Backport of NET-11798: Set APIGateway TLSConfig if unset or empty into release/1.20.x

.changelog/21984.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+Fixed API Gateway TLS configuration to properly enforce listener TLS versions and cipher suites
+```

agent/xds/listeners_apigateway.go

@@ -5,6 +5,7 @@ package xds
 
 import (
 	"fmt"
+	"reflect"
 
 	envoy_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	envoy_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
@@ -114,6 +115,7 @@ func (s *ResourceGenerator) makeAPIGatewayListeners(address string, cfgSnap *pro
 
 			if isAPIGatewayWithTLS {
 				// construct SNI filter chains
+				setAPIGatewayTLSConfig(listenerCfg, cfgSnap)
 				l.FilterChains, err = s.makeInlineOverrideFilterChains(
 					cfgSnap,
 					cfgSnap.APIGateway.TLSConfig,
@@ -228,7 +230,8 @@ func (s *ResourceGenerator) makeAPIGatewayListeners(address string, cfgSnap *pro
 			sniFilterChains := []*envoy_listener_v3.FilterChain{}
 
 			if isAPIGatewayWithTLS {
-				sniFilterChains, err = s.makeInlineOverrideFilterChains(cfgSnap, cfgSnap.IngressGateway.TLSConfig, listenerKey.Protocol, filterOpts, certs)
+				setAPIGatewayTLSConfig(listenerCfg, cfgSnap)
+				sniFilterChains, err = s.makeInlineOverrideFilterChains(cfgSnap, cfgSnap.APIGateway.TLSConfig, listenerKey.Protocol, filterOpts, certs)
 				if err != nil {
 					return nil, err
 				}
@@ -515,3 +518,31 @@ func (s *ResourceGenerator) makeInlineOverrideFilterChains(cfgSnap *proxycfg.Con
 
 	return chains, nil
 }
+
+// setAPIGatewayTLSConfig updates the TLS configuration for an API gateway
+// by setting TLS parameters from a listener configuration if the existing
+// configuration is empty.
+// Only empty or unset values are updated, preserving any existing specific configurations.
+func setAPIGatewayTLSConfig(listenerCfg structs.APIGatewayListener, cfgSnap *proxycfg.ConfigSnapshot) {
+	// Create a local TLS config based on listener configuration
+	gatewayTLSConfig := structs.GatewayTLSConfig{
+		TLSMinVersion: listenerCfg.TLS.MinVersion,
+		TLSMaxVersion: listenerCfg.TLS.MaxVersion,
+		CipherSuites:  listenerCfg.TLS.CipherSuites,
+	}
+
+	// Check and set TLSMinVersion if empty
+	if reflect.ValueOf(cfgSnap.APIGateway.TLSConfig.TLSMinVersion).IsZero() {
+		cfgSnap.APIGateway.TLSConfig.TLSMinVersion = gatewayTLSConfig.TLSMinVersion
+	}
+
+	// Check and set TLSMaxVersion if empty
+	if reflect.ValueOf(cfgSnap.APIGateway.TLSConfig.TLSMaxVersion).IsZero() {
+		cfgSnap.APIGateway.TLSConfig.TLSMaxVersion = gatewayTLSConfig.TLSMaxVersion
+	}
+
+	// Check and set CipherSuites if empty
+	if len(cfgSnap.APIGateway.TLSConfig.CipherSuites) == 0 {
+		cfgSnap.APIGateway.TLSConfig.CipherSuites = gatewayTLSConfig.CipherSuites
+	}
+}

agent/xds/resources_test.go

@@ -1000,6 +1000,73 @@ func getAPIGatewayGoldenTestCases(t *testing.T) []goldenTestCase {
 					}}, nil)
 			},
 		},
+		{
+			name: "api-gateway-with-multiple-inline-certificates-tls-params-unset",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotAPIGateway(t, "default", nil, func(entry *structs.APIGatewayConfigEntry, bound *structs.BoundAPIGatewayConfigEntry) {
+					entry.Listeners = []structs.APIGatewayListener{
+						{
+							Name:     "listener",
+							Protocol: structs.ListenerProtocolTCP,
+							Port:     8080,
+							TLS: structs.APIGatewayTLSConfiguration{
+								Certificates: []structs.ResourceReference{{
+									Kind: structs.InlineCertificate,
+									Name: "certificate",
+								}},
+							},
+						},
+					}
+					bound.Listeners = []structs.BoundAPIGatewayListener{
+						{
+							Name: "listener",
+							Certificates: []structs.ResourceReference{
+								{
+									Kind: structs.InlineCertificate,
+									Name: "certificate",
+								},
+								{
+									Kind: structs.InlineCertificate,
+									Name: "certificate-too",
+								},
+							},
+							Routes: []structs.ResourceReference{{
+								Kind: structs.TCPRoute,
+								Name: "route",
+							}},
+						},
+					}
+				},
+					[]structs.BoundRoute{
+						&structs.TCPRouteConfigEntry{
+							Kind: structs.TCPRoute,
+							Name: "route",
+							Services: []structs.TCPService{{
+								Name: "service",
+							}},
+							Parents: []structs.ResourceReference{
+								{
+									Kind: structs.APIGateway,
+									Name: "api-gateway",
+								},
+							},
+						},
+					}, []structs.InlineCertificateConfigEntry{
+						{
+							Kind:        structs.InlineCertificate,
+							Name:        "certificate",
+							PrivateKey:  gatewayTestPrivateKey,
+							Certificate: gatewayTestCertificate,
+						},
+						{
+							Kind:        structs.InlineCertificate,
+							Name:        "certificate-too",
+							PrivateKey:  gatewayTestPrivateKeyTwo,
+							Certificate: gatewayTestCertificateTwo,
+						},
+					}, nil)
+			},
+		},
 		{
 			name: "api-gateway-with-multiple-inline-certificates",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
@@ -1073,6 +1140,87 @@ func getAPIGatewayGoldenTestCases(t *testing.T) []goldenTestCase {
 					}, nil)
 			},
 		},
+		{
+			name: "api-gateway-with-http-route-tls-params-unset",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotAPIGateway(t, "default", nil, func(entry *structs.APIGatewayConfigEntry, bound *structs.BoundAPIGatewayConfigEntry) {
+					entry.Listeners = []structs.APIGatewayListener{
+						{
+							Name:     "listener",
+							Protocol: structs.ListenerProtocolHTTP,
+							Port:     8080,
+						},
+					}
+					bound.Listeners = []structs.BoundAPIGatewayListener{
+						{
+							Name: "listener",
+							Certificates: []structs.ResourceReference{{
+								Kind: structs.InlineCertificate,
+								Name: "certificate",
+							}},
+							Routes: []structs.ResourceReference{{
+								Kind: structs.HTTPRoute,
+								Name: "route",
+							}},
+						},
+					}
+				}, []structs.BoundRoute{
+					&structs.HTTPRouteConfigEntry{
+						Kind: structs.HTTPRoute,
+						Name: "route",
+						Rules: []structs.HTTPRouteRule{{
+							Filters: structs.HTTPFilters{
+								Headers: []structs.HTTPHeaderFilter{
+									{
+										Add: map[string]string{
+											"X-Header-Add": "added",
+										},
+										Set: map[string]string{
+											"X-Header-Set": "set",
+										},
+										Remove: []string{"X-Header-Remove"},
+									},
+								},
+								RetryFilter: &structs.RetryFilter{
+									NumRetries:            3,
+									RetryOn:               []string{"cancelled"},
+									RetryOnStatusCodes:    []uint32{500},
+									RetryOnConnectFailure: true,
+								},
+								TimeoutFilter: &structs.TimeoutFilter{
+									IdleTimeout:    time.Second * 30,
+									RequestTimeout: time.Second * 30,
+								},
+							},
+							Services: []structs.HTTPService{{
+								Name: "service",
+							}},
+						}},
+						Parents: []structs.ResourceReference{
+							{
+								Kind: structs.APIGateway,
+								Name: "api-gateway",
+							},
+						},
+					},
+				}, []structs.InlineCertificateConfigEntry{{
+					Kind:        structs.InlineCertificate,
+					Name:        "certificate",
+					PrivateKey:  gatewayTestPrivateKey,
+					Certificate: gatewayTestCertificate,
+				}}, []proxycfg.UpdateEvent{{
+					CorrelationID: "discovery-chain:" + serviceUID.String(),
+					Result: &structs.DiscoveryChainResponse{
+						Chain: serviceChain,
+					},
+				}, {
+					CorrelationID: "upstream-target:" + serviceChain.ID() + ":" + serviceUID.String(),
+					Result: &structs.IndexedCheckServiceNodes{
+						Nodes: proxycfg.TestUpstreamNodes(t, "service"),
+					},
+				}})
+			},
+		},
 		{
 			name: "api-gateway-with-http-route",
 			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
@@ -1082,6 +1230,18 @@ func getAPIGatewayGoldenTestCases(t *testing.T) []goldenTestCase {
 							Name:     "listener",
 							Protocol: structs.ListenerProtocolHTTP,
 							Port:     8080,
+							TLS: structs.APIGatewayTLSConfiguration{
+								Certificates: []structs.ResourceReference{{
+									Kind: structs.InlineCertificate,
+									Name: "certificate",
+								}},
+								MinVersion: types.TLSv1_2,
+								MaxVersion: types.TLSv1_3,
+								CipherSuites: []types.TLSCipherSuite{
+									types.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+									types.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+								},
+							},
 						},
 					}
 					bound.Listeners = []structs.BoundAPIGatewayListener{

agent/xds/testdata/listeners/api-gateway-with-http-route.latest.golden

@@ -61,7 +61,14 @@
                     }
                   }
                 ],
-                "tlsParams": {}
+                "tlsParams": {
+                  "cipherSuites": [
+                    "ECDHE-ECDSA-AES256-GCM-SHA384",
+                    "ECDHE-RSA-CHACHA20-POLY1305"
+                  ],
+                  "tlsMaximumProtocolVersion": "TLSv1_3",
+                  "tlsMinimumProtocolVersion": "TLSv1_2"
+                }
               },
               "requireClientCertificate": false
             }

agent/xds/testdata/listeners/api-gateway-with-multiple-inline-certificates.latest.golden

@@ -41,7 +41,14 @@
                     }
                   }
                 ],
-                "tlsParams": {}
+                "tlsParams": {
+                  "cipherSuites": [
+                    "ECDHE-ECDSA-AES256-GCM-SHA384",
+                    "ECDHE-RSA-CHACHA20-POLY1305"
+                  ],
+                  "tlsMaximumProtocolVersion": "TLSv1_3",
+                  "tlsMinimumProtocolVersion": "TLSv1_2"
+                }
               },
               "requireClientCertificate": false
             }
@@ -73,7 +80,14 @@
                     }
                   }
                 ],
-                "tlsParams": {},
+                "tlsParams": {
+                  "cipherSuites": [
+                    "ECDHE-ECDSA-AES256-GCM-SHA384",
+                    "ECDHE-RSA-CHACHA20-POLY1305"
+                  ],
+                  "tlsMaximumProtocolVersion": "TLSv1_3",
+                  "tlsMinimumProtocolVersion": "TLSv1_2"
+                },
                 "validationContext": {
                   "trustedCa": {
                     "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n"