diff --git a/.changelog/12601.txt b/.changelog/12601.txt
new file mode 100644
index 000000000..078da4439
--- /dev/null
+++ b/.changelog/12601.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+xds: adding control of the mesh-wide min/max TLS versions and cipher suites from the mesh config entry
+```
diff --git a/agent/proxycfg/connect_proxy.go b/agent/proxycfg/connect_proxy.go
index 64ce9020c..d0849a01e 100644
--- a/agent/proxycfg/connect_proxy.go
+++ b/agent/proxycfg/connect_proxy.go
@@ -70,6 +70,18 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e
return snap, err
}
+ // Get information about the entire service mesh.
+ err = s.cache.Notify(ctx, cachetype.ConfigEntryName, &structs.ConfigEntryQuery{
+ Kind: structs.MeshConfig,
+ Name: structs.MeshConfigMesh,
+ Datacenter: s.source.Datacenter,
+ QueryOptions: structs.QueryOptions{Token: s.token},
+ EnterpriseMeta: *structs.DefaultEnterpriseMetaInPartition(s.proxyID.PartitionOrDefault()),
+ }, meshConfigEntryID, s.ch)
+ if err != nil {
+ return snap, err
+ }
+
// Watch for service check updates
err = s.cache.Notify(ctx, cachetype.ServiceHTTPChecksName, &cachetype.ServiceHTTPChecksRequest{
ServiceID: s.proxyCfg.DestinationServiceID,
@@ -90,17 +102,6 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e
if err != nil {
return snap, err
}
-
- err = s.cache.Notify(ctx, cachetype.ConfigEntryName, &structs.ConfigEntryQuery{
- Kind: structs.MeshConfig,
- Name: structs.MeshConfigMesh,
- Datacenter: s.source.Datacenter,
- QueryOptions: structs.QueryOptions{Token: s.token},
- EnterpriseMeta: *structs.DefaultEnterpriseMetaInPartition(s.proxyID.PartitionOrDefault()),
- }, meshConfigEntryID, s.ch)
- if err != nil {
- return snap, err
- }
}
// Watch for updates to service endpoints for all upstreams
@@ -368,23 +369,6 @@ func (s *handlerConnectProxy) handleUpdate(ctx context.Context, u cache.UpdateEv
svcID := structs.ServiceIDFromString(strings.TrimPrefix(u.CorrelationID, svcChecksWatchIDPrefix))
snap.ConnectProxy.WatchedServiceChecks[svcID] = resp
- case u.CorrelationID == meshConfigEntryID:
- resp, ok := u.Result.(*structs.ConfigEntryResponse)
- if !ok {
- return fmt.Errorf("invalid type for response: %T", u.Result)
- }
-
- if resp.Entry != nil {
- meshConf, ok := resp.Entry.(*structs.MeshConfigEntry)
- if !ok {
- return fmt.Errorf("invalid type for config entry: %T", resp.Entry)
- }
- snap.ConnectProxy.MeshConfig = meshConf
- } else {
- snap.ConnectProxy.MeshConfig = nil
- }
- snap.ConnectProxy.MeshConfigSet = true
-
default:
return (*handlerUpstreams)(s).handleUpdateUpstreams(ctx, u, snap)
}
diff --git a/agent/proxycfg/ingress_gateway.go b/agent/proxycfg/ingress_gateway.go
index 1a5eb5ed9..34566201b 100644
--- a/agent/proxycfg/ingress_gateway.go
+++ b/agent/proxycfg/ingress_gateway.go
@@ -25,6 +25,18 @@ func (s *handlerIngressGateway) initialize(ctx context.Context) (ConfigSnapshot,
return snap, err
}
+ // Get information about the entire service mesh.
+ err = s.cache.Notify(ctx, cachetype.ConfigEntryName, &structs.ConfigEntryQuery{
+ Kind: structs.MeshConfig,
+ Name: structs.MeshConfigMesh,
+ Datacenter: s.source.Datacenter,
+ QueryOptions: structs.QueryOptions{Token: s.token},
+ EnterpriseMeta: *structs.DefaultEnterpriseMetaInPartition(s.proxyID.PartitionOrDefault()),
+ }, meshConfigEntryID, s.ch)
+ if err != nil {
+ return snap, err
+ }
+
// Watch this ingress gateway's config entry
err = s.cache.Notify(ctx, cachetype.ConfigEntryName, &structs.ConfigEntryQuery{
Kind: structs.IngressGateway,
diff --git a/agent/proxycfg/manager_test.go b/agent/proxycfg/manager_test.go
index 5ac37b793..61454a074 100644
--- a/agent/proxycfg/manager_test.go
+++ b/agent/proxycfg/manager_test.go
@@ -147,6 +147,13 @@ func TestManager_BasicLifecycle(t *testing.T) {
},
},
})
+ meshCacheKey := testGenCacheKey(&structs.ConfigEntryQuery{
+ Datacenter: "dc1",
+ QueryOptions: structs.QueryOptions{Token: "my-token"},
+ Kind: structs.MeshConfig,
+ Name: structs.MeshConfigMesh,
+ EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(),
+ })
dbChainCacheKey := testGenCacheKey(&structs.DiscoveryChainRequest{
Name: "db",
@@ -214,7 +221,8 @@ func TestManager_BasicLifecycle(t *testing.T) {
Roots: roots,
ConnectProxy: configSnapshotConnectProxy{
ConfigSnapshotUpstreams: ConfigSnapshotUpstreams{
- Leaf: leaf,
+ Leaf: leaf,
+ MeshConfigSet: true,
DiscoveryChain: map[UpstreamID]*structs.CompiledDiscoveryChain{
dbUID: dbDefaultChain(),
},
@@ -272,7 +280,8 @@ func TestManager_BasicLifecycle(t *testing.T) {
Roots: roots,
ConnectProxy: configSnapshotConnectProxy{
ConfigSnapshotUpstreams: ConfigSnapshotUpstreams{
- Leaf: leaf,
+ Leaf: leaf,
+ MeshConfigSet: true,
DiscoveryChain: map[UpstreamID]*structs.CompiledDiscoveryChain{
dbUID: dbSplitChain(),
},
@@ -319,6 +328,7 @@ func TestManager_BasicLifecycle(t *testing.T) {
types.roots.Set(rootsCacheKey, roots)
types.leaf.Set(leafCacheKey, leaf)
types.intentions.Set(intentionCacheKey, TestIntentions())
+ types.configEntry.Set(meshCacheKey, &structs.ConfigEntryResponse{Entry: nil})
tt.setup(t, types)
expectSnapCopy, err := copystructure.Copy(tt.expectSnap)
@@ -692,6 +702,22 @@ func TestManager_SyncState_No_Notify(t *testing.T) {
}
+ // update the mesh config entry
+ notifyCH <- cache.UpdateEvent{
+ CorrelationID: meshConfigEntryID,
+ Result: &structs.ConfigEntryResponse{},
+ Err: nil,
+ }
+
+ // at this point the snapshot should not be valid and not be sent
+ after = time.After(200 * time.Millisecond)
+ select {
+ case <-snapSent:
+ t.Fatal("snap should not be valid")
+ case <-after:
+
+ }
+
// prepare to read a snapshot update as the next update should make the snapshot valid
readEvent <- true
diff --git a/agent/proxycfg/snapshot.go b/agent/proxycfg/snapshot.go
index 98aafa262..cebf0b2e9 100644
--- a/agent/proxycfg/snapshot.go
+++ b/agent/proxycfg/snapshot.go
@@ -17,6 +17,9 @@ import (
type ConfigSnapshotUpstreams struct {
Leaf *structs.IssuedCert
+ MeshConfig *structs.MeshConfigEntry
+ MeshConfigSet bool
+
// DiscoveryChain is a map of UpstreamID -> CompiledDiscoveryChain's, and
// is used to determine what services could be targeted by this upstream.
// We then instantiate watches for those targets.
@@ -117,12 +120,10 @@ type configSnapshotConnectProxy struct {
// intentions.
Intentions structs.Intentions
IntentionsSet bool
-
- MeshConfig *structs.MeshConfigEntry
- MeshConfigSet bool
}
-func (c *configSnapshotConnectProxy) IsEmpty() bool {
+// isEmpty is a test helper
+func (c *configSnapshotConnectProxy) isEmpty() bool {
if c == nil {
return true
}
@@ -143,6 +144,9 @@ func (c *configSnapshotConnectProxy) IsEmpty() bool {
}
type configSnapshotTerminatingGateway struct {
+ MeshConfig *structs.MeshConfigEntry
+ MeshConfigSet bool
+
// WatchedServices is a map of service name to a cancel function. This cancel
// function is tied to the watch of linked service instances for the given
// id. If the linked services watch would indicate the removal of
@@ -241,7 +245,8 @@ func (c *configSnapshotTerminatingGateway) ValidServices() []structs.ServiceName
return out
}
-func (c *configSnapshotTerminatingGateway) IsEmpty() bool {
+// isEmpty is a test helper
+func (c *configSnapshotTerminatingGateway) isEmpty() bool {
if c == nil {
return true
}
@@ -257,7 +262,8 @@ func (c *configSnapshotTerminatingGateway) IsEmpty() bool {
len(c.ServiceConfigs) == 0 &&
len(c.WatchedConfigs) == 0 &&
len(c.GatewayServices) == 0 &&
- len(c.HostnameServices) == 0
+ len(c.HostnameServices) == 0 &&
+ !c.MeshConfigSet
}
type configSnapshotMeshGateway struct {
@@ -335,7 +341,8 @@ func (c *configSnapshotMeshGateway) GatewayKeys() []GatewayKey {
return keys
}
-func (c *configSnapshotMeshGateway) IsEmpty() bool {
+// isEmpty is a test helper
+func (c *configSnapshotMeshGateway) isEmpty() bool {
if c == nil {
return true
}
@@ -382,7 +389,8 @@ type configSnapshotIngressGateway struct {
Listeners map[IngressListenerKey]structs.IngressListener
}
-func (c *configSnapshotIngressGateway) IsEmpty() bool {
+// isEmpty is a test helper
+func (c *configSnapshotIngressGateway) isEmpty() bool {
if c == nil {
return true
}
@@ -390,7 +398,8 @@ func (c *configSnapshotIngressGateway) IsEmpty() bool {
len(c.UpstreamsSet) == 0 &&
len(c.DiscoveryChain) == 0 &&
len(c.WatchedUpstreams) == 0 &&
- len(c.WatchedUpstreamEndpoints) == 0
+ len(c.WatchedUpstreamEndpoints) == 0 &&
+ !c.MeshConfigSet
}
type IngressListenerKey struct {
@@ -451,10 +460,12 @@ func (s *ConfigSnapshot) Valid() bool {
}
return s.Roots != nil &&
s.ConnectProxy.Leaf != nil &&
- s.ConnectProxy.IntentionsSet
+ s.ConnectProxy.IntentionsSet &&
+ s.ConnectProxy.MeshConfigSet
case structs.ServiceKindTerminatingGateway:
- return s.Roots != nil
+ return s.Roots != nil &&
+ s.TerminatingGateway.MeshConfigSet
case structs.ServiceKindMeshGateway:
if s.ServiceMeta[structs.MetaWANFederationKey] == "1" {
@@ -469,7 +480,8 @@ func (s *ConfigSnapshot) Valid() bool {
return s.Roots != nil &&
s.IngressGateway.Leaf != nil &&
s.IngressGateway.GatewayConfigLoaded &&
- s.IngressGateway.HostsSet
+ s.IngressGateway.HostsSet &&
+ s.IngressGateway.MeshConfigSet
default:
return false
}
@@ -519,3 +531,32 @@ func (s *ConfigSnapshot) Leaf() *structs.IssuedCert {
return nil
}
}
+
+func (s *ConfigSnapshot) MeshConfig() *structs.MeshConfigEntry {
+ switch s.Kind {
+ case structs.ServiceKindConnectProxy:
+ return s.ConnectProxy.MeshConfig
+ case structs.ServiceKindIngressGateway:
+ return s.IngressGateway.MeshConfig
+ case structs.ServiceKindTerminatingGateway:
+ return s.TerminatingGateway.MeshConfig
+ default:
+ return nil
+ }
+}
+
+func (s *ConfigSnapshot) MeshConfigTLSIncoming() *structs.MeshDirectionalTLSConfig {
+ mesh := s.MeshConfig()
+ if mesh == nil || mesh.TLS == nil {
+ return nil
+ }
+ return mesh.TLS.Incoming
+}
+
+func (s *ConfigSnapshot) MeshConfigTLSOutgoing() *structs.MeshDirectionalTLSConfig {
+ mesh := s.MeshConfig()
+ if mesh == nil || mesh.TLS == nil {
+ return nil
+ }
+ return mesh.TLS.Outgoing
+}
diff --git a/agent/proxycfg/state_test.go b/agent/proxycfg/state_test.go
index 7e88c6eab..5a88c2880 100644
--- a/agent/proxycfg/state_test.go
+++ b/agent/proxycfg/state_test.go
@@ -504,6 +504,7 @@ func TestState_WatchesAndUpdates(t *testing.T) {
rootsWatchID: genVerifyRootsWatch("dc1"),
leafWatchID: genVerifyLeafWatch("web", "dc1"),
intentionsWatchID: genVerifyIntentionWatch("web", "dc1"),
+ meshConfigEntryID: genVerifyMeshConfigWatch("dc1"),
"upstream:" + pqUID.String(): genVerifyPreparedQueryWatch("query", "dc1"),
fmt.Sprintf("discovery-chain:%s", apiUID.String()): genVerifyDiscoveryChainWatch(&structs.DiscoveryChainRequest{
Name: "api",
@@ -568,6 +569,10 @@ func TestState_WatchesAndUpdates(t *testing.T) {
Result: ixnMatch,
Err: nil,
},
+ {
+ CorrelationID: meshConfigEntryID,
+ Result: &structs.ConfigEntryResponse{},
+ },
{
CorrelationID: fmt.Sprintf("discovery-chain:%s", apiUID.String()),
Result: &structs.DiscoveryChainResponse{
@@ -628,7 +633,7 @@ func TestState_WatchesAndUpdates(t *testing.T) {
},
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
require.True(t, snap.Valid())
- require.True(t, snap.MeshGateway.IsEmpty())
+ require.True(t, snap.MeshGateway.isEmpty())
require.Equal(t, indexedRoots, snap.Roots)
require.Equal(t, issuedCert, snap.ConnectProxy.Leaf)
@@ -643,6 +648,7 @@ func TestState_WatchesAndUpdates(t *testing.T) {
require.True(t, snap.ConnectProxy.IntentionsSet)
require.Equal(t, ixnMatch.Matches[0], snap.ConnectProxy.Intentions)
+ require.True(t, snap.ConnectProxy.MeshConfigSet)
},
}
@@ -657,7 +663,7 @@ func TestState_WatchesAndUpdates(t *testing.T) {
},
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
require.True(t, snap.Valid())
- require.True(t, snap.MeshGateway.IsEmpty())
+ require.True(t, snap.MeshGateway.isEmpty())
require.Equal(t, indexedRoots, snap.Roots)
require.Equal(t, issuedCert, snap.ConnectProxy.Leaf)
@@ -740,7 +746,7 @@ func TestState_WatchesAndUpdates(t *testing.T) {
},
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
require.False(t, snap.Valid(), "gateway without root is not valid")
- require.True(t, snap.ConnectProxy.IsEmpty())
+ require.True(t, snap.ConnectProxy.isEmpty())
},
},
{
@@ -749,7 +755,7 @@ func TestState_WatchesAndUpdates(t *testing.T) {
},
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
require.False(t, snap.Valid(), "gateway without services is valid")
- require.True(t, snap.ConnectProxy.IsEmpty())
+ require.True(t, snap.ConnectProxy.isEmpty())
require.Equal(t, indexedRoots, snap.Roots)
require.Empty(t, snap.MeshGateway.WatchedServices)
require.False(t, snap.MeshGateway.WatchedServicesSet)
@@ -771,7 +777,7 @@ func TestState_WatchesAndUpdates(t *testing.T) {
},
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
require.True(t, snap.Valid(), "gateway with empty service list is valid")
- require.True(t, snap.ConnectProxy.IsEmpty())
+ require.True(t, snap.ConnectProxy.isEmpty())
require.Equal(t, indexedRoots, snap.Roots)
require.Empty(t, snap.MeshGateway.WatchedServices)
require.True(t, snap.MeshGateway.WatchedServicesSet)
@@ -940,17 +946,22 @@ func TestState_WatchesAndUpdates(t *testing.T) {
{
requiredWatches: map[string]verifyWatchRequest{
rootsWatchID: genVerifyRootsWatch("dc1"),
+ meshConfigEntryID: genVerifyMeshConfigWatch("dc1"),
gatewayConfigWatchID: genVerifyConfigEntryWatch(structs.IngressGateway, "ingress-gateway", "dc1"),
gatewayServicesWatchID: genVerifyGatewayServiceWatch("ingress-gateway", "dc1"),
},
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
require.False(t, snap.Valid(), "gateway without root is not valid")
- require.True(t, snap.IngressGateway.IsEmpty())
+ require.True(t, snap.IngressGateway.isEmpty())
},
},
{
events: []cache.UpdateEvent{
rootWatchEvent(),
+ {
+ CorrelationID: meshConfigEntryID,
+ Result: &structs.ConfigEntryResponse{},
+ },
},
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
require.False(t, snap.Valid(), "gateway without config entry is not valid")
@@ -1104,11 +1115,16 @@ func TestState_WatchesAndUpdates(t *testing.T) {
{
requiredWatches: map[string]verifyWatchRequest{
rootsWatchID: genVerifyRootsWatch("dc1"),
+ meshConfigEntryID: genVerifyMeshConfigWatch("dc1"),
gatewayConfigWatchID: genVerifyConfigEntryWatch(structs.IngressGateway, "ingress-gateway", "dc1"),
gatewayServicesWatchID: genVerifyGatewayServiceWatch("ingress-gateway", "dc1"),
},
events: []cache.UpdateEvent{
rootWatchEvent(),
+ {
+ CorrelationID: meshConfigEntryID,
+ Result: &structs.ConfigEntryResponse{},
+ },
ingressConfigWatchEvent(true, false),
{
CorrelationID: gatewayServicesWatchID,
@@ -1179,11 +1195,16 @@ func TestState_WatchesAndUpdates(t *testing.T) {
{
requiredWatches: map[string]verifyWatchRequest{
rootsWatchID: genVerifyRootsWatch("dc1"),
+ meshConfigEntryID: genVerifyMeshConfigWatch("dc1"),
gatewayConfigWatchID: genVerifyConfigEntryWatch(structs.IngressGateway, "ingress-gateway", "dc1"),
gatewayServicesWatchID: genVerifyGatewayServiceWatch("ingress-gateway", "dc1"),
},
events: []cache.UpdateEvent{
rootWatchEvent(),
+ {
+ CorrelationID: meshConfigEntryID,
+ Result: &structs.ConfigEntryResponse{},
+ },
ingressConfigWatchEvent(false, true),
{
CorrelationID: gatewayServicesWatchID,
@@ -1266,27 +1287,33 @@ func TestState_WatchesAndUpdates(t *testing.T) {
stages: []verificationStage{
{
requiredWatches: map[string]verifyWatchRequest{
- rootsWatchID: genVerifyRootsWatch("dc1"),
+ rootsWatchID: genVerifyRootsWatch("dc1"),
+ meshConfigEntryID: genVerifyMeshConfigWatch("dc1"),
gatewayServicesWatchID: genVerifyServiceSpecificRequest(gatewayServicesWatchID,
"terminating-gateway", "", "dc1", false),
},
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
require.False(t, snap.Valid(), "gateway without root is not valid")
- require.True(t, snap.ConnectProxy.IsEmpty())
- require.True(t, snap.MeshGateway.IsEmpty())
- require.True(t, snap.IngressGateway.IsEmpty())
+ require.True(t, snap.ConnectProxy.isEmpty())
+ require.True(t, snap.MeshGateway.isEmpty())
+ require.True(t, snap.IngressGateway.isEmpty())
},
},
{
events: []cache.UpdateEvent{
rootWatchEvent(),
+ {
+ CorrelationID: meshConfigEntryID,
+ Result: &structs.ConfigEntryResponse{},
+ },
},
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
require.True(t, snap.Valid(), "gateway without services is valid")
- require.True(t, snap.ConnectProxy.IsEmpty())
- require.True(t, snap.MeshGateway.IsEmpty())
- require.True(t, snap.IngressGateway.IsEmpty())
- require.True(t, snap.TerminatingGateway.IsEmpty())
+ require.True(t, snap.ConnectProxy.isEmpty())
+ require.True(t, snap.MeshGateway.isEmpty())
+ require.True(t, snap.IngressGateway.isEmpty())
+ require.False(t, snap.TerminatingGateway.isEmpty())
+ require.Nil(t, snap.TerminatingGateway.MeshConfig)
require.Equal(t, indexedRoots, snap.Roots)
},
},
@@ -1303,12 +1330,17 @@ func TestState_WatchesAndUpdates(t *testing.T) {
stages: []verificationStage{
{
requiredWatches: map[string]verifyWatchRequest{
- rootsWatchID: genVerifyRootsWatch("dc1"),
+ rootsWatchID: genVerifyRootsWatch("dc1"),
+ meshConfigEntryID: genVerifyMeshConfigWatch("dc1"),
gatewayServicesWatchID: genVerifyServiceSpecificRequest(gatewayServicesWatchID,
"terminating-gateway", "", "dc1", false),
},
events: []cache.UpdateEvent{
rootWatchEvent(),
+ {
+ CorrelationID: meshConfigEntryID,
+ Result: &structs.ConfigEntryResponse{},
+ },
{
CorrelationID: gatewayServicesWatchID,
Result: &structs.IndexedGatewayServices{
@@ -1680,11 +1712,11 @@ func TestState_WatchesAndUpdates(t *testing.T) {
},
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
require.False(t, snap.Valid(), "proxy without roots/leaf/intentions is not valid")
- require.True(t, snap.MeshGateway.IsEmpty())
- require.True(t, snap.IngressGateway.IsEmpty())
- require.True(t, snap.TerminatingGateway.IsEmpty())
+ require.True(t, snap.MeshGateway.isEmpty())
+ require.True(t, snap.IngressGateway.isEmpty())
+ require.True(t, snap.TerminatingGateway.isEmpty())
- require.False(t, snap.ConnectProxy.IsEmpty())
+ require.False(t, snap.ConnectProxy.isEmpty())
expectUpstreams := map[UpstreamID]*structs.Upstream{
dbUID: {
DestinationName: "db",
@@ -1721,9 +1753,9 @@ func TestState_WatchesAndUpdates(t *testing.T) {
require.Equal(t, indexedRoots, snap.Roots)
require.Equal(t, issuedCert, snap.Leaf())
require.Equal(t, TestIntentions().Matches[0], snap.ConnectProxy.Intentions)
- require.True(t, snap.MeshGateway.IsEmpty())
- require.True(t, snap.IngressGateway.IsEmpty())
- require.True(t, snap.TerminatingGateway.IsEmpty())
+ require.True(t, snap.MeshGateway.isEmpty())
+ require.True(t, snap.IngressGateway.isEmpty())
+ require.True(t, snap.TerminatingGateway.isEmpty())
require.True(t, snap.ConnectProxy.MeshConfigSet)
require.Nil(t, snap.ConnectProxy.MeshConfig)
},
@@ -1766,9 +1798,9 @@ func TestState_WatchesAndUpdates(t *testing.T) {
},
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
require.False(t, snap.Valid(), "proxy without roots/leaf/intentions is not valid")
- require.True(t, snap.MeshGateway.IsEmpty())
- require.True(t, snap.IngressGateway.IsEmpty())
- require.True(t, snap.TerminatingGateway.IsEmpty())
+ require.True(t, snap.MeshGateway.isEmpty())
+ require.True(t, snap.IngressGateway.isEmpty())
+ require.True(t, snap.TerminatingGateway.isEmpty())
// Centrally configured upstream defaults should be stored so that upstreams from intentions can inherit them
require.Len(t, snap.ConnectProxy.UpstreamConfig, 1)
@@ -1807,9 +1839,9 @@ func TestState_WatchesAndUpdates(t *testing.T) {
require.Equal(t, indexedRoots, snap.Roots)
require.Equal(t, issuedCert, snap.Leaf())
require.Equal(t, TestIntentions().Matches[0], snap.ConnectProxy.Intentions)
- require.True(t, snap.MeshGateway.IsEmpty())
- require.True(t, snap.IngressGateway.IsEmpty())
- require.True(t, snap.TerminatingGateway.IsEmpty())
+ require.True(t, snap.MeshGateway.isEmpty())
+ require.True(t, snap.IngressGateway.isEmpty())
+ require.True(t, snap.TerminatingGateway.isEmpty())
require.True(t, snap.ConnectProxy.MeshConfigSet)
require.NotNil(t, snap.ConnectProxy.MeshConfig)
},
@@ -2333,9 +2365,9 @@ func TestState_WatchesAndUpdates(t *testing.T) {
},
verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
require.False(t, snap.Valid(), "proxy without roots/leaf/intentions is not valid")
- require.True(t, snap.MeshGateway.IsEmpty())
- require.True(t, snap.IngressGateway.IsEmpty())
- require.True(t, snap.TerminatingGateway.IsEmpty())
+ require.True(t, snap.MeshGateway.isEmpty())
+ require.True(t, snap.IngressGateway.isEmpty())
+ require.True(t, snap.TerminatingGateway.isEmpty())
// Centrally configured upstream defaults should be stored so that upstreams from intentions can inherit them
require.Len(t, snap.ConnectProxy.UpstreamConfig, 2)
@@ -2375,9 +2407,9 @@ func TestState_WatchesAndUpdates(t *testing.T) {
require.Equal(t, indexedRoots, snap.Roots)
require.Equal(t, issuedCert, snap.Leaf())
require.Equal(t, TestIntentions().Matches[0], snap.ConnectProxy.Intentions)
- require.True(t, snap.MeshGateway.IsEmpty())
- require.True(t, snap.IngressGateway.IsEmpty())
- require.True(t, snap.TerminatingGateway.IsEmpty())
+ require.True(t, snap.MeshGateway.isEmpty())
+ require.True(t, snap.IngressGateway.isEmpty())
+ require.True(t, snap.TerminatingGateway.isEmpty())
require.True(t, snap.ConnectProxy.MeshConfigSet)
require.NotNil(t, snap.ConnectProxy.MeshConfig)
},
diff --git a/agent/proxycfg/terminating_gateway.go b/agent/proxycfg/terminating_gateway.go
index b08985b29..73b968272 100644
--- a/agent/proxycfg/terminating_gateway.go
+++ b/agent/proxycfg/terminating_gateway.go
@@ -28,6 +28,18 @@ func (s *handlerTerminatingGateway) initialize(ctx context.Context) (ConfigSnaps
return snap, err
}
+ // Get information about the entire service mesh.
+ err = s.cache.Notify(ctx, cachetype.ConfigEntryName, &structs.ConfigEntryQuery{
+ Kind: structs.MeshConfig,
+ Name: structs.MeshConfigMesh,
+ Datacenter: s.source.Datacenter,
+ QueryOptions: structs.QueryOptions{Token: s.token},
+ EnterpriseMeta: *structs.DefaultEnterpriseMetaInPartition(s.proxyID.PartitionOrDefault()),
+ }, meshConfigEntryID, s.ch)
+ if err != nil {
+ return snap, err
+ }
+
// Watch for the terminating-gateway's linked services
err = s.cache.Notify(ctx, cachetype.GatewayServicesName, &structs.ServiceSpecificRequest{
Datacenter: s.source.Datacenter,
@@ -70,6 +82,23 @@ func (s *handlerTerminatingGateway) handleUpdate(ctx context.Context, u cache.Up
}
snap.Roots = roots
+ case u.CorrelationID == meshConfigEntryID:
+ resp, ok := u.Result.(*structs.ConfigEntryResponse)
+ if !ok {
+ return fmt.Errorf("invalid type for response: %T", u.Result)
+ }
+
+ if resp.Entry != nil {
+ meshConf, ok := resp.Entry.(*structs.MeshConfigEntry)
+ if !ok {
+ return fmt.Errorf("invalid type for config entry: %T", resp.Entry)
+ }
+ snap.TerminatingGateway.MeshConfig = meshConf
+ } else {
+ snap.TerminatingGateway.MeshConfig = nil
+ }
+ snap.TerminatingGateway.MeshConfigSet = true
+
// Update watches based on the current list of services associated with the terminating-gateway
case u.CorrelationID == gatewayServicesWatchID:
services, ok := u.Result.(*structs.IndexedGatewayServices)
diff --git a/agent/proxycfg/testing.go b/agent/proxycfg/testing.go
index af3a33061..eb2ebfb0b 100644
--- a/agent/proxycfg/testing.go
+++ b/agent/proxycfg/testing.go
@@ -32,6 +32,7 @@ type TestCacheTypes struct {
query *ControllableCacheType
compiledChain *ControllableCacheType
serviceHTTPChecks *ControllableCacheType
+ configEntry *ControllableCacheType
}
// NewTestCacheTypes creates a set of ControllableCacheTypes for all types that
@@ -46,6 +47,7 @@ func NewTestCacheTypes(t testing.T) *TestCacheTypes {
query: NewControllableCacheType(t),
compiledChain: NewControllableCacheType(t),
serviceHTTPChecks: NewControllableCacheType(t),
+ configEntry: NewControllableCacheType(t),
}
ct.query.blocking = false
return ct
@@ -62,6 +64,7 @@ func TestCacheWithTypes(t testing.T, types *TestCacheTypes) *cache.Cache {
c.RegisterType(cachetype.PreparedQueryName, types.query)
c.RegisterType(cachetype.CompiledDiscoveryChainName, types.compiledChain)
c.RegisterType(cachetype.ServiceHTTPChecksName, types.serviceHTTPChecks)
+ c.RegisterType(cachetype.ConfigEntryName, types.configEntry)
return c
}
diff --git a/agent/proxycfg/testing_connect_proxy.go b/agent/proxycfg/testing_connect_proxy.go
index 35a8e6011..61db728c2 100644
--- a/agent/proxycfg/testing_connect_proxy.go
+++ b/agent/proxycfg/testing_connect_proxy.go
@@ -125,6 +125,12 @@ func TestConfigSnapshotDiscoveryChain(
},
},
},
+ {
+ CorrelationID: meshConfigEntryID,
+ Result: &structs.ConfigEntryResponse{
+ Entry: nil,
+ },
+ },
{
CorrelationID: svcChecksWatchIDPrefix + webSN,
Result: []structs.CheckType{},
diff --git a/agent/proxycfg/upstreams.go b/agent/proxycfg/upstreams.go
index e77b554ff..f8daf340f 100644
--- a/agent/proxycfg/upstreams.go
+++ b/agent/proxycfg/upstreams.go
@@ -35,6 +35,23 @@ func (s *handlerUpstreams) handleUpdateUpstreams(ctx context.Context, u cache.Up
}
upstreamsSnapshot.Leaf = leaf
+ case u.CorrelationID == meshConfigEntryID:
+ resp, ok := u.Result.(*structs.ConfigEntryResponse)
+ if !ok {
+ return fmt.Errorf("invalid type for response: %T", u.Result)
+ }
+
+ if resp.Entry != nil {
+ meshConf, ok := resp.Entry.(*structs.MeshConfigEntry)
+ if !ok {
+ return fmt.Errorf("invalid type for config entry: %T", resp.Entry)
+ }
+ upstreamsSnapshot.MeshConfig = meshConf
+ } else {
+ upstreamsSnapshot.MeshConfig = nil
+ }
+ upstreamsSnapshot.MeshConfigSet = true
+
case strings.HasPrefix(u.CorrelationID, "discovery-chain:"):
resp, ok := u.Result.(*structs.DiscoveryChainResponse)
if !ok {
diff --git a/agent/structs/config_entry_gateways.go b/agent/structs/config_entry_gateways.go
index 80ef0f98d..94014230d 100644
--- a/agent/structs/config_entry_gateways.go
+++ b/agent/structs/config_entry_gateways.go
@@ -240,37 +240,7 @@ func (e *IngressGatewayConfigEntry) validateServiceSDS(lis IngressListener, svc
}
func validateGatewayTLSConfig(tlsCfg GatewayTLSConfig) error {
- if tlsCfg.TLSMinVersion != types.TLSVersionUnspecified {
- if err := types.ValidateTLSVersion(tlsCfg.TLSMinVersion); err != nil {
- return err
- }
- }
-
- if tlsCfg.TLSMaxVersion != types.TLSVersionUnspecified {
- if err := types.ValidateTLSVersion(tlsCfg.TLSMaxVersion); err != nil {
- return err
- }
-
- if tlsCfg.TLSMinVersion != types.TLSVersionUnspecified {
- if err, maxLessThanMin := tlsCfg.TLSMaxVersion.LessThan(tlsCfg.TLSMinVersion); err == nil && maxLessThanMin {
- return fmt.Errorf("configuring max version %s less than the configured min version %s is invalid", tlsCfg.TLSMaxVersion, tlsCfg.TLSMinVersion)
- }
- }
- }
-
- if len(tlsCfg.CipherSuites) != 0 {
- if _, ok := types.TLSVersionsWithConfigurableCipherSuites[tlsCfg.TLSMinVersion]; !ok {
- return fmt.Errorf("configuring CipherSuites is only applicable to conncetions negotiated with TLS 1.2 or earlier, TLSMinVersion is set to %s", tlsCfg.TLSMinVersion)
- }
-
- // NOTE: it would be nice to emit a warning but not return an error from
- // here if TLSMaxVersion is unspecified, TLS_AUTO or TLSv1_3
- if err := types.ValidateEnvoyCipherSuites(tlsCfg.CipherSuites); err != nil {
- return err
- }
- }
-
- return nil
+ return validateTLSConfig(tlsCfg.TLSMinVersion, tlsCfg.TLSMaxVersion, tlsCfg.CipherSuites)
}
func (e *IngressGatewayConfigEntry) Validate() error {
diff --git a/agent/structs/config_entry_mesh.go b/agent/structs/config_entry_mesh.go
index 020b76c9c..eb9f34f43 100644
--- a/agent/structs/config_entry_mesh.go
+++ b/agent/structs/config_entry_mesh.go
@@ -5,6 +5,7 @@ import (
"fmt"
"github.com/hashicorp/consul/acl"
+ "github.com/hashicorp/consul/types"
)
type MeshConfigEntry struct {
@@ -12,6 +13,8 @@ type MeshConfigEntry struct {
// when enabled.
TransparentProxy TransparentProxyMeshConfig `alias:"transparent_proxy"`
+ TLS *MeshTLSConfig `json:",omitempty"`
+
Meta map[string]string `json:",omitempty"`
EnterpriseMeta `hcl:",squash" mapstructure:",squash"`
RaftIndex
@@ -25,6 +28,20 @@ type TransparentProxyMeshConfig struct {
MeshDestinationsOnly bool `alias:"mesh_destinations_only"`
}
+type MeshTLSConfig struct {
+ Incoming *MeshDirectionalTLSConfig `json:",omitempty"`
+ Outgoing *MeshDirectionalTLSConfig `json:",omitempty"`
+}
+
+type MeshDirectionalTLSConfig struct {
+ TLSMinVersion types.TLSVersion `json:",omitempty" alias:"tls_min_version"`
+ TLSMaxVersion types.TLSVersion `json:",omitempty" alias:"tls_max_version"`
+
+ // Define a subset of cipher suites to restrict
+ // Only applicable to connections negotiated via TLS 1.2 or earlier
+ CipherSuites []types.TLSCipherSuite `json:",omitempty" alias:"cipher_suites"`
+}
+
func (e *MeshConfigEntry) GetKind() string {
return MeshConfig
}
@@ -57,10 +74,24 @@ func (e *MeshConfigEntry) Validate() error {
if e == nil {
return fmt.Errorf("config entry is nil")
}
+
if err := validateConfigEntryMeta(e.Meta); err != nil {
return err
}
+ if e.TLS != nil {
+ if e.TLS.Incoming != nil {
+ if err := validateMeshDirectionalTLSConfig(e.TLS.Incoming); err != nil {
+ return fmt.Errorf("error in incoming TLS configuration: %v", err)
+ }
+ }
+ if e.TLS.Outgoing != nil {
+ if err := validateMeshDirectionalTLSConfig(e.TLS.Outgoing); err != nil {
+ return fmt.Errorf("error in outgoing TLS configuration: %v", err)
+ }
+ }
+ }
+
return e.validateEnterpriseMeta()
}
@@ -105,3 +136,48 @@ func (e *MeshConfigEntry) MarshalJSON() ([]byte, error) {
}
return json.Marshal(source)
}
+
+func validateMeshDirectionalTLSConfig(cfg *MeshDirectionalTLSConfig) error {
+ if cfg == nil {
+ return nil
+ }
+ return validateTLSConfig(cfg.TLSMinVersion, cfg.TLSMaxVersion, cfg.CipherSuites)
+}
+
+func validateTLSConfig(
+ tlsMinVersion types.TLSVersion,
+ tlsMaxVersion types.TLSVersion,
+ cipherSuites []types.TLSCipherSuite,
+) error {
+ if tlsMinVersion != types.TLSVersionUnspecified {
+ if err := types.ValidateTLSVersion(tlsMinVersion); err != nil {
+ return err
+ }
+ }
+
+ if tlsMaxVersion != types.TLSVersionUnspecified {
+ if err := types.ValidateTLSVersion(tlsMaxVersion); err != nil {
+ return err
+ }
+
+ if tlsMinVersion != types.TLSVersionUnspecified {
+ if err, maxLessThanMin := tlsMaxVersion.LessThan(tlsMinVersion); err == nil && maxLessThanMin {
+ return fmt.Errorf("configuring max version %s less than the configured min version %s is invalid", tlsMaxVersion, tlsMinVersion)
+ }
+ }
+ }
+
+ if len(cipherSuites) != 0 {
+ if _, ok := types.TLSVersionsWithConfigurableCipherSuites[tlsMinVersion]; !ok {
+ return fmt.Errorf("configuring CipherSuites is only applicable to connections negotiated with TLS 1.2 or earlier, TLSMinVersion is set to %s", tlsMinVersion)
+ }
+
+ // NOTE: it would be nice to emit a warning but not return an error from
+ // here if TLSMaxVersion is unspecified, TLS_AUTO or TLSv1_3
+ if err := types.ValidateEnvoyCipherSuites(cipherSuites); err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
diff --git a/agent/structs/config_entry_test.go b/agent/structs/config_entry_test.go
index e4d581075..f125998b9 100644
--- a/agent/structs/config_entry_test.go
+++ b/agent/structs/config_entry_test.go
@@ -1675,6 +1675,24 @@ func TestDecodeConfigEntry(t *testing.T) {
transparent_proxy {
mesh_destinations_only = true
}
+ tls {
+ incoming {
+ tls_min_version = "TLSv1_1"
+ tls_max_version = "TLSv1_2"
+ cipher_suites = [
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ ]
+ }
+ outgoing {
+ tls_min_version = "TLSv1_1"
+ tls_max_version = "TLSv1_2"
+ cipher_suites = [
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ ]
+ }
+ }
`,
camel: `
Kind = "mesh"
@@ -1685,6 +1703,24 @@ func TestDecodeConfigEntry(t *testing.T) {
TransparentProxy {
MeshDestinationsOnly = true
}
+ TLS {
+ Incoming {
+ TLSMinVersion = "TLSv1_1"
+ TLSMaxVersion = "TLSv1_2"
+ CipherSuites = [
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ ]
+ }
+ Outgoing {
+ TLSMinVersion = "TLSv1_1"
+ TLSMaxVersion = "TLSv1_2"
+ CipherSuites = [
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ ]
+ }
+ }
`,
expect: &MeshConfigEntry{
Meta: map[string]string{
@@ -1694,6 +1730,24 @@ func TestDecodeConfigEntry(t *testing.T) {
TransparentProxy: TransparentProxyMeshConfig{
MeshDestinationsOnly: true,
},
+ TLS: &MeshTLSConfig{
+ Incoming: &MeshDirectionalTLSConfig{
+ TLSMinVersion: types.TLSv1_1,
+ TLSMaxVersion: types.TLSv1_2,
+ CipherSuites: []types.TLSCipherSuite{
+ types.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ types.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ },
+ },
+ Outgoing: &MeshDirectionalTLSConfig{
+ TLSMinVersion: types.TLSv1_1,
+ TLSMaxVersion: types.TLSv1_2,
+ CipherSuites: []types.TLSCipherSuite{
+ types.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ types.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ },
+ },
+ },
},
},
{
diff --git a/agent/xds/clusters.go b/agent/xds/clusters.go
index 716c320d3..94610a828 100644
--- a/agent/xds/clusters.go
+++ b/agent/xds/clusters.go
@@ -158,8 +158,8 @@ func makePassthroughClusters(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message,
// This size is an upper bound.
clusters := make([]proto.Message, 0, len(cfgSnap.ConnectProxy.PassthroughUpstreams)+1)
- if cfgSnap.ConnectProxy.MeshConfig == nil ||
- !cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.MeshDestinationsOnly {
+ if meshConf := cfgSnap.MeshConfig(); meshConf == nil ||
+ !meshConf.TransparentProxy.MeshDestinationsOnly {
clusters = append(clusters, &envoy_cluster_v3.Cluster{
Name: OriginalDestinationClusterName,
@@ -200,7 +200,11 @@ func makePassthroughClusters(cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message,
Service: uid.Name,
}
- commonTLSContext := makeCommonTLSContextFromLeafWithoutParams(cfgSnap, cfgSnap.Leaf())
+ commonTLSContext := makeCommonTLSContextFromLeaf(
+ cfgSnap,
+ cfgSnap.Leaf(),
+ makeTLSParametersFromProxyTLSConfig(cfgSnap.MeshConfigTLSOutgoing()),
+ )
err := injectSANMatcher(commonTLSContext, spiffeID)
if err != nil {
return nil, fmt.Errorf("failed to inject SAN matcher rules for cluster %q: %v", sni, err)
@@ -567,7 +571,11 @@ func (s *ResourceGenerator) makeUpstreamClusterForPreparedQuery(upstream structs
}
// Enable TLS upstream with the configured client certificate.
- commonTLSContext := makeCommonTLSContextFromLeafWithoutParams(cfgSnap, cfgSnap.Leaf())
+ commonTLSContext := makeCommonTLSContextFromLeaf(
+ cfgSnap,
+ cfgSnap.Leaf(),
+ makeTLSParametersFromProxyTLSConfig(cfgSnap.MeshConfigTLSOutgoing()),
+ )
err = injectSANMatcher(commonTLSContext, spiffeIDs...)
if err != nil {
return nil, fmt.Errorf("failed to inject SAN matcher rules for cluster %q: %v", sni, err)
@@ -745,7 +753,12 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain(
c.Http2ProtocolOptions = &envoy_core_v3.Http2ProtocolOptions{}
}
- commonTLSContext := makeCommonTLSContextFromLeafWithoutParams(cfgSnap, cfgSnap.Leaf())
+ commonTLSContext := makeCommonTLSContextFromLeaf(
+ cfgSnap,
+ cfgSnap.Leaf(),
+ makeTLSParametersFromProxyTLSConfig(cfgSnap.MeshConfigTLSOutgoing()),
+ )
+
err = injectSANMatcher(commonTLSContext, spiffeIDs...)
if err != nil {
return nil, fmt.Errorf("failed to inject SAN matcher rules for cluster %q: %v", sni, err)
diff --git a/agent/xds/clusters_test.go b/agent/xds/clusters_test.go
index 4b4de8d27..c8a1e98e5 100644
--- a/agent/xds/clusters_test.go
+++ b/agent/xds/clusters_test.go
@@ -13,11 +13,13 @@ import (
testinf "github.com/mitchellh/go-testing-interface"
"github.com/stretchr/testify/require"
+ "github.com/hashicorp/consul/agent/cache"
"github.com/hashicorp/consul/agent/proxycfg"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/agent/xds/proxysupport"
"github.com/hashicorp/consul/agent/xds/xdscommon"
"github.com/hashicorp/consul/sdk/testutil"
+ "github.com/hashicorp/consul/types"
)
func TestClustersFromSnapshot(t *testing.T) {
@@ -36,6 +38,85 @@ func TestClustersFromSnapshot(t *testing.T) {
return proxycfg.TestConfigSnapshot(t, nil, nil)
},
},
+ {
+ name: "connect-proxy-with-tls-outgoing-min-version-auto",
+ create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+ return proxycfg.TestConfigSnapshot(t, nil, []cache.UpdateEvent{
+ {
+ CorrelationID: "mesh",
+ Result: &structs.ConfigEntryResponse{
+ Entry: &structs.MeshConfigEntry{
+ TLS: &structs.MeshTLSConfig{
+ Outgoing: &structs.MeshDirectionalTLSConfig{
+ TLSMinVersion: types.TLSVersionAuto,
+ },
+ },
+ },
+ },
+ },
+ })
+ },
+ },
+ {
+ name: "connect-proxy-with-tls-outgoing-min-version",
+ create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+ return proxycfg.TestConfigSnapshot(t, nil, []cache.UpdateEvent{
+ {
+ CorrelationID: "mesh",
+ Result: &structs.ConfigEntryResponse{
+ Entry: &structs.MeshConfigEntry{
+ TLS: &structs.MeshTLSConfig{
+ Outgoing: &structs.MeshDirectionalTLSConfig{
+ TLSMinVersion: types.TLSv1_3,
+ },
+ },
+ },
+ },
+ },
+ })
+ },
+ },
+ {
+ name: "connect-proxy-with-tls-outgoing-max-version",
+ create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+ return proxycfg.TestConfigSnapshot(t, nil, []cache.UpdateEvent{
+ {
+ CorrelationID: "mesh",
+ Result: &structs.ConfigEntryResponse{
+ Entry: &structs.MeshConfigEntry{
+ TLS: &structs.MeshTLSConfig{
+ Outgoing: &structs.MeshDirectionalTLSConfig{
+ TLSMaxVersion: types.TLSv1_2,
+ },
+ },
+ },
+ },
+ },
+ })
+ },
+ },
+ {
+ name: "connect-proxy-with-tls-outgoing-cipher-suites",
+ create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+ return proxycfg.TestConfigSnapshot(t, nil, []cache.UpdateEvent{
+ {
+ CorrelationID: "mesh",
+ Result: &structs.ConfigEntryResponse{
+ Entry: &structs.MeshConfigEntry{
+ TLS: &structs.MeshTLSConfig{
+ Outgoing: &structs.MeshDirectionalTLSConfig{
+ CipherSuites: []types.TLSCipherSuite{
+ types.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ types.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ },
+ },
+ },
+ },
+ },
+ },
+ })
+ },
+ },
{
name: "custom-local-app",
create: func(t testinf.T) *proxycfg.ConfigSnapshot {
@@ -322,6 +403,66 @@ func TestClustersFromSnapshot(t *testing.T) {
"default", nil, nil, nil)
},
},
+ {
+ name: "ingress-gateway-with-tls-outgoing-min-version",
+ create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+ return proxycfg.TestConfigSnapshotIngressGateway(t, true, "tcp", "default", nil, nil, []cache.UpdateEvent{
+ {
+ CorrelationID: "mesh",
+ Result: &structs.ConfigEntryResponse{
+ Entry: &structs.MeshConfigEntry{
+ TLS: &structs.MeshTLSConfig{
+ Outgoing: &structs.MeshDirectionalTLSConfig{
+ TLSMinVersion: types.TLSv1_3,
+ },
+ },
+ },
+ },
+ },
+ })
+ },
+ },
+ {
+ name: "ingress-gateway-with-tls-outgoing-max-version",
+ create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+ return proxycfg.TestConfigSnapshotIngressGateway(t, true, "tcp", "default", nil, nil, []cache.UpdateEvent{
+ {
+ CorrelationID: "mesh",
+ Result: &structs.ConfigEntryResponse{
+ Entry: &structs.MeshConfigEntry{
+ TLS: &structs.MeshTLSConfig{
+ Outgoing: &structs.MeshDirectionalTLSConfig{
+ TLSMaxVersion: types.TLSv1_2,
+ },
+ },
+ },
+ },
+ },
+ })
+ },
+ },
+ {
+ name: "ingress-gateway-with-tls-outgoing-cipher-suites",
+ create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+ return proxycfg.TestConfigSnapshotIngressGateway(t, true, "tcp", "default", nil, nil, []cache.UpdateEvent{
+ {
+ CorrelationID: "mesh",
+ Result: &structs.ConfigEntryResponse{
+ Entry: &structs.MeshConfigEntry{
+ TLS: &structs.MeshTLSConfig{
+ Outgoing: &structs.MeshDirectionalTLSConfig{
+ CipherSuites: []types.TLSCipherSuite{
+ types.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ types.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ },
+ },
+ },
+ },
+ },
+ },
+ })
+ },
+ },
{
name: "ingress-gateway-no-services",
create: func(t testinf.T) *proxycfg.ConfigSnapshot {
diff --git a/agent/xds/listeners.go b/agent/xds/listeners.go
index 2a671c40d..bca152ad9 100644
--- a/agent/xds/listeners.go
+++ b/agent/xds/listeners.go
@@ -12,6 +12,7 @@ import (
"time"
"github.com/hashicorp/consul/agent/connect/ca"
+ "github.com/hashicorp/consul/types"
envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
envoy_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
@@ -250,8 +251,8 @@ func (s *ResourceGenerator) listenersFromSnapshotConnectProxy(cfgSnap *proxycfg.
})
// Add a catch-all filter chain that acts as a TCP proxy to destinations outside the mesh
- if cfgSnap.ConnectProxy.MeshConfig == nil ||
- !cfgSnap.ConnectProxy.MeshConfig.TransparentProxy.MeshDestinationsOnly {
+ if meshConf := cfgSnap.MeshConfig(); meshConf == nil ||
+ !meshConf.TransparentProxy.MeshDestinationsOnly {
filterChain, err := s.makeUpstreamFilterChain(filterChainOpts{
clusterName: OriginalDestinationClusterName,
@@ -749,7 +750,11 @@ func injectHTTPFilterOnFilterChains(
func (s *ResourceGenerator) injectConnectTLSOnFilterChains(cfgSnap *proxycfg.ConfigSnapshot, listener *envoy_listener_v3.Listener) error {
for idx := range listener.FilterChains {
tlsContext := &envoy_tls_v3.DownstreamTlsContext{
- CommonTlsContext: makeCommonTLSContextFromLeafWithoutParams(cfgSnap, cfgSnap.Leaf()),
+ CommonTlsContext: makeCommonTLSContextFromLeaf(
+ cfgSnap,
+ cfgSnap.Leaf(),
+ makeTLSParametersFromProxyTLSConfig(cfgSnap.MeshConfigTLSIncoming()),
+ ),
RequireClientCertificate: &wrappers.BoolValue{Value: true},
}
transportSocket, err := makeDownstreamTLSTransportSocket(tlsContext)
@@ -1071,7 +1076,11 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(
protocol string,
) (*envoy_listener_v3.FilterChain, error) {
tlsContext := &envoy_tls_v3.DownstreamTlsContext{
- CommonTlsContext: makeCommonTLSContextFromLeafWithoutParams(cfgSnap, cfgSnap.TerminatingGateway.ServiceLeaves[service]),
+ CommonTlsContext: makeCommonTLSContextFromLeaf(
+ cfgSnap,
+ cfgSnap.TerminatingGateway.ServiceLeaves[service],
+ makeTLSParametersFromProxyTLSConfig(cfgSnap.MeshConfigTLSIncoming()),
+ ),
RequireClientCertificate: &wrappers.BoolValue{Value: true},
}
transportSocket, err := makeDownstreamTLSTransportSocket(tlsContext)
@@ -1549,11 +1558,11 @@ func makeEnvoyHTTPFilter(name string, cfg proto.Message) (*envoy_http_v3.HttpFil
}, nil
}
-func makeCommonTLSContextFromLeafWithoutParams(cfgSnap *proxycfg.ConfigSnapshot, leaf *structs.IssuedCert) *envoy_tls_v3.CommonTlsContext {
- return makeCommonTLSContextFromLeaf(cfgSnap, leaf, nil)
-}
-
-func makeCommonTLSContextFromLeaf(cfgSnap *proxycfg.ConfigSnapshot, leaf *structs.IssuedCert, tlsParams *envoy_tls_v3.TlsParameters) *envoy_tls_v3.CommonTlsContext {
+func makeCommonTLSContextFromLeaf(
+ cfgSnap *proxycfg.ConfigSnapshot,
+ leaf *structs.IssuedCert,
+ tlsParams *envoy_tls_v3.TlsParameters,
+) *envoy_tls_v3.CommonTlsContext {
// Concatenate all the root PEMs into one.
if cfgSnap.Roots == nil {
return nil
@@ -1662,3 +1671,66 @@ func makeCommonTLSContextFromFiles(caFile, certFile, keyFile string) *envoy_tls_
return &ctx
}
+
+func validateListenerTLSConfig(tlsMinVersion types.TLSVersion, cipherSuites []types.TLSCipherSuite) error {
+ // Validate. Configuring cipher suites is only applicable to connections negotiated
+ // via TLS 1.2 or earlier. Other cases shouldn't be possible as we validate them at
+ // input but be resilient to bugs later.
+ if len(cipherSuites) != 0 {
+ if _, ok := tlsVersionsWithConfigurableCipherSuites[tlsMinVersion]; !ok {
+ return fmt.Errorf("configuring CipherSuites is only applicable to connections negotiated with TLS 1.2 or earlier, TLSMinVersion is set to %s in config", tlsMinVersion)
+ }
+ }
+
+ return nil
+}
+
+var tlsVersionsWithConfigurableCipherSuites = map[types.TLSVersion]struct{}{
+ // Remove these two if Envoy ever sets TLS 1.3 as default minimum
+ types.TLSVersionUnspecified: {},
+ types.TLSVersionAuto: {},
+
+ types.TLSv1_0: {},
+ types.TLSv1_1: {},
+ types.TLSv1_2: {},
+}
+
+func makeTLSParametersFromProxyTLSConfig(tlsConf *structs.MeshDirectionalTLSConfig) *envoy_tls_v3.TlsParameters {
+ if tlsConf == nil {
+ return &envoy_tls_v3.TlsParameters{}
+ }
+
+ return makeTLSParametersFromTLSConfig(tlsConf.TLSMinVersion, tlsConf.TLSMaxVersion, tlsConf.CipherSuites)
+}
+
+func makeTLSParametersFromTLSConfig(
+ tlsMinVersion types.TLSVersion,
+ tlsMaxVersion types.TLSVersion,
+ cipherSuites []types.TLSCipherSuite,
+) *envoy_tls_v3.TlsParameters {
+ tlsParams := envoy_tls_v3.TlsParameters{}
+
+ if tlsMinVersion != types.TLSVersionUnspecified {
+ if minVersion, ok := envoyTLSVersions[tlsMinVersion]; ok {
+ tlsParams.TlsMinimumProtocolVersion = minVersion
+ }
+ }
+ if tlsMaxVersion != types.TLSVersionUnspecified {
+ if maxVersion, ok := envoyTLSVersions[tlsMaxVersion]; ok {
+ tlsParams.TlsMaximumProtocolVersion = maxVersion
+ }
+ }
+ if len(cipherSuites) != 0 {
+ tlsParams.CipherSuites = types.MarshalEnvoyTLSCipherSuiteStrings(cipherSuites)
+ }
+
+ return &tlsParams
+}
+
+var envoyTLSVersions = map[types.TLSVersion]envoy_tls_v3.TlsParameters_TlsProtocol{
+ types.TLSVersionAuto: envoy_tls_v3.TlsParameters_TLS_AUTO,
+ types.TLSv1_0: envoy_tls_v3.TlsParameters_TLSv1_0,
+ types.TLSv1_1: envoy_tls_v3.TlsParameters_TLSv1_1,
+ types.TLSv1_2: envoy_tls_v3.TlsParameters_TLSv1_2,
+ types.TLSv1_3: envoy_tls_v3.TlsParameters_TLSv1_3,
+}
diff --git a/agent/xds/listeners_ingress.go b/agent/xds/listeners_ingress.go
index cd2023d2b..5261bdb50 100644
--- a/agent/xds/listeners_ingress.go
+++ b/agent/xds/listeners_ingress.go
@@ -214,23 +214,8 @@ func resolveListenerTLSConfig(gatewayTLSCfg *structs.GatewayTLSConfig, listenerC
}
}
- var TLSVersionsWithConfigurableCipherSuites = map[types.TLSVersion]struct{}{
- // Remove these two if Envoy ever sets TLS 1.3 as default minimum
- types.TLSVersionUnspecified: {},
- types.TLSVersionAuto: {},
-
- types.TLSv1_0: {},
- types.TLSv1_1: {},
- types.TLSv1_2: {},
- }
-
- // Validate. Configuring cipher suites is only applicable to connections negotiated
- // via TLS 1.2 or earlier. Other cases shouldn't be possible as we validate them at
- // input but be resilient to bugs later.
- if len(mergedCfg.CipherSuites) != 0 {
- if _, ok := TLSVersionsWithConfigurableCipherSuites[mergedCfg.TLSMinVersion]; !ok {
- return nil, fmt.Errorf("configuring CipherSuites is only applicable to connections negotiated with TLS 1.2 or earlier, TLSMinVersion is set to %s in listener or gateway config", mergedCfg.TLSMinVersion)
- }
+ if err := validateListenerTLSConfig(mergedCfg.TLSMinVersion, mergedCfg.CipherSuites); err != nil {
+ return nil, err
}
return &mergedCfg, nil
@@ -365,32 +350,8 @@ func makeSDSOverrideFilterChains(cfgSnap *proxycfg.ConfigSnapshot,
return chains, nil
}
-var envoyTLSVersions = map[types.TLSVersion]envoy_tls_v3.TlsParameters_TlsProtocol{
- types.TLSVersionAuto: envoy_tls_v3.TlsParameters_TLS_AUTO,
- types.TLSv1_0: envoy_tls_v3.TlsParameters_TLSv1_0,
- types.TLSv1_1: envoy_tls_v3.TlsParameters_TLSv1_1,
- types.TLSv1_2: envoy_tls_v3.TlsParameters_TLSv1_2,
- types.TLSv1_3: envoy_tls_v3.TlsParameters_TLSv1_3,
-}
-
func makeTLSParametersFromGatewayTLSConfig(tlsCfg structs.GatewayTLSConfig) *envoy_tls_v3.TlsParameters {
- tlsParams := envoy_tls_v3.TlsParameters{}
-
- if tlsCfg.TLSMinVersion != types.TLSVersionUnspecified {
- if minVersion, ok := envoyTLSVersions[tlsCfg.TLSMinVersion]; ok {
- tlsParams.TlsMinimumProtocolVersion = minVersion
- }
- }
- if tlsCfg.TLSMaxVersion != types.TLSVersionUnspecified {
- if maxVersion, ok := envoyTLSVersions[tlsCfg.TLSMaxVersion]; ok {
- tlsParams.TlsMaximumProtocolVersion = maxVersion
- }
- }
- if len(tlsCfg.CipherSuites) != 0 {
- tlsParams.CipherSuites = types.MarshalEnvoyTLSCipherSuiteStrings(tlsCfg.CipherSuites)
- }
-
- return &tlsParams
+ return makeTLSParametersFromTLSConfig(tlsCfg.TLSMinVersion, tlsCfg.TLSMaxVersion, tlsCfg.CipherSuites)
}
func makeCommonTLSContextFromGatewayTLSConfig(tlsCfg structs.GatewayTLSConfig) *envoy_tls_v3.CommonTlsContext {
diff --git a/agent/xds/listeners_test.go b/agent/xds/listeners_test.go
index 71c5a09fe..d80cde7b1 100644
--- a/agent/xds/listeners_test.go
+++ b/agent/xds/listeners_test.go
@@ -43,6 +43,85 @@ func TestListenersFromSnapshot(t *testing.T) {
return proxycfg.TestConfigSnapshot(t, nil, nil)
},
},
+ {
+ name: "connect-proxy-with-tls-outgoing-min-version-auto",
+ create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+ return proxycfg.TestConfigSnapshot(t, nil, []cache.UpdateEvent{
+ {
+ CorrelationID: "mesh",
+ Result: &structs.ConfigEntryResponse{
+ Entry: &structs.MeshConfigEntry{
+ TLS: &structs.MeshTLSConfig{
+ Outgoing: &structs.MeshDirectionalTLSConfig{
+ TLSMinVersion: types.TLSVersionAuto,
+ },
+ },
+ },
+ },
+ },
+ })
+ },
+ },
+ {
+ name: "connect-proxy-with-tls-incoming-min-version",
+ create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+ return proxycfg.TestConfigSnapshot(t, nil, []cache.UpdateEvent{
+ {
+ CorrelationID: "mesh",
+ Result: &structs.ConfigEntryResponse{
+ Entry: &structs.MeshConfigEntry{
+ TLS: &structs.MeshTLSConfig{
+ Incoming: &structs.MeshDirectionalTLSConfig{
+ TLSMinVersion: types.TLSv1_3,
+ },
+ },
+ },
+ },
+ },
+ })
+ },
+ },
+ {
+ name: "connect-proxy-with-tls-incoming-max-version",
+ create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+ return proxycfg.TestConfigSnapshot(t, nil, []cache.UpdateEvent{
+ {
+ CorrelationID: "mesh",
+ Result: &structs.ConfigEntryResponse{
+ Entry: &structs.MeshConfigEntry{
+ TLS: &structs.MeshTLSConfig{
+ Incoming: &structs.MeshDirectionalTLSConfig{
+ TLSMaxVersion: types.TLSv1_2,
+ },
+ },
+ },
+ },
+ },
+ })
+ },
+ },
+ {
+ name: "connect-proxy-with-tls-incoming-cipher-suites",
+ create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+ return proxycfg.TestConfigSnapshot(t, nil, []cache.UpdateEvent{
+ {
+ CorrelationID: "mesh",
+ Result: &structs.ConfigEntryResponse{
+ Entry: &structs.MeshConfigEntry{
+ TLS: &structs.MeshTLSConfig{
+ Incoming: &structs.MeshDirectionalTLSConfig{
+ CipherSuites: []types.TLSCipherSuite{
+ types.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ types.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ },
+ },
+ },
+ },
+ },
+ },
+ })
+ },
+ },
{
name: "listener-bind-address",
create: func(t testinf.T) *proxycfg.ConfigSnapshot {
@@ -477,6 +556,66 @@ func TestListenersFromSnapshot(t *testing.T) {
return proxycfg.TestConfigSnapshotTerminatingGateway(t, true, nil, nil)
},
},
+ {
+ name: "terminating-gateway-with-tls-incoming-min-version",
+ create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+ return proxycfg.TestConfigSnapshotTerminatingGateway(t, true, nil, []cache.UpdateEvent{
+ {
+ CorrelationID: "mesh",
+ Result: &structs.ConfigEntryResponse{
+ Entry: &structs.MeshConfigEntry{
+ TLS: &structs.MeshTLSConfig{
+ Incoming: &structs.MeshDirectionalTLSConfig{
+ TLSMinVersion: types.TLSv1_3,
+ },
+ },
+ },
+ },
+ },
+ })
+ },
+ },
+ {
+ name: "terminating-gateway-with-tls-incoming-max-version",
+ create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+ return proxycfg.TestConfigSnapshotTerminatingGateway(t, true, nil, []cache.UpdateEvent{
+ {
+ CorrelationID: "mesh",
+ Result: &structs.ConfigEntryResponse{
+ Entry: &structs.MeshConfigEntry{
+ TLS: &structs.MeshTLSConfig{
+ Incoming: &structs.MeshDirectionalTLSConfig{
+ TLSMaxVersion: types.TLSv1_2,
+ },
+ },
+ },
+ },
+ },
+ })
+ },
+ },
+ {
+ name: "terminating-gateway-with-tls-incoming-cipher-suites",
+ create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+ return proxycfg.TestConfigSnapshotTerminatingGateway(t, true, nil, []cache.UpdateEvent{
+ {
+ CorrelationID: "mesh",
+ Result: &structs.ConfigEntryResponse{
+ Entry: &structs.MeshConfigEntry{
+ TLS: &structs.MeshTLSConfig{
+ Incoming: &structs.MeshDirectionalTLSConfig{
+ CipherSuites: []types.TLSCipherSuite{
+ types.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ types.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ },
+ },
+ },
+ },
+ },
+ },
+ })
+ },
+ },
{
name: "terminating-gateway-no-services",
create: func(t testinf.T) *proxycfg.ConfigSnapshot {
diff --git a/agent/xds/testdata/clusters/connect-proxy-with-tls-outgoing-cipher-suites.envoy-1-20-x.golden b/agent/xds/testdata/clusters/connect-proxy-with-tls-outgoing-cipher-suites.envoy-1-20-x.golden
new file mode 100644
index 000000000..3efce306b
--- /dev/null
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tls-outgoing-cipher-suites.envoy-1-20-x.golden
@@ -0,0 +1,151 @@
+{
+ "versionInfo": "00000001",
+ "resources": [
+ {
+ "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "name": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+ "altStatName": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+ "type": "EDS",
+ "edsClusterConfig": {
+ "edsConfig": {
+ "ads": {
+
+ },
+ "resourceApiVersion": "V3"
+ }
+ },
+ "connectTimeout": "5s",
+ "circuitBreakers": {
+
+ },
+ "outlierDetection": {
+
+ },
+ "commonLbConfig": {
+ "healthyPanicThreshold": {
+
+ }
+ },
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "cipherSuites": [
+ "ECDHE-ECDSA-AES128-GCM-SHA256",
+ "ECDHE-ECDSA-CHACHA20-POLY1305"
+ ]
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ },
+ "matchSubjectAltNames": [
+ {
+ "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/db"
+ }
+ ]
+ }
+ },
+ "sni": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ },
+ {
+ "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "name": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+ "type": "EDS",
+ "edsClusterConfig": {
+ "edsConfig": {
+ "ads": {
+
+ },
+ "resourceApiVersion": "V3"
+ }
+ },
+ "connectTimeout": "5s",
+ "circuitBreakers": {
+
+ },
+ "outlierDetection": {
+
+ },
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "cipherSuites": [
+ "ECDHE-ECDSA-AES128-GCM-SHA256",
+ "ECDHE-ECDSA-CHACHA20-POLY1305"
+ ]
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ },
+ "matchSubjectAltNames": [
+ {
+ "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+ },
+ {
+ "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
+ }
+ ]
+ }
+ },
+ "sni": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ },
+ {
+ "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "name": "local_app",
+ "type": "STATIC",
+ "connectTimeout": "5s",
+ "loadAssignment": {
+ "clusterName": "local_app",
+ "endpoints": [
+ {
+ "lbEndpoints": [
+ {
+ "endpoint": {
+ "address": {
+ "socketAddress": {
+ "address": "127.0.0.1",
+ "portValue": 8080
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "nonce": "00000001"
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/clusters/connect-proxy-with-tls-outgoing-max-version.envoy-1-20-x.golden b/agent/xds/testdata/clusters/connect-proxy-with-tls-outgoing-max-version.envoy-1-20-x.golden
new file mode 100644
index 000000000..afef227a2
--- /dev/null
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tls-outgoing-max-version.envoy-1-20-x.golden
@@ -0,0 +1,145 @@
+{
+ "versionInfo": "00000001",
+ "resources": [
+ {
+ "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "name": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+ "altStatName": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+ "type": "EDS",
+ "edsClusterConfig": {
+ "edsConfig": {
+ "ads": {
+
+ },
+ "resourceApiVersion": "V3"
+ }
+ },
+ "connectTimeout": "5s",
+ "circuitBreakers": {
+
+ },
+ "outlierDetection": {
+
+ },
+ "commonLbConfig": {
+ "healthyPanicThreshold": {
+
+ }
+ },
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "tlsMaximumProtocolVersion": "TLSv1_2"
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ },
+ "matchSubjectAltNames": [
+ {
+ "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/db"
+ }
+ ]
+ }
+ },
+ "sni": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ },
+ {
+ "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "name": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+ "type": "EDS",
+ "edsClusterConfig": {
+ "edsConfig": {
+ "ads": {
+
+ },
+ "resourceApiVersion": "V3"
+ }
+ },
+ "connectTimeout": "5s",
+ "circuitBreakers": {
+
+ },
+ "outlierDetection": {
+
+ },
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "tlsMaximumProtocolVersion": "TLSv1_2"
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ },
+ "matchSubjectAltNames": [
+ {
+ "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+ },
+ {
+ "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
+ }
+ ]
+ }
+ },
+ "sni": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ },
+ {
+ "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "name": "local_app",
+ "type": "STATIC",
+ "connectTimeout": "5s",
+ "loadAssignment": {
+ "clusterName": "local_app",
+ "endpoints": [
+ {
+ "lbEndpoints": [
+ {
+ "endpoint": {
+ "address": {
+ "socketAddress": {
+ "address": "127.0.0.1",
+ "portValue": 8080
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "nonce": "00000001"
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/clusters/connect-proxy-with-tls-outgoing-min-version-auto.envoy-1-20-x.golden b/agent/xds/testdata/clusters/connect-proxy-with-tls-outgoing-min-version-auto.envoy-1-20-x.golden
new file mode 100644
index 000000000..2e3c9ea20
--- /dev/null
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tls-outgoing-min-version-auto.envoy-1-20-x.golden
@@ -0,0 +1,145 @@
+{
+ "versionInfo": "00000001",
+ "resources": [
+ {
+ "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "name": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+ "altStatName": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+ "type": "EDS",
+ "edsClusterConfig": {
+ "edsConfig": {
+ "ads": {
+
+ },
+ "resourceApiVersion": "V3"
+ }
+ },
+ "connectTimeout": "5s",
+ "circuitBreakers": {
+
+ },
+ "outlierDetection": {
+
+ },
+ "commonLbConfig": {
+ "healthyPanicThreshold": {
+
+ }
+ },
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ },
+ "matchSubjectAltNames": [
+ {
+ "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/db"
+ }
+ ]
+ }
+ },
+ "sni": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ },
+ {
+ "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "name": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+ "type": "EDS",
+ "edsClusterConfig": {
+ "edsConfig": {
+ "ads": {
+
+ },
+ "resourceApiVersion": "V3"
+ }
+ },
+ "connectTimeout": "5s",
+ "circuitBreakers": {
+
+ },
+ "outlierDetection": {
+
+ },
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ },
+ "matchSubjectAltNames": [
+ {
+ "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+ },
+ {
+ "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
+ }
+ ]
+ }
+ },
+ "sni": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ },
+ {
+ "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "name": "local_app",
+ "type": "STATIC",
+ "connectTimeout": "5s",
+ "loadAssignment": {
+ "clusterName": "local_app",
+ "endpoints": [
+ {
+ "lbEndpoints": [
+ {
+ "endpoint": {
+ "address": {
+ "socketAddress": {
+ "address": "127.0.0.1",
+ "portValue": 8080
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "nonce": "00000001"
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/clusters/connect-proxy-with-tls-outgoing-min-version.envoy-1-20-x.golden b/agent/xds/testdata/clusters/connect-proxy-with-tls-outgoing-min-version.envoy-1-20-x.golden
new file mode 100644
index 000000000..9d8c283a4
--- /dev/null
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tls-outgoing-min-version.envoy-1-20-x.golden
@@ -0,0 +1,145 @@
+{
+ "versionInfo": "00000001",
+ "resources": [
+ {
+ "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "name": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+ "altStatName": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+ "type": "EDS",
+ "edsClusterConfig": {
+ "edsConfig": {
+ "ads": {
+
+ },
+ "resourceApiVersion": "V3"
+ }
+ },
+ "connectTimeout": "5s",
+ "circuitBreakers": {
+
+ },
+ "outlierDetection": {
+
+ },
+ "commonLbConfig": {
+ "healthyPanicThreshold": {
+
+ }
+ },
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "tlsMinimumProtocolVersion": "TLSv1_3"
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ },
+ "matchSubjectAltNames": [
+ {
+ "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/db"
+ }
+ ]
+ }
+ },
+ "sni": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ },
+ {
+ "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "name": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul",
+ "type": "EDS",
+ "edsClusterConfig": {
+ "edsConfig": {
+ "ads": {
+
+ },
+ "resourceApiVersion": "V3"
+ }
+ },
+ "connectTimeout": "5s",
+ "circuitBreakers": {
+
+ },
+ "outlierDetection": {
+
+ },
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "tlsMinimumProtocolVersion": "TLSv1_3"
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ },
+ "matchSubjectAltNames": [
+ {
+ "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+ },
+ {
+ "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
+ }
+ ]
+ }
+ },
+ "sni": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ },
+ {
+ "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "name": "local_app",
+ "type": "STATIC",
+ "connectTimeout": "5s",
+ "loadAssignment": {
+ "clusterName": "local_app",
+ "endpoints": [
+ {
+ "lbEndpoints": [
+ {
+ "endpoint": {
+ "address": {
+ "socketAddress": {
+ "address": "127.0.0.1",
+ "portValue": 8080
+ }
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "nonce": "00000001"
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/clusters/ingress-gateway-with-tls-outgoing-cipher-suites.envoy-1-20-x.golden b/agent/xds/testdata/clusters/ingress-gateway-with-tls-outgoing-cipher-suites.envoy-1-20-x.golden
new file mode 100644
index 000000000..6a64ad79b
--- /dev/null
+++ b/agent/xds/testdata/clusters/ingress-gateway-with-tls-outgoing-cipher-suites.envoy-1-20-x.golden
@@ -0,0 +1,68 @@
+{
+ "versionInfo": "00000001",
+ "resources": [
+ {
+ "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "name": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+ "altStatName": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+ "type": "EDS",
+ "edsClusterConfig": {
+ "edsConfig": {
+ "ads": {
+
+ },
+ "resourceApiVersion": "V3"
+ }
+ },
+ "connectTimeout": "5s",
+ "circuitBreakers": {
+
+ },
+ "outlierDetection": {
+
+ },
+ "commonLbConfig": {
+ "healthyPanicThreshold": {
+
+ }
+ },
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "cipherSuites": [
+ "ECDHE-ECDSA-AES128-GCM-SHA256",
+ "ECDHE-ECDSA-CHACHA20-POLY1305"
+ ]
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ },
+ "matchSubjectAltNames": [
+ {
+ "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/db"
+ }
+ ]
+ }
+ },
+ "sni": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ }
+ ],
+ "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "nonce": "00000001"
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/clusters/ingress-gateway-with-tls-outgoing-max-version.envoy-1-20-x.golden b/agent/xds/testdata/clusters/ingress-gateway-with-tls-outgoing-max-version.envoy-1-20-x.golden
new file mode 100644
index 000000000..eb24656eb
--- /dev/null
+++ b/agent/xds/testdata/clusters/ingress-gateway-with-tls-outgoing-max-version.envoy-1-20-x.golden
@@ -0,0 +1,65 @@
+{
+ "versionInfo": "00000001",
+ "resources": [
+ {
+ "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "name": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+ "altStatName": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+ "type": "EDS",
+ "edsClusterConfig": {
+ "edsConfig": {
+ "ads": {
+
+ },
+ "resourceApiVersion": "V3"
+ }
+ },
+ "connectTimeout": "5s",
+ "circuitBreakers": {
+
+ },
+ "outlierDetection": {
+
+ },
+ "commonLbConfig": {
+ "healthyPanicThreshold": {
+
+ }
+ },
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "tlsMaximumProtocolVersion": "TLSv1_2"
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ },
+ "matchSubjectAltNames": [
+ {
+ "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/db"
+ }
+ ]
+ }
+ },
+ "sni": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ }
+ ],
+ "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "nonce": "00000001"
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/clusters/ingress-gateway-with-tls-outgoing-min-version.envoy-1-20-x.golden b/agent/xds/testdata/clusters/ingress-gateway-with-tls-outgoing-min-version.envoy-1-20-x.golden
new file mode 100644
index 000000000..1c29f4d25
--- /dev/null
+++ b/agent/xds/testdata/clusters/ingress-gateway-with-tls-outgoing-min-version.envoy-1-20-x.golden
@@ -0,0 +1,65 @@
+{
+ "versionInfo": "00000001",
+ "resources": [
+ {
+ "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "name": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+ "altStatName": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+ "type": "EDS",
+ "edsClusterConfig": {
+ "edsConfig": {
+ "ads": {
+
+ },
+ "resourceApiVersion": "V3"
+ }
+ },
+ "connectTimeout": "5s",
+ "circuitBreakers": {
+
+ },
+ "outlierDetection": {
+
+ },
+ "commonLbConfig": {
+ "healthyPanicThreshold": {
+
+ }
+ },
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "tlsMinimumProtocolVersion": "TLSv1_3"
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ },
+ "matchSubjectAltNames": [
+ {
+ "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/db"
+ }
+ ]
+ }
+ },
+ "sni": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ }
+ ],
+ "typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
+ "nonce": "00000001"
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/listeners/connect-proxy-with-tls-incoming-cipher-suites.envoy-1-20-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-tls-incoming-cipher-suites.envoy-1-20-x.golden
new file mode 100644
index 000000000..05ed17d4e
--- /dev/null
+++ b/agent/xds/testdata/listeners/connect-proxy-with-tls-incoming-cipher-suites.envoy-1-20-x.golden
@@ -0,0 +1,122 @@
+{
+ "versionInfo": "00000001",
+ "resources": [
+ {
+ "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "name": "db:127.0.0.1:9191",
+ "address": {
+ "socketAddress": {
+ "address": "127.0.0.1",
+ "portValue": 9191
+ }
+ },
+ "filterChains": [
+ {
+ "filters": [
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.db.default.default.dc1",
+ "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ]
+ }
+ ],
+ "trafficDirection": "OUTBOUND"
+ },
+ {
+ "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "name": "prepared_query:geo-cache:127.10.10.10:8181",
+ "address": {
+ "socketAddress": {
+ "address": "127.10.10.10",
+ "portValue": 8181
+ }
+ },
+ "filterChains": [
+ {
+ "filters": [
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.prepared_query_geo-cache",
+ "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ]
+ }
+ ],
+ "trafficDirection": "OUTBOUND"
+ },
+ {
+ "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "name": "public_listener:0.0.0.0:9999",
+ "address": {
+ "socketAddress": {
+ "address": "0.0.0.0",
+ "portValue": 9999
+ }
+ },
+ "filterChains": [
+ {
+ "filters": [
+ {
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "public_listener",
+ "cluster": "local_app"
+ }
+ }
+ ],
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "cipherSuites": [
+ "ECDHE-ECDSA-AES128-GCM-SHA256",
+ "ECDHE-ECDSA-CHACHA20-POLY1305"
+ ]
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ }
+ }
+ },
+ "requireClientCertificate": true
+ }
+ }
+ }
+ ],
+ "trafficDirection": "INBOUND"
+ }
+ ],
+ "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "nonce": "00000001"
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/listeners/connect-proxy-with-tls-incoming-max-version.envoy-1-20-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-tls-incoming-max-version.envoy-1-20-x.golden
new file mode 100644
index 000000000..8f157291c
--- /dev/null
+++ b/agent/xds/testdata/listeners/connect-proxy-with-tls-incoming-max-version.envoy-1-20-x.golden
@@ -0,0 +1,119 @@
+{
+ "versionInfo": "00000001",
+ "resources": [
+ {
+ "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "name": "db:127.0.0.1:9191",
+ "address": {
+ "socketAddress": {
+ "address": "127.0.0.1",
+ "portValue": 9191
+ }
+ },
+ "filterChains": [
+ {
+ "filters": [
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.db.default.default.dc1",
+ "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ]
+ }
+ ],
+ "trafficDirection": "OUTBOUND"
+ },
+ {
+ "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "name": "prepared_query:geo-cache:127.10.10.10:8181",
+ "address": {
+ "socketAddress": {
+ "address": "127.10.10.10",
+ "portValue": 8181
+ }
+ },
+ "filterChains": [
+ {
+ "filters": [
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.prepared_query_geo-cache",
+ "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ]
+ }
+ ],
+ "trafficDirection": "OUTBOUND"
+ },
+ {
+ "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "name": "public_listener:0.0.0.0:9999",
+ "address": {
+ "socketAddress": {
+ "address": "0.0.0.0",
+ "portValue": 9999
+ }
+ },
+ "filterChains": [
+ {
+ "filters": [
+ {
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "public_listener",
+ "cluster": "local_app"
+ }
+ }
+ ],
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "tlsMaximumProtocolVersion": "TLSv1_2"
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ }
+ }
+ },
+ "requireClientCertificate": true
+ }
+ }
+ }
+ ],
+ "trafficDirection": "INBOUND"
+ }
+ ],
+ "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "nonce": "00000001"
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/listeners/connect-proxy-with-tls-incoming-min-version.envoy-1-20-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-tls-incoming-min-version.envoy-1-20-x.golden
new file mode 100644
index 000000000..1081c4431
--- /dev/null
+++ b/agent/xds/testdata/listeners/connect-proxy-with-tls-incoming-min-version.envoy-1-20-x.golden
@@ -0,0 +1,119 @@
+{
+ "versionInfo": "00000001",
+ "resources": [
+ {
+ "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "name": "db:127.0.0.1:9191",
+ "address": {
+ "socketAddress": {
+ "address": "127.0.0.1",
+ "portValue": 9191
+ }
+ },
+ "filterChains": [
+ {
+ "filters": [
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.db.default.default.dc1",
+ "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ]
+ }
+ ],
+ "trafficDirection": "OUTBOUND"
+ },
+ {
+ "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "name": "prepared_query:geo-cache:127.10.10.10:8181",
+ "address": {
+ "socketAddress": {
+ "address": "127.10.10.10",
+ "portValue": 8181
+ }
+ },
+ "filterChains": [
+ {
+ "filters": [
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.prepared_query_geo-cache",
+ "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ]
+ }
+ ],
+ "trafficDirection": "OUTBOUND"
+ },
+ {
+ "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "name": "public_listener:0.0.0.0:9999",
+ "address": {
+ "socketAddress": {
+ "address": "0.0.0.0",
+ "portValue": 9999
+ }
+ },
+ "filterChains": [
+ {
+ "filters": [
+ {
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "public_listener",
+ "cluster": "local_app"
+ }
+ }
+ ],
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "tlsMinimumProtocolVersion": "TLSv1_3"
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ }
+ }
+ },
+ "requireClientCertificate": true
+ }
+ }
+ }
+ ],
+ "trafficDirection": "INBOUND"
+ }
+ ],
+ "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "nonce": "00000001"
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/listeners/connect-proxy-with-tls-outgoing-min-version-auto.envoy-1-20-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-tls-outgoing-min-version-auto.envoy-1-20-x.golden
new file mode 100644
index 000000000..57d50f71c
--- /dev/null
+++ b/agent/xds/testdata/listeners/connect-proxy-with-tls-outgoing-min-version-auto.envoy-1-20-x.golden
@@ -0,0 +1,119 @@
+{
+ "versionInfo": "00000001",
+ "resources": [
+ {
+ "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "name": "db:127.0.0.1:9191",
+ "address": {
+ "socketAddress": {
+ "address": "127.0.0.1",
+ "portValue": 9191
+ }
+ },
+ "filterChains": [
+ {
+ "filters": [
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.db.default.default.dc1",
+ "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ]
+ }
+ ],
+ "trafficDirection": "OUTBOUND"
+ },
+ {
+ "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "name": "prepared_query:geo-cache:127.10.10.10:8181",
+ "address": {
+ "socketAddress": {
+ "address": "127.10.10.10",
+ "portValue": 8181
+ }
+ },
+ "filterChains": [
+ {
+ "filters": [
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.prepared_query_geo-cache",
+ "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ]
+ }
+ ],
+ "trafficDirection": "OUTBOUND"
+ },
+ {
+ "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "name": "public_listener:0.0.0.0:9999",
+ "address": {
+ "socketAddress": {
+ "address": "0.0.0.0",
+ "portValue": 9999
+ }
+ },
+ "filterChains": [
+ {
+ "filters": [
+ {
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "public_listener",
+ "cluster": "local_app"
+ }
+ }
+ ],
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ }
+ }
+ },
+ "requireClientCertificate": true
+ }
+ }
+ }
+ ],
+ "trafficDirection": "INBOUND"
+ }
+ ],
+ "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "nonce": "00000001"
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/listeners/terminating-gateway-with-tls-incoming-cipher-suites.envoy-1-20-x.golden b/agent/xds/testdata/listeners/terminating-gateway-with-tls-incoming-cipher-suites.envoy-1-20-x.golden
new file mode 100644
index 000000000..7b8a7eb8f
--- /dev/null
+++ b/agent/xds/testdata/listeners/terminating-gateway-with-tls-incoming-cipher-suites.envoy-1-20-x.golden
@@ -0,0 +1,268 @@
+{
+ "versionInfo": "00000001",
+ "resources": [
+ {
+ "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "name": "default:1.2.3.4:8443",
+ "address": {
+ "socketAddress": {
+ "address": "1.2.3.4",
+ "portValue": 8443
+ }
+ },
+ "filterChains": [
+ {
+ "filterChainMatch": {
+ "serverNames": [
+ "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ ]
+ },
+ "filters": [
+ {
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.api.default.default.dc1",
+ "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ],
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "cipherSuites": [
+ "ECDHE-ECDSA-AES128-GCM-SHA256",
+ "ECDHE-ECDSA-CHACHA20-POLY1305"
+ ]
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICnTCCAkKgAwIBAgIRAJrvEdaRAkSltrotd/l/j2cwCgYIKoZIzj0EAwIwgbgx\nCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj\nbzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw\nFQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Q29uc3VsIEFnZW50IENB\nIDk2NjM4NzM1MDkzNTU5NTIwNDk3MTQwOTU3MDY1MTc0OTg3NDMxMB4XDTIwMDQx\nNDIyMzE1MloXDTIxMDQxNDIyMzE1MlowHDEaMBgGA1UEAxMRc2VydmVyLmRjMS5j\nb25zdWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ4v0FoIYI0OWmxE2MR6w5l\n0pWGhc02RpsOPj/6RS1fmXMMu7JzPzwCmkGcR16RlwwhNFKCZsWpvAjVRHf/pTp+\no4HHMIHEMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB\nBQUHAwIwDAYDVR0TAQH/BAIwADApBgNVHQ4EIgQgk7kABFitAy3PluyNtmzYiC7H\njSN8W/K/OXNJQAQAscMwKwYDVR0jBCQwIoAgNKbPPepvRHXSAPTc+a/BXBzFX1qJ\ny+Zi7qtjlFX7qtUwLQYDVR0RBCYwJIIRc2VydmVyLmRjMS5jb25zdWyCCWxvY2Fs\naG9zdIcEfwAAATAKBggqhkjOPQQDAgNJADBGAiEAhP4HmN5BWysWTbQWClXaWUah\nLpBGFrvc/2cCQuyEZKsCIQD6JyYCYMArtWwZ4G499zktxrFlqfX14bqyONrxtA5I\nDw==\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIE3KbKXHdsa0vvC1fysQaGdoJRgjRALIolI4XJanie+coAoGCCqGSM49\nAwEHoUQDQgAEOL9BaCGCNDlpsRNjEesOZdKVhoXNNkabDj4/+kUtX5lzDLuycz88\nAppBnEdekZcMITRSgmbFqbwI1UR3/6U6fg==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ }
+ }
+ },
+ "requireClientCertificate": true
+ }
+ }
+ },
+ {
+ "filterChainMatch": {
+ "serverNames": [
+ "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ ]
+ },
+ "filters": [
+ {
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.cache.default.default.dc1",
+ "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ],
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "cipherSuites": [
+ "ECDHE-ECDSA-AES128-GCM-SHA256",
+ "ECDHE-ECDSA-CHACHA20-POLY1305"
+ ]
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICmjCCAkGgAwIBAgIQe1ZmC0rzRwer6jaH1YIUIjAKBggqhkjOPQQDAjCBuDEL\nMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv\nMRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV\nBgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg\nODE5ODAwNjg0MDM0MTM3ODkyNDYxNTA1MDk0NDU3OTU1MTQxNjEwHhcNMjAwNjE5\nMTU1MjAzWhcNMjEwNjE5MTU1MjAzWjAcMRowGAYDVQQDExFzZXJ2ZXIuZGMxLmNv\nbnN1bDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH2aWaaa3fpQLBayheHiKlrH\n+z53m0frfGknKjOhOPVYDVHV8x0OE01negswVQbKHAtxPf1M8Zy+WbI9rK7Ua1mj\ngccwgcQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF\nBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCDf9CPBSUwwZvpeW73oJLTmgQE2\ntW1NKpL5t1uq9WFcqDArBgNVHSMEJDAigCCPPd/NxgZB0tq2M8pdVpPj3Cr79iTv\ni4/T1ysodfMb7zAtBgNVHREEJjAkghFzZXJ2ZXIuZGMxLmNvbnN1bIIJbG9jYWxo\nb3N0hwR/AAABMAoGCCqGSM49BAMCA0cAMEQCIFCjFZAoXq0s2ied2eIBv0i1KoW5\nIhCylnKFt6iHkyDeAiBBCByTcjHRgEQmqyPojQKoO584EFiczTub9aWdnf9tEw==\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEINsen3S8xzxMrKcRZIvxXzhKDn43Tw9ttqWEFU9TqS5hoAoGCCqGSM49\nAwEHoUQDQgAEfZpZpprd+lAsFrKF4eIqWsf7PnebR+t8aScqM6E49VgNUdXzHQ4T\nTWd6CzBVBsocC3E9/UzxnL5Zsj2srtRrWQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ }
+ }
+ },
+ "requireClientCertificate": true
+ }
+ }
+ },
+ {
+ "filterChainMatch": {
+ "serverNames": [
+ "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ ]
+ },
+ "filters": [
+ {
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.db.default.default.dc1",
+ "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ],
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "cipherSuites": [
+ "ECDHE-ECDSA-AES128-GCM-SHA256",
+ "ECDHE-ECDSA-CHACHA20-POLY1305"
+ ]
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICnTCCAkOgAwIBAgIRAKF+qDJbaOULNL1TIatrsBowCgYIKoZIzj0EAwIwgbkx\nCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj\nbzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw\nFQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB\nIDE4Nzg3MDAwNjUzMDcxOTYzNTk1ODkwNTE1ODY1NjEzMDA2MTU0NDAeFw0yMDA2\nMTkxNTMxMzRaFw0yMTA2MTkxNTMxMzRaMBwxGjAYBgNVBAMTEXNlcnZlci5kYzEu\nY29uc3VsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdQ8Igci5f7ZvvCVsxXt9\ntLfvczD+60XHg0OC0+Aka7ZjQfbEjQwZbz/82EwPoS7Dqo3LTK4IuelOimoNNxuk\nkaOBxzCBxDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG\nAQUFBwMCMAwGA1UdEwEB/wQCMAAwKQYDVR0OBCIEILzTLkfJcdWQnTMKUcai/YJq\n0RqH1pjCqtY7SOU4gGOTMCsGA1UdIwQkMCKAIMa2vNcTEC5AGfHIYARJ/4sodX0o\nLzCj3lpw7BcEzPTcMC0GA1UdEQQmMCSCEXNlcnZlci5kYzEuY29uc3Vsgglsb2Nh\nbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIgBZ/Z4GSLEc98WvT/qjTVCNTG\n1WNaAaesVbkRx+J0yl8CIQDAVoqY9ByA5vKHjnQrxWlc/JUtJz8wudg7e/OCRriP\nSg==\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIN1v14FaNxgY4MgjDOOWthen8dgwB0lNMs9/j2TfrnxzoAoGCCqGSM49\nAwEHoUQDQgAEdQ8Igci5f7ZvvCVsxXt9tLfvczD+60XHg0OC0+Aka7ZjQfbEjQwZ\nbz/82EwPoS7Dqo3LTK4IuelOimoNNxukkQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ }
+ }
+ },
+ "requireClientCertificate": true
+ }
+ }
+ },
+ {
+ "filterChainMatch": {
+ "serverNames": [
+ "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ ]
+ },
+ "filters": [
+ {
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.web.default.default.dc1",
+ "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ],
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "cipherSuites": [
+ "ECDHE-ECDSA-AES128-GCM-SHA256",
+ "ECDHE-ECDSA-CHACHA20-POLY1305"
+ ]
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ }
+ }
+ },
+ "requireClientCertificate": true
+ }
+ }
+ },
+ {
+ "filters": [
+ {
+ "name": "envoy.filters.network.sni_cluster"
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "terminating_gateway.default",
+ "cluster": ""
+ }
+ }
+ ]
+ }
+ ],
+ "listenerFilters": [
+ {
+ "name": "envoy.filters.listener.tls_inspector"
+ }
+ ],
+ "trafficDirection": "INBOUND"
+ }
+ ],
+ "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "nonce": "00000001"
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/listeners/terminating-gateway-with-tls-incoming-max-version.envoy-1-20-x.golden b/agent/xds/testdata/listeners/terminating-gateway-with-tls-incoming-max-version.envoy-1-20-x.golden
new file mode 100644
index 000000000..433a49902
--- /dev/null
+++ b/agent/xds/testdata/listeners/terminating-gateway-with-tls-incoming-max-version.envoy-1-20-x.golden
@@ -0,0 +1,256 @@
+{
+ "versionInfo": "00000001",
+ "resources": [
+ {
+ "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "name": "default:1.2.3.4:8443",
+ "address": {
+ "socketAddress": {
+ "address": "1.2.3.4",
+ "portValue": 8443
+ }
+ },
+ "filterChains": [
+ {
+ "filterChainMatch": {
+ "serverNames": [
+ "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ ]
+ },
+ "filters": [
+ {
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.api.default.default.dc1",
+ "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ],
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "tlsMaximumProtocolVersion": "TLSv1_2"
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICnTCCAkKgAwIBAgIRAJrvEdaRAkSltrotd/l/j2cwCgYIKoZIzj0EAwIwgbgx\nCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj\nbzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw\nFQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Q29uc3VsIEFnZW50IENB\nIDk2NjM4NzM1MDkzNTU5NTIwNDk3MTQwOTU3MDY1MTc0OTg3NDMxMB4XDTIwMDQx\nNDIyMzE1MloXDTIxMDQxNDIyMzE1MlowHDEaMBgGA1UEAxMRc2VydmVyLmRjMS5j\nb25zdWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ4v0FoIYI0OWmxE2MR6w5l\n0pWGhc02RpsOPj/6RS1fmXMMu7JzPzwCmkGcR16RlwwhNFKCZsWpvAjVRHf/pTp+\no4HHMIHEMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB\nBQUHAwIwDAYDVR0TAQH/BAIwADApBgNVHQ4EIgQgk7kABFitAy3PluyNtmzYiC7H\njSN8W/K/OXNJQAQAscMwKwYDVR0jBCQwIoAgNKbPPepvRHXSAPTc+a/BXBzFX1qJ\ny+Zi7qtjlFX7qtUwLQYDVR0RBCYwJIIRc2VydmVyLmRjMS5jb25zdWyCCWxvY2Fs\naG9zdIcEfwAAATAKBggqhkjOPQQDAgNJADBGAiEAhP4HmN5BWysWTbQWClXaWUah\nLpBGFrvc/2cCQuyEZKsCIQD6JyYCYMArtWwZ4G499zktxrFlqfX14bqyONrxtA5I\nDw==\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIE3KbKXHdsa0vvC1fysQaGdoJRgjRALIolI4XJanie+coAoGCCqGSM49\nAwEHoUQDQgAEOL9BaCGCNDlpsRNjEesOZdKVhoXNNkabDj4/+kUtX5lzDLuycz88\nAppBnEdekZcMITRSgmbFqbwI1UR3/6U6fg==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ }
+ }
+ },
+ "requireClientCertificate": true
+ }
+ }
+ },
+ {
+ "filterChainMatch": {
+ "serverNames": [
+ "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ ]
+ },
+ "filters": [
+ {
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.cache.default.default.dc1",
+ "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ],
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "tlsMaximumProtocolVersion": "TLSv1_2"
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICmjCCAkGgAwIBAgIQe1ZmC0rzRwer6jaH1YIUIjAKBggqhkjOPQQDAjCBuDEL\nMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv\nMRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV\nBgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg\nODE5ODAwNjg0MDM0MTM3ODkyNDYxNTA1MDk0NDU3OTU1MTQxNjEwHhcNMjAwNjE5\nMTU1MjAzWhcNMjEwNjE5MTU1MjAzWjAcMRowGAYDVQQDExFzZXJ2ZXIuZGMxLmNv\nbnN1bDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH2aWaaa3fpQLBayheHiKlrH\n+z53m0frfGknKjOhOPVYDVHV8x0OE01negswVQbKHAtxPf1M8Zy+WbI9rK7Ua1mj\ngccwgcQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF\nBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCDf9CPBSUwwZvpeW73oJLTmgQE2\ntW1NKpL5t1uq9WFcqDArBgNVHSMEJDAigCCPPd/NxgZB0tq2M8pdVpPj3Cr79iTv\ni4/T1ysodfMb7zAtBgNVHREEJjAkghFzZXJ2ZXIuZGMxLmNvbnN1bIIJbG9jYWxo\nb3N0hwR/AAABMAoGCCqGSM49BAMCA0cAMEQCIFCjFZAoXq0s2ied2eIBv0i1KoW5\nIhCylnKFt6iHkyDeAiBBCByTcjHRgEQmqyPojQKoO584EFiczTub9aWdnf9tEw==\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEINsen3S8xzxMrKcRZIvxXzhKDn43Tw9ttqWEFU9TqS5hoAoGCCqGSM49\nAwEHoUQDQgAEfZpZpprd+lAsFrKF4eIqWsf7PnebR+t8aScqM6E49VgNUdXzHQ4T\nTWd6CzBVBsocC3E9/UzxnL5Zsj2srtRrWQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ }
+ }
+ },
+ "requireClientCertificate": true
+ }
+ }
+ },
+ {
+ "filterChainMatch": {
+ "serverNames": [
+ "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ ]
+ },
+ "filters": [
+ {
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.db.default.default.dc1",
+ "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ],
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "tlsMaximumProtocolVersion": "TLSv1_2"
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICnTCCAkOgAwIBAgIRAKF+qDJbaOULNL1TIatrsBowCgYIKoZIzj0EAwIwgbkx\nCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj\nbzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw\nFQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB\nIDE4Nzg3MDAwNjUzMDcxOTYzNTk1ODkwNTE1ODY1NjEzMDA2MTU0NDAeFw0yMDA2\nMTkxNTMxMzRaFw0yMTA2MTkxNTMxMzRaMBwxGjAYBgNVBAMTEXNlcnZlci5kYzEu\nY29uc3VsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdQ8Igci5f7ZvvCVsxXt9\ntLfvczD+60XHg0OC0+Aka7ZjQfbEjQwZbz/82EwPoS7Dqo3LTK4IuelOimoNNxuk\nkaOBxzCBxDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG\nAQUFBwMCMAwGA1UdEwEB/wQCMAAwKQYDVR0OBCIEILzTLkfJcdWQnTMKUcai/YJq\n0RqH1pjCqtY7SOU4gGOTMCsGA1UdIwQkMCKAIMa2vNcTEC5AGfHIYARJ/4sodX0o\nLzCj3lpw7BcEzPTcMC0GA1UdEQQmMCSCEXNlcnZlci5kYzEuY29uc3Vsgglsb2Nh\nbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIgBZ/Z4GSLEc98WvT/qjTVCNTG\n1WNaAaesVbkRx+J0yl8CIQDAVoqY9ByA5vKHjnQrxWlc/JUtJz8wudg7e/OCRriP\nSg==\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIN1v14FaNxgY4MgjDOOWthen8dgwB0lNMs9/j2TfrnxzoAoGCCqGSM49\nAwEHoUQDQgAEdQ8Igci5f7ZvvCVsxXt9tLfvczD+60XHg0OC0+Aka7ZjQfbEjQwZ\nbz/82EwPoS7Dqo3LTK4IuelOimoNNxukkQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ }
+ }
+ },
+ "requireClientCertificate": true
+ }
+ }
+ },
+ {
+ "filterChainMatch": {
+ "serverNames": [
+ "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ ]
+ },
+ "filters": [
+ {
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.web.default.default.dc1",
+ "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ],
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "tlsMaximumProtocolVersion": "TLSv1_2"
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ }
+ }
+ },
+ "requireClientCertificate": true
+ }
+ }
+ },
+ {
+ "filters": [
+ {
+ "name": "envoy.filters.network.sni_cluster"
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "terminating_gateway.default",
+ "cluster": ""
+ }
+ }
+ ]
+ }
+ ],
+ "listenerFilters": [
+ {
+ "name": "envoy.filters.listener.tls_inspector"
+ }
+ ],
+ "trafficDirection": "INBOUND"
+ }
+ ],
+ "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "nonce": "00000001"
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/listeners/terminating-gateway-with-tls-incoming-min-version.envoy-1-20-x.golden b/agent/xds/testdata/listeners/terminating-gateway-with-tls-incoming-min-version.envoy-1-20-x.golden
new file mode 100644
index 000000000..74a08b900
--- /dev/null
+++ b/agent/xds/testdata/listeners/terminating-gateway-with-tls-incoming-min-version.envoy-1-20-x.golden
@@ -0,0 +1,256 @@
+{
+ "versionInfo": "00000001",
+ "resources": [
+ {
+ "@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "name": "default:1.2.3.4:8443",
+ "address": {
+ "socketAddress": {
+ "address": "1.2.3.4",
+ "portValue": 8443
+ }
+ },
+ "filterChains": [
+ {
+ "filterChainMatch": {
+ "serverNames": [
+ "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ ]
+ },
+ "filters": [
+ {
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.api.default.default.dc1",
+ "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ],
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "tlsMinimumProtocolVersion": "TLSv1_3"
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICnTCCAkKgAwIBAgIRAJrvEdaRAkSltrotd/l/j2cwCgYIKoZIzj0EAwIwgbgx\nCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj\nbzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw\nFQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Q29uc3VsIEFnZW50IENB\nIDk2NjM4NzM1MDkzNTU5NTIwNDk3MTQwOTU3MDY1MTc0OTg3NDMxMB4XDTIwMDQx\nNDIyMzE1MloXDTIxMDQxNDIyMzE1MlowHDEaMBgGA1UEAxMRc2VydmVyLmRjMS5j\nb25zdWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ4v0FoIYI0OWmxE2MR6w5l\n0pWGhc02RpsOPj/6RS1fmXMMu7JzPzwCmkGcR16RlwwhNFKCZsWpvAjVRHf/pTp+\no4HHMIHEMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB\nBQUHAwIwDAYDVR0TAQH/BAIwADApBgNVHQ4EIgQgk7kABFitAy3PluyNtmzYiC7H\njSN8W/K/OXNJQAQAscMwKwYDVR0jBCQwIoAgNKbPPepvRHXSAPTc+a/BXBzFX1qJ\ny+Zi7qtjlFX7qtUwLQYDVR0RBCYwJIIRc2VydmVyLmRjMS5jb25zdWyCCWxvY2Fs\naG9zdIcEfwAAATAKBggqhkjOPQQDAgNJADBGAiEAhP4HmN5BWysWTbQWClXaWUah\nLpBGFrvc/2cCQuyEZKsCIQD6JyYCYMArtWwZ4G499zktxrFlqfX14bqyONrxtA5I\nDw==\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIE3KbKXHdsa0vvC1fysQaGdoJRgjRALIolI4XJanie+coAoGCCqGSM49\nAwEHoUQDQgAEOL9BaCGCNDlpsRNjEesOZdKVhoXNNkabDj4/+kUtX5lzDLuycz88\nAppBnEdekZcMITRSgmbFqbwI1UR3/6U6fg==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ }
+ }
+ },
+ "requireClientCertificate": true
+ }
+ }
+ },
+ {
+ "filterChainMatch": {
+ "serverNames": [
+ "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ ]
+ },
+ "filters": [
+ {
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.cache.default.default.dc1",
+ "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ],
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "tlsMinimumProtocolVersion": "TLSv1_3"
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICmjCCAkGgAwIBAgIQe1ZmC0rzRwer6jaH1YIUIjAKBggqhkjOPQQDAjCBuDEL\nMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv\nMRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV\nBgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg\nODE5ODAwNjg0MDM0MTM3ODkyNDYxNTA1MDk0NDU3OTU1MTQxNjEwHhcNMjAwNjE5\nMTU1MjAzWhcNMjEwNjE5MTU1MjAzWjAcMRowGAYDVQQDExFzZXJ2ZXIuZGMxLmNv\nbnN1bDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH2aWaaa3fpQLBayheHiKlrH\n+z53m0frfGknKjOhOPVYDVHV8x0OE01negswVQbKHAtxPf1M8Zy+WbI9rK7Ua1mj\ngccwgcQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF\nBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCDf9CPBSUwwZvpeW73oJLTmgQE2\ntW1NKpL5t1uq9WFcqDArBgNVHSMEJDAigCCPPd/NxgZB0tq2M8pdVpPj3Cr79iTv\ni4/T1ysodfMb7zAtBgNVHREEJjAkghFzZXJ2ZXIuZGMxLmNvbnN1bIIJbG9jYWxo\nb3N0hwR/AAABMAoGCCqGSM49BAMCA0cAMEQCIFCjFZAoXq0s2ied2eIBv0i1KoW5\nIhCylnKFt6iHkyDeAiBBCByTcjHRgEQmqyPojQKoO584EFiczTub9aWdnf9tEw==\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEINsen3S8xzxMrKcRZIvxXzhKDn43Tw9ttqWEFU9TqS5hoAoGCCqGSM49\nAwEHoUQDQgAEfZpZpprd+lAsFrKF4eIqWsf7PnebR+t8aScqM6E49VgNUdXzHQ4T\nTWd6CzBVBsocC3E9/UzxnL5Zsj2srtRrWQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ }
+ }
+ },
+ "requireClientCertificate": true
+ }
+ }
+ },
+ {
+ "filterChainMatch": {
+ "serverNames": [
+ "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ ]
+ },
+ "filters": [
+ {
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.db.default.default.dc1",
+ "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ],
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "tlsMinimumProtocolVersion": "TLSv1_3"
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICnTCCAkOgAwIBAgIRAKF+qDJbaOULNL1TIatrsBowCgYIKoZIzj0EAwIwgbkx\nCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj\nbzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw\nFQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB\nIDE4Nzg3MDAwNjUzMDcxOTYzNTk1ODkwNTE1ODY1NjEzMDA2MTU0NDAeFw0yMDA2\nMTkxNTMxMzRaFw0yMTA2MTkxNTMxMzRaMBwxGjAYBgNVBAMTEXNlcnZlci5kYzEu\nY29uc3VsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdQ8Igci5f7ZvvCVsxXt9\ntLfvczD+60XHg0OC0+Aka7ZjQfbEjQwZbz/82EwPoS7Dqo3LTK4IuelOimoNNxuk\nkaOBxzCBxDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG\nAQUFBwMCMAwGA1UdEwEB/wQCMAAwKQYDVR0OBCIEILzTLkfJcdWQnTMKUcai/YJq\n0RqH1pjCqtY7SOU4gGOTMCsGA1UdIwQkMCKAIMa2vNcTEC5AGfHIYARJ/4sodX0o\nLzCj3lpw7BcEzPTcMC0GA1UdEQQmMCSCEXNlcnZlci5kYzEuY29uc3Vsgglsb2Nh\nbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIgBZ/Z4GSLEc98WvT/qjTVCNTG\n1WNaAaesVbkRx+J0yl8CIQDAVoqY9ByA5vKHjnQrxWlc/JUtJz8wudg7e/OCRriP\nSg==\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIN1v14FaNxgY4MgjDOOWthen8dgwB0lNMs9/j2TfrnxzoAoGCCqGSM49\nAwEHoUQDQgAEdQ8Igci5f7ZvvCVsxXt9tLfvczD+60XHg0OC0+Aka7ZjQfbEjQwZ\nbz/82EwPoS7Dqo3LTK4IuelOimoNNxukkQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ }
+ }
+ },
+ "requireClientCertificate": true
+ }
+ }
+ },
+ {
+ "filterChainMatch": {
+ "serverNames": [
+ "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ ]
+ },
+ "filters": [
+ {
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "upstream.web.default.default.dc1",
+ "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul"
+ }
+ }
+ ],
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
+ "commonTlsContext": {
+ "tlsParams": {
+ "tlsMinimumProtocolVersion": "TLSv1_3"
+ },
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n"
+ },
+ "privateKey": {
+ "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n"
+ }
+ }
+ ],
+ "validationContext": {
+ "trustedCa": {
+ "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"
+ }
+ }
+ },
+ "requireClientCertificate": true
+ }
+ }
+ },
+ {
+ "filters": [
+ {
+ "name": "envoy.filters.network.sni_cluster"
+ },
+ {
+ "name": "envoy.filters.network.tcp_proxy",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
+ "statPrefix": "terminating_gateway.default",
+ "cluster": ""
+ }
+ }
+ ]
+ }
+ ],
+ "listenerFilters": [
+ {
+ "name": "envoy.filters.listener.tls_inspector"
+ }
+ ],
+ "trafficDirection": "INBOUND"
+ }
+ ],
+ "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener",
+ "nonce": "00000001"
+}
\ No newline at end of file
diff --git a/api/config_entry.go b/api/config_entry.go
index 91c407bb5..ace5894cb 100644
--- a/api/config_entry.go
+++ b/api/config_entry.go
@@ -244,9 +244,10 @@ type ProxyConfigEntry struct {
Config map[string]interface{} `json:",omitempty"`
MeshGateway MeshGatewayConfig `json:",omitempty" alias:"mesh_gateway"`
Expose ExposeConfig `json:",omitempty"`
- Meta map[string]string `json:",omitempty"`
- CreateIndex uint64
- ModifyIndex uint64
+
+ Meta map[string]string `json:",omitempty"`
+ CreateIndex uint64
+ ModifyIndex uint64
}
func (p *ProxyConfigEntry) GetKind() string { return p.Kind }
diff --git a/api/config_entry_mesh.go b/api/config_entry_mesh.go
index f58fabc17..30fab166c 100644
--- a/api/config_entry_mesh.go
+++ b/api/config_entry_mesh.go
@@ -17,6 +17,8 @@ type MeshConfigEntry struct {
// in transparent mode.
TransparentProxy TransparentProxyMeshConfig `alias:"transparent_proxy"`
+ TLS *MeshTLSConfig `json:",omitempty"`
+
Meta map[string]string `json:",omitempty"`
// CreateIndex is the Raft index this entry was created at. This is a
@@ -33,6 +35,17 @@ type TransparentProxyMeshConfig struct {
MeshDestinationsOnly bool `alias:"mesh_destinations_only"`
}
+type MeshTLSConfig struct {
+ Incoming *MeshDirectionalTLSConfig `json:",omitempty"`
+ Outgoing *MeshDirectionalTLSConfig `json:",omitempty"`
+}
+
+type MeshDirectionalTLSConfig struct {
+ TLSMinVersion string `json:",omitempty" alias:"tls_min_version"`
+ TLSMaxVersion string `json:",omitempty" alias:"tls_max_version"`
+ CipherSuites []string `json:",omitempty" alias:"cipher_suites"`
+}
+
func (e *MeshConfigEntry) GetKind() string { return MeshConfig }
func (e *MeshConfigEntry) GetName() string { return MeshConfigMesh }
func (e *MeshConfigEntry) GetPartition() string { return e.Partition }
diff --git a/api/config_entry_test.go b/api/config_entry_test.go
index f072bea91..0f38f62cd 100644
--- a/api/config_entry_test.go
+++ b/api/config_entry_test.go
@@ -1260,6 +1260,24 @@ func TestDecodeConfigEntry(t *testing.T) {
},
"TransparentProxy": {
"MeshDestinationsOnly": true
+ },
+ "TLS": {
+ "Incoming": {
+ "TLSMinVersion": "TLSv1_1",
+ "TLSMaxVersion": "TLSv1_2",
+ "CipherSuites": [
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ ]
+ },
+ "Outgoing": {
+ "TLSMinVersion": "TLSv1_1",
+ "TLSMaxVersion": "TLSv1_2",
+ "CipherSuites": [
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ ]
+ }
}
}
`,
@@ -1271,6 +1289,24 @@ func TestDecodeConfigEntry(t *testing.T) {
TransparentProxy: TransparentProxyMeshConfig{
MeshDestinationsOnly: true,
},
+ TLS: &MeshTLSConfig{
+ Incoming: &MeshDirectionalTLSConfig{
+ TLSMinVersion: "TLSv1_1",
+ TLSMaxVersion: "TLSv1_2",
+ CipherSuites: []string{
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ },
+ },
+ Outgoing: &MeshDirectionalTLSConfig{
+ TLSMinVersion: "TLSv1_1",
+ TLSMaxVersion: "TLSv1_2",
+ CipherSuites: []string{
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ },
+ },
+ },
},
},
} {
diff --git a/command/config/write/config_write_test.go b/command/config/write/config_write_test.go
index 3128233fe..a55253d48 100644
--- a/command/config/write/config_write_test.go
+++ b/command/config/write/config_write_test.go
@@ -2737,6 +2737,24 @@ func TestParseConfigEntry(t *testing.T) {
transparent_proxy {
mesh_destinations_only = true
}
+ tls {
+ incoming {
+ tls_min_version = "TLSv1_1"
+ tls_max_version = "TLSv1_2"
+ cipher_suites = [
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ ]
+ }
+ outgoing {
+ tls_min_version = "TLSv1_1"
+ tls_max_version = "TLSv1_2"
+ cipher_suites = [
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ ]
+ }
+ }
`,
camel: `
Kind = "mesh"
@@ -2747,6 +2765,24 @@ func TestParseConfigEntry(t *testing.T) {
TransparentProxy {
MeshDestinationsOnly = true
}
+ TLS {
+ Incoming {
+ TLSMinVersion = "TLSv1_1"
+ TLSMaxVersion = "TLSv1_2"
+ CipherSuites = [
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ ]
+ }
+ Outgoing {
+ TLSMinVersion = "TLSv1_1"
+ TLSMaxVersion = "TLSv1_2"
+ CipherSuites = [
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ ]
+ }
+ }
`,
snakeJSON: `
{
@@ -2757,6 +2793,24 @@ func TestParseConfigEntry(t *testing.T) {
},
"transparent_proxy": {
"mesh_destinations_only": true
+ },
+ "tls": {
+ "incoming": {
+ "tls_min_version": "TLSv1_1",
+ "tls_max_version": "TLSv1_2",
+ "cipher_suites": [
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ ]
+ },
+ "outgoing": {
+ "tls_min_version": "TLSv1_1",
+ "tls_max_version": "TLSv1_2",
+ "cipher_suites": [
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ ]
+ }
}
}
`,
@@ -2769,6 +2823,24 @@ func TestParseConfigEntry(t *testing.T) {
},
"TransparentProxy": {
"MeshDestinationsOnly": true
+ },
+ "TLS": {
+ "Incoming": {
+ "TLSMinVersion": "TLSv1_1",
+ "TLSMaxVersion": "TLSv1_2",
+ "CipherSuites": [
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ ]
+ },
+ "Outgoing": {
+ "TLSMinVersion": "TLSv1_1",
+ "TLSMaxVersion": "TLSv1_2",
+ "CipherSuites": [
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ ]
+ }
}
}
`,
@@ -2780,6 +2852,24 @@ func TestParseConfigEntry(t *testing.T) {
TransparentProxy: api.TransparentProxyMeshConfig{
MeshDestinationsOnly: true,
},
+ TLS: &api.MeshTLSConfig{
+ Incoming: &api.MeshDirectionalTLSConfig{
+ TLSMinVersion: "TLSv1_1",
+ TLSMaxVersion: "TLSv1_2",
+ CipherSuites: []string{
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ },
+ },
+ Outgoing: &api.MeshDirectionalTLSConfig{
+ TLSMinVersion: "TLSv1_1",
+ TLSMaxVersion: "TLSv1_2",
+ CipherSuites: []string{
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ },
+ },
+ },
},
},
{
diff --git a/website/content/docs/connect/config-entries/mesh.mdx b/website/content/docs/connect/config-entries/mesh.mdx
index 7a633e056..a72a54aa0 100644
--- a/website/content/docs/connect/config-entries/mesh.mdx
+++ b/website/content/docs/connect/config-entries/mesh.mdx
@@ -17,6 +17,99 @@ Settings in this config entry apply across all namespaces and federated datacent
## Sample Configuration Entries
+### Mesh-wide TLS Min Version
+
+Enforce that service mesh mTLS traffic uses TLS v1.2 or newer.
+
+
+
+
+
+
+```hcl
+Kind = "mesh"
+TLS {
+ Incoming {
+ TLSMinVersion = "TLSv1_2"
+ }
+}
+```
+
+```yaml
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: Mesh
+metadata:
+ name: mesh
+spec:
+ tls:
+ incoming:
+ tlsMinVersion: TLSv1_2
+```
+
+```json
+{
+ "Kind": "mesh",
+ "TLS": {
+ "Incoming": {
+ "TLSMinVersion": "TLSv1_2"
+ }
+ }
+}
+```
+
+
+
+
+
+
+The `mesh` configuration entry can only be created in the `default` namespace and will apply to proxies across **all** namespaces.
+
+
+
+```hcl
+Kind = "mesh"
+Namespace = "default" # Can only be set to "default".
+Partition = "default"
+
+TLS {
+ Incoming {
+ TLSMinVersion = "TLSv1_2"
+ }
+}
+```
+
+```yaml
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: Mesh
+metadata:
+ name: mesh
+ namespace: default
+spec:
+ tls:
+ incoming:
+ tlsMinVersion: TLSv1_2
+```
+
+```json
+{
+ "Kind": "mesh",
+ "Namespace": "default",
+ "Partition": "default",
+ "TLS": {
+ "Incoming": {
+ "TLSMinVersion": "TLSv1_2"
+ }
+ }
+}
+```
+
+
+
+
+
+
+Note that the Kubernetes example does not include a `partition` field. Configuration entries are applied on Kubernetes using [custom resource definitions (CRD)](/docs/k8s/crds), which can only be scoped to their own partition.
+
### Mesh Destinations Only
Only allow transparent proxies to dial addresses in the mesh.
@@ -171,6 +264,101 @@ Note that the Kubernetes example does not include a `partition` field. Configura
},
],
},
+ {
+ name: 'TLS',
+ type: 'TLSConfig: ',
+ description: 'TLS configuration for the service mesh.',
+ children: [
+ {
+ name: 'Incoming',
+ yaml: false,
+ type: 'TLSDirectionConfig: ',
+ description: `TLS configuration for inbound mTLS connections targeting
+ the public listener on \`connect-proxy\` and \`terminating-gateway\`
+ proxy kinds.`,
+ children: [
+ {
+ name: 'TLSMinVersion',
+ yaml: false,
+ type: 'string: ""',
+ description:
+ "Set the default minimum TLS version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer [will default to TLS 1.2 as a min version](https://github.com/envoyproxy/envoy/pull/19330), while older releases of Envoy default to TLS 1.0.",
+ },
+ {
+ name: 'TLSMaxVersion',
+ yaml: false,
+ type: 'string: ""',
+ description: {
+ hcl:
+ "Set the default maximum TLS version supported. Must be greater than or equal to `TLSMinVersion`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections.",
+ yaml:
+ "Set the default maximum TLS version supported. Must be greater than or equal to `tls_min_version`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections.",
+ },
+ },
+ {
+ name: 'CipherSuites',
+ yaml: false,
+ type: 'array: ',
+ description: `Set the default list of TLS cipher suites
+ to support when negotiating connections using
+ TLS 1.2 or earlier. If unspecified, Envoy will use a
+ [default server cipher list](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tlsparameters-cipher-suites).
+ The list of supported cipher suites can seen in
+ [\`consul/types/tls.go\`](https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169)
+ and is dependent on underlying support in Envoy. Future
+ releases of Envoy may remove currently-supported but
+ insecure cipher suites, and future releases of Consul
+ may add new supported cipher suites if any are added to
+ Envoy.`,
+ },
+ ],
+ },
+ {
+ name: 'Outgoing',
+ yaml: false,
+ type: 'TLSDirectionConfig: ',
+ description: `TLS configuration for outbound mTLS connections dialing upstreams
+ from \`connect-proxy\` and \`ingress-gateway\`
+ proxy kinds.`,
+ children: [
+ {
+ name: 'TLSMinVersion',
+ yaml: false,
+ type: 'string: ""',
+ description:
+ "Set the default minimum TLS version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer [will default to TLS 1.2 as a min version](https://github.com/envoyproxy/envoy/pull/19330), while older releases of Envoy default to TLS 1.0.",
+ },
+ {
+ name: 'TLSMaxVersion',
+ yaml: false,
+ type: 'string: ""',
+ description: {
+ hcl:
+ "Set the default maximum TLS version supported. Must be greater than or equal to `TLSMinVersion`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy will default to TLS 1.2 as a max version for outgoing connections, but future Envoy releases [may change this to TLS 1.3](https://github.com/envoyproxy/envoy/issues/9300).",
+ yaml:
+ "Set the default maximum TLS version supported. Must be greater than or equal to `tls_min_version`. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy will default to TLS 1.2 as a max version for outgoing connections, but future Envoy releases [may change this to TLS 1.3](https://github.com/envoyproxy/envoy/issues/9300).",
+ },
+ },
+ {
+ name: 'CipherSuites',
+ yaml: false,
+ type: 'array: ',
+ description: `Set the default list of TLS cipher suites
+ to support when negotiating connections using
+ TLS 1.2 or earlier. If unspecified, Envoy will use a
+ [default server cipher list](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tlsparameters-cipher-suites).
+ The list of supported cipher suites can seen in
+ [\`consul/types/tls.go\`](https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169)
+ and is dependent on underlying support in Envoy. Future
+ releases of Envoy may remove currently-supported but
+ insecure cipher suites, and future releases of Consul
+ may add new supported cipher suites if any are added to
+ Envoy.`,
+ },
+ ],
+ },
+ ],
+ },
]}
/>