Skip to content

Backport of Inline API Gateway TLS cert code into release/1.15.x#16306

Merged
andrewstucki merged 3 commits intorelease/1.15.xfrom
backport/api-gateway-inline/gratefully-current-terrier
Feb 17, 2023
Merged

Backport of Inline API Gateway TLS cert code into release/1.15.x#16306
andrewstucki merged 3 commits intorelease/1.15.xfrom
backport/api-gateway-inline/gratefully-current-terrier

Conversation

@hc-github-team-consul-core
Copy link
Collaborator

@hc-github-team-consul-core hc-github-team-consul-core commented Feb 17, 2023

Backport

This PR is auto-generated from #16295 to be assessed for backporting due to the inclusion of the label backport/1.15.

WARNING automatic cherry-pick of commits failed. Commits will require human attention.

merge conflict error: unable to process merge commit: "1945da274ab88a654739ab01515e3149a6ea6d0a", automatic backport requires rebase workflow

The below text is copied from the body of the original PR.

Description

We initially attempted to ship API Gateway certificates via SDS secrets over ADS, however, currently certificates pushed down via ADS never come out of a warming state. This acts as a stop-gap to try and ship certificates to API Gateways without requiring having a fully functioning ADS secret pushdown.

In order to implement binding multiple certificates to a gateway listener it adds some SNI behavior to the gateways, specifically the xDS generation code, when applying a single certificate leverages it for all traffic. For multiple certificates it:

  1. parses all of the possible server names that a cert responds to out of the CN, DNSSans, and IPSans fields of the certificate
  2. finds any overlapping server names for the certificates (envoy starts spitting crazy amounts of errors if you have overlapping server names in two different filter chains)
  3. only adds filters for the server names that don't overlap and associates them with the corresponding certificate
  4. constructs a default listener using the connect leaf certificate for the gateway and uses it for any other requests (including for requests for the server name that the certificates overlap on)

The above overlapping check to a default listener was done to make things deterministic rather than based off of something like which cert was created first.

In the future I think we should talk to the upstream community about the possibility of either adding an optional flag for a certificate to be the default certificate, or potentially adding an optional hostnames field to the certificate references so that an implementation can just leverage that rather than trying to construct a non-overlapping hostnames set themselves, or both (this is a generic multi-cert problem).

PR Checklist

  • updated test coverage
  • external facing docs updated
  • not a security concern
Overview of commits

@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/api-gateway-inline/gratefully-current-terrier branch 2 times, most recently from 3ec24d2 to 2524d13 Compare February 17, 2023 17:46
@github-actions github-actions bot added the theme/envoy/xds Related to Envoy support label Feb 17, 2023
github-team-consul-core-pr-approver
github-team-consul-core-pr-approver approved these changes Feb 17, 2023
View reviewed changes
Copy link
Collaborator

@github-team-consul-core-pr-approver github-team-consul-core-pr-approver left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto approved Consul Bot automated PR

@nathancoleman
Inline API Gateway TLS cert code (#16295)
16396b6 
* Include secret type when building resources from config snapshot

* First pass at generating envoy secrets from api-gateway snapshot

* Update comments for xDS update order

* Add secret type + corresponding golden files to existing tests

* Initialize test helpers for testing api-gateway resource generation

* Generate golden files for new api-gateway xDS resource test

* Support ADS for TLS certificates on api-gateway

* Configure TLS on api-gateway listeners

* Inline TLS cert code

* update tests

* Add SNI support so we can have multiple certificates

* Remove commented out section from helper

* regen deep-copy

* Add tcp tls test

---------

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
@andrewstucki andrewstucki force-pushed the backport/api-gateway-inline/gratefully-current-terrier branch from 2524d13 to 16396b6 Compare February 17, 2023 17:57
@andrewstucki andrewstucki marked this pull request as ready for review February 17, 2023 17:58
@andrewstucki andrewstucki merged commit 4920cb4 into release/1.15.x Feb 17, 2023
@andrewstucki andrewstucki deleted the backport/api-gateway-inline/gratefully-current-terrier branch February 17, 2023 19:46
@jjti jjti mentioned this pull request Aug 28, 2023
Closed
@dlaguerta dlaguerta mentioned this pull request Dec 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-team-consul-core-pr-approver github-team-consul-core-pr-approver github-team-consul-core-pr-approver approved these changes

@andrewstucki andrewstucki Awaiting requested review from andrewstucki

Assignees

No one assigned

Labels

theme/envoy/xds Related to Envoy support

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hc-github-team-consul-core @github-team-consul-core-pr-approver @andrewstucki