Deprecate cluster's and listener's tls_context in favor of transport socket

source/common/upstream/upstream_impl.cc

@@ -894,13 +894,7 @@ Network::TransportSocketFactoryPtr createTransportSocketFactory(
   // if necessary.
   auto transport_socket = config.transport_socket();
   if (!config.has_transport_socket()) {
-    if (config.has_hidden_envoy_deprecated_tls_context()) {
-      transport_socket.set_name("envoy.transport_sockets.tls");
-      transport_socket.mutable_typed_config()->PackFrom(
-          config.hidden_envoy_deprecated_tls_context());
-    } else {
-      transport_socket.set_name("envoy.transport_sockets.raw_buffer");
-    }
+    transport_socket.set_name("envoy.transport_sockets.raw_buffer");
   }
 
   auto& config_factory = Config::Utility::getAndCheckFactory<

source/extensions/clusters/dynamic_forward_proxy/cluster.cc

@@ -24,15 +24,7 @@ Cluster::Cluster(
                                        added_via_api, factory_context.dispatcher().timeSource()),
       dns_cache_manager_(cache_manager_factory.get()),
       dns_cache_(dns_cache_manager_->getCache(config.dns_cache_config())),
-      update_callbacks_handle_(dns_cache_->addUpdateCallbacks(*this)), local_info_(local_info) {
-  // Block certain TLS context parameters that don't make sense on a cluster-wide scale. We will
-  // support these parameters dynamically in the future. This is not an exhaustive list of
-  // parameters that don't make sense but should be the most obvious ones that a user might set
-  // in error.
-  if (!cluster.hidden_envoy_deprecated_tls_context().sni().empty()) {
-    throw EnvoyException("dynamic_forward_proxy cluster cannot configure 'sni'");
-  }
-}
+      update_callbacks_handle_(dns_cache_->addUpdateCallbacks(*this)), local_info_(local_info) {}
 
 void Cluster::startPreInit() {
   // If we are attaching to a pre-populated cache we need to initialize our hosts.

source/server/listener_manager_impl.cc

@@ -941,13 +941,7 @@ Network::DrainableFilterChainSharedPtr ListenerFilterChainFactoryBuilder::buildF
   // We copy by value first then override if necessary.
   auto transport_socket = filter_chain.transport_socket();
   if (!filter_chain.has_transport_socket()) {
-    if (filter_chain.has_hidden_envoy_deprecated_tls_context()) {
-      transport_socket.set_name("envoy.transport_sockets.tls");
-      transport_socket.mutable_typed_config()->PackFrom(
-          filter_chain.hidden_envoy_deprecated_tls_context());
-    } else {
-      transport_socket.set_name("envoy.transport_sockets.raw_buffer");
-    }
+    transport_socket.set_name("envoy.transport_sockets.raw_buffer");
   }
 
   auto& config_factory = Config::Utility::getAndCheckFactory<

test/config/utility.cc

@@ -807,14 +807,8 @@ void ConfigHelper::finalize(const std::vector<uint32_t>& ports) {
     for (int j = 0; j < listener->filter_chains_size(); ++j) {
       if (tap_path) {
         auto* filter_chain = listener->mutable_filter_chains(j);
-        const bool has_tls = filter_chain->has_hidden_envoy_deprecated_tls_context();
-        const Protobuf::Message* tls_config = nullptr;
-        if (has_tls) {
-          tls_config = &filter_chain->hidden_envoy_deprecated_tls_context();
-          filter_chain->clear_hidden_envoy_deprecated_tls_context();
-        }
         setTapTransportSocket(tap_path.value(), fmt::format("listener_{}_{}", i, j),
-                              *filter_chain->mutable_transport_socket(), tls_config);
+                              *filter_chain->mutable_transport_socket());
       }
     }
   }
@@ -849,14 +843,8 @@ void ConfigHelper::finalize(const std::vector<uint32_t>& ports) {
     }
 
     if (tap_path) {
-      const bool has_tls = cluster->has_hidden_envoy_deprecated_tls_context();
-      const Protobuf::Message* tls_config = nullptr;
-      if (has_tls) {
-        tls_config = &cluster->hidden_envoy_deprecated_tls_context();
-        cluster->clear_hidden_envoy_deprecated_tls_context();
-      }
       setTapTransportSocket(tap_path.value(), absl::StrCat("cluster_", i),
-                            *cluster->mutable_transport_socket(), tls_config);
+                            *cluster->mutable_transport_socket());
     }
   }
   ASSERT(skip_port_usage_validation_ || port_idx == ports.size() || eds_hosts ||
@@ -876,17 +864,13 @@ void ConfigHelper::finalize(const std::vector<uint32_t>& ports) {
   finalized_ = true;
 }
 
-void ConfigHelper::setTapTransportSocket(const std::string& tap_path, const std::string& type,
-                                         envoy::config::core::v3::TransportSocket& transport_socket,
-                                         const Protobuf::Message* tls_config) {
+void ConfigHelper::setTapTransportSocket(
+    const std::string& tap_path, const std::string& type,
+    envoy::config::core::v3::TransportSocket& transport_socket) {
   // Determine inner transport socket.
   envoy::config::core::v3::TransportSocket inner_transport_socket;
   if (!transport_socket.name().empty()) {
-    RELEASE_ASSERT(!tls_config, "");
     inner_transport_socket.MergeFrom(transport_socket);
-  } else if (tls_config) {
-    inner_transport_socket.set_name("envoy.transport_sockets.tls");
-    inner_transport_socket.mutable_typed_config()->PackFrom(*tls_config);
   } else {
     inner_transport_socket.set_name("envoy.transport_sockets.raw_buffer");
   }

test/config/utility.h

@@ -374,8 +374,7 @@ class ConfigHelper {
 
   // Configure a tap transport socket for a cluster/filter chain.
   void setTapTransportSocket(const std::string& tap_path, const std::string& type,
-                             envoy::config::core::v3::TransportSocket& transport_socket,
-                             const Protobuf::Message* tls_config);
+                             envoy::config::core::v3::TransportSocket& transport_socket);
 
   // The bootstrap proto Envoy will start up with.
   envoy::config::bootstrap::v3::Bootstrap bootstrap_;

test/extensions/clusters/dynamic_forward_proxy/cluster_test.cc

@@ -234,30 +234,6 @@ class ClusterFactoryTest : public testing::Test {
   Server::MockOptions options_;
 };
 
-// Verify that using 'sni' causes a failure.
-TEST_F(ClusterFactoryTest, DEPRECATED_FEATURE_TEST(InvalidSNI)) {
-  TestDeprecatedV2Api _deprecated_v2_api;
-  const std::string yaml_config = TestEnvironment::substitute(R"EOF(
-name: name
-connect_timeout: 0.25s
-cluster_type:
-  name: dynamic_forward_proxy
-  typed_config:
-    "@type": type.googleapis.com/envoy.config.cluster.dynamic_forward_proxy.v2alpha.ClusterConfig
-    dns_cache_config:
-      name: foo
-tls_context:
-  sni: api.lyft.com
-  common_tls_context:
-    validation_context:
-      trusted_ca:
-        filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
-)EOF");
-
-  EXPECT_THROW_WITH_MESSAGE(createCluster(yaml_config, false), EnvoyException,
-                            "dynamic_forward_proxy cluster cannot configure 'sni'");
-}
-
 TEST_F(ClusterFactoryTest, InvalidUpstreamHttpProtocolOptions) {
   const std::string yaml_config = TestEnvironment::substitute(R"EOF(
 name: name