api: Add TLS configuration attributes in ClientTrafficPolicy (#2287)

* api: Add TLS configuration attributes in ClientTrafficPolicy Signed-off-by: Lior Okman <[email protected]> * Fixed typos in the comments. Signed-off-by: Lior Okman <[email protected]> * Added missing TLS 1.1 enum value for TLS Versions Signed-off-by: Lior Okman <[email protected]> * Regenerated the ClientTrafficPolicy CRD to include the TLS 1.1 enum. Signed-off-by: Lior Okman <[email protected]> * Added CEL validation for ciphers if minimum TLS version is 1.3. Documented the defaults used for fields. Signed-off-by: Lior Okman <[email protected]> * Modified ALPN to be an enum array. Signed-off-by: Lior Okman <[email protected]> * Removed the 'TLS_' prefix from the TLS protocol version enum values. Signed-off-by: Lior Okman <[email protected]> * Updated the comment for `TLSSettings`. Signed-off-by: Lior Okman <[email protected]> * Removed the intermediate "version" level when specifying the TLS protocol version. Defined the default minimal TLS version to be 1.2 and the default maximal TLS version to 1.3. Signed-off-by: Lior Okman <[email protected]> * Aligned the Golang and JSON name for ciphers. Signed-off-by: Lior Okman <[email protected]> * Added CEL validation to verify that tls.minVersion is less than or equal to tls.maxVersion Signed-off-by: Lior Okman <[email protected]> * Fixed a CEL issue where tls.minVersion was checked before verifying it was specified. Fixed a CEL issue where setting tls.maxVersion without setting tls.minVersion was not correctly validated Signed-off-by: Lior Okman <[email protected]> * Regenerated after rebasing Signed-off-by: Lior Okman <[email protected]> * Added CEL validation tests. Require that if HTTP/3 is enabled then ALPN protocols are not specified, since HTTP/3 sets a custom "h3" protocol in ALPN. Signed-off-by: Lior Okman <[email protected]> --------- Signed-off-by: Lior Okman <[email protected]>
envoyproxy · Dec 27, 2023 · 3e220ef · 3e220ef
1 parent 80ebd53
commit 3e220ef
Show file tree

Hide file tree

Showing 6 changed files with 385 additions and 1 deletion.
diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go
@@ -34,6 +34,7 @@ type ClientTrafficPolicy struct {
 	Status ClientTrafficPolicyStatus `json:"status,omitempty"`
 }
 
+// +kubebuilder:validation:XValidation:rule="has(self.http3) && has(self.tls) && has(self.tls.alpnProtocols) ? self.tls.alpnProtocols.size() == 0 : true",message="alpn protocols can't be set if HTTP/3 is enabled"
 // ClientTrafficPolicySpec defines the desired state of ClientTrafficPolicy.
 type ClientTrafficPolicySpec struct {
 	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
@@ -69,6 +70,10 @@ type ClientTrafficPolicySpec struct {
 	//
 	// +optional
 	HTTP3 *HTTP3Settings `json:"http3,omitempty"`
+	// TLS settings configure TLS termination settings with the downstream client.
+	//
+	// +optional
+	TLS *TLSSettings `json:"tls,omitempty"`
 }
 
 // HTTP3Settings provides HTTP/3 configuration on the listener.

diff --git a/api/v1alpha1/tls_types.go b/api/v1alpha1/tls_types.go
@@ -0,0 +1,99 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+// +kubebuilder:validation:XValidation:rule="has(self.minVersion) && self.minVersion == 'v1_3' ? !has(self.ciphers) : true", message="setting ciphers has no effect if the minimum possible TLS version is 1.3"
+// +kubebuilder:validation:XValidation:rule="has(self.minVersion) && has(self.maxVersion) ? {\"Auto\":0,\"v1_1\":1,\"v1_2\":2,\"v1_3\":3}[self.minVersion] <= {\"v1_1\":1,\"v1_2\":2,\"v1_3\":3,\"Auto\":4}[self.maxVersion] : !has(self.minVersion) && has(self.maxVersion) ? 2 <= {\"v1_1\":1,\"v1_2\":2,\"v1_3\":3,\"Auto\":4}[self.maxVersion] : true", message="minVersion must be smaller or equal to maxVersion"
+type TLSSettings struct {
+
+	// Min specifies the minimal TLS protocol version to allow.
+	//
+	// The default is TLS 1.2 if this is not specified.
+	// +optional
+	MinVersion *TLSVersion `json:"minVersion,omitempty"`
+
+	// Max specifies the maximal TLS protocol version to allow
+	//
+	// The default is TLS 1.3 if this is not specified.
+	// +optional
+	MaxVersion *TLSVersion `json:"maxVersion,omitempty"`
+
+	// Ciphers specifies the set of cipher suites supported when
+	// negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
+	//
+	// In non-FIPS Envoy Proxy builds the default cipher list is:
+	// - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
+	// - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
+	// - ECDHE-ECDSA-AES256-GCM-SHA384
+	// - ECDHE-RSA-AES256-GCM-SHA384
+	//
+	// In builds using BoringSSL FIPS the default cipher list is:
+	// - ECDHE-ECDSA-AES128-GCM-SHA256
+	// - ECDHE-RSA-AES128-GCM-SHA256
+	// - ECDHE-ECDSA-AES256-GCM-SHA384
+	// - ECDHE-RSA-AES256-GCM-SHA384
+	//
+	// +optional
+	Ciphers []string `json:"ciphers,omitempty"`
+
+	// ECDHCurves specifies the set of supported ECDH curves.
+	// In non-FIPS Envoy Proxy builds the default curves are:
+	// - X25519
+	// - P-256
+	//
+	// In builds using BoringSSL FIPS the default curve is:
+	// - P-256
+	//
+	// +optional
+	ECDHCurves []string `json:"ecdhCurves,omitempty"`
+
+	// SignatureAlgorithms specifies which signature algorithms the listener should
+	// support.
+	//
+	// +optional
+	SignatureAlgorithms []string `json:"signatureAlgorithms,omitempty"`
+
+	// ALPNProtocols supplies the list of ALPN protocols that should be
+	// exposed by the listener. By default http/2 and http/1.1 are enabled.
+	//
+	// Supported values are:
+	// - http/1.0
+	// - http/1.1
+	// - http/2
+	//
+	// +optional
+	ALPNProtocols []ALPNProtocol `json:"alpnProtocols,omitempty"`
+}
+
+// ALPNProtocol specifies the protocol to be negotiated using ALPN
+// +kubebuilder:validation:Enum=http/1.0;http/1.1;http/2
+type ALPNProtocol string
+
+const (
+	// HTTPProtocolVersion1_0 specifies that HTTP/1.0 should be negotiable with ALPN
+	HTTPProtocolVersion1_0 ALPNProtocol = "http/1.0"
+	// HTTPProtocolVersion1_1 specifies that HTTP/1.1 should be negotiable with ALPN
+	HTTPProtocolVersion1_1 ALPNProtocol = "http/1.1"
+	// HTTPProtocolVersion2 specifies that HTTP/2 should be negotiable with ALPN
+	HTTPProtocolVersion2 ALPNProtocol = "http/2"
+)
+
+// TLSVersion specifies the TLS version
+// +kubebuilder:validation:Enum=Auto;v1_0;v1_1;v1_2;v1_3
+type TLSVersion string
+
+const (
+	// TLSAuto allows Envoy to choose the optimal TLS Version
+	TLSAuto TLSVersion = "Auto"
+	// TLSv1_0 specifies TLS version 1.0
+	TLSv10 TLSVersion = "v1_0"
+	// TLSv1_1 specifies TLS version 1.1
+	TLSv11 TLSVersion = "v1_1"
+	// TLSv1.2 specifies TLS version 1.2
+	TLSv12 TLSVersion = "v1_2"
+	// TLSv1.3 specifies TLS version 1.3
+	TLSv13 TLSVersion = "v1_3"
+)
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
@@ -136,9 +136,89 @@ spec:
                     format: int32
                     type: integer
                 type: object
+              tls:
+                description: TLS settings configure TLS termination settings with
+                  the downstream client.
+                properties:
+                  alpnProtocols:
+                    description: "ALPNProtocols supplies the list of ALPN protocols
+                      that should be exposed by the listener. By default http/2 and
+                      http/1.1 are enabled. \n Supported values are: - http/1.0 -
+                      http/1.1 - http/2"
+                    items:
+                      description: ALPNProtocol specifies the protocol to be negotiated
+                        using ALPN
+                      enum:
+                      - http/1.0
+                      - http/1.1
+                      - http/2
+                      type: string
+                    type: array
+                  ciphers:
+                    description: "Ciphers specifies the set of cipher suites supported
+                      when negotiating TLS 1.0 - 1.2. This setting has no effect for
+                      TLS 1.3. \n In non-FIPS Envoy Proxy builds the default cipher
+                      list is: - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
+                      - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
+                      - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384
+                      \n In builds using BoringSSL FIPS the default cipher list is:
+                      - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256
+                      - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384"
+                    items:
+                      type: string
+                    type: array
+                  ecdhCurves:
+                    description: "ECDHCurves specifies the set of supported ECDH curves.
+                      In non-FIPS Envoy Proxy builds the default curves are: - X25519
+                      - P-256 \n In builds using BoringSSL FIPS the default curve
+                      is: - P-256"
+                    items:
+                      type: string
+                    type: array
+                  maxVersion:
+                    description: "Max specifies the maximal TLS protocol version to
+                      allow \n The default is TLS 1.3 if this is not specified."
+                    enum:
+                    - Auto
+                    - v1_0
+                    - v1_1
+                    - v1_2
+                    - v1_3
+                    type: string
+                  minVersion:
+                    description: "Min specifies the minimal TLS protocol version to
+                      allow. \n The default is TLS 1.2 if this is not specified."
+                    enum:
+                    - Auto
+                    - v1_0
+                    - v1_1
+                    - v1_2
+                    - v1_3
+                    type: string
+                  signatureAlgorithms:
+                    description: SignatureAlgorithms specifies which signature algorithms
+                      the listener should support.
+                    items:
+                      type: string
+                    type: array
+                type: object
+                x-kubernetes-validations:
+                - message: setting ciphers has no effect if the minimum possible TLS
+                    version is 1.3
+                  rule: 'has(self.minVersion) && self.minVersion == ''v1_3'' ? !has(self.ciphers)
+                    : true'
+                - message: minVersion must be smaller or equal to maxVersion
+                  rule: 'has(self.minVersion) && has(self.maxVersion) ? {"Auto":0,"v1_1":1,"v1_2":2,"v1_3":3}[self.minVersion]
+                    <= {"v1_1":1,"v1_2":2,"v1_3":3,"Auto":4}[self.maxVersion] : !has(self.minVersion)
+                    && has(self.maxVersion) ? 2 <= {"v1_1":1,"v1_2":2,"v1_3":3,"Auto":4}[self.maxVersion]
+                    : true'
             required:
             - targetRef
             type: object
+            x-kubernetes-validations:
+            - message: alpn protocols can't be set if HTTP/3 is enabled
+              rule: 'has(self.http3) && has(self.tls) && has(self.tls.alpnProtocols)
+                ? self.tls.alpnProtocols.size() == 0 : true'
           status:
             description: Status defines the current status of ClientTrafficPolicy.
             properties:

diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
@@ -27,6 +27,17 @@ API group.
 
 
 
+#### ALPNProtocol
+
+_Underlying type:_ `string`
+
+ALPNProtocol specifies the protocol to be negotiated using ALPN
+
+_Appears in:_
+- [TLSSettings](#tlssettings)
+
+
+
 #### BackendTrafficPolicy
 
 
@@ -208,6 +219,7 @@ _Appears in:_
 | `suppressEnvoyHeaders` _boolean_ | SuppressEnvoyHeaders configures the Envoy Router filter to suppress the "x-envoy-' headers from both requests and responses. By default these headers are added to both requests and responses. |
 | `enableProxyProtocol` _boolean_ | EnableProxyProtocol interprets the ProxyProtocol header and adds the Client Address into the X-Forwarded-For header. Note Proxy Protocol must be present when this field is set, else the connection is closed. |
 | `http3` _[HTTP3Settings](#http3settings)_ | HTTP3 provides HTTP/3 configuration on the listener. |
+| `tls` _[TLSSettings](#tlssettings)_ | TLS settings configure TLS termination settings with the downstream client. |
 
 
 
@@ -1856,6 +1868,42 @@ _Appears in:_
 | `interval` _Duration_ | The duration between keep-alive probes. Defaults to `75s`. |
 
 
+#### TLSSettings
+
+
+
+
+
+_Appears in:_
+- [ClientTrafficPolicySpec](#clienttrafficpolicyspec)
+
+| Field | Description |
+| --- | --- |
+| `minVersion` _[TLSVersion](#tlsversion)_ | Min specifies the minimal TLS protocol version to allow. 
+ The default is TLS 1.2 if this is not specified. |
+| `maxVersion` _[TLSVersion](#tlsversion)_ | Max specifies the maximal TLS protocol version to allow 
+ The default is TLS 1.3 if this is not specified. |
+| `ciphers` _string array_ | Ciphers specifies the set of cipher suites supported when negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3. 
+ In non-FIPS Envoy Proxy builds the default cipher list is: - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 
+ In builds using BoringSSL FIPS the default cipher list is: - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 |
+| `ecdhCurves` _string array_ | ECDHCurves specifies the set of supported ECDH curves. In non-FIPS Envoy Proxy builds the default curves are: - X25519 - P-256 
+ In builds using BoringSSL FIPS the default curve is: - P-256 |
+| `signatureAlgorithms` _string array_ | SignatureAlgorithms specifies which signature algorithms the listener should support. |
+| `alpnProtocols` _[ALPNProtocol](#alpnprotocol) array_ | ALPNProtocols supplies the list of ALPN protocols that should be exposed by the listener. By default http/2 and http/1.1 are enabled. 
+ Supported values are: - http/1.0 - http/1.1 - http/2 |
+
+
+#### TLSVersion
+
+_Underlying type:_ `string`
+
+TLSVersion specifies the TLS version
+
+_Appears in:_
+- [TLSSettings](#tlssettings)
+
+
+
 #### TracingProvider