internal/envoy: Allow TLSv1.3 for xDS connection. (#4081)

This change sets the maximum TLS version to TLSv1.3 in the Envoy bootstrap config for the xDS connection. It means that TLSv1.3 will be selected from now on, since Contour already accepts TLSv1.3. Previously Envoy defaulted to TLSv1.2 for the xDS connection. Updates #3518 Signed-off-by: Tero Saarni <[email protected]>
projectcontour · Oct 7, 2021 · 7963cce · 7963cce
1 parent a0ec930
commit 7963cce
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 0 deletions.
diff --git a/changelogs/unreleased/4081-tsaarni-small.md b/changelogs/unreleased/4081-tsaarni-small.md
@@ -0,0 +1 @@
+Allow TLSv1.3 for the xDS connection between Contour and Envoy.
diff --git a/internal/envoy/v3/bootstrap.go b/internal/envoy/v3/bootstrap.go
@@ -218,6 +218,9 @@ func bootstrapConfig(c *envoy.BootstrapConfig) *envoy_bootstrap_v3.Bootstrap {
 func upstreamFileTLSContext(c *envoy.BootstrapConfig) *envoy_tls_v3.UpstreamTlsContext {
 	context := &envoy_tls_v3.UpstreamTlsContext{
 		CommonTlsContext: &envoy_tls_v3.CommonTlsContext{
+			TlsParams: &envoy_tls_v3.TlsParameters{
+				TlsMaximumProtocolVersion: envoy_tls_v3.TlsParameters_TLSv1_3,
+			},
 			TlsCertificates: []*envoy_tls_v3.TlsCertificate{{
 				CertificateChain: &envoy_core_v3.DataSource{
 					Specifier: &envoy_core_v3.DataSource_Filename{
@@ -253,6 +256,9 @@ func upstreamFileTLSContext(c *envoy.BootstrapConfig) *envoy_tls_v3.UpstreamTlsC
 func upstreamSdsTLSContext(certificateSdsFile, validationSdsFile string) *envoy_tls_v3.UpstreamTlsContext {
 	context := &envoy_tls_v3.UpstreamTlsContext{
 		CommonTlsContext: &envoy_tls_v3.CommonTlsContext{
+			TlsParams: &envoy_tls_v3.TlsParameters{
+				TlsMaximumProtocolVersion: envoy_tls_v3.TlsParameters_TLSv1_3,
+			},
 			TlsCertificateSdsSecretConfigs: []*envoy_tls_v3.SdsSecretConfig{{
 				Name: "contour_xds_tls_certificate",
 				SdsConfig: &envoy_core_v3.ConfigSource{

diff --git a/internal/envoy/v3/bootstrap_test.go b/internal/envoy/v3/bootstrap_test.go
@@ -1049,6 +1049,9 @@ func TestBootstrap(t *testing.T) {
           "typed_config": {
             "@type":"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
             "common_tls_context": {
+              "tls_params": {
+                "tls_maximum_protocol_version": "TLSv1_3"
+              },
               "tls_certificates": [
                 {
                   "certificate_chain": {
@@ -1208,6 +1211,9 @@ func TestBootstrap(t *testing.T) {
                 "typed_config": {
                   "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
                   "common_tls_context": {
+                    "tls_params": {
+                      "tls_maximum_protocol_version": "TLSv1_3"
+                    },
                     "tls_certificate_sds_secret_configs": [
                       {
                         "name": "contour_xds_tls_certificate",