciphers defines only support the specified cipher list when negotiating BackendTLS 1.0-1.2 (this setting has no effect when negotiating BackendTLS 1.3).
// +optional
Ciphers []string `json:"ciphers,omitempty"`
Maybe we reuse some of the types in tls_types.go that we use in client traffic policy, like TLSVersion? Maybe we can just embed the top-level TLSSettings struct here?

@alexwo alexwo Apr 19, 2024
We can; it currently also contains ClientValidation and ALPNProtocol, which are less interesting in this context.
Would it make sense to restructure TLSSettings and include the common parts here?


We can create a struct that represents the TLSParams and embed that struct in both places, and handle the ClientCertificateRef and ClientValidation fields separately.

// ECDHCurves specifies the set of supported ECDH curves.
// +optional
EcdhCurves []string `json:"ecdhCurves,omitempty"`
// MinVersion specifies the minimal tls protocol to allow.
// +optional
MinVersion string `json:"minVersion,omitempty"`
// MaxVersion specifies the maximal tls protocol version to allow
// +optional
MaxVersion string `json:"maxVersion,omitempty"`
// SignatureAlgorithms specifies which signature algorithms the listener should support.
// +optional
SignatureAlgorithms []string `json:"signatureAlgorithms,omitempty"`
}

// FilterPosition defines the position of an Envoy HTTP filter in the filter chain.
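Review bot: The doc comments on the new fields need a pass before they are baked into the generated CRD: `Ciphers defines only support the specified cipher list when negotiating BackendTLS 1.0-1.2` is ungrammatical and "BackendTLS 1.x" is not a protocol version (suggest `// Ciphers specifies the set of cipher suites to allow when negotiating TLS 1.0-1.2; it has no effect on TLS 1.3.`), and `SignatureAlgorithms specifies which signature algorithms the listener should support` was copied from the listener-side type, whereas here Envoy is the TLS client talking to the backend. Separately, MinVersion and MaxVersion are bare `string` fields with no `+kubebuilder:validation:Enum` marker, so the API server will admit any value and a typo only surfaces when the translator converts it to ir.TLSVersion; reusing the TLSVersion type from tls_types.go, as suggested in the thread above, would give that validation for free and make a MinVersion-greater-than-MaxVersion check straightforward.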
40 changes: 40 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

@@ -43,6 +43,84 @@ spec:
spec:
description: EnvoyProxySpec defines the desired state of EnvoyProxy.
properties:
backendTLS:
description: |-
BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
These settings are applied on backends for which TLS policies are specified.
properties:
ciphers:
description: Ciphers defines only support the specified cipher
list when negotiating BackendTLS 1.0-1.2 (this setting has no
effect when negotiating BackendTLS 1.3).
items:
type: string
type: array
clientCertificateRef:
description: |-
ClientCertificateRef defines the reference to a Kubernetes Secret that contains
the client certificate and private key for Envoy to use when connecting to
backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
properties:
group:
default: ""
description: |-
Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Secret
description: Kind is kind of the referent. For example "Secret".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: |-
Namespace is the namespace of the referenced object. When unspecified, the local
namespace is inferred.


Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.


Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
ecdhCurves:
description: ECDHCurves specifies the set of supported ECDH curves.
items:
type: string
type: array
maxVersion:
description: MaxVersion specifies the maximal tls protocol version
to allow
type: string
minVersion:
description: MinVersion specifies the minimal tls protocol to
allow.
type: string
signatureAlgorithms:
description: SignatureAlgorithms specifies which signature algorithms
the listener should support.
items:
type: string
type: array
type: object
bootstrap:
description: |-
Bootstrap defines the Envoy Bootstrap as a YAML string.
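Review bot: In the schema entries for minVersion and maxVersion (`type: string` with no `enum:`), any string validates at admission time, so a misspelled version is stored in the cluster and only fails later in the translator; that, and the ungrammatical `ciphers` description and the `the listener should support` wording under `signatureAlgorithms`, are generated from the Go doc comments and kubebuilder markers in envoyproxy_types.go, so the fix belongs there, followed by regenerating this file rather than editing it by hand.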
21 changes: 20 additions & 1 deletion internal/gatewayapi/backendtlspolicy.go
@@ -78,7 +78,26 @@ func (t *Translator) processBackendTLSPolicy(
}

status.SetAcceptedForPolicyAncestors(&policy.Status, ancestorRefs, t.GatewayControllerName)

// apply defaults as per envoyproxy
if resources.EnvoyProxy != nil {
Should we apply this logic outside of backendtlspolicy translation, since it's not directly originating from that policy? It's probably most efficient and user-friendly to do it here. But, in the future TLS settings may originate from other resources, as described in kubernetes-sigs/gateway-api#2910

@alexwo alexwo Apr 19, 2024
Right, it can make sense, but maybe we can do it after support for additional resources is implemented upstream. I guess we can move or extend this logic to other areas at any time.

Do you see an advantage in making this change now? Maybe if we want to support a use case of applying this on a gateway level already.

wdyt?

if resources.EnvoyProxy.Spec.BackendTLS != nil {
if len(resources.EnvoyProxy.Spec.BackendTLS.Ciphers) > 0 {
tlsBundle.Ciphers = resources.EnvoyProxy.Spec.BackendTLS.Ciphers
}
if len(resources.EnvoyProxy.Spec.BackendTLS.EcdhCurves) > 0 {
tlsBundle.EcdhCurves = resources.EnvoyProxy.Spec.BackendTLS.EcdhCurves
}
if len(resources.EnvoyProxy.Spec.BackendTLS.SignatureAlgorithms) > 0 {
tlsBundle.SignatureAlgorithms = resources.EnvoyProxy.Spec.BackendTLS.SignatureAlgorithms
}
if resources.EnvoyProxy.Spec.BackendTLS.MinVersion != "" {
tlsBundle.MinVersion = ptr.To(ir.TLSVersion(resources.EnvoyProxy.Spec.BackendTLS.MinVersion))
}
if resources.EnvoyProxy.Spec.BackendTLS.MaxVersion != "" {
tlsBundle.MaxVersion = ptr.To(ir.TLSVersion(resources.EnvoyProxy.Spec.BackendTLS.MaxVersion))
}
}
}
return tlsBundle
}
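Review bot: The comment `// apply defaults as per envoyproxy` does not match what the block does: each `if` unconditionally replaces the corresponding tlsBundle field, so the EnvoyProxy settings override, rather than default, anything the BackendTLSPolicy translation already put there. Either guard each assignment on the bundle field being empty, or reword the comment to say these are overrides. Two smaller points: `ir.TLSVersion(resources.EnvoyProxy.Spec.BackendTLS.MinVersion)` is a plain string conversion with no check that the value is one the IR knows or that MinVersion does not exceed MaxVersion, and hoisting `bt := resources.EnvoyProxy.Spec.BackendTLS` after the nil checks would shorten the five repeated selector chains.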

133 changes: 133 additions & 0 deletions internal/gatewayapi/testdata/envoyproxy-tls-settings.in.yaml
@@ -0,0 +1,133 @@
gateways:
Can we also add MTLS + TLS Settings tests for ext-auth and ext-proc, demonstrating how this applies to these sorts of backends?

- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: gateway-tls
namespace: envoy-gateway
spec:
gatewayClassName: envoy-gateway-class
listeners:
- protocol: HTTPS
port: 443
tls:
mode: Terminate
certificateRefs:
- kind: Secret
namespace: envoy-gateway
group: ""
name: default-cert
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: httproute-tls
namespace: envoy-gateway
spec:
parentRefs:
- namespace: envoy-gateway
name: gateway-tls
rules:
- backendRefs:
- name: https-backend
namespace: default
port: 443
referenceGrants:
- apiVersion: gateway.networking.k8s.io/v1alpha2
kind: ReferenceGrant
metadata:
name: refg-route-svc
namespace: default
spec:
from:
- group: gateway.networking.k8s.io
kind: HTTPRoute
namespace: envoy-gateway
- group: gateway.networking.k8s.io
kind: Gateway
namespace: envoy-gateway
- group: gateway.networking.k8s.io
kind: BackendTLSPolicy
namespace: default
to:
- group: ""
kind: Service
services:
- apiVersion: v1
kind: Service
metadata:
name: https-backend
namespace: default
spec:
clusterIP: 10.11.12.13
ports:
- port: 443
name: https
protocol: TCP
targetPort: 443

endpointSlices:
- apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
name: endpointslice-https-backend
namespace: default
labels:
kubernetes.io/service-name: https-backend
addressType: IPv4
ports:
- name: https
protocol: TCP
port: 443
endpoints:
- addresses:
- "10.244.0.11"
conditions:
ready: true
backendTLSPolicies:
- apiVersion: gateway.networking.k8s.io/v1alpha2
kind: BackendTLSPolicy
metadata:
name: policy-tls
namespace: default
spec:
targetRef:
group: ''
kind: Service
name: https-backend
tls:
wellKnownCACerts: System
hostname: example.com
envoyproxy:
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
namespace: envoy-gateway-system
name: test
spec:
backendTLS:
clientCertificateRef:
group: ""
kind: Secret
namespace: default
name: secret.yaml
ciphers:
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
ecdhCurves:
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
maxVersion: tls1.3
minVersion: tls1.2
SignatureAlgorithms:
- RSA-PSS-RSAE-SHA256
- ECDSA-SECP256R1-SHA256
secrets:
- apiVersion: v1
kind: Secret
metadata:
name: default-cert
namespace: envoy-gateway
type: kubernetes.io/tls
data:
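Review bot: Two fixture problems in the `envoyproxy:` block mean the new settings are not really exercised: `ecdhCurves` lists cipher-suite names (`ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-AES256-GCM-SHA384`) rather than curves, so a bug in curve handling would pass unnoticed, and the key `SignatureAlgorithms:` is capitalised while the json tag is `signatureAlgorithms`; Go's encoding/json matches it case-insensitively when this file is loaded, but the API server would prune or reject the field, so the fixture does not reflect what a user can actually apply. Also, `clientCertificateRef` points at a Secret named `secret.yaml` in `default`, while the only Secret visible in the `secrets:` list is `default-cert` in `envoy-gateway`; if the referenced Secret is not in the fixture, the client-certificate path is untested, which also bears on the request above for mTLS tests against ext-auth and ext-proc backends.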