fix: match SNI when using TLS listeners with hostname

[michaelbeaumont]

What type of PR is this?

A fix for TLS listener with hostname handling.

What this PR does / why we need it:

This PR sets filterChainMatch.serverNames when using TLS listeners with a hostname.

Which issue(s) this PR fixes:

[arkodg]

hey @michaelbeaumont, for my understanding, is this PR is trying to solve ?

Listener Protocol: TLS
TLS Mode: Terminate
Route Type: TCPRoute

https://gateway-api.sigs.k8s.io/guides/tls/#clientserver-and-tls

afaik this should be supported today
#1431
https://gateway.envoyproxy.io/v1.0.0/user/security/tls-termination/

[michaelbeaumont]

Hey, yeah traffic is terminated properly, but if I set hostname on that listener, there's no filtering of traffic by SNI as specified by the spec for hostname. The final commit shows the difference for this listener.

Implementations MUST apply Hostname matching appropriately for each of the following protocols:

• TLS: The Listener Hostname MUST match the SNI.

[arkodg]

got it makes sense, thanks for clarifying !
is there a way to modify the TCP Listener IR w/o affecting the HTTP Listener IR structure and achieving the same goal ?
Currently the Hostnames field within the HTTP Listener is used for Filter Chain creation with a server_name constaint

[zhaohuabing]

@michaelbeaumont Thank you for addressing the issue! A few comments.

[zhaohuabing]

Consider moving SNIs up to TLSConfig and removing TLSInspectorConfig?

TLS Inspector is an implementation detail of Envoy, so we probably don't need to expose it to ir.

[michaelbeaumont]

I think it's already exposed as TLS.Passthrough isn't it? I can add SNIs directly to TLSConfig if you prefer

[arkodg]

I'd vote for making TLSInspectorConfig an embedded field within TLS

gateway/internal/ir/xds.go

Line 1088 in 4d6da72

type TLS struct {

, removing the need for a dedicated Passthrough field

• passthrough logic can be computed using - isTLSPassthrough := irListener.TLS != nil && irListener.TLS.Terminate == nil
• this also eliminates the need to add Inspector into the TLSConfig field, which is common to HTTPS, which uses another field (listener.Hostname) for SNI inspection

[michaelbeaumont]

I pushed an update here, it changes a different part of the IR though, passthrough -> inspector, since that's now common between mode: Terminate and mode: Passthrough

[zhaohuabing]

Could we add multiple hostnames in the gateway API translator and XDS translator tests for TLS termination? This could cover the scenario where a single listener needs to handle multiple SNIs. Thanks!

[shuji-2019]

Is there any updates for this feature ?

[aoledk]

@michaelbeaumont Are you still working on this? If not I can help, based on your previous work.

[michaelbeaumont]

Updated and merged

[arkodg]

shouldnt this be executed conditionally ?
e.g.

gateway/internal/gatewayapi/listener.go

Line 53 in 33443f8

if listener.TLS != nil {

[michaelbeaumont]

I don't think anything's changed here, previously we set unconditionally:

TLS: &ir.TLS{Terminate: irTLSConfigs(listener.tlsSecrets)},

irTLSConfigs returns nil if there aren't any secrets. The line you linked to is also gated by checking the listener protocol.

[arkodg]

Cool thanks for the checking!

[arkodg]

@michaelbeaumont 'make lint's is failing because of trailing whitespaces, once that's fixed, LGTM from my end !

[arkodg]

@michaelbeaumont can you also fix DCO and force push ?

[arkodg]

LGTM thanks !

[zhaohuabing]

LGTM thanks!

It would be helpful if we wcould cover two snis on the same port in the xds translation test. But this can be added later.

[michaelbeaumont]

@zhaohuabing I added another SNI to the test https://github.com/envoyproxy/gateway/pull/2942/files#diff-3481ca7cb1d20b614db1882fa576de2d303d434e519a17d12c2792436d6a0e18R28 actually