Merge remote-tracking branch 'origin' into node-selector

Signed-off-by: Shahar Harari <[email protected]>

api/v1alpha1/clienttrafficpolicy_types.go

@@ -34,6 +34,7 @@ type ClientTrafficPolicy struct {
 	Status ClientTrafficPolicyStatus `json:"status,omitempty"`
 }
 
+// +kubebuilder:validation:XValidation:rule="has(self.http3) && has(self.tls) && has(self.tls.alpnProtocols) ? self.tls.alpnProtocols.size() == 0 : true",message="alpn protocols can't be set if HTTP/3 is enabled"
 // ClientTrafficPolicySpec defines the desired state of ClientTrafficPolicy.
 type ClientTrafficPolicySpec struct {
 	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
@@ -69,6 +70,10 @@ type ClientTrafficPolicySpec struct {
 	//
 	// +optional
 	HTTP3 *HTTP3Settings `json:"http3,omitempty"`
+	// TLS settings configure TLS termination settings with the downstream client.
+	//
+	// +optional
+	TLS *TLSSettings `json:"tls,omitempty"`
 }
 
 // HTTP3Settings provides HTTP/3 configuration on the listener.

api/v1alpha1/tls_types.go

@@ -0,0 +1,99 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+// +kubebuilder:validation:XValidation:rule="has(self.minVersion) && self.minVersion == 'v1_3' ? !has(self.ciphers) : true", message="setting ciphers has no effect if the minimum possible TLS version is 1.3"
+// +kubebuilder:validation:XValidation:rule="has(self.minVersion) && has(self.maxVersion) ? {\"Auto\":0,\"v1_1\":1,\"v1_2\":2,\"v1_3\":3}[self.minVersion] <= {\"v1_1\":1,\"v1_2\":2,\"v1_3\":3,\"Auto\":4}[self.maxVersion] : !has(self.minVersion) && has(self.maxVersion) ? 2 <= {\"v1_1\":1,\"v1_2\":2,\"v1_3\":3,\"Auto\":4}[self.maxVersion] : true", message="minVersion must be smaller or equal to maxVersion"
+type TLSSettings struct {
+
+	// Min specifies the minimal TLS protocol version to allow.
+	//
+	// The default is TLS 1.2 if this is not specified.
+	// +optional
+	MinVersion *TLSVersion `json:"minVersion,omitempty"`
+
+	// Max specifies the maximal TLS protocol version to allow
+	//
+	// The default is TLS 1.3 if this is not specified.
+	// +optional
+	MaxVersion *TLSVersion `json:"maxVersion,omitempty"`
+
+	// Ciphers specifies the set of cipher suites supported when
+	// negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
+	//
+	// In non-FIPS Envoy Proxy builds the default cipher list is:
+	// - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
+	// - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
+	// - ECDHE-ECDSA-AES256-GCM-SHA384
+	// - ECDHE-RSA-AES256-GCM-SHA384
+	//
+	// In builds using BoringSSL FIPS the default cipher list is:
+	// - ECDHE-ECDSA-AES128-GCM-SHA256
+	// - ECDHE-RSA-AES128-GCM-SHA256
+	// - ECDHE-ECDSA-AES256-GCM-SHA384
+	// - ECDHE-RSA-AES256-GCM-SHA384
+	//
+	// +optional
+	Ciphers []string `json:"ciphers,omitempty"`
+
+	// ECDHCurves specifies the set of supported ECDH curves.
+	// In non-FIPS Envoy Proxy builds the default curves are:
+	// - X25519
+	// - P-256
+	//
+	// In builds using BoringSSL FIPS the default curve is:
+	// - P-256
+	//
+	// +optional
+	ECDHCurves []string `json:"ecdhCurves,omitempty"`
+
+	// SignatureAlgorithms specifies which signature algorithms the listener should
+	// support.
+	//
+	// +optional
+	SignatureAlgorithms []string `json:"signatureAlgorithms,omitempty"`
+
+	// ALPNProtocols supplies the list of ALPN protocols that should be
+	// exposed by the listener. By default http/2 and http/1.1 are enabled.
+	//
+	// Supported values are:
+	// - http/1.0
+	// - http/1.1
+	// - http/2
+	//
+	// +optional
+	ALPNProtocols []ALPNProtocol `json:"alpnProtocols,omitempty"`
+}
+
+// ALPNProtocol specifies the protocol to be negotiated using ALPN
+// +kubebuilder:validation:Enum=http/1.0;http/1.1;http/2
+type ALPNProtocol string
+
+const (
+	// HTTPProtocolVersion1_0 specifies that HTTP/1.0 should be negotiable with ALPN
+	HTTPProtocolVersion1_0 ALPNProtocol = "http/1.0"
+	// HTTPProtocolVersion1_1 specifies that HTTP/1.1 should be negotiable with ALPN
+	HTTPProtocolVersion1_1 ALPNProtocol = "http/1.1"
+	// HTTPProtocolVersion2 specifies that HTTP/2 should be negotiable with ALPN
+	HTTPProtocolVersion2 ALPNProtocol = "http/2"
+)
+
+// TLSVersion specifies the TLS version
+// +kubebuilder:validation:Enum=Auto;v1_0;v1_1;v1_2;v1_3
+type TLSVersion string
+
+const (
+	// TLSAuto allows Envoy to choose the optimal TLS Version
+	TLSAuto TLSVersion = "Auto"
+	// TLSv1_0 specifies TLS version 1.0
+	TLSv10 TLSVersion = "v1_0"
+	// TLSv1_1 specifies TLS version 1.1
+	TLSv11 TLSVersion = "v1_1"
+	// TLSv1.2 specifies TLS version 1.2
+	TLSv12 TLSVersion = "v1_2"
+	// TLSv1.3 specifies TLS version 1.3
+	TLSv13 TLSVersion = "v1_3"
+)

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml

@@ -136,9 +136,89 @@ spec:
                     format: int32
                     type: integer
                 type: object
+              tls:
+                description: TLS settings configure TLS termination settings with
+                  the downstream client.
+                properties:
+                  alpnProtocols:
+                    description: "ALPNProtocols supplies the list of ALPN protocols
+                      that should be exposed by the listener. By default http/2 and
+                      http/1.1 are enabled. \n Supported values are: - http/1.0 -
+                      http/1.1 - http/2"
+                    items:
+                      description: ALPNProtocol specifies the protocol to be negotiated
+                        using ALPN
+                      enum:
+                      - http/1.0
+                      - http/1.1
+                      - http/2
+                      type: string
+                    type: array
+                  ciphers:
+                    description: "Ciphers specifies the set of cipher suites supported
+                      when negotiating TLS 1.0 - 1.2. This setting has no effect for
+                      TLS 1.3. \n In non-FIPS Envoy Proxy builds the default cipher
+                      list is: - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
+                      - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
+                      - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384
+                      \n In builds using BoringSSL FIPS the default cipher list is:
+                      - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256
+                      - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384"
+                    items:
+                      type: string
+                    type: array
+                  ecdhCurves:
+                    description: "ECDHCurves specifies the set of supported ECDH curves.
+                      In non-FIPS Envoy Proxy builds the default curves are: - X25519
+                      - P-256 \n In builds using BoringSSL FIPS the default curve
+                      is: - P-256"
+                    items:
+                      type: string
+                    type: array
+                  maxVersion:
+                    description: "Max specifies the maximal TLS protocol version to
+                      allow \n The default is TLS 1.3 if this is not specified."
+                    enum:
+                    - Auto
+                    - v1_0
+                    - v1_1
+                    - v1_2
+                    - v1_3
+                    type: string
+                  minVersion:
+                    description: "Min specifies the minimal TLS protocol version to
+                      allow. \n The default is TLS 1.2 if this is not specified."
+                    enum:
+                    - Auto
+                    - v1_0
+                    - v1_1
+                    - v1_2
+                    - v1_3
+                    type: string
+                  signatureAlgorithms:
+                    description: SignatureAlgorithms specifies which signature algorithms
+                      the listener should support.
+                    items:
+                      type: string
+                    type: array
+                type: object
+                x-kubernetes-validations:
+                - message: setting ciphers has no effect if the minimum possible TLS
+                    version is 1.3
+                  rule: 'has(self.minVersion) && self.minVersion == ''v1_3'' ? !has(self.ciphers)
+                    : true'
+                - message: minVersion must be smaller or equal to maxVersion
+                  rule: 'has(self.minVersion) && has(self.maxVersion) ? {"Auto":0,"v1_1":1,"v1_2":2,"v1_3":3}[self.minVersion]
+                    <= {"v1_1":1,"v1_2":2,"v1_3":3,"Auto":4}[self.maxVersion] : !has(self.minVersion)
+                    && has(self.maxVersion) ? 2 <= {"v1_1":1,"v1_2":2,"v1_3":3,"Auto":4}[self.maxVersion]
+                    : true'
             required:
             - targetRef
             type: object
+            x-kubernetes-validations:
+            - message: alpn protocols can't be set if HTTP/3 is enabled
+              rule: 'has(self.http3) && has(self.tls) && has(self.tls.alpnProtocols)
+                ? self.tls.alpnProtocols.size() == 0 : true'
           status:
             description: Status defines the current status of ClientTrafficPolicy.
             properties:

internal/gatewayapi/backendtrafficpolicy.go

@@ -22,6 +22,7 @@ import (
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 	"github.com/envoyproxy/gateway/internal/ir"
 	"github.com/envoyproxy/gateway/internal/status"
+	"github.com/envoyproxy/gateway/internal/utils/regex"
 )
 
 type policyTargetRouteKey struct {
@@ -535,6 +536,9 @@ func buildRateLimitRule(rule egv1a1.RateLimitRule) (*ir.RateLimitRule, error) {
 				}
 				irRule.HeaderMatches = append(irRule.HeaderMatches, m)
 			case *header.Type == egv1a1.HeaderMatchRegularExpression && header.Value != nil:
+				if err := regex.Validate(*header.Value); err != nil {
+					return nil, err
+				}
 				m := &ir.StringMatch{
 					Name:      header.Name,
 					SafeRegex: header.Value,

internal/gatewayapi/clienttrafficpolicy.go

@@ -291,6 +291,10 @@ func (t *Translator) translateClientTrafficPolicyForListener(policySpec *egv1a1.
 
 		// Translate Proxy Protocol
 		translateListenerProxyProtocol(policySpec.EnableProxyProtocol, httpIR)
+
+		// Translate Suppress Envoy Headers
+		translateListenerSuppressEnvoyHeaders(policySpec.SuppressEnvoyHeaders, httpIR)
+
 		// enable http3 if set and TLS is enabled
 		if httpIR.TLS != nil && policySpec.HTTP3 != nil {
 			httpIR.HTTP3 = &ir.HTTP3Settings{}
@@ -349,3 +353,9 @@ func translateListenerProxyProtocol(enableProxyProtocol *bool, httpIR *ir.HTTPLi
 		httpIR.EnableProxyProtocol = true
 	}
 }
+
+func translateListenerSuppressEnvoyHeaders(suppressEnvoyHeaders *bool, httpIR *ir.HTTPListener) {
+	if suppressEnvoyHeaders != nil {
+		httpIR.SuppressEnvoyHeaders = *suppressEnvoyHeaders
+	}
+}