Merge 7045225 into backport/NET-11798_API_Gateway_TLS_Max_Min_Version…

…s_and_CipherSuites_settings_not_respected/optionally-proper-minnow
hashicorp · Jan 15, 2025 · 0e44260 · 0e44260
2 parents bd972c4 + 7045225
commit 0e44260
Show file tree

Hide file tree

Showing 3 changed files with 184 additions and 3 deletions.
diff --git a/agent/xds/resources_test.go b/agent/xds/resources_test.go
@@ -1000,6 +1000,73 @@ func getAPIGatewayGoldenTestCases(t *testing.T) []goldenTestCase {
 					}}, nil)
 			},
 		},
+		{
+			name: "api-gateway-with-multiple-inline-certificates-tls-params-unset",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotAPIGateway(t, "default", nil, func(entry *structs.APIGatewayConfigEntry, bound *structs.BoundAPIGatewayConfigEntry) {
+					entry.Listeners = []structs.APIGatewayListener{
+						{
+							Name:     "listener",
+							Protocol: structs.ListenerProtocolTCP,
+							Port:     8080,
+							TLS: structs.APIGatewayTLSConfiguration{
+								Certificates: []structs.ResourceReference{{
+									Kind: structs.InlineCertificate,
+									Name: "certificate",
+								}},
+							},
+						},
+					}
+					bound.Listeners = []structs.BoundAPIGatewayListener{
+						{
+							Name: "listener",
+							Certificates: []structs.ResourceReference{
+								{
+									Kind: structs.InlineCertificate,
+									Name: "certificate",
+								},
+								{
+									Kind: structs.InlineCertificate,
+									Name: "certificate-too",
+								},
+							},
+							Routes: []structs.ResourceReference{{
+								Kind: structs.TCPRoute,
+								Name: "route",
+							}},
+						},
+					}
+				},
+					[]structs.BoundRoute{
+						&structs.TCPRouteConfigEntry{
+							Kind: structs.TCPRoute,
+							Name: "route",
+							Services: []structs.TCPService{{
+								Name: "service",
+							}},
+							Parents: []structs.ResourceReference{
+								{
+									Kind: structs.APIGateway,
+									Name: "api-gateway",
+								},
+							},
+						},
+					}, []structs.InlineCertificateConfigEntry{
+						{
+							Kind:        structs.InlineCertificate,
+							Name:        "certificate",
+							PrivateKey:  gatewayTestPrivateKey,
+							Certificate: gatewayTestCertificate,
+						},
+						{
+							Kind:        structs.InlineCertificate,
+							Name:        "certificate-too",
+							PrivateKey:  gatewayTestPrivateKeyTwo,
+							Certificate: gatewayTestCertificateTwo,
+						},
+					}, nil)
+			},
+		},
 		{
 			name: "api-gateway-with-multiple-inline-certificates",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
@@ -1073,6 +1140,87 @@ func getAPIGatewayGoldenTestCases(t *testing.T) []goldenTestCase {
 					}, nil)
 			},
 		},
+		{
+			name: "api-gateway-with-http-route-tls-params-unset",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotAPIGateway(t, "default", nil, func(entry *structs.APIGatewayConfigEntry, bound *structs.BoundAPIGatewayConfigEntry) {
+					entry.Listeners = []structs.APIGatewayListener{
+						{
+							Name:     "listener",
+							Protocol: structs.ListenerProtocolHTTP,
+							Port:     8080,
+						},
+					}
+					bound.Listeners = []structs.BoundAPIGatewayListener{
+						{
+							Name: "listener",
+							Certificates: []structs.ResourceReference{{
+								Kind: structs.InlineCertificate,
+								Name: "certificate",
+							}},
+							Routes: []structs.ResourceReference{{
+								Kind: structs.HTTPRoute,
+								Name: "route",
+							}},
+						},
+					}
+				}, []structs.BoundRoute{
+					&structs.HTTPRouteConfigEntry{
+						Kind: structs.HTTPRoute,
+						Name: "route",
+						Rules: []structs.HTTPRouteRule{{
+							Filters: structs.HTTPFilters{
+								Headers: []structs.HTTPHeaderFilter{
+									{
+										Add: map[string]string{
+											"X-Header-Add": "added",
+										},
+										Set: map[string]string{
+											"X-Header-Set": "set",
+										},
+										Remove: []string{"X-Header-Remove"},
+									},
+								},
+								RetryFilter: &structs.RetryFilter{
+									NumRetries:            3,
+									RetryOn:               []string{"cancelled"},
+									RetryOnStatusCodes:    []uint32{500},
+									RetryOnConnectFailure: true,
+								},
+								TimeoutFilter: &structs.TimeoutFilter{
+									IdleTimeout:    time.Second * 30,
+									RequestTimeout: time.Second * 30,
+								},
+							},
+							Services: []structs.HTTPService{{
+								Name: "service",
+							}},
+						}},
+						Parents: []structs.ResourceReference{
+							{
+								Kind: structs.APIGateway,
+								Name: "api-gateway",
+							},
+						},
+					},
+				}, []structs.InlineCertificateConfigEntry{{
+					Kind:        structs.InlineCertificate,
+					Name:        "certificate",
+					PrivateKey:  gatewayTestPrivateKey,
+					Certificate: gatewayTestCertificate,
+				}}, []proxycfg.UpdateEvent{{
+					CorrelationID: "discovery-chain:" + serviceUID.String(),
+					Result: &structs.DiscoveryChainResponse{
+						Chain: serviceChain,
+					},
+				}, {
+					CorrelationID: "upstream-target:" + serviceChain.ID() + ":" + serviceUID.String(),
+					Result: &structs.IndexedCheckServiceNodes{
+						Nodes: proxycfg.TestUpstreamNodes(t, "service"),
+					},
+				}})
+			},
+		},
 		{
 			name: "api-gateway-with-http-route",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
@@ -1082,6 +1230,18 @@ func getAPIGatewayGoldenTestCases(t *testing.T) []goldenTestCase {
 							Name:     "listener",
 							Protocol: structs.ListenerProtocolHTTP,
 							Port:     8080,
+							TLS: structs.APIGatewayTLSConfiguration{
+								Certificates: []structs.ResourceReference{{
+									Kind: structs.InlineCertificate,
+									Name: "certificate",
+								}},
+								MinVersion: types.TLSv1_2,
+								MaxVersion: types.TLSv1_3,
+								CipherSuites: []types.TLSCipherSuite{
+									types.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+									types.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+								},
+							},
 						},
 					}
 					bound.Listeners = []structs.BoundAPIGatewayListener{

diff --git a/agent/xds/testdata/listeners/api-gateway-with-http-route.latest.golden b/agent/xds/testdata/listeners/api-gateway-with-http-route.latest.golden
@@ -61,7 +61,14 @@
                     }
                   }
                 ],
-                "tlsParams": {}
+                "tlsParams": {
+                  "cipherSuites": [
+                    "ECDHE-ECDSA-AES256-GCM-SHA384",
+                    "ECDHE-RSA-CHACHA20-POLY1305"
+                  ],
+                  "tlsMaximumProtocolVersion": "TLSv1_3",
+                  "tlsMinimumProtocolVersion": "TLSv1_2"
+                }
               },
               "requireClientCertificate": false
             }

diff --git a/agent/xds/testdata/listeners/api-gateway-with-multiple-inline-certificates.latest.golden b/agent/xds/testdata/listeners/api-gateway-with-multiple-inline-certificates.latest.golden
@@ -41,7 +41,14 @@
                     }
                   }
                 ],
-                "tlsParams": {}
+                "tlsParams": {
+                  "cipherSuites": [
+                    "ECDHE-ECDSA-AES256-GCM-SHA384",
+                    "ECDHE-RSA-CHACHA20-POLY1305"
+                  ],
+                  "tlsMaximumProtocolVersion": "TLSv1_3",
+                  "tlsMinimumProtocolVersion": "TLSv1_2"
+                }
               },
               "requireClientCertificate": false
             }
@@ -73,7 +80,14 @@
                     }
                   }
                 ],
-                "tlsParams": {},
+                "tlsParams": {
+                  "cipherSuites": [
+                    "ECDHE-ECDSA-AES256-GCM-SHA384",
+                    "ECDHE-RSA-CHACHA20-POLY1305"
+                  ],
+                  "tlsMaximumProtocolVersion": "TLSv1_3",
+                  "tlsMinimumProtocolVersion": "TLSv1_2"
+                },
                 "validationContext": {
                   "trustedCa": {
                     "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"