
hc-github-team-consul-core

Backport

This PR is auto-generated from #21984 to be assessed for backporting due to the inclusion of the label backport/1.20.

🚨 Warning: automatic cherry-pick of commits failed. If the first commit failed, you will see a blank no-op commit below. If at least one commit succeeded, you will see the cherry-picked commits up to, not including, the commit where the merge conflict occurred.

The person who merged in the original PR is:
@NiniOak
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: unable to process merge commit: "2815c7ebdbaa5ff7fde66d734e50d5342a309f81", automatic backport requires rebase workflow

The below text is copied from the body of the original PR.


Description

The API Gateway TLS.{Min,Max}Versions and TLS.CipherSuites settings are not applied to API Gateway Listeners. To fix this:

  • Create a dedicated function setAPIGatewayTLSConfig that handles the logic for setting the TLS configuration for the API Gateway
  • Check whether those values are empty and set them accordingly

Testing & Reproduction steps

Tested manually, as follows:

Using this config file config.hcl

config_entries {   # wrapper restored: the posted snippet lost this opening line, leaving the closing brace unmatched
  bootstrap = [
    {
      Kind = "proxy-defaults"
      Name = "global"
      Config = {
        protocol = "http"
      }
    },
    {
      Kind      = "api-gateway"
      Name      = "my-gateway"
      Namespace = "default"
      Partition = "default"
      Listeners = [
        {
          Port     = 8443
          Name     = "my-http-listener"
          Protocol = "HTTP"
          TLS = {
            Certificates = [
              {
                Kind      = "inline-certificate"
                Name      = "my-certificate"
                Namespace = "default"
                Partition = "default"
              }
            ]
            # the setting this PR makes reach the Envoy listener
            MinVersion = "TLSv1_3"
          }
        }
      ]
    },
    {
      Kind      = "http-route"
      Name      = "my-http-route"
      Namespace = "default"
      Partition = "default"
      Rules = [
        {
          Matches = [
            {
              Path = {
                Match = "prefix"
                Value = "/api"
              }
            }
          ]
          Services = [
            {
              Name = "api"
            }
          ]
        }
      ]
      Parents = [
        {
          Kind        = "api-gateway"
          Name        = "my-gateway"
          Namespace   = "default"
          Partition   = "default"
          SectionName = "my-http-listener"
        }
      ]
    },
    {
      Kind      = "inline-certificate"
      Name      = "my-certificate"
      Namespace = "default"
      Partition = "default"
      Certificate = ""
      PrivateKey  = ""
    }
  ]
}
  1. Build Consul binary locally
    make dev-build
  2. Run dev agent with attached config file
    consul agent -dev -config-file consul.hcl
  3. Start API Gateway
    consul connect envoy -gateway api -service my-gateway -register
  4. Check the config_dump for "tls_minimum_protocol_version": "TLSv1_3"
    curl -s 0:19000/config_dump | grep tls_minimum
  5. Should return
    "tls_minimum_protocol_version": "TLSv1_3"

Links

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

Overview of commits
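The two halves of the PR body above, the "set only what is non-empty" rule for listener TLS settings and the config_dump check in step 4 of the manual test, as an added Go example written for this page. It is not Consul's setAPIGatewayTLSConfig and not code from the PR: the ListenerTLS and EnvoyTLSParams type names, the versionRank table and the trimmed sampleConfigDump are this example's own assumptions, chosen so the JSON keys match what Envoy's admin endpoint emits.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ListenerTLS: the listener settings the PR says were dropped (field names assumed here).
type ListenerTLS struct {
	MinVersion   string
	MaxVersion   string
	CipherSuites []string
}

// EnvoyTLSParams: the slice of Envoy's TlsParameters they map onto; tags match config_dump keys.
type EnvoyTLSParams struct {
	TLSMinimumProtocolVersion string   `json:"tls_minimum_protocol_version,omitempty"`
	TLSMaximumProtocolVersion string   `json:"tls_maximum_protocol_version,omitempty"`
	CipherSuites              []string `json:"cipher_suites,omitempty"`
}

// versionRank orders the accepted strings so a minimum above the maximum is rejected early.
var versionRank = map[string]int{"TLSv1_0": 1, "TLSv1_1": 2, "TLSv1_2": 3, "TLSv1_3": 4}

// IsEmpty is the "nothing configured" check; then params keep the proxy's existing defaults.
func (t ListenerTLS) IsEmpty() bool {
	return t.MinVersion == "" && t.MaxVersion == "" && len(t.CipherSuites) == 0
}

// ApplyListenerTLS copies each non-empty setting onto params and leaves the rest alone.
func ApplyListenerTLS(params *EnvoyTLSParams, cfg ListenerTLS) error {
	if cfg.IsEmpty() {
		return nil
	}
	next := *params // validate against a copy so a bad config leaves params untouched
	if cfg.MinVersion != "" {
		if _, ok := versionRank[cfg.MinVersion]; !ok {
			return fmt.Errorf("unknown TLS MinVersion %q", cfg.MinVersion)
		}
		next.TLSMinimumProtocolVersion = cfg.MinVersion
	}
	if cfg.MaxVersion != "" {
		if _, ok := versionRank[cfg.MaxVersion]; !ok {
			return fmt.Errorf("unknown TLS MaxVersion %q", cfg.MaxVersion)
		}
		next.TLSMaximumProtocolVersion = cfg.MaxVersion
	}
	lo, loKnown := versionRank[next.TLSMinimumProtocolVersion]
	hi, hiKnown := versionRank[next.TLSMaximumProtocolVersion]
	if loKnown && hiKnown && lo > hi {
		return errors.New("TLS MinVersion is above MaxVersion")
	}
	if len(cfg.CipherSuites) > 0 {
		next.CipherSuites = append([]string(nil), cfg.CipherSuites...)
	}
	*params = next
	return nil
}

// MinVersionsInConfigDump is step 4 of the manual test on parsed JSON instead of grep.
func MinVersionsInConfigDump(dump []byte) ([]string, error) {
	var root any
	if err := json.Unmarshal(dump, &root); err != nil {
		return nil, err
	}
	var found []string
	collectKey(root, "tls_minimum_protocol_version", &found)
	return found, nil
}

// collectKey walks arbitrary decoded JSON and gathers string values stored under key.
func collectKey(node any, key string, out *[]string) {
	switch n := node.(type) {
	case map[string]any:
		for k, v := range n {
			if s, ok := v.(string); ok && k == key {
				*out = append(*out, s)
			}
			collectKey(v, key, out)
		}
	case []any:
		for _, v := range n {
			collectKey(v, key, out)
		}
	}
}

// sampleConfigDump is a constructed, heavily trimmed stand-in for `curl -s 0:19000/config_dump`.
const sampleConfigDump = `{"configs":[{"@type":"type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
"dynamic_listeners":[{"name":"http:0.0.0.0:8443","active_state":{"listener":{"filter_chains":[
{"transport_socket":{"typed_config":{"common_tls_context":{"tls_params":
{"tls_minimum_protocol_version":"TLSv1_3"}}}}}]}}}]}]}`

func main() {
	var params EnvoyTLSParams // the PR's config.hcl listener sets only MinVersion = "TLSv1_3"
	if err := ApplyListenerTLS(&params, ListenerTLS{MinVersion: "TLSv1_3"}); err != nil {
		panic(err)
	}
	out, _ := json.Marshal(params)
	versions, _ := MinVersionsInConfigDump([]byte(sampleConfigDump))
	fmt.Println(string(out), versions) // {"tls_minimum_protocol_version":"TLSv1_3"} [TLSv1_3]
}
```

Walking the parsed dump rather than grepping is the more reliable check when several listeners share an Envoy: a grep hit can come from a different filter chain, while the walker returns every value so an unexpected count or a missing listener is visible.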

@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/NET-11798_API_Gateway_TLS_Max_Min_Versions_and_CipherSuites_settings_not_respected/optionally-proper-minnow branch from 0e44260 to 3daaca2 January 15, 2025 17:14

Auto approved Consul Bot automated PR

@github-actions github-actions bot added the theme/envoy/xds Related to Envoy support label Jan 15, 2025
@NiniOak NiniOak marked this pull request as ready for review January 15, 2025 17:59
@NiniOak NiniOak requested a review from a team as a code owner January 15, 2025 17:59
@NiniOak NiniOak previously approved these changes Jan 15, 2025
@NiniOak NiniOak dismissed stale reviews from github-team-consul-core-pr-approver and themself via 9d63b08 January 15, 2025 18:00
@NiniOak NiniOak previously approved these changes Jan 15, 2025
* NET-11798: Set APIGateway TLSConfig if unset or empty

* add changelog

* update golden file tests

* add missing golden files

* Update .changelog/21984.txt

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* remove use of reflect library and check if object is empty instead

---------

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
@NiniOak NiniOak merged commit 4ad72ff into release/1.20.x Jan 16, 2025
93 checks passed
@NiniOak NiniOak deleted the backport/NET-11798_API_Gateway_TLS_Max_Min_Versions_and_CipherSuites_settings_not_respected/optionally-proper-minnow branch January 16, 2025 17:36