api: Backend TLS SNI (#7014)

* api: add support for auto SNI and auto SAN SNI validation options

Signed-off-by: Guy Daich <[email protected]>

* fix validation context building

Signed-off-by: Guy Daich <[email protected]>

* fix docs

Signed-off-by: Guy Daich <[email protected]>

* more fixes

Signed-off-by: Guy Daich <[email protected]>

* rebase

Signed-off-by: Guy Daich <[email protected]>

* fix settings for dynamic resolver

Signed-off-by: Guy Daich <[email protected]>

* rebase

Signed-off-by: Guy Daich <[email protected]>

* fix lint

Signed-off-by: Guy Daich <[email protected]>

* infer auto sni and auto san without API

Signed-off-by: Guy Daich <[email protected]>

* rebase

Signed-off-by: Guy Daich <[email protected]>

* remove old api

Signed-off-by: Guy Daich <[email protected]>

* fix gen

Signed-off-by: Guy Daich <[email protected]>

* fix typo

Signed-off-by: Guy Daich <[email protected]>

---------

Signed-off-by: Guy Daich <[email protected]>
Co-authored-by: zirain <[email protected]>

Author: guydc

api/v1alpha1/backend_types.go

@@ -204,6 +204,18 @@ type BackendTLSSettings struct {
 	// +kubebuilder:default=false
 	// +optional
 	InsecureSkipVerify *bool `json:"insecureSkipVerify,omitempty"`
+
+	// SNI is specifies the SNI value used when establishing an upstream TLS connection to the backend.
+	//
+	// Envoy Gateway will use the HTTP host header value for SNI, when all resources referenced in BackendRefs are:
+	// 1. Backend resources that do not set SNI, or
+	// 2. Service/ServiceImport resources that do not have a BackendTLSPolicy attached to them
+	//
+	// When a BackendTLSPolicy attaches to a Backend resource, the BackendTLSPolicy's Hostname value takes precedence
+	// over this value.
+	//
+	// +optional
+	SNI *gwapiv1.PreciseHostname `json:"sni,omitempty"`
 }
 
 // BackendType defines the type of the Backend.

api/v1alpha1/zz_generated.deepcopy.go

@@ -223,6 +223,20 @@ spec:
                       InsecureSkipVerify indicates whether the upstream's certificate verification
                       should be skipped. Defaults to "false".
                     type: boolean
+                  sni:
+                    description: |-
+                      SNI is specifies the SNI value used when establishing an upstream TLS connection to the backend.
+
+                      Envoy Gateway will use the HTTP host header value for SNI, when all resources referenced in BackendRefs are:
+                      1. Backend resources that do not set SNI, or
+                      2. Service/ServiceImport resources that do not have a BackendTLSPolicy attached to them
+
+                      When a BackendTLSPolicy attaches to a Backend resource, the BackendTLSPolicy's Hostname value takes precedence
+                      over this value.
+                    maxLength: 253
+                    minLength: 1
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
                   wellKnownCACertificates:
                     description: |-
                       WellKnownCACertificates specifies whether system CA certificates may be used in

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_backends.yaml

@@ -222,6 +222,20 @@ spec:
                       InsecureSkipVerify indicates whether the upstream's certificate verification
                       should be skipped. Defaults to "false".
                     type: boolean
+                  sni:
+                    description: |-
+                      SNI is specifies the SNI value used when establishing an upstream TLS connection to the backend.
+
+                      Envoy Gateway will use the HTTP host header value for SNI, when all resources referenced in BackendRefs are:
+                      1. Backend resources that do not set SNI, or
+                      2. Service/ServiceImport resources that do not have a BackendTLSPolicy attached to them
+
+                      When a BackendTLSPolicy attaches to a Backend resource, the BackendTLSPolicy's Hostname value takes precedence
+                      over this value.
+                    maxLength: 253
+                    minLength: 1
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
                   wellKnownCACertificates:
                     description: |-
                       WellKnownCACertificates specifies whether system CA certificates may be used in

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml

@@ -76,6 +76,8 @@ func (t *Translator) applyBackendTLSSetting(
 	return t.applyEnvoyProxyBackendTLSSetting(upstreamConfig, resources, envoyProxy)
 }
 
+// Merges TLS settings from Gateway API BackendTLSPolicy and Envoy Gateway Backend TL.
+// BackendTLSPolicy takes precedence for identical attributes that are set in both.
 func mergeBackendTLSConfigs(
 	backendTLSSettingsConfig *ir.TLSUpstreamConfig,
 	backendTLSPolicyConfig *ir.TLSUpstreamConfig,
@@ -91,8 +93,8 @@ func mergeBackendTLSConfigs(
 		return backendTLSSettingsConfig
 	}
 
-	// If both are set, we merge them, with BackendTLSPolicy settings taking precedence
 	mergedConfig := backendTLSSettingsConfig.DeepCopy()
+
 	if backendTLSPolicyConfig.CACertificate != nil {
 		mergedConfig.CACertificate = backendTLSPolicyConfig.CACertificate
 	}
@@ -117,6 +119,10 @@ func (t *Translator) processBackendTLSSettings(
 		InsecureSkipVerify: ptr.Deref(backend.Spec.TLS.InsecureSkipVerify, false),
 	}
 
+	if backend.Spec.TLS.SNI != nil {
+		tlsConfig.SNI = ptr.To(string(*backend.Spec.TLS.SNI))
+	}
+
 	if !tlsConfig.InsecureSkipVerify {
 		tlsConfig.UseSystemTrustStore = ptr.Deref(backend.Spec.TLS.WellKnownCACertificates, "") == gwapiv1a3.WellKnownCACertificatesSystem
 

internal/gatewayapi/backendtlspolicy.go

@@ -83,6 +83,7 @@ func (t *Translator) translateExtServiceBackendRefs(
 	if rs.HasMixedEndpoints() {
 		return nil, errors.New("external service destinations having multiple endpoint types are not supported")
 	}
+
 	return rs, nil
 }
 

internal/gatewayapi/ext_service.go

@@ -0,0 +1,225 @@
+gateways:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    metadata:
+      name: gateway-btls
+      namespace: envoy-gateway
+    spec:
+      gatewayClassName: envoy-gateway-class
+      listeners:
+        - name: http
+          protocol: HTTP
+          port: 80
+          allowedRoutes:
+            namespaces:
+              from: All
+httpRoutes:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      name: httproute-backend-without-sni
+      namespace: envoy-gateway
+    spec:
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-btls
+          sectionName: http
+      hostnames:
+        - backend-without-sni.example.com
+      rules:
+        - matches:
+            - path:
+                type: Exact
+                value: "/backend-without-sni"
+          backendRefs:
+            - kind: Backend
+              group: gateway.envoyproxy.io
+              name: backend-without-sni
+              namespace: backends
+              port: 8080
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      name: httproute-backend-with-sni
+      namespace: envoy-gateway
+    spec:
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-btls
+          sectionName: http
+      hostnames:
+        - backend-with-sni.example.com
+      rules:
+        - matches:
+            - path:
+                type: Exact
+                value: "/backend-with-sni"
+          backendRefs:
+            - kind: Backend
+              group: gateway.envoyproxy.io
+              name: backend-with-sni
+              namespace: backends
+              port: 8080
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      name: httproute-backend-with-sni-and-btlsp
+      namespace: envoy-gateway
+    spec:
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-btls
+          sectionName: http
+      hostnames:
+        - backend-with-sni-and-btlsp.example.com
+      rules:
+        - matches:
+            - path:
+                type: Exact
+                value: "/backend-with-sni-and-btlsp"
+          backendRefs:
+            - kind: Backend
+              group: gateway.envoyproxy.io
+              name: backend-with-sni-and-btlsp
+              namespace: backends
+              port: 8080
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      name: httproute-backend-without-sni-and-btlsp
+      namespace: envoy-gateway
+    spec:
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-btls
+          sectionName: http
+      hostnames:
+        - "backend-without-sni-and-btlsp.example.com"
+      rules:
+        - matches:
+            - path:
+                type: Exact
+                value: "/backend-without-sni-and-btlsp"
+          backendRefs:
+            - kind: Backend
+              group: gateway.envoyproxy.io
+              name: backend-without-sni-and-btlsp
+              namespace: backends
+              port: 8080
+referenceGrants:
+  - apiVersion: gateway.networking.k8s.io/v1alpha2
+    kind: ReferenceGrant
+    metadata:
+      name: refg-route-svc
+      namespace: backends
+    spec:
+      from:
+        - group: gateway.networking.k8s.io
+          kind: HTTPRoute
+          namespace: envoy-gateway
+        - group: gateway.networking.k8s.io
+          kind: Gateway
+          namespace: envoy-gateway
+        - group: gateway.networking.k8s.io
+          kind: BackendTLSPolicy
+          namespace: policies
+      to:
+        - group: gateway.envoyproxy.io
+          kind: Backend
+
+backends:
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-without-sni
+      namespace: backends
+    spec:
+      endpoints:
+        - ip:
+            address: 1.1.1.1
+            port: 3001
+      tls:
+        caCertificateRefs:
+          - name: ca-secret
+            group: ""
+            kind: Secret
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-with-sni
+      namespace: backends
+    spec:
+      endpoints:
+        - ip:
+            address: 1.1.1.1
+            port: 3001
+      tls:
+        caCertificateRefs:
+          - name: ca-secret
+            group: ""
+            kind: Secret
+        sni: "backend.sni.com"
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-without-sni-and-btlsp
+      namespace: backends
+    spec:
+      endpoints:
+        - ip:
+            address: 1.1.1.1
+            port: 3001
+      tls:
+        caCertificateRefs:
+          - name: ca-secret
+            group: ""
+            kind: Secret
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-with-sni-and-btlsp
+      namespace: backends
+    spec:
+      endpoints:
+        - ip:
+            address: 1.1.1.1
+            port: 3001
+      tls:
+        caCertificateRefs:
+          - name: ca-secret
+            group: ""
+            kind: Secret
+        sni: "backend.sni.com"
+secrets:
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      name: ca-secret
+      namespace: backends
+    data:
+      ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+
+backendTLSPolicies:
+  - apiVersion: gateway.networking.k8s.io/v1alpha2
+    kind: BackendTLSPolicy
+    metadata:
+      name: policy-btls
+      namespace: backends
+    spec:
+      targetRefs:
+        - kind: Backend
+          group: gateway.envoyproxy.io
+          name: backend-without-sni-and-btlsp
+        - kind: Backend
+          group: gateway.envoyproxy.io
+          name: backend-with-sni-and-btlsp
+      validation:
+        caCertificateRefs:
+          - name: ca-secret
+            group: ""
+            kind: Secret
+        hostname: example.com
+        subjectAltNames:
+          - type: URI
+            uri: spiffe://cluster.local/ns/istio-demo/sa/echo-v1
+          - hostname: subdomain.secondexample.com