277c41d336
* xds: refactor ingress listener SDS configuration * xds: update resolveListenerSDS call args in listeners_test * ingress: add TLS min, max and cipher suites to GatewayTLSConfig * xds: implement envoyTLSVersions and envoyTLSCipherSuites * xds: merge TLS config * xds: configure TLS parameters with ingress TLS context from leaf * xds: nil check in resolveListenerTLSConfig validation * xds: nil check in makeTLSParameters* functions * changelog: add entry for TLS params on ingress config entries * xds: remove indirection for TLS params in TLSConfig structs * xds: return tlsContext, nil instead of ambiguous err Co-authored-by: Chris S. Kim <ckim@hashicorp.com> * xds: switch zero checks to types.TLSVersionUnspecified * ingress: add validation for ingress config entry TLS params * ingress: validate listener TLS config * xds: add basic ingress with TLS params tests * xds: add ingress listeners mixed TLS min version defaults precedence test * xds: add more explicit tests for ingress listeners inheriting gateway defaults * xds: add test for single TLS listener on gateway without TLS defaults * xds: regen golden files for TLSVersionInvalid zero value, add TLSVersionAuto listener test * types/tls: change TLSVersion to string * types/tls: update TLSCipherSuite to string type * types/tls: implement validation functions for TLSVersion and TLSCipherSuites, make some maps private * api: add TLS params to GatewayTLSConfig, add tests * api: add TLSMinVersion to ingress gateway config entry test JSON * xds: switch to Envoy TLS cipher suite encoding from types package * xds: fixup validation for TLSv1_3 min version with cipher suites * add some kitchen sink tests and add a missing struct tag * xds: check if mergedCfg.TLSVersion is in TLSVersionsWithConfigurableCipherSuites * xds: update connectTLSEnabled comment * xds: remove unsued resolveGatewayServiceTLSConfig function * xds: add makeCommonTLSContextFromLeafWithoutParams * types/tls: add LessThan comparator function for concrete values * types/tls: change tlsVersions validation map from string to TLSVersion keys * types/tls: remove unused envoyTLSCipherSuites * types/tls: enable chacha20 cipher suites for Consul agent * types/tls: remove insecure cipher suites from allowed config TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 are both explicitly listed as insecure and disabled in the Go source. Refs https://cs.opensource.google/go/go/+/refs/tags/go1.17.3:src/crypto/tls/cipher_suites.go;l=329-330 * types/tls: add ValidateConsulAgentCipherSuites function, make direct lookup map private * types/tls: return all unmatched cipher suites in validation errors * xds: check that Envoy API value matching TLS version is found when building TlsParameters * types/tls: check that value is found in map before appending to slice in MarshalEnvoyTLSCipherSuiteStrings * types/tls: cast to string rather than fmt.Printf in TLSCihperSuite.String() * xds: add TLSVersionUnspecified to list of configurable cipher suites * structs: update note about config entry warning * xds: remove TLS min version cipher suite unconfigurable test placeholder * types/tls: update tests to remove assumption about private map values Co-authored-by: R.B. Boyer <rb@hashicorp.com> |
||
|---|---|---|
| .. | ||
| acl.go | ||
| acl_cache.go | ||
| acl_cache_test.go | ||
| acl_oss.go | ||
| acl_test.go | ||
| auto_encrypt.go | ||
| autopilot.go | ||
| autopilot_oss.go | ||
| catalog.go | ||
| catalog_oss.go | ||
| check_definition.go | ||
| check_definition_test.go | ||
| check_type.go | ||
| config_entry.go | ||
| config_entry_discoverychain.go | ||
| config_entry_discoverychain_oss.go | ||
| config_entry_discoverychain_test.go | ||
| config_entry_exports.go | ||
| config_entry_gateways.go | ||
| config_entry_gateways_test.go | ||
| config_entry_intentions.go | ||
| config_entry_intentions_oss.go | ||
| config_entry_intentions_test.go | ||
| config_entry_mesh.go | ||
| config_entry_mesh_oss.go | ||
| config_entry_oss.go | ||
| config_entry_oss_test.go | ||
| config_entry_test.go | ||
| connect.go | ||
| connect_ca.go | ||
| connect_ca_test.go | ||
| connect_oss.go | ||
| connect_proxy_config.go | ||
| connect_proxy_config_oss.go | ||
| connect_proxy_config_test.go | ||
| discovery_chain.go | ||
| discovery_chain_oss.go | ||
| errors.go | ||
| federation_state.go | ||
| identity.go | ||
| intention.go | ||
| intention_oss.go | ||
| intention_test.go | ||
| operator.go | ||
| prepared_query.go | ||
| prepared_query_test.go | ||
| protobuf_compat.go | ||
| sanitize_oss.go | ||
| service_definition.go | ||
| service_definition_test.go | ||
| snapshot.go | ||
| structs.go | ||
| structs_filtering_test.go | ||
| structs_oss.go | ||
| structs_oss_test.go | ||
| structs_test.go | ||
| system_metadata.go | ||
| testing.go | ||
| testing_catalog.go | ||
| testing_connect_proxy_config.go | ||
| testing_intention.go | ||
| testing_service_definition.go | ||
| txn.go | ||