internal/envoy: Allow TLSv1.3 for xDS connection.

This change sets the maximum TLS version to TLSv1.3 in the Envoy bootstrap config for the xDS connection. It means that TLSv1.3 will be selected from now on, since Contour already accepts TLSv1.3. Previously Envoy defaulted to TLSv1.2 for the xDS connection. Updates #3518 Signed-off-by: Tero Saarni <[email protected]>
projectcontour · Oct 7, 2021 · 8d6eda0 · 8d6eda0
1 parent db9e15d
commit 8d6eda0
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/internal/envoy/v3/bootstrap.go b/internal/envoy/v3/bootstrap.go
@@ -218,6 +218,9 @@ func bootstrapConfig(c *envoy.BootstrapConfig) *envoy_bootstrap_v3.Bootstrap {
 func upstreamFileTLSContext(c *envoy.BootstrapConfig) *envoy_tls_v3.UpstreamTlsContext {
 	context := &envoy_tls_v3.UpstreamTlsContext{
 		CommonTlsContext: &envoy_tls_v3.CommonTlsContext{
+			TlsParams: &envoy_tls_v3.TlsParameters{
+				TlsMaximumProtocolVersion: envoy_tls_v3.TlsParameters_TLSv1_3,
+			},
 			TlsCertificates: []*envoy_tls_v3.TlsCertificate{{
 				CertificateChain: &envoy_core_v3.DataSource{
 					Specifier: &envoy_core_v3.DataSource_Filename{
@@ -253,6 +256,9 @@ func upstreamFileTLSContext(c *envoy.BootstrapConfig) *envoy_tls_v3.UpstreamTlsC
 func upstreamSdsTLSContext(certificateSdsFile, validationSdsFile string) *envoy_tls_v3.UpstreamTlsContext {
 	context := &envoy_tls_v3.UpstreamTlsContext{
 		CommonTlsContext: &envoy_tls_v3.CommonTlsContext{
+			TlsParams: &envoy_tls_v3.TlsParameters{
+				TlsMaximumProtocolVersion: envoy_tls_v3.TlsParameters_TLSv1_3,
+			},
 			TlsCertificateSdsSecretConfigs: []*envoy_tls_v3.SdsSecretConfig{{
 				Name: "contour_xds_tls_certificate",
 				SdsConfig: &envoy_core_v3.ConfigSource{

diff --git a/internal/envoy/v3/bootstrap_test.go b/internal/envoy/v3/bootstrap_test.go
@@ -1049,6 +1049,9 @@ func TestBootstrap(t *testing.T) {
           "typed_config": {
             "@type":"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
             "common_tls_context": {
+              "tls_params": {
+                "tls_maximum_protocol_version": "TLSv1_3"
+              },
               "tls_certificates": [
                 {
                   "certificate_chain": {
@@ -1208,6 +1211,9 @@ func TestBootstrap(t *testing.T) {
                 "typed_config": {
                   "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
                   "common_tls_context": {
+                    "tls_params": {
+                      "tls_maximum_protocol_version": "TLSv1_3"
+                    },
                     "tls_certificate_sds_secret_configs": [
                       {
                         "name": "contour_xds_tls_certificate",